MS to intro product key check in WinXP SP1 WPA

And uncrack cracked systems

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

Microsoft has released details of the changes being made in Windows Product Activation (WPA) with WinXP Service Pack 1. As expected, SP1 will fail to install if either of "two well-known pirated product keys" has previously been used to activate the system, and such systems will also be denied access to Windows Update. But the changes will have a far wider impact than this, as Microsoft appears to be trying to cover all currently known holes in WPA security.

Activations taking place after SP1 has been applied (largely on new systems, one presumes) will include the product key in the installation ID. According to Allen Nieman, lead technical product manager i/c WPA, the full key will be sent to Microsoft in an internet activation, while telephone activations will include a hash value of the key, " in order to limit the increase in size of the telephone Installation ID." Nieman says "we should have included this in the Installation ID from the beginning," and now they have.

This installation ID previously consisted of product ID and hardware hash, so the addition of the product key takes the components to three. The major impact of this change is that Microsoft can now check a product key "to determine its validity," which perhaps means that Microsoft does have a list of valid keys of some sort, and that key generation software will cease to function. If however Microsoft does not have such a list for products already shipped, it most certainly will have in the future. Failing that, the change at least gives Microsoft a mechanism for swiftly cracking down on new leaked keys.

As Windows Update will also now be checking keys, Microsoft can deny access to updates even if SP1 has been successfully applied on a system whose key is subsequently determined to be compromised. No bombs vaping systems as yet though - it still seems to be the intention simply to freeze systems by denying them updates. Apart from...

"Service Pack 1 for Windows XP will contain fixes to cracks used by software pirates to circumvent activation. Installations of Windows XP patched by a crack will require activation after SP1 has been installed." So, although as far as leaked product keys are concerned, Microsoft is sticking to its promise of just freezing the system state at pre-SP1, users of patched versions applying SP1 will be bombed.

Why the differentiation? People using cracks are badder than people using dodgy corporate keys? Market research? Possibly, Microsoft recognises that users of leaked keys stand a greater chance of being genuine customers using the keys either deliberately or obliviously, and that it stands some chance of shooting its friends by mistake.

Windows Update, by the way, will not be validating product keys until 2nd October, according to Nieman, which means until then the product key data is simply discarded. After that date it will be used for validation and then discarded, he says. But, um, hang on a moment there Mr Nieman. If Microsoft has a list of valid keys, and if it checks my key against that list, then must it not place some form of tick on the list, in order to cater for my known propensity to pass on my product key to my neighbours, pets and passing tradespeople? (I jest, please stop trying to break down that door.)

Anyway, the nature of 'discarded' here seems to us to warrant further investigation, and the importance of the 2nd October switchover is probably that Microsoft wants to avoid the possibility of two sets of changes going horribly wrong at the same time.

There is one small relaxation in the new model, in that users forced to reactivate after making hardware changes will now have three days in which to do so, rather than having their system break instantly, and being forced to fix it then. From the user's perspective this probably does not amount to a particularly large hill of beans, but it will likely make them less cross when they phone up, and it does look like a concession.

As regards corporate customers, an encryption feature has been added, "to allow the encryption of the VLK for unattended setups of Windows XP with Service Pack 1. Customers who place their VLK in an unattended setup file (unattend.txt) will be able to encrypt the VLK such that it will be time limited and hidden from plain text. This means that the VLK could be encrypted in the unattend.txt on a network share install point, RIS, CD-based install, etc."

The implications of this aren't immediately clear to us, and rather depend on what that "time limited and hidden from plain text" means. It should not mean that corporate customers will need to be issued with new keys for existing installations (as Nieman hotly denied when we suggested this might be the case), but it does seem to suggest new 'disposable' keys are envisaged for new slipstreamed installations. Limited time keys would certainly make sense, considering what techies are like.

Microsoft puts all of this in its very own way. The changes are "ensuring licensed customers receive full benefits" and "raising the bar on pirates" who "have been busy engineering circumventions to digital rights technologies including Microsoft's own product activation." So there you have it - WPA is a digital rights technology. Which may remind you of something. ®

Remote control for virtualized desktops

More from The Register

next story
That dreaded syncing feeling: Will Microsoft EVER fix OneDrive?
Microsoft's long history of broken Windows sync
Bada-Bing! Mozilla flips Firefox to YAHOO! for search
Microsoft system will be the default for browser in US until 2020
Mozilla, EFF, Cisco back free-as-in-FREE-BEER SSL cert authority
Let’s Encrypt to give HTTPS-everywhere a boost in 2015
SLURP! Flick your TONGUE around our LOLLIPOP – Google
Android 5 is coming – IF you're lucky enough to have the right gadget
Be real, Apple: In-app goodie grab games AREN'T FREE – EU
Cupertino stands down after Euro legal threats
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.