MS to intro product key check in WinXP SP1 WPA

And uncrack cracked systems

  • alert
  • submit to reddit

Boost IT visibility and business value

Microsoft has released details of the changes being made in Windows Product Activation (WPA) with WinXP Service Pack 1. As expected, SP1 will fail to install if either of "two well-known pirated product keys" has previously been used to activate the system, and such systems will also be denied access to Windows Update. But the changes will have a far wider impact than this, as Microsoft appears to be trying to cover all currently known holes in WPA security.

Activations taking place after SP1 has been applied (largely on new systems, one presumes) will include the product key in the installation ID. According to Allen Nieman, lead technical product manager i/c WPA, the full key will be sent to Microsoft in an internet activation, while telephone activations will include a hash value of the key, " in order to limit the increase in size of the telephone Installation ID." Nieman says "we should have included this in the Installation ID from the beginning," and now they have.

This installation ID previously consisted of product ID and hardware hash, so the addition of the product key takes the components to three. The major impact of this change is that Microsoft can now check a product key "to determine its validity," which perhaps means that Microsoft does have a list of valid keys of some sort, and that key generation software will cease to function. If however Microsoft does not have such a list for products already shipped, it most certainly will have in the future. Failing that, the change at least gives Microsoft a mechanism for swiftly cracking down on new leaked keys.

As Windows Update will also now be checking keys, Microsoft can deny access to updates even if SP1 has been successfully applied on a system whose key is subsequently determined to be compromised. No bombs vaping systems as yet though - it still seems to be the intention simply to freeze systems by denying them updates. Apart from...

"Service Pack 1 for Windows XP will contain fixes to cracks used by software pirates to circumvent activation. Installations of Windows XP patched by a crack will require activation after SP1 has been installed." So, although as far as leaked product keys are concerned, Microsoft is sticking to its promise of just freezing the system state at pre-SP1, users of patched versions applying SP1 will be bombed.

Why the differentiation? People using cracks are badder than people using dodgy corporate keys? Market research? Possibly, Microsoft recognises that users of leaked keys stand a greater chance of being genuine customers using the keys either deliberately or obliviously, and that it stands some chance of shooting its friends by mistake.

Windows Update, by the way, will not be validating product keys until 2nd October, according to Nieman, which means until then the product key data is simply discarded. After that date it will be used for validation and then discarded, he says. But, um, hang on a moment there Mr Nieman. If Microsoft has a list of valid keys, and if it checks my key against that list, then must it not place some form of tick on the list, in order to cater for my known propensity to pass on my product key to my neighbours, pets and passing tradespeople? (I jest, please stop trying to break down that door.)

Anyway, the nature of 'discarded' here seems to us to warrant further investigation, and the importance of the 2nd October switchover is probably that Microsoft wants to avoid the possibility of two sets of changes going horribly wrong at the same time.

There is one small relaxation in the new model, in that users forced to reactivate after making hardware changes will now have three days in which to do so, rather than having their system break instantly, and being forced to fix it then. From the user's perspective this probably does not amount to a particularly large hill of beans, but it will likely make them less cross when they phone up, and it does look like a concession.

As regards corporate customers, an encryption feature has been added, "to allow the encryption of the VLK for unattended setups of Windows XP with Service Pack 1. Customers who place their VLK in an unattended setup file (unattend.txt) will be able to encrypt the VLK such that it will be time limited and hidden from plain text. This means that the VLK could be encrypted in the unattend.txt on a network share install point, RIS, CD-based install, etc."

The implications of this aren't immediately clear to us, and rather depend on what that "time limited and hidden from plain text" means. It should not mean that corporate customers will need to be issued with new keys for existing installations (as Nieman hotly denied when we suggested this might be the case), but it does seem to suggest new 'disposable' keys are envisaged for new slipstreamed installations. Limited time keys would certainly make sense, considering what techies are like.

Microsoft puts all of this in its very own way. The changes are "ensuring licensed customers receive full benefits" and "raising the bar on pirates" who "have been busy engineering circumventions to digital rights technologies including Microsoft's own product activation." So there you have it - WPA is a digital rights technology. Which may remind you of something. ®

Build a business case: developing custom apps

More from The Register

next story
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
Leaked Windows Phone 8.1 Update specs tease details of Nokia's next mobes
New screen sizes, dual SIMs, voice over LTE, and more
Mozilla keeps its Beard, hopes anti-gay marriage troubles are now over
Plenty on new CEO's todo list – starting with Firefox's slipping grasp
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Cloudy CoreOS Linux distro declares itself production-ready
Lightweight, container-happy Linux gets first Stable release
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.