RE: Recovering the activation key from a Win2K installation

From: Steven Evans (steveat_private)
Date: Wed Jun 27 2001 - 05:20:23 PDT


    That is like saying "go to system properties and write down the key there".
    The question states how can you get the CD-Key from an installation, not the
    product key.  The product key is the unencrypted version of the 25-digit
    activation key.
    
    From what I have seen through hacking through Windows is that at least 5
    digits of that key constitute a product code (i.e. Windows Server family key
    or Windows Workstation family key), an upgrade or full install or Australian
    "must register twice"/OfficeXP-registration-styled code (i.e., if you have
    Office 2k Premium CD upgrade, and use an O2k Premium full version product
    key, it acts like a full-version install), and then a unique ID and quite
    possibly checksums in there too.
    
    Therefore, I don't think it is possible to reverse-compile the code without
    knowing what their key algorithm is :(
    
    Cheers
    
    -----Original Message-----
    From: George Bolton [mailto:george.boltonat_private]
    Sent: Wednesday, June 27, 2001 1:27 AM
    To: vuln-devat_private
    Subject: Re: Recovering the activation key from a Win2K installation
    
    
    Short answer:  You're right.
    
    Product ID keys can be recovered from the registry quite quickly.  I've
    looked at this directly for Windows 95, 98, ME and 2kPro.  Can't speak with
    authority on NT4 as I've not got one to hand.
    
    Please excuse the step-by-step here.  Not wishing to question your
    expertise, but if you're not familiar with the registry then it can become
    quite a minefield.  Careless editing of the registry can cause serious
    problems, so please be careful not to modify things, just look around.
    
    From your Start Menu, choose Run, then type REGEDIT in the box and click OK.
    
    You will see the Registry Editor start, it looks a bit like an Explorer
    window.  On the left are the keys, on the right is the data.  The registry
    can be navigated in much the same way that Explorer can, for example when
    you see a little + sign next to a folder, click on it and the subfolders
    will be displayed, select it and the contents of the folder will be shown in
    the right hand pane.
    
    For Windows 95, navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion and look for an
    entry in the right pane called "ProductId"
    
    In Windows 98 and ME, navigate to
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and look for an
    entry called "ProductKey"
    
    In Windows 2000, there are in fact two entries, both called "ProductKey",
    one under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion and
    another in HKEY_LOCAL_MACHINE\Software\Microsoft\WinNT\CurrentVersion.
    Presumably the reason for the second entry is for backward compatibility,
    but I'm not sure.
    
    
    A way of introducing a limited form of protection for your key would be to
    create a Windows policy which prevents access to the registry editor by all
    bar the administrative users.  However, you should note that there are a
    number of quick and easy ways of getting around Windows' Policies.  There
    are many pieces of software on the market that will assist you in this,
    should you wish to go down that road.  I have used "S to Infinity" from
    Winvista with a great deal of success, but I'm sure that others will be able
    to pass recommendations as well.
    
    Regards
    
    George Bolton
    Network & Communications Manager
    Digital Cinema Advertising Ltd
    T +44 (0) 7050 697394
    F +44 (0) 7050 665295
    
    
    
    ----- Original Message -----
    From: "Juan M. Courcoul" <courcoulat_private>
    To: "Vuln-Dev" <VULN-DEVat_private>
    Sent: Monday, June 25, 2001 6:28 PM
    Subject: Recovering the activation key from a Win2K installation
    
    
    > Please bear with me, as I only pretend to have a limited knowledge of
    > Windows internals enough to survive its use.
    >
    > A discussion arose as to the security of Windows 2000's activation key,
    > aka the CD or Product Key. A colleague who handles Win2K installations
    > insisted that once you have keyed in the 29-character string and
    > activated the OS during a full new install, it is unrecoverable and
    > hence safe to install in student labs, etc., without the risk of
    > compromising the corporate license. She went so far as to claim that
    > even a user with Administrator privileges couldn't get it back.
    >
    > My gut feeling is that this is bull and constitutes a prime example of
    > "assumed security thru ignorance".
    >
    > Would you kind Windows gurus please tell me who's got it right this time ?
    >
    > J. Courcoul
    >
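
An added example, not part of the original messages: a Python check that scans a registry export (.reg text) for the ProductId and ProductKey values at the locations George Bolton's message lists, and reports whether each is stored as a readable string without echoing it. The sample export, its values and the 5x5 key-shape pattern are constructed assumptions.

```python
import re

# Key paths and value names as given in the message above; registry names are
# case-insensitive, so everything is compared in lower case.
WATCHED = {
    r"hkey_local_machine\software\microsoft\windows\currentversion": {"productid", "productkey"},
    r"hkey_local_machine\software\microsoft\winnt\currentversion": {"productkey"},
}
# Assumed key shape: five dash-separated groups of five characters (29 with dashes).
KEY_SHAPE = re.compile(r"^[A-Z0-9]{5}(-[A-Z0-9]{5}){4}$")

# Constructed sample export; the ID and key values are made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"ProductId"="00000-000-0000000-00000"
"ProductKey"="AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\Software\Microsoft\WinNT\CurrentVersion]
"ProductKey"="AAAAA-BBBBB-CCCCC-DDDDD-EEEEE"

[HKEY_LOCAL_MACHINE\Software\Example]
"ProductKey"="not-a-watched-location"
'''

def find_exposed(reg_text):
    """Return (key path, value name, has_5x5_shape) for watched string values."""
    findings, section = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # entering a new key
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)   # plain string values only
        if not m or section is None:
            continue
        name, value = m.groups()
        if name.lower() in WATCHED.get(section.lower(), ()):
            # Record presence and shape only; the value itself is never stored.
            findings.append((section, name, bool(KEY_SHAPE.match(value))))
    return findings

if __name__ == "__main__":
    for path, name, full in find_exposed(SAMPLE_REG):
        print(f"{path}\\{name}: readable string present, 5x5 key shape={full}")
```
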
    



    This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 08:50:51 PDT