I’ve been hanging out with a bad crowd lately.
In the interest of research, I’ve been digging into message boards and forums run by unabashed Windows enthusiasts who are intent on breaking Microsoft’s activation technology. I’ve had these forums bookmarked for years and stop in every once in a while just to see what’s new. This time I decided to drop by and actually try some of tools and utilities to see if I could become a pirate, too.
Unfortunately, I succeeded.
In this post, I’ll share my experiences, including close encounters with some very nasty malware and some analysis on how the latest showdown between Microsoft and the pirates is likely to play out.
You won’t find names or direct links here—although these guys seem like genuine enthusiasts, I have no intention of giving them any free publicity. But if you’re interested in tracking down the tools I tested you should have no trouble finding them using the clues available in screenshots and descriptions here.
If you do intend to try this stuff out for yourself, I recommend extreme caution. My hunt for utilities that bypass Windows 7 activation technologies led me to some very seedy corners of the Internet. First, I did what any red-blooded wannabe pirate would do and tried some Google searches. Of the first 10 hits, six were inactive or had been taken down. After downloading files from the remaining four sites, I submitted them to Virustotal.com, where three of the four samples came back positive for nasty, difficult-to-remove Windows 7 rootkits. Here's one example:
And that experience is borne out by at least one real-world experience, which was reported, ironically, in the Talkback section of that blog. After he wrote about Microsoft's most recent anti-piracy initiative last week, one commenter (a loud, proud Linux advocate) insisted that the update opened a secret back-channel, probably as part of a plot by Microsoft to covertly gain access to its customers' PCs. A day or so later, after checking with his Windows-using friend, he returned with this sheepish admission:
It turns out his iso was not a bona fide purchased copy [of Windows 7], but rather a cracked version off of the net. In all likelihood the iso was trojaned…
Indeed. Which is why I exercised extraordinary caution. For my hands-on tests, I used a fresh copy of Windows 7 Ultimate, installed without a product key. I then looked at two widely distributed tools that work in completely different ways.
Disabling Windows activation completely
A clever little tool called RemoveWAT not only disables Microsoft’s activation subsystem, it also installs the latest anti-piracy update from Microsoft and then disables it, too!
Fooling Windows by tinkering with the BIOS
Big PC makers get to install copies of Windows that don’t require activation. Naturally, pirates soon figured out how to make any PC look like it came from one of those big factories.
Microsoft versus the pirates
Pirates are clever and fast. Microsoft is highly motivated to keep its lucrative Windows revenue stream intact. Are customers going to get caught in the crossfire?
RemoveWAT first appeared last summer, around the time Windows 7 was released to manufacturing. The philosophy behind this small utility is simple: It disables the Windows Activation Technologies function while allowing the system to retain its Genuine status in every official check by Microsoft. The most recent version claims to work with all editions of Windows 7 and Windows Server 2008 R2. (It does not work with Windows Vista or Windows Server 2008.)
I downloaded the most recent edition of RemoveWAT (v2.2.5) and verified that it was clean. The single .exe file is small (less than 7MB), and the UI is simple:
After clicking the Remove WAT button and rebooting, I noticed a subtle but significant change in the System properties dialog box. The section describing my system’s activation status was gone. There was no sign of a Product ID or activation status. Nothing. Previously, a message in that section had told me that I had 30 days left to activate.
A close inspection of the
Windows\System32 folder explained why. RemoveWAT installed its own patched version of a crucial DLL file in the Software Licensing subsystem, Slwga.dll. Thoughtfully, the program’s developer had coded it to save a backup of the actual file so that it could be restored if necessary. (And when I tested the Restore WAT function, I found it worked just fine on my system.)
As far as Windows was concerned, the system was perfectly valid. I was able to download and install optional updates through Windows Update and successfully validated the system so that I could install products reserved for Genuine Windows customers. I was also able to install Microsoft Security Essentials, which performs a validation check during setup.
In a fitting piece of irony, the most recent version of RemoveWAT actually goes out of its way to install Microsoft’s WAT Update (KB971033-KB890830), which is designed to detect and remove tampering by programs like… well, like RemoveWAT. The pirate code remained working even when I ran the WAT update manually.