Vulnerability Development mailing list archives

RE: Recovering the activation key from a Win2K installation

From: "Steven Evans" <steve () netwaynetworks com au>
Date: Wed, 27 Jun 2001 22:20:23 +1000

that is like saying "goto system properties and write down the key there".
The question states how can you get the CD-Key from an installation, not the
product key.  The product key is the un-encrypted, version of the 25-digit
activation key.

From what i have seen through hacking through windows is that atleast 5

digits of that key constitutes a product code (ie Windows Server family key
or Windows Workstation family key), a upgrade or full install or Australian
"must register twice"/OfficeXP-registration-styled code (ie, if you have
office 2k premium cd upgrade, and use a o2k premium full version product
key, it acts like a full-version install), and then a unique id and quite
possibly checksums in there too.

Therefore, i dont think it is possible of reverse-compiling the code without
knowing what their key algorithm is :(

Cheers

-----Original Message-----
From: George Bolton [mailto:george.bolton () digitalcinemaadvertising com]
Sent: Wednesday, June 27, 2001 1:27 AM
To: vuln-dev () securityfocus com
Subject: Re: Recovering the activation key from a Win2K installation


Short answer:  You're right.

Product ID keys can be recovered from the registry quite quickly.  I've
looked at this directly for Windows 95, 98, ME and 2kPro.  Can't speak with
authority on NT4 as I've not got one to hand.

Please excuse the step-by-step here.  Not wishing to question your
expertise, but is you're not familiar with the registry then it can become
quite a minefield.  Careless editing of the registry can cause serious
problems, so please be careful not to modify things, just look around.

From your Start Menu, choose Run, then type REGEDIT in the box and click OK.


You will see the Registry Editor start, it looks a bit like an Explorer
window.  On the left are the keys, on the right is the data.  The registry
can be navigated in much the same way that Explorer can, for example when
you see a little + sign next to a folder, click on it and the subfolders
will be displayed, select it and the contents of the folder will be shown in
the right hand pane.

For Windows 95, navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion and look for an
entry in the right pane called "ProductId"

In Windows 98 and ME, navigate to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and look for an
entry called "ProductKey"

In Windows 2000, there are in fact two entries, both called "ProductKey",
one under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and
another in HKEY_LOCAL_MACHINE\Software\Microsoft\WinNT\CurrentVersion.
Presumably the reason for the second entry is for backward compatibility,
but I'm not sure.


A way of introducing a limited form of protection for your key would be to
create a Windows policy which prevents access to the registry editor by all
bar the administrative users.  However, you should note that there are a
number of quick and easy ways of getting around Windows' Policies.  There
are many pieces of software on the market that will assist you in this,
should you wish to go down that road.  I have used "S to Infinity" from
Winvista with a great deal of success, but I'm sure that others will be able
to pass recommendations as well.

Regards

George Bolton
Network & Communications Manager
Digital Cinema Advertising Ltd
T +44 (0) 7050 697394
F +44 (0) 7050 665295



----- Original Message -----
From: "Juan M. Courcoul" <courcoul () campus qro itesm mx>
To: "Vuln-Dev" <VULN-DEV () SECURITYFOCUS COM>
Sent: Monday, June 25, 2001 6:28 PM
Subject: Recovering the activation key from a Win2K installation

Please bear with me, as I only pretend to have a limited knowledge of
Windows internals enough to survive its use.

A discussion arose as to the security of Windows 2000's activation key,
aka the CD or Product Key. A colleague who handles Win2K installations
insisted that once you have keyed in the 29-character string and
activated the OS during a full new install, it is unrecoverable and
hence safe to install in student labs, etc., without the risk of
compromising the corporate license. She went so far as to claim that
even a user with Administrator privileges couldn't get it back.

My gut feeling is that this is bull and constitutes a prime example of
"assumed security thru ignorance".

Would you kind Windows gurus please tell me who's got it right this time ?

J. Courcoul

Current thread:

Valid characters on one o/s are invalid on another Kayne Ian (Softlab) (Jun 25)
- Re: Valid characters on one o/s are invalid on another Juan M. Courcoul (Jun 26)
  - Recovering the activation key from a Win2K installation Juan M. Courcoul (Jun 26)
    - Re: Recovering the activation key from a Win2K installation George Bolton (Jun 26)
    - RE: Recovering the activation key from a Win2K installation Steven Evans (Jun 27)
    - Re: Recovering the activation key from a Win2K installation Bryan Allerdice (Jun 27)
    - Re: Recovering the activation key from a Win2K installation meiso (Jun 29)
    - Re: Recovering the activation key from a Win2K installation Technical Support (Jun 30)
    - Re: Recovering the activation key from a Win2K installation Bryan Allerdice (Jun 27)
    - Re: Recovering the activation key from a Win2K installation Zow (Jun 27)
- Re: Valid characters on one o/s are invalid on another Sander Smeenk (CistroN Medewerker) (Jun 26)
- Re: Valid characters on one o/s are invalid on another Craig Boston (Jun 26)
  - Re: Valid characters on one o/s are invalid on another James Robbins (Jun 26)
    - Re: Valid characters on one o/s are invalid on another Meritt James (Jun 27)
    - Re: Valid characters on one o/s are invalid on another Craig Boston (Jun 27)

(Thread continues...)