Re: Fwd: Vista Reduced Function mode triggered

[Larry Seltzer <Larry () larryseltzer com>]

> > This was I believe part of a recently published way to circumvent the
licensing process where a VMWare image of a hacked licensing server was
used.

I'm sure it's irrelevant to the thread, but here's that story:
http://www.microsoft-watch.com/content/vista/another_vista_activation_cr
ack_appears.html 

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of kevin
fielder
Sent: Tuesday, January 02, 2007 6:15 AM
To: jammer128 () gmail com; full-disclosure () lists grok org uk
Subject: [Full-disclosure] Fwd: Vista Reduced Function mode triggered

 I have no idea if the below is expected behavior or not, but for
business / education etc usage you can set up a server that deals with
license management and activation - thus only that and not all internal
machines needs to be able to 'phone home'.  The internal machines just
need to be able to talk to the license management server (sorry can't
recall what M$ actually call this server).

This was I believe part of a recently published way to circumvent the
licensing process where a VMWare image of a hacked licensing server was
used.

cheers

K


 ________________________________

From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Jason
Miller
Sent: 02 January 2007 07:45
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] Vista Reduced Function mode triggered


lol i want to see this happen in a .edu unit where you can only access
the internet by going through a limited HTTP proxy that does not allow
the connect function, think it would give humourous results. unless it
'phones home' by visiting a page and printing said info, which in that
case it would probably be simple enough to modify the server it goes to
and make it think its going to microsoft, in that event you could easily
get cd keys if thats how it verifies its a real vista copy.


On 1/1/07, Geo. <geoincidents () nls net> wrote:
> > It just can't be that simple. There has to be more to what happened 
> > to the guy. Lots of computers are offline for several days at a 
> > time, it's inconceivable that they didn't test that.
>
> Ok, as complete as I can be in the few minutes I have to post this.
>
> During those three days I did a lot of poking around, stopping and 
> starting services, switching from wired to wireless and back, trying 
> to view high def video (which I still am not able to do in any video 
> player except WMP for some reason) installing codecs and software, 
> running into the event ID 4226 tcp security connect limit, etc.
>
> However I never got any notification of deactivation or any problem of

> that sort. Then on the third day suddenly solitaire would not start up

> and I couldn't get into network properties. I did a bunch of rebooting

> and trouble shooting trying to figure that out but got nowhere.
>
> So I went back to trying to get high def video to work in Media player

> classic and figured perhaps it was trying to download a codec so I 
> removed the routes. It didn't help the video but I quickly found 
> network properties started working. So then I tried solitaire and it 
> worked. This was all directly after removing the routes, there wasn't 
> but a few minutes between letting it talk to the net and these apps
starting to work again.
> I decided this was probably reduced functionality in action but since 
> I had never seen it before I needed some way to trigger it so I could 
> compare since it would take 3 days to reproduce with route blocking. I

> disabled the software licensing service since it claims disabling that

> service will kick off reduced functionality mode. Nothing happened 
> immediately but 24 hours later solitaire and network properties (and 
> now control panel) would not start up. It was exactly the same apps 
> and behavior. I enabled and started the software licensing service and

> in seconds things returned to fully functional just like removing the
routes did.
> So it's possible the routes didn't trigger it, but removing them sure 
> cured it quickly so that is my guess at this point. Further testing is

> needed. I won't be testing it for a couple days as I need the laptop 
> connected to other networks to try some other software I need to test.

> (that tcp limit may prove a problem for network monitoring)
>
> Geo.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/