Piracy

Confessions of a Windows 7 pirate

I’ve been hanging out with a bad crowd lately.

In the interest of research, I’ve been digging into message boards and forums run by unabashed Windows enthusiasts who are intent on breaking Microsoft’s activation technology. I’ve had these forums bookmarked for years and stop in every once in a while just to see what’s new. This time I decided to drop by and actually try some of the tools and utilities to see if I could become a pirate, too.

Unfortunately, I succeeded.

In this post, I’ll share my experiences, including close encounters with some very nasty malware and some analysis on how the latest showdown between Microsoft and the pirates is likely to play out.

You won’t find names or direct links here—although these guys seem like genuine enthusiasts, I have no intention of giving them any free publicity. But if you’re interested in tracking down the tools I tested you should have no trouble finding them using the clues available in screenshots and descriptions here.

If you do intend to try this stuff out for yourself, I recommend extreme caution. My hunt for utilities that bypass Windows 7 activation technologies led me to some very seedy corners of the Internet. First, I did what any red-blooded wannabe pirate would do and tried some Google searches. Of the first 10 hits, six were inactive or had been taken down. After downloading files from the remaining four sites, I submitted them to Virustotal.com, where three of the four samples came back positive for nasty, difficult-to-remove Windows 7 rootkits. Here’s one example:

 

Exercise extraordinary caution. For my hands-on tests, I used a fresh copy of Windows 7 Ultimate, installed without a product key. I then looked at two widely distributed tools that work in completely different ways.

Page 2: Disabling Windows activation completely. A clever little tool called RemoveWAT not only disables Microsoft’s activation subsystem, it also installs the latest anti-piracy update from Microsoft and then disables it, too!

Page 3: Fooling Windows by tinkering with the BIOS. Big PC makers get to install copies of Windows that don’t require activation. Naturally, pirates soon figured out how to make any PC look like it came from one of those big factories.

Page 4: Microsoft versus the pirates. Pirates are clever and fast. Microsoft is highly motivated to keep its lucrative Windows revenue stream intact. Are customers going to get caught in the crossfire?

Disabling Windows activation checks completely

RemoveWAT first appeared last summer, around the time Windows 7 was released to manufacturing. The philosophy behind this small utility is simple: It disables the Windows Activation Technologies function while allowing the system to retain its Genuine status in every official check by Microsoft. The most recent version claims to work with all editions of Windows 7 and Windows Server 2008 R2. (It does not work with Windows Vista or Windows Server 2008.)

I downloaded the most recent edition of RemoveWAT (v2.2.5) and verified that it was clean. The single .exe file is small (less than 7MB), and the UI is simple:

After clicking the Remove WAT button and rebooting, I noticed a subtle but significant change in the System properties dialog box. The section describing my system’s activation status was gone. There was no sign of a Product ID or activation status. Nothing. Previously, a message in that section had told me that I had 30 days left to activate.

A close inspection of the Windows\System32 folder explained why. RemoveWAT installed its own patched version of a crucial DLL file in the Software Licensing subsystem, Slwga.dll. Thoughtfully, the program’s developer had coded it to save a backup of the actual file so that it could be restored if necessary. (And when I tested the Restore WAT function, I found it worked just fine on my system.)

As far as Windows was concerned, the system was perfectly valid. I was able to download and install optional updates through Windows Update and successfully validated the system so that I could install products reserved for Genuine Windows customers. I was also able to install Microsoft Security Essentials, which performs a validation check during setup.

In a fitting piece of irony, the most recent version of RemoveWAT actually goes out of its way to install Microsoft’s WAT Update (KB971033), which is designed to detect and remove tampering by programs like… well, like RemoveWAT. The pirate code remained working even when I ran the WAT update manually.

Fooling Windows by tinkering with the BIOS

The other popular approach toward cracking Windows activation takes advantage of the difference between retail and OEM copies of Windows. Retail copies have to be activated using a unique serial number. OEM copies from large system makers (Dell, Toshiba, HP, and so on, collectively known as Royalty OEMs) use a technique called System Locked Preinstallation (SLP). The preinstalled copy of Windows uses a single master product key tied to specific information in the system BIOS that is unique to that manufacturer’s systems. If the encrypted licensing information in the preinstalled copy of Windows matches the information in the BIOS, no activation is required.

Windows pirates figured out how to exploit this hack around the time Windows Vista was launched. The Windows 7 Loader program, which I used on a test system, looks at your PC’s BIOS to see whether it contains an ACPI_SLIC table with software licensing information (“markers” for the Windows operating system and the name of the computer maker). If the SLIC table is present, the tool installs the correct product key for your Windows 7 edition along with a digital certificate; the combination mimics a legitimate OEM preinstallation. For systems with a BIOS that doesn’t contain the proper SLIC tables (a scenario I didn’t test), it uses an alternate boot loader (typically some variant of GRUB) and installs BIOS emulation code to fool the system into thinking your system is a legitimate OEM installation. You can use the one-click installer or select from advanced options to personalize your PC by choosing a particular brand.

In this case, I had installed a retail copy of Windows 7 Home Premium on a relatively new system (purchased in mid-2009) that was originally licensed for Windows Vista. I didn’t enter a product key during setup, and I had gone more than 30 days without activating. Here’s what I saw when I ran W7Loader:

The installer correctly detected the brand (Dell) and Windows 7 edition. When I clicked the Install Certificate and Serial button on the right, I was greeted with this message:

The system, which had never been activated, had previously been nagging me with “non-Genuine” warning messages. As soon as the pirate tool completed its work, the watermark on the black desktop went away and the System properties dialog box told me I was activated with a Dell OEM product ID.
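For administrators who want to audit machines for the branding mismatch this section describes, the following added example (not part of the original article, and not code from any tool it mentions) parses the standard 36-byte ACPI table header of a SLIC dump, verifies its checksum, and compares the OEM ID with the vendor the hardware reports. The function names, the sample table and the substring comparison are assumptions made for illustration; on Linux the real inputs can be read from /sys/firmware/acpi/tables/SLIC and /sys/class/dmi/id/sys_vendor.

```python
"""Audit an ACPI SLIC table dump against the DMI vendor (added example)."""
import struct
from dataclasses import dataclass

# Standard ACPI table header, little-endian, 36 bytes:
# signature, length, revision, checksum, OEM ID, OEM table ID,
# OEM revision, creator ID, creator revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9  # byte position of the checksum field


@dataclass
class AcpiHeader:
    signature: str
    length: int
    checksum_ok: bool
    oem_id: str
    oem_table_id: str


def parse_acpi_table(blob: bytes) -> AcpiHeader:
    """Decode the header and validate the length and checksum fields."""
    if len(blob) < ACPI_HEADER.size:
        raise ValueError("shorter than the 36-byte ACPI header")
    sig, length, _rev, _ck, oem_id, table_id, _, _, _ = ACPI_HEADER.unpack_from(blob)
    if length < ACPI_HEADER.size or length > len(blob):
        raise ValueError("length field inconsistent with the data supplied")
    # All bytes of a valid ACPI table sum to zero modulo 256.
    checksum_ok = sum(blob[:length]) % 256 == 0
    return AcpiHeader(
        signature=sig.decode("ascii", "replace"),
        length=length,
        checksum_ok=checksum_ok,
        oem_id=oem_id.decode("ascii", "replace").rstrip(" \x00"),
        oem_table_id=table_id.decode("ascii", "replace").rstrip(" \x00"),
    )


def audit_slic(blob: bytes, dmi_vendor: str) -> list:
    """Return a list of findings; an empty list means nothing looked odd."""
    try:
        hdr = parse_acpi_table(blob)
    except ValueError as exc:
        return [f"malformed table: {exc}"]
    findings = []
    if hdr.signature != "SLIC":
        findings.append(f"unexpected signature {hdr.signature!r}")
    if not hdr.checksum_ok:
        findings.append("checksum does not sum to zero")
    # Assumption: a simple case-insensitive substring match. Real OEM IDs do
    # not always appear literally in the vendor string, so treat a mismatch
    # as a reason to look closer, not as proof of tampering.
    if not hdr.oem_id or hdr.oem_id.lower() not in dmi_vendor.lower():
        findings.append(
            f"OEM ID {hdr.oem_id!r} not found in DMI vendor {dmi_vendor!r}"
        )
    return findings


def constructed_table(oem_id: bytes, body_len: int = 16) -> bytes:
    """Build a constructed sample: valid header, zero-filled placeholder body."""
    raw = bytearray(
        ACPI_HEADER.pack(b"SLIC", ACPI_HEADER.size + body_len, 1, 0,
                         oem_id.ljust(6), b"SAMPLE".ljust(8), 1, b"TEST", 1)
        + bytes(body_len)
    )
    raw[CHECKSUM_OFFSET] = (-sum(raw)) % 256  # make the byte sum zero
    return bytes(raw)


if __name__ == "__main__":
    sample = constructed_table(b"DELL")
    for vendor in ("Dell Inc.", "LENOVO"):
        print(vendor, "->", audit_slic(sample, vendor) or "no findings")
```
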

The Empire strikes back

The two exploits I describe in this post are certainly not the only ones out there. Indeed, Windows pirates have been playing a cat-and-mouse game with Microsoft for years. In the Windows XP era, pirates focused most often on stealing legitimate product keys, especially Volume License keys. Beginning with Windows Vista, Microsoft has begun building anti-piracy components directly into the operating system, and pirates have aimed their hacking skills at those components with increasing sophistication.

The latest salvo from Microsoft in the war against pirates is the Windows Activation Technologies Update (KB971033). In its default configuration, it performs an initial validation check and then repeats the process every 90 days, downloading new signatures to detect exploits that flew under the radar in the previous scan. When I initially wrote about this subject last month, the question I heard most often was, “Why does it need to keep checking? If I get validated, shouldn’t that be good enough?”

Unfortunately, the experiences I’ve written about here prove why that strategy doesn’t work. If you used a copy of RemoveWAT that was created in 2009, you were able to fool Microsoft validation servers with a 100% success rate. However, as the anguished cries of forum participants proved, the KB971033 update in February exposed all of those hacks, restoring the correct license files and causing the systems to (correctly) fail validation. As a result, the RemoveWAT developer modified his code and released a version last week that trumped the new update and once again allowed hacked machines to pass the activation test.

In the past, that would have been counted as a win for the pirates. But with its new signature-based system, Microsoft can improve its exploit-detection code and, at least in theory, identify the updated hacks in 90 days (or, in the worst case, 90 days after that). The point is that pirates can’t count on getting a permanent free pass on activation. If you’re a hobbyist obsessed with pirating Windows, you have to put up with the nuisance of updating your hacking tools every few months. But if you’re selling pirated software (in a box or preloaded on a system), you risk getting put out of business and maybe sent to jail when the systems you sold in March are detected as pirated in June or July.

The other question I hear on the subject is, “Why pick on legitimate customers? Why not go after the real pirates?”

There’s a common misconception that only diehard hackers mess around with pirated software. The reality is that anyone can be a victim, especially if they ever need help reinstalling Windows or repairing some sort of hardware problem. I have lost count of the number of times I have seen a PC that contains a pirated copy of Windows installed by a nephew or a neighbor or even a local computer tech who was trying to share the cool thing he found on the Internet. Back in 2007, I wrote about a firsthand experience with a PC repair tech for a major national chain who used a pirated copy of Windows to “repair” my friend’s PC.

In that case, I was able to spot the unauthorized copy quickly and help my friend undo the damage (and get his money back from the crooked tech). If that were to happen today, the tech might be lucky enough to get away with the deception for a few months, but he would eventually be caught out.

One thing I learned while researching this piece is the phenomenal determination of pirates. They’ve become increasingly sophisticated and are able to react extremely fast to changes from Microsoft. For Microsoft, responding to those fast-moving targets without inadvertently inflicting collateral damage on its customers is a tremendous challenge.

Posted by swood - March 3, 2010 at 7:33 am

Categories: Piracy

Blockbuster Goes Bust In Portugal, Blames Internet/Piracy

The famous chain renting out DVD, Blu-ray, and video games discs worldwide has announced it has gone bust in Portugal. Of course, it blames piracy.

Founded in 1985, Blockbuster is a well-recognized brand all over the planet with around 9,000 stores in around 25 countries worldwide.

A success for many years, the company started falling on harder times around 7 years ago with decreasing revenues, a trend that continues today.

The company licensed to operate the Blockbuster brand in Portugal has just announced it has initiated insolvency proceedings.

“Our energies are now focused on trying to minimize the impact on our employees,” the company said in a statement.

Blockbuster is blaming its Portuguese demise on piracy and entertainment becoming available in new forms on the Internet.

Portugal’s Association of Audiovisual Commerce (ACAPOR) doesn’t spread the blame so thinly.

Spokesman Nuno Pereira said piracy was the main cause of reduced performance in the sector and accused the government of inaction in the face of “brazen and shameless theft.”

Neither company cites a failure to innovate as a reason for Blockbuster’s demise and will presumably continue trying to rent out plastic discs in other regions.

Posted by msutherman - February 12, 2010 at 10:28 am

Categories: Piracy

Pirate Movie Privacy Case Set For The Supreme Court

Should copyright holders be allowed to get the identities of Internet users behind an IP-address for private prosecutions, or should that ability be left solely with the police? That’s the key question behind a pivotal hit movie camcorder case which is set to move amid an unusual amount of secrecy to Norway’s Supreme Court.

Released in 2008, Max Manus is a Norwegian World War II movie based on the real-life events of resistance fighter Max Manus. Created at a cost of NOK 55,000,000 it was the most expensive Norwegian film production to date.

Shortly after the movie’s 19th December release date an illicit copy of the movie appeared on the Internet. According to producer John M. Jacobsen the recording was made in an empty theater, prompting suspicions that a projectionist was involved.

“I think this is totally reprehensible, and I wish we knew who is behind it,” Jacobsen told Norwegian media. “Anyway we will go after those who have done this quite mercilessly. There are ways to track these things down.”

An investigation was immediately launched by the Filmkameratene studio, to be handled by the Simonsen law firm with notorious pirate hunter Espen Tøndel at the helm. Technicians went to work, systematically going through every copy of the movie sent out to find a match – that meant checking 103 analog and 20 digital copies.

Their detective work paid off. Simonsen said they had not only tracked the correct copy but also identified the IP-address from where the movie was first uploaded to the Internet. They took the information to the police but were notified that the case would not be a priority for them. Simonsen responded by taking the case to the courts.

Simonsen, a law firm which since 2006 had held a license to monitor alleged pirates and collect their IP-addresses, demanded that the ISP connected with the IP-address hand over the identity of the subscriber, something it had thus far refused to do. The request had the support of the Norwegian telecoms authorities which in this case made a special exception to the country’s Privacy Act, enabling the person’s identity to be handed to a group other than the police – if the court agreed.

On May 5th 2009, Simonsen received the decision from the court but the verdict was kept a secret from the public. Espen Tøndel said this was to prevent the possibility of evidence being spoiled. This lack of transparency caused an uproar, with thousands of Internet citizens demanding to know the verdict in this important case. Many argued that if there was evidence to be spoiled, it would’ve been spoiled by now.

Today in 2010, the verdict is still a mystery to the public, but at least one of the parties is disappointed with the court’s decision.

“I can confirm that the case is being appealed to the Supreme Court, but I can not confirm which of the parties has submitted the appeal, as that may indicate what the results were in the previous hearing,” said movie industry lawyer Rune Ljøstad.

The Supreme Court will now have to decide if it’s acceptable for privately owned companies with financial interests in the outcome of a case to be given the power to obtain the identity of an Internet subscriber behind an IP-address, whether or not they committed the alleged offense.

Despite the leak, Max Manus did incredibly well in Norway, breaking all records. Its 2009 theater run yielded almost NOK 200 million across 1.16 million tickets and the DVD sold 400,000 copies in the same year. From recording a loss in 2008, movie company Filmkameratene made a profit in 2009.

“There is a dramatic change for the better for us in 2009,” said producer Sveinung Golimo. “So we are not now concerned about the future.”

Posted by swood - February 8, 2010 at 7:46 am

Categories: Piracy

‘Piracy Isn’t Killing Music’ Radiohead’s Guitarist Says

In an attempt to take a stand against the labels, several well known artists including Radiohead formed the Featured Artists Coalition last year, a lobby group that aims to end the extortion-like practices of record labels and allow artists to gain more control over their own work.

Radiohead and others are unhappy with the fact that the labels, represented by lobby groups such as the RIAA and IFPI, are pushing for anti-piracy legislation without consulting the artists they claim to represent. Radiohead, who used BitTorrent to leak one of their songs, went as far as being willing to show up as a witness against the RIAA in court.

In a new MIDEM interview, Radiohead guitarist Ed O’Brien stands up for file-sharers once again, stating that piracy is not killing the music industry in his view.

O’Brien is no stranger when it comes to piracy. “There’s a very strong part of me that feels that peer-to-peer illegal downloading is just a more sophisticated version of what we did in the 80s, which was home taping,” he said, something the music industry strongly discouraged at the time.

“If they really like it, some of them might buy the records,” he said, adding that if they don’t buy the albums they might buy a concert ticket, t-shirt or other merchandising.

“I have a problem about it when people in the industry say ‘it’s killing the industry’, ‘it’s the thing that’s ripping us apart’,” O’Brien said, adding: “I don’t believe it actually is.”

According to O’Brien the music industry is using analogue business models in a digital age. “You’ve got to license out more music, more Spotifys, more websites selling more music. You’ve got to make it slightly cheaper as well to get music in order to compete with the peer-to-peers.”

Radiohead’s guitarist says he’s surprised that the music industry is still struggling with the digital transition, and urges the labels to “move quicker” and get their content out there at a fair price.

Posted by swood - January 24, 2010 at 8:58 am

Categories: Piracy

Record Labels Demand Cash From Pirate Bay Founders

Universal Music, EMI Music, Sony BMG and Warner Music are demanding one million Swedish kronor from two Pirate Bay founders. A Swedish court banned them from operating the site last year, and the labels argue that they have failed to comply.

Last October, the Stockholm District Court ordered that two of the site’s founding members – Gottfrid Svartholm and Fredrik Neij – should cease to operate the site.

The verdict read that if they failed to comply with the court’s decision, this would result in fines of 500,000 kronor ($71,000) each.

The two were granted an appeal a little over a month later, but the record labels do not intend to wait and are going after their money. They have sent the District Court a letter where they ask the authorities to collect the fines.

The labels argue that, since the site is still operational, Neij and Svartholm must be involved in the operation one way or another. Whether they or the authorities can back this up with evidence is highly doubtful.

Fredrik and Gottfrid


Both Pirate Bay founders currently live outside Sweden, and aside from their whereabouts, it will be hard to prove that either of them is still actively involved in the site’s operation without monitoring their every move.

Commenting on the announcement, Fredrik Neij said: “I am no longer involved in the operation of The Pirate Bay, so there is no opportunity for the penalty to be issued. I think the law is quite clear on this.”

Whether or not the fine will be enforced doesn’t matter that much to Neij, who already owes over 50 million kronor ($7 million) due to previous legal cases. He can’t pay the money anyway, he said, adding “a few million more or less doesn’t really affect me.”

Posted by admin - January 12, 2010 at 8:20 am

Categories: P2P and Filesharing, Piracy

Record Label Stops Signing Artists Because of Piracy

Let’s be clear from the start. People who share music on the Internet actually buy more than those who don’t. The music library of the average music fan may have expanded a bit in the last decade thanks to file-sharing, but at the same time the number of sales has also skyrocketed.

Despite this, there will also be labels that perform badly for unrelated reasons. How convenient is it then, to blame evil file-sharers for your disappointing results. The Finnish hard rock label Lion Music is doing just that, with rather dramatic consequences.

Because of all the stealing and looting by Internet pirates, the label has decided not to sign any new acts until politicians have found a remedy.

“We are NOT able to sign more artists. No demos or masters you send us will be considered for release. We will NOT listen to any mp3 files or check out your websites and we will NOT respond to questions regarding releasing your album,” the label’s bosses write on their website.

“The illegal file sharing on the net is killing independent music. We are sorry about this situation but we are sure you are aware of what is going on,” the dramatic rant continues.

“Our demo policy will not change before our politicians have stopped the P2P sites. Illegal file sharing is not just about stealing from rich major companies. It is about killing independent music and making it impossible for many great musicians to have a chance to release albums and have a musical career even as a part time job.”

“Next time you consider downloading an album for free or adding new torrents please think of the impact you are having on the artists – would you like it if we came into your home and stole your pay check?”

The label’s bosses then go on to show various statistics of how many times the albums of their artists were pirated through an unnamed BitTorrent site, arguing that these downloads are responsible for their disappointing results.

To add to the drama the label has asked their musicians to write up their thoughts on piracy in a section called “The Murder of Music.”

One of the artists that penned up his thoughts on piracy is guitar hero Borislav Mitic. Mitic is just as gentle in his commentary as the label’s bosses.

“Just because you CAN download music for free today on the Internet doesn’t mean you SHOULD,” he writes. “You CAN also beat up an old lady on the street and steal her pension from her wallet … but somebody CAN beat you up too and do the same to you. Would you like this?”

According to Borislav, illegal downloading will lead to a “society of filthy, wild savages.” To those people who dare to continue stealing through BitTorrent sites he adds, “the blood will be on your hands…”

Those who have the courage to read the rest of the artist entries will be amazed at the hostile tone towards the readers, who they assume are pirates.

Don’t get us wrong. Despite research that points in the opposite direction, it could be that piracy is hurting the sales of Lion Music. But even if this were true, their way of bringing the message across is not going to help their cause; it will only alienate the fans.

A label taking completely the opposite stance, embracing both file-sharing and their fans, is Thorny Bleeder Records, who have just released the second volume of their free download series. Entitled Get Thorny 2, the album features new music from seventeen independent Canadian artists. (link to torrent on Mininova)

Posted by admin - January 5, 2010 at 9:39 am

Categories: Music, Piracy

Despite Piracy No Longer Being a Threat, Microsoft Takes Action Against It

Earlier this week we wrote an article about a recent interview with the managing director of Microsoft Philippines Inc., in which he stated that Microsoft did not believe piracy was a threat any longer.

A few days later the same company launched “Consumer Action Day”, which is meant to warn users of the dangers of piracy and inform them of just how badly it affects the industry. Well… this is awkward.

The software giant is hitting back at the piracy that they claim poses no threat to them… hard. Microsoft will be putting out educational materials and launching ‘enforcement actions’ in over 70 different countries. They even have a hot-line where you can report any piracy you may come across. The number is 1-800 RU LEGIT. Seriously.

The source article for this story goes on for six or so paragraphs about how pirated copies of Windows are more likely to get viruses. This is the exact same thing the guy said in the interview before, except that instead of denouncing piracy as not even a worry, this time it is something important enough to warrant spending millions of dollars to inform the public about.

There is a news story here, but it is not the fact that Microsoft is launching this huge anti-piracy corporate holiday. Nor is it that they said piracy is no longer a threat. It is the fact that they did both in a four-day span of time.

Posted by admin - December 6, 2009 at 4:04 pm

Categories: Piracy

Counterfeit Software on the Rise, Poses New Risks to Consumers

Q&A: David Finn, Microsoft’s anti-piracy enforcement chief, discusses consumer risks and how to take action if counterfeit software lands on your computer.

Consumer reports of counterfeit software, often riddled with viruses, have doubled over the past two years, and today Microsoft is holding a Consumer Action Day to highlight the risks of counterfeits and connect people with resources that can help them.

Most digital anti-piracy actions are driven by consumers, in cooperation with Microsoft and regional law enforcement agencies.

As head of global anti-piracy enforcement for Microsoft, David Finn leads a team of lawyers, paralegals, investigators and forensic specialists working with governments, businesses, partners and customers to ensure that people are protected from the perils of non-genuine software.

PressPass spoke with Finn leading up to today’s event to talk about the consumer risks of counterfeit software, and how a new wave of sophisticated cybercrime is motivating more people to take action against counterfeiters.

PressPass: What is Consumer Action Day all about? Why are you doing this?

Finn: During the past two years, consumer reports of counterfeit software, often containing malware and viruses, have doubled to more than 150,000. These are voluntary reports from people who have come to us via online Web sites, such as How to Tell, with powerful stories about the problems they’ve encountered with counterfeit software.

We’re seeing some sophisticated scams today, and consumers need to know, No. 1, there’s a serious risk to using counterfeit software, and No. 2, they don’t need to take it. Microsoft will help them. Consumer Action Day helps get the word out and then backs it up with hundreds of educational and enforcement initiatives around the world — all aimed at protecting consumers.

PressPass: Do consumers really buy into the idea that counterfeit software puts them at risk?

Finn: Absolutely. More and more consumers believe they are at risk if they buy or use counterfeit software, and you know what? They’re right to be concerned.

Today it is all too common for software pirates to tamper with genuine code. Yet this can easily go unnoticed by the average software user. Indeed, the fact that you can’t see what is being added or removed by pirates underscores the insidiousness of the problem. Think about it — why wouldn’t a criminal syndicate that manufactures counterfeit software merely add a few lines of malicious code in order to compromise the security of your computer and victimize you a second time by stealing your identity or personal information?

Sophisticated packaging makes it difficult to distinguish the genuine product (right) from the counterfeit (left).


Having said that, we know a lot of people still think of software counterfeiting as a victimless crime. Yet I think we’ve hit a tipping point. The sheer increase in the rate of counterfeit software reports is remarkable. In fact, of the cases announced today, an overwhelming majority were the direct result of consumer reports. To file a report, which is completely voluntary, you need to fill out a Web form and provide some detailed information. Given how precious people’s time is, we know you have to be pretty mad to take the time to do that. And we’ve had 150,000 people around the world submit these reports in the past two years.

So there is just no question about it. Consumers are increasingly recognizing the reality: Counterfeit software puts them at risk. And people are seeing that friends and family members are struggling with the harm inflicted by counterfeit software: viruses, identity theft, lost time and productivity, lost business and financial data, you name it.

Posted by admin - December 4, 2009 at 4:51 am

Categories: Microsoft, Piracy