Hackers Find New Vista Activation Crack

UPDATED 11:00 pm December 8, 2006: Cori Hartje, Director of Microsoft’s Genuine Software Initiative, issued the following statement to BetaNews regarding the activation crack:

“We are actively monitoring these types of piracy and counterfeit situations, and will take action on any Key Management Service (KMS) or Multiple Activation Key (MAK) keys that have been reported as stolen or abused. Microsoft will continue to make investments under the Genuine Software Initiative (GSI) and is committed to engineering world-class anti-counterfeiting technologies in order to make piracy harder and protect customers and channel partners from the various risks associated with counterfeit software.”

With all the talk about Microsoft’s stepped-up efforts to curb piracy through Vista’s new activation methods, those efforts may be for naught: some crafty hackers have figured out how to stand up their own Vista activation server.

Microsoft’s new activation policy requires every single copy of the new operating system to be activated, including copies purchased under the company’s corporate volume licensing program, so Microsoft tried to make the process less daunting for IT administrators.

The company created the Key Management Service (KMS), which lets an administrator activate all the computers on a network in one sweep: a central KMS host activates the clients and keeps track of those activations for the network.

To limit abuse, however, a KMS activation is valid only for 180 days. Before that period runs out, the client must contact the KMS host again to renew its activation. This was done to discourage people from using a corporate KMS to activate their own computers at home.

But it was only a matter of time before hackers figured out how to reproduce a KMS host locally, using a VMware image and a VBS script. From there, as long as the edition of Vista is Business or Enterprise, the activation granted by the fake host is accepted by the operating system.

It should be noted that Home and Ultimate editions do not accept KMS client keys, and still must use the traditional activation method (more secure in Vista than before) of contacting Microsoft directly.

For the crack to work, a KMS client product key must be used when installing Vista. If the system is ever flagged by Microsoft’s Windows Genuine Advantage program, Microsoft can mark it as pirated and block the key.

Second, as mentioned above, the user must run the KMS server again at least every 180 days to keep the copy of Vista activated and usable. Regardless of its drawbacks, the new crack marks yet another shift in the battle between Microsoft and pirates of its software.

Existence of the crack was first reported by Australian technology publication APC on Thursday.

Yes, there is an Office 2007 ‘kill switch’

Buried in a Knowledge Base article that Microsoft published to the Web on November 14 are details of Microsoft’s plans to combat Office 2007 piracy via new Office Genuine Advantage lockdowns.

When asked last month whether Microsoft was planning to punish alleged Office 2007 pirates by crippling the functionality of their software in the same way that Microsoft is doing with Vista via reduced-functionality mode, Microsoft officials were noncommittal.

But now Microsoft’s intentions are clear: Just as it is doing with Vista, Microsoft plans to incorporate what basically amounts to a “kill switch” into Office 2007. Office 2007 users who can’t or won’t pass activation muster within a set time period will be moved into “reduced-functionality mode,” according to Microsoft’s Knowledge Base article.

Link: KB Article 927921

Windows Genuine Advantage: What it is, how to ditch it

Windows Genuine Advantage (WGA) software is installed on computers running Windows XP via Microsoft’s online update services. For most XP users, that means Automatic Updates, which Microsoft has worked very hard since Windows XP SP2 to make us run in full-automatic mode. WGA has already appeared in several beta versions, with slightly different behaviors, and Microsoft appears to be still actively developing this tool. For many people, the fact that the software giant delivers WGA as a security update is another strong note of insincerity. Microsoft may kid itself into believing that WGA has some sort of security aspect, but many knowledgeable computer users aren’t buying that.

When WGA detects a problem, it lets you keep running Windows, periodically popping up nag screens informing you that your Microsoft software may be counterfeit. If this happens to you, you should pursue the process that WGA presents; it may provide you with information that will help you rectify the problem.

For example, in my tests I was able to make the WGA “counterfeit” warning appear by changing the date of the system clock one month later. The Web-based WGA program was able to determine that was the problem and it suggested I reset the system date. When I did that, the WGA warnings disappeared. While most WGA detections don’t resolve that easily, it can’t hurt you to learn as much as you can about why WGA believes your copy of Windows or Microsoft Office may be illegitimate.

With nag screens the extent of the negative effect, WGA doesn’t have much of a bite — for now. But might that change in the future? Microsoft has said it won’t “turn off” illegitimate copies of Windows. But could the software giant be interpreting that literally? The more likely preventive measure probably isn’t turning off the computer. It’s not hard to imagine that WGA might direct its predecessor, Windows Product Activation (WPA), to lock you out of your computer. When WPA kicks in, the computer boots to a login screen that doesn’t let you use the computer until a valid activation code is entered. In Vista, this WPA screen links to an option that lets you buy a new copy of Windows, letting you use Internet Explorer for that purpose.

Microsoft has more than once alluded to the fact that it is reserving the right to enforce the installation of WGA on all computers, possibly sometime early this fall. WGA is built into Windows Vista, without any user option to remove it. It’s simply not known how Vista’s version of WGA will behave.

It is still possible to both remove WGA and to prevent it from attempting to reinstall after you have removed it.

How to Ditch WGA

There are many sites online that purport to help you remove WGA from your system, but Microsoft recently changed WGA and many of those sites now offer outdated advice. I have yet to see a definitive work on removing WGA, and I don’t consider this writing to be either. Since WGA is still in beta, and still under development, I suspect that the best set of instructions is yet to come.

A large portion of these instructions is based on Microsoft’s “How to disable or uninstall the pilot version of Microsoft Windows Genuine Advantage Notifications” KnowledgeBase article, which showed a July 12, 2006 revision date at the time I prepared this article.

Important: These instructions require editing the registry. You may want to start by creating a System Restore point so that you can revert to it in the event that something goes wrong. Also, I attempt to go beyond uninstalling WGA Notifications to uninstalling other aspects and leave-behinds of WGA. I can’t promise that you won’t run into trouble. The one thing I can tell you is that I’ve done all this on my own computers without incident.

To make a System Restore point, open the Start menu, choose Run, copy and paste this line into the Run field, and press Enter:


If you prefer not to mess around with the System Registry yourself, there’s a free utility called RemoveWGA 1.2 available for download on the Internet from Firewall Leak Tester.

Removing WGA: Step by Step

1. In the Add or Remove Programs Control Panel, turn on the “Show Updates” check box at the top.

2. Open the Folder Options Control Panel. Click the View tab. Remove the check, if any, beside “Hide extensions for known file types.” While you’re at it, click the radio button beside “Show hidden files and folders” and uncheck the box beside “Hide protected operating system files.” Click OK. (Note: If children or computer novices use your computer, you’ll want to reverse these steps later.)

3. Start by searching your entire system boot drive for any file containing the letters “wga”.

4. If WGA is installed on your computer, the search should return the filenames WgaLogon.dll and WgaTray.exe in your \Windows\System32 folder. You’ll also find WGA’s LegitCheckControl.dll in the same folder (it won’t be in your search results because its name does not contain “wga”). You may well have several other search results, and we’ll come back to those later.

5. In the search results window, rename the following two files as shown:

WgaLogon.dll => WgaLogon.old
WgaTray.exe => WgaTray.old

6. Restart your computer.

7. Open the Start menu, choose Run, type “cmd” without the quotation marks and press Enter. This runs the Windows command-line console.

8. In the black command-line box, type the following line of text, then press Enter:

Regsvr32 %Windir%\system32\LegitCheckControl.dll /u

9. Restart your computer.

10. Use Windows Explorer (any folder window) to navigate to the \Windows\System32 folder and delete these files:


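The manual steps above can be driven from a script. What follows is an added example, not code from the original article or from Microsoft’s KB article: a PowerShell script for an Administrator session on Windows XP that creates the restore point, renames the two WGA files, unregisters LegitCheckControl.dll with the same regsvr32 call the article gives, and removes the Winlogon notification registration that loads WgaLogon.dll at logon (the registry edit the article’s warning alludes to but the excerpt above does not show). The file names come from the article; the variable names, the restore-point description and the use of the SystemRestore WMI class are the example’s own choices.

```powershell
# Added example (not from the article): automate the WGA Notifications removal
# steps for Windows XP. Run from an Administrator PowerShell session.
$ErrorActionPreference = 'Stop'
$sys32    = Join-Path $env:windir 'system32'
$wgaFiles = @('WgaLogon.dll', 'WgaTray.exe')          # file names from the article
$lcc      = Join-Path $sys32 'LegitCheckControl.dll'
# Winlogon notification package entry through which WgaLogon.dll is loaded at logon
$notify   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon'

# Restore point first, via the System Restore WMI class that ships with XP
# (RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE).
$sr = [wmiclass]'\\.\root\default:SystemRestore'
$null = $sr.CreateRestorePoint('Before WGA Notifications removal', 0, 100)

# Rename the two files to .old. NTFS allows renaming a running EXE or a loaded
# DLL even though it refuses to delete them, which is why the article renames
# first and deletes only after a reboot.
foreach ($name in $wgaFiles) {
    $path = Join-Path $sys32 $name
    if (Test-Path $path) {
        $newName = [IO.Path]::ChangeExtension($name, '.old')
        Rename-Item -Path $path -NewName $newName
        Write-Host "renamed $name -> $newName"
    } else {
        Write-Host "$name not found; WGA Notifications does not appear to be installed"
    }
}

# Unregister the validation ActiveX control (the article's regsvr32 call, run silently).
if (Test-Path $lcc) { & regsvr32.exe /u /s $lcc }

# Drop the Winlogon notification entry, otherwise Winlogon keeps trying to load
# the renamed DLL at every logon.
if (Test-Path $notify) {
    Remove-Item -Path $notify -Recurse
    Write-Host 'removed Winlogon\Notify\WgaLogon registration'
}

Write-Host 'Reboot now. After the reboot, delete the .old files and LegitCheckControl.dll from system32.'
```

Run it once, reboot, then delete the leftovers by hand as the article describes; Automatic Updates will still offer WGA Notifications again unless you hide the update.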
Microsoft hands out ‘private’ folders

Free software lets people store sensitive data on their home or work computers in a password-protected folder.

Microsoft has introduced Private Folder 1.0, free software that lets people store sensitive data on their home or work computers in a password-protected folder.

Private Folder 1.0, which is saved to a person’s desktop, aims to shield private data from others who have access to someone’s computer or account. How IT administrators will react if their users start hiding sensitive data in a private, password-protected folder remains to be seen. Microsoft does not offer support for the software.

“Private Folder 1.0 is a useful tool…to protect your private data when friends, colleagues, kids or other people share your PC or account,” the software giant said in its announcement.

People who want to download the software are first required to run their computers through the Windows Genuine Advantage program. The controversial antipiracy tool is designed to verify that people have a legitimate copy of Microsoft Windows.

Those using the software also must have Windows XP Home Edition, Professional Edition or Media Center Edition, with Service Pack 2. The software also needs a high-resolution Super VGA video adapter and monitor to work properly.

Some observers are raising concerns about the potential headaches Private Folder may create for IT administrators.

“Oh great, have they even thought about the impact this could have on enterprises? I’m already trying to frantically find information on this product so that A) I can block it on all our desktops and B) figure out how we then support it when users inevitably lose files. I can see the benefit in this product for home users, but it’s a bit of a sloppy release by Microsoft,” said an individual named Stuart Graham in a posting on MSBlog, a site related to Windows Server 2003.

Another individual, Daniel Goldleaf, said on MSBlog that companies should have terms of usage for corporate PCs that instruct employees not to download software onto their systems.

“If they install (Private Folder), uninstall it from Add/Remove Programs,” Goldleaf added.


Microsoft: Here’s how to halt WGA alerts

Microsoft released a new version of Windows Genuine Advantage Notifications on Tuesday and detailed how to remove the controversial antipiracy software.

The updated WGA Notifications package includes changes that respond to criticism Microsoft has faced over the software, the company said. It no longer checks in with Microsoft after each restart, for example.

“Our customers have told us that they were disappointed with their WGA Notifications experience, and we have made an effort to improve that with this update,” a Microsoft representative said in an e-mail interview.


WGA Notifications displays alerts on systems running a pirated copy of Windows and includes a separate tool called WGA Validation that runs a piracy check.

Microsoft has faced a lot of heat over WGA Notifications–in particular, because it delivered a prerelease version of the tool alongside security fixes, perhaps turning Windows users into unsuspecting guinea pigs. Also, WGA Notifications was found to ping a Microsoft server after each system restart, a behavior the company did not disclose.

While Microsoft is responding to some of the criticism, it said it will continue to distribute WGA Notifications via the Automatic Updates feature in Windows as a “high priority” update, even though it is not a security update. Some critics had argued that Microsoft should find another way to distribute the tool. Automatic Updates is a service intended to keep users secure by delivering software updates and drivers that help protect against the latest publicly known security threats and reliability issues.

“By using Automatic Updates, Microsoft is able to reach the greatest number of PC users,” a representative of the software company said. “Microsoft believes it has a right to know whether systems using a service intended for licensed customers are in fact licensed systems.”

Removing alert tool
For the first time, though, Microsoft is offering guidelines on how to remove WGA Notifications. Previously, it had said the software could not be uninstalled, leading others to develop numerous cracks and homegrown patches to counter the tool.

WGA Notifications still can’t be removed using the Windows “Add or Remove Programs” feature. Installing the new version will automatically remove the older version of the software.

But for those who don’t want the new release, Microsoft now provides step-by-step removal instructions for the old version in a support article on its Web site. It said those instructions will also work to uninstall the updated release of the antipiracy tool, but it said it doesn’t sanction that use–if you try to remove the latest version and mess up, you’re on your own.

“We have heard from customers that some wish to remove the software,” the company representative said. “Anyone who uninstalls…WGA Notifications will still have the new release offered to them via Automatic Updates or Windows Update. Uninstalling the newest version using these instructions is not tested, supported or recommended.”

Installation of WGA Notifications remains optional, though that might change in the future, the Microsoft representative said.

The update ends the trial period for WGA Notifications. Microsoft will now start pushing it to users worldwide. All users of English, Spanish, French, German, Italian, Dutch and Brazilian Portuguese language versions of Windows XP will soon be offered the updated software, Microsoft said. While WGA Notifications won’t “call home” to Microsoft, WGA Validation still periodically checks in with Microsoft, the software maker said.

Windows Genuine Advantage is a stepped-up effort by Microsoft to boost the number of Windows users who actually pay for the operating system. The company has said that roughly a third of Windows copies worldwide have not been acquired legitimately–as a boxed product or bundled onto a machine, for example.

Microsoft has gradually expanded its pirate-busting efforts. At the moment, Windows users must have their PC electronically approved before they can download add-on Microsoft software such as Windows Media Player and Windows Defender. When the antipiracy program started, validation was optional for downloads.

Counterfeit software hurts users and businesses, Microsoft has said. It also contends that pirated versions of Windows sometimes include malicious software and that sellers of legitimate copies of Windows can’t compete with the low prices offered by pirates.


Microsoft WGA Attracts Copycat Worm and Second Lawsuit

Security researchers have identified a worm virus masked to appear as Microsoft’s Windows Genuine Advantage anti-piracy program, while end users have filed a second lawsuit against the software giant’s use of the actual program.

Workers at anti-virus specialist Sophos were among the first to unearth the worm disguising itself as WGA. Dubbed by the firm as Cuebot-K, the virus is spreading over AOL’s popular instant messaging network posing as Microsoft’s controversial anti-piracy software.

Sophos said Cuebot-K registers itself on infected PCs as a system driver service named “wgavn” with the display name “Windows Genuine Advantage Validation Notification.” The service runs automatically at system startup, and its description tells anyone who inspects the services list that removing or stopping it will result in system instability.

Researchers indicated that once in place, Cuebot-K disables the Windows OS firewall and opens a backdoor to infected computers, which could potentially allow hackers to gain remote access of a machine to spy on users or launch DDOS (distributed denial-of-service) attacks.
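The indicators Sophos describes (a service named “wgavn” or carrying the WGA display name, and a disabled Windows Firewall) are easy to check for. The script below is an added example, not from the article or from Sophos: a PowerShell triage check for Windows XP SP2 and later. It relies on two assumptions stated in the comments: genuine WGA Notifications is a Winlogon notification DLL plus WgaTray.exe and installs no service, so any service calling itself “Windows Genuine Advantage” is suspect; and the firewall state is read from the XP SP2 Windows Firewall registry key for the standard profile (domain-joined machines may use the DomainProfile key instead).

```powershell
# Added example (not from the article or from Sophos): triage check for the
# Cuebot-K indicators described above. Run in an Administrator PowerShell session.
$ErrorActionPreference = 'Stop'
$findings = @()

# 1. Services borrowing the WGA name. Assumption: real WGA Notifications ships
#    as WgaLogon.dll + WgaTray.exe and registers no service, so a hit here is
#    an impostor. The worm uses service name "wgavn" and display name
#    "Windows Genuine Advantage Validation Notification".
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    if ($svc.Name -eq 'wgavn' -or $svc.DisplayName -like '*Genuine Advantage*') {
        $findings += "service '$($svc.Name)' ($($svc.DisplayName)) start=$($svc.StartMode) state=$($svc.State) image=$($svc.PathName)"
    }
}

# 2. Firewall state. The worm disables the Windows Firewall; on XP SP2 the
#    standard profile stores EnableFirewall = 1 when the firewall is on.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwKey -ErrorAction SilentlyContinue
if ($fw -eq $null -or $fw.EnableFirewall -ne 1) {
    $findings += 'Windows Firewall (standard profile) is disabled or its policy key is missing'
}

# 3. Report. A flagged service should be stopped and its image file sent to your
#    AV vendor; the "system instability" warning in its description is the worm's.
if ($findings.Count -eq 0) {
    Write-Host 'No Cuebot-K indicators found'
} else {
    foreach ($f in $findings) { Write-Host "SUSPECT: $f" }
}
```

The service check is the more reliable of the two: a disabled firewall has many innocent causes, but a service with that name and no Microsoft-signed image path has none.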


Adding to the threat is widespread controversy over WGA that has forced Microsoft to offer an updated version of the program, a previous iteration of which some people have labeled as having spywarelike capabilities. End users looking for that update could unknowingly expose themselves to Cuebot-K, experts said.

“People may think they have been sent the file from one of their AOL IM buddies, but in fact the program has no friendly intentions, and technical Windows users wouldn’t be surprised to see WGA in their list of services, and so may not realize that the worm is using that name as a cloak to hide the fact that it has infected the PC,” said Graham Cluley, senior technology consultant at Sophos, based in Abingdon, U.K. “Once in place, this malware disables the firewall and opens a backdoor by which hackers can gain control over your computer to steal, spy and launch DOS attacks.”

Microsoft representatives didn’t immediately return calls seeking comment on the WGA-themed virus.

Adding to the company’s headaches over WGA, Microsoft has also been hit with a second class-action lawsuit filed over the capabilities of a previous version of the anti-piracy software.


In a case filed on June 29 in the U.S. District Court in Seattle, plaintiffs Engineered Process Controls and Univex, along with individual end users David DiDomizio, Edward Misfud and Martin Sifuentes, have charged that Microsoft’s technology amounts to a form of spyware.


The suit specifically contends that Microsoft intentionally duped its customers by delivering WGA as part of a critical security update without telling them that the anti-piracy program would secretly communicate with its own servers. Since the program “gathers data that can easily identify individual PCs,” including a machine’s IP address and BIOS information, and could potentially be used to gather other types of information, it is akin to malicious threats, the suit claims.

In doing so, WGA violates Washington’s existing anti-spyware laws, according to the suit, which mirrors a similar claim filed by a California man on June 26. That legal action, brought forward in the U.S. District Court in Seattle by Los Angeles resident Brian Johnson, claims that Microsoft failed to properly disclose all the details of WGA when the technology, meant to help stop the widespread pirating of Microsoft’s Windows operating system, was upgraded in April.


While WGA was first introduced in 2004, the suit alleges that the feature became similar to a form of spyware when it was expanded to include a system that made contact with Microsoft’s servers to help the company identify people who may be using pirated versions of its market-leading operating system.

The updated version of the WGA tool included two separate components, WGA Validation and WGA Notifications, which, respectively, promised to determine whether a copy of Windows is pirated or not and alert users who Microsoft believes are running illegal copies of its software. However, WGA’s notification aspect was discovered to have been “phoning home” to Microsoft’s servers on a daily basis, touching off a wave of controversy among those who believe the feature could be used by Microsoft to keep tabs on people using its software.


On June 27, Microsoft responded to the controversy by announcing an updated version of the tool, delivered to millions of Windows XP users via Automatic Updates, with one major change. Previously, a PC that had installed WGA Notifications checked a server-side configuration setting at each log-in to determine whether WGA Notifications should run. That daily configuration check has been removed in the updated WGA Notifications package.

The company said WGA Validation still will check periodically to determine whether the version of Windows is genuine. Microsoft officials did not immediately respond to calls seeking comment on the new WGA lawsuit, but have labeled the claims of the initial class-action suit as “without merit.”

“This [suit] distorts the real objectives of the [WGA] program and obscures the real issue, which is the harm to consumers posed by software piracy,” Jim Desler, a Microsoft spokesperson, said of Johnson’s lawsuit. “As with all of our programs we’ve gotten constructive customer feedback, the program has evolved and we’ve made improvements; Microsoft continues its efforts to foster better communications with its customers.”


MS’ Genuine Advantage Attracts Worm, Second Lawsuit

Malware writers have created a new worm virus disguised as Microsoft’s Windows Genuine Advantage, the real version of which has been targeted by a second lawsuit.

Microsoft Faces Second WGA Lawsuit

Two Washington state businesses and three Seattle residents have filed a second lawsuit against Microsoft over its Windows Genuine Advantage program. The suit alleges that legitimate customers are receiving non-licensed notifications every hour, and seeks class-action status.

According to a copy of the court filing published by the Seattle PI, the plaintiffs argue that all customers who have Automatic Updates enabled will receive WGA whether they wish to or not. In addition, the lawsuit claims that end-users are deceived into thinking the software is a security update and "are not told that the program ‘phones home’ daily."


The first lawsuit — filed in California last week — made similar complaints, alleging that Microsoft’s WGA functionality violated the state’s anti-spyware statutes, as well as laws in Washington. Also seeking class-action status, that case does not ask for monetary damages, only an injunction to prevent the use of the phone home feature in future WGA releases.

WGA Notifications , the component responsible for connecting to Microsoft’s servers each day to check for a configuration file, was officially rolled out worldwide last week. The final release removed the daily check, but WGA will still communicate with Microsoft periodically.

When asked how often customers’ computers will connect to Microsoft, the company told BetaNews, "The frequency varies depending upon license type, but typically takes place every 90 days or so. This enables Microsoft to update our list of bad keys, and ensure that newly discovered counterfeits are not proliferating."

The second lawsuit against WGA goes further than the first, demanding that Microsoft provide an automatic update to remove WGA and enable users to download any updates without having the program installed. As of July 2005, customers that do not pass WGA certification may not download non-critical updates and many programs from the Microsoft Download Center.

In addition, the filing asks that Microsoft work with security vendors to enable the removal of WGA using antivirus applications. It also says Microsoft should waive any claim it has under the Digital Millennium Copyright Act regarding individuals that investigate or remove WGA.

Compensation for consumers who have been harmed by WGA, and attorney’s fees are additionally requested.

For its part, Microsoft has said that users can choose not to install the new version of WGA Notifications. The company is also providing instructions on how to remove the previous version of the software for those who do not want to upgrade to the official release.

Microsoft says it continues to modify WGA based on customer feedback, noting that the tool plays a critical role in stopping piracy of Windows, and protects customers from counterfeit versions of the operating system that may not be secure.


Anti-piracy tool confuses users – WGA

(Image: Windows XP is used in millions of homes and businesses.)

An anti-piracy check for Microsoft Windows is causing problems for some users who are being told their copies of operating system XP are not genuine.

The tool, called Windows Genuine Advantage (WGA), is aimed at cracking down on millions of illegal copies of Windows XP in circulation.

The tool is downloaded and installed voluntarily but Microsoft has said it could become mandatory in the future.

Blogs and forums have been hit with comments and queries about the tool.

The tool was downloaded as part of a wave of security updates Microsoft offered to users. If it is not installed Windows XP will periodically remind people to download and run the program.

On the official Microsoft forum for WGA, thousands of people have left confused comments.

One person posted: “I have a Microsoft sticker on the back of the computer with 25 characters.

“Doesn’t that assure me that the XP version on the CPU [Central Processing Unit] is genuine? Why everything was okay before (for three years) and suddenly I get this from Microsoft…”

Readers of the BBC News website have also reported their computers being forced to dial up to the net with their modems every time they reboot, or having problems with brand new equipment.

WGA requires users to enter the key code that comes with every copy of Windows XP.

If the code is not genuine or has been used by someone else, users are told that they do not have a licence to use XP and are invited to buy a genuine copy at a discount price.

Counterfeit copy

Users with a counterfeit copy of Windows XP can continue to use their computer and will receive periodic notices that the operating system is unlicensed.

(Image: A shop in Vietnam encourages users to buy genuine products.)

Michala Alexander, head of anti-piracy for Microsoft, in the UK, said the tool had been a huge success in countering piracy.

“Customers have been crying out for a tool which could tell them if they have been duped,” she said.

But she admitted that the company could have been a bit more “open and honest” about the pilot tool when it was launched.

Ms Alexander said Microsoft had listened to users and updated WGA accordingly.

According to Microsoft 15% of operating systems checked so far have proved to be counterfeit in the UK.

Microsoft has said it will not deny users access to their computer if the key code is not correct and has reassured people that it does not use the tool to collect personal data.

But some people have complained of glitches with the WGA tool that means they are being told erroneously they are using a counterfeit copy of XP.

In its information for users Microsoft says that “validation failure is almost always caused by the use of a non-genuine Windows licence”.

Microsoft says it has successfully validated more than 150 million systems.


Ms Alexander said many of the problems stemmed from XP being installed incorrectly or if a machine had been sent for a repair and a new version of XP was installed with a generic key code.

“We are 100% adamant that key codes blocked by WGA are illegal,” she said.

Microsoft has also admitted that the tool can produce false positives, and that a system that initially passes the check could later fail it.

Once installed the tool checks the copy of Windows XP periodically.

Microsoft is determined to crack down on piracy before it releases its next operating system, called Vista, in January.

Why Microsoft would want WGA to phone home

As the debate over Windows Genuine Advantage rages on, Microsoft is attempting to rein in speculation that the antipiracy tool could be used to put an abrupt end to the use of pirated versions of Windows. A spokesperson for the company firmly denied that the tool would be used in such a manner, saying that “No, Microsoft antipiracy technologies cannot and will not turn off your computer.” Confusion remains over just what WGA is designed to do.

Dislike for WGA and what it represents has been brewing for years, stemming back to the release days of Windows XP. At that time, Microsoft required new copies of the Windows XP operating system to “activate” over the Internet using Windows Product Activation (WPA), a process that required a user’s consent to send identifying information about their computer and OS to the company. While that information was essentially nothing more than an authenticity code coupled with select system specifications, many users were uncomfortable with the tactic. Still, it was much like a tetanus shot: one quick prick, and it was over.

Piracy, of course, lived on, and WPA has largely been assessed as a victory only to the extent that it stopped many forms of casual piracy. With Windows Genuine Advantage, Microsoft is looking to improve on the anti-piracy tools of 2001, and WGA is best understood as the heir to WPA. Whereas the original tools only required activation once in the first 30 days of use, WGA is designed to constantly monitor a system’s licensed state. In very general terms, the idea is to make life as a so-called pirate difficult.

Check it out!