‘Brute’ Force Attack on Windows Vista now ‘Moot’ Force Attack

Over the weekend we learned that the widely covered ‘Vista Brute Force Keygen’ turned out to be a hoax. It’s nice that the originator has come forward and is encouraging everyone to buy and use genuine copies of Windows Vista.

As you can imagine we receive reports of hacks every week. Many turn out to be ineffective, but to determine that we review and investigate every report. One of the first questions we ask ourselves with each reported hack is ‘does this represent a real risk to our customers?’ As we learned with XP, counterfeit software can be quite risky to obtain and run.

The next question we ask is ‘can this be commercialized’? Some hacks are highly technical to implement and can require significant engineering on the part of the end user. These are obviously interesting to us and we do spend time looking closely at them. At the same time it’s possible for a hack to be scaled and used by organized rings of counterfeit software traffickers to profit by exploiting innocent victims. Our priority is in evaluating against scalability and risk to our customers and working to help customers that might have been victimized.

I would also like to point out that people seem to get pretty excited at any reported possible hack. And while it’s always fun to have the attention, having worked on these issues for several years I’ve learned that it can take a while to learn how real a reported hack is…or not (e.g. the Brute Moot Force attack).

Comments (15)

  1. Anonymoususr says:

    It is great that you put such effort in protecting your investment. I saw Windows Vista in action, and, as a developer, I was extremely impressed.

    I think that DRM has a significant role in protecting honest consumers from fraud, and at the same time, it is essential to keep us from risking our jobs and positions due to revenue loss within the software industry. I do see that the consumer market is not fond of accepting DRM, but it seems like there is no other choice, and DRM is here to stay – and rightfully so; content creators have every right to protect their intellectual property.

    I am following your blog closely, and it is a nice read. Keep up the good work.

    P.S. could you open up a WGA chat room?


  2. r3m0t says:

    That’s very nice, but since then, there’s been a new crack based on installing a device driver which emulates a chip on OEM machines – or something like that…?

  3. Anonymoususr says:

    To my knowledge, any software-based solution which is based on installing alien components on top of the operating system, be it illegally modified system libraries, on-the-fly patchers, or device drivers can be detected and dealt with – which, I hope, Microsoft will do soon.

  4. nicknowsky says:

    The new OEM hack is working and it is NOT a hoax. Actually there are 2 versions of it. Watch Out!!!

  5. rdamiani says:

    DRM was ‘here to stay’ in the late ’80s and early ’90s, too. It died out because ‘secure’ and ‘useable’ are not things that go well together.

    I am a reseller of software and hardware, and I work with a number of activation and licensing schemes. From the relatively simple dongle-based scheme that CNC Software and ART uses to much more complex multi-part license + dongle FlexLM schemes. Some work well, are simple to implement, provide some value (license management and metering mainly) and don’t impact the user experience too badly. I get few support calls about these schemes.

    Others – SafeDisc/C-Dilla, home-grown systems like the one Materialise uses, WGA 1.0 and 2.0 – that depend on generated machine hashes and/or other ‘fingerprint’ schemes (writing a code to the boot track of the HD, ‘magic’ files or sectors, registry munging) are far more troublesome. The business of recalculating the fingerprint and comparing it to the auth string over and over again introduces multiple opportunities for failure.

    To their credit, all the other developers that I work with (CNC Software, Dassault, Chief Architect, Macrovision, Adobe, Autodesk, Danware, McNeel, MecSoft, Cimco, Northwood, Materialise etc.) deal with failure of their particular licensing schemes in much the same way they do with any other kind of software failure. They display an error that talks about licensing.

    Microsoft treats licensing failure – regardless of the reason – as a marketing opportunity. If AutoCAD won’t start because the request code changed, you get an error that talks about the license subsystem, and links to the registration site so you can get it sorted, complete with a repair code if the license system knows why it failed. If Vista’s calculated fingerprint changes, you get links to a web site that offers to sell you another copy of Vista and warnings that your software is counterfeit.

    Because Volume Activation 2.0 works the same way as retail activation, license failure there is also dealt with as a marketing opportunity. Sure, Microsoft ‘gave’ us corporate users MKS, KMS, and Proxy Activation, but for our trouble in dealing with another license scheme, we *don’t* get metering or reporting tools that are worth anything.

    I am all for software developers getting paid for their work. After all, people buying software from me is how I keep body and soul together. What I object to is trying to sell us on how this makes things better for us all.

    Windows Genuine Advantage is pure doublespeak. The only advantage is Microsoft’s as people are misled into re-purchasing software they already own (retail) or duped into thinking they are in compliance without any tools to usefully tell them one way or another (SMB and Enterprise). And don’t even get me started on the nonsense of enterprises needing to purchase Vista upgrades to get imaging rights for white-box hardware with OEM Vista.

    As long as Microsoft keeps hiding behind market-speak that doesn’t fool anyone, I’ll keep rooting for WGA to fail spectacularly. On the other hand, if Microsoft were to:

    – Offer useful errors on activation failure; ‘Not Genuine’ is worse than useless.

    – Stop treating license failure as an opportunity to sell software.

    – Offer SMB, Enterprise, and other open and select license customers useful compliance tools (not SMS server, unless you are gonna give it away).

    – Offer SA for OEM-licensed Vista so the white-box systems I sell to companies don’t have to have Vista + an upgrade to Vista.

    – Fix SA so that when there is a 5-year gap between versions all those early adopters that paid for 3-years of Software Assurance aren’t Assured that they could have burned $100.00 bills instead and gotten exactly the same benefit.

    Then I’ll stop rooting for the hackers.

  6. MSDN Archive says:

    rdamiani, I appreciate your articulate comments. Let me respond to a couple of points.

    – To the point about treating a validation failure as a marketing opportunity:

      – First, our program is targeted primarily at individuals who are in fact victims of counterfeiters and those who resell counterfeit including bad PC builders/resellers. After research and feedback from thousands of customers we have learned that messages that are simple, clear and are actionable such as ‘you have counterfeit software – you should get legal software instead – here’s how’ are preferred by customers and encourage more customer participation in solving the problem than messages about licensing services encountering an issue.

      – Second, we’re working hard to make sure that the scenarios we’re aware of that might be confusing or might be perceived as a false positive have support options and additional information available to help sort through the issues. Also, we do not want people who already have a legitimate license to purchase another one. As I have said before, if anyone has purchased a license unnecessarily because of WGA we will gladly refund the customer’s money.

    – On the point of Windows Genuine Advantage being doublespeak? I disagree. Aside from the additional downloads, WV Ultimate Extras and better support, WGA provides a valuable service to users of Windows, particularly when the user is an unwitting victim. The fact is there are millions of victims worldwide. We have chosen to offer the communications and solutions we do through WGA; what else should we do for them?

    Lastly, I appreciate your five suggested improvements and I believe SA is available for OEM licensed Windows.

  7. rdamiani says:

    When I call Microsoft’s licensing desk, I hear that SA can be purchased for OEM seats. My vendors (Ingram Micro and PC Mall) cannot provide me with the SKU for it. My customers are all schools, so our plan, at the moment, is to OEM Home Basic, upgrade to Vista Business (Open Academic), and use downgrade rights to install XP SP2 until Vista SP1 ships and/or I hear more about real-world experiences with proxy activation and KMS. Home Basic qualifies for that path for schools (not, as far as I can tell, for commercial licenses) according to the licensing site. SA on OEM Vista Business would probably be cheaper overall with academic pricing if I could get it. So would an Academic OEM SKU (I wish).

    Anyway, on with the counter points.

    – Targeting victims:

    WGA is not a scalpel. It’s a shotgun. Customers of loaders get what they maybe should see (plus a marketing message). But so do people who install the wrong software, aren’t connected to the internet, have failing RTCs, bad RAM, damaged hard drives, or overly enthusiastic delete fingers. They all see the same pitch.

    – Scenarios you are aware of:

    That really says it all, doesn’t it. One of my more popular applications is something called MasterCAM. In its market, it’s ‘da bomb. Folks pay tens of thousands for a single copy. World-wide distribution is under 250,000 seats. How many scenarios involving MasterCAM is Microsoft going to investigate? How about Techno-Isel CNC routers? Or Solidworks? I don’t have to guess, actually. Microsoft broke all of them at one time or another with service packs or security updates. And they are all broken on Vista because of OpenGL. Just a couple of months ago Microsoft broke Autodesk Inventor 9, 10, and 11 with a security update. On point there is your own post of 3/1/07 demonstrating WGA’s brittle nature. You only know about stuff that comes to your attention, and fixes aren’t gonna show up unless impact is measured in millions.

    – WGA doublespeak

    As a consultant and white-box OEM, I have to figure out how to implement BIOS locking, sort my way through proxy activation, or figure out KMS before I can deploy Vista at client sites. BIOS locking, of course, only postpones the pain. I’ll be screwed when Vista+1 shows up if I go that route.

    But wait, there’s more. Because I’m a small 3-man shop whose Microsoft sales are limited [2], and because I can’t justify getting 5 times the upgrade licenses I need, I can’t even test KMS until after I sell it to someone. Unless I sell SMS or something like it, I don’t even get useful reporting tools so I can tell if my usage matches my purchase.

    In exchange for these headaches I get access to the same stuff I had access to with XP (security updates and some utilities), plus Texas Hold ‘Em and maybe a screensaver (if, of course, I decide to compound my troubles, avoid the minimal tools I do get, and do Ultimate everywhere). Yeah, Microsoft promises that there will be more stuff. Microsoft promised me a magazine subscription when I registered Windows ’95. It’s been 12 years and I’m still waiting for the first issue.

    To sum up, Vista offers me complication and difficulties, plus licensing options that take away rights I had with XP. In exchange for this I get redneck poker and access to the same kinds of stuff I had access to with XP. The only Advantage I see in this is that Microsoft is more likely to get paid for someone else’s copy of Windows. That’s not helping me pay my bills.

    – What should you do for folks

    That is a good question. I’m gonna have to think about that and get back to you.

    [1] Where was the UAC team on that, anyway? Clicking ‘details’ and being presented with a GUID is kinda like this:


    With some of this:


    A feature that is so annoying that you disable it on day three is kinda useless…

    [2] I was gonna talk about my business, but that’s not really on point. Suffice to say that I don’t usually bother to sell stuff my clients can get at CompUSA unless I’m adding something unique to the mix. As Scott McNealy once said, "The only value you can add to a banana is a bruise."

  8. rdamiani says:

    What to do about the victims of counterfeiting:

    Change your mindset. If the response from Microsoft wasn’t "you stole that software, didn’t you" then there would be no talk of ‘false positives’. By replacing ‘licensing error’ with ‘Genuine Validation Failure’ you are letting a lazy approach to writing error messages look like a value judgment, even though that’s not actually possible.

  9. Anonymoususr says:


    The OEM hack you’re talking about is nothing more than a device driver, which, besides consuming (although, a little) memory, potentially introduces instability and security issues to a computer system. Also, this device driver could be easily detected programmatically, after which Microsoft could revert your computer to an unlicensed state. Nothing exceeds the quality of fully legal and licensed software. The OEM crack is working? Good for you, enjoy it while it lasts. I surely hope Microsoft will take steps against this and that pirates won’t be able to benefit from pirated Windows Vista x86 for so long; it is not so hard to detect such attacks and cut them short of working. Oh, and besides – this device driver is functional solely on the x86 editions of Windows Vista, as x64 editions have driver signature enforcement, preventing such forms of vandalism.


    Had piracy been less common, software authors and companies would not have to worry so much about their pockets. Unfortunately, piracy is a common and global problem right now. Pirates don’t leave much choice to authors besides introducing strict DRM schemes to their software applications. Oh, and besides – "SafeDisc/C-Dilla" is an incorrect description.

    C-Dilla was a company producing the SafeDisc and SafeCast copy protection systems. SafeDisc has nothing to do with the activation scheme which you describe; you are probably referring to the legacy SafeCast, which was included on TurboTax and other software products. Macrovision later acquired C-Dilla. SafeDisc still lives and SafeCast was replaced by FlexNET Publisher.

  10. rdamiani says:

    C-Dilla was what it called itself when I first encountered it in student versions of AutoCAD released in ’98 and in 3D Studio MAX 4.0. Lots and lots of problems with that implementation. Autodesk removed all the branding from the tools when they decided to move to activation for all products in all markets with the ’05 family of releases, and squashed (most) of the major remaining bugs I am aware of in the ’07 family of releases. TurboTax introduced one of the more frustrating variants of those bugs. Frustrating because it pretty much only struck student systems. Those had such a low margin that if they had to call for support we lost money on the sale.

    When I was researching C-Dilla in an effort to find out how to fix hosed customer systems all the references I found referred to SafeDisc and SafeCast as two variations of the same product, one for CDs and one for installed software. I may have mixed up the names for them – it was a long time ago.

    Anyway, I ended up with a generalized cracking kit for the then-current version and found a number of other workarounds, some of which no longer work. Why was I doing this? Because the official ‘fix’ for students who wanted to extend an existing 3 or 6-month license or who wanted to go from a trial version to a student version started with ‘Replace the hard drive’. Probably because doing sector editing of the drive over the phone with a student who barely knows how to turn the computer on is not very much fun.

    DRM for software is pretty hit-or-miss. The scheme MS uses is nice and simple when it works, and in that regard it’s a much smoother experience than some of the brain-dead schemes I’ve had to deal with (Symantec’s scheme for Corporate AV, for example, is so irritating that I won’t renew it next year). My main issue with WGA is the assumptions that underlie all of its end-user interactions when it does fail. There just aren’t any good directions you can go when the first thing your customer asks is ‘why did you sell me counterfeit software?’

    Some other license schemes I like are the ones used by MasterCAM (an updateable HASP HL that contains the license information) and Chief Architect (HASP HL again, but not updateable). Both of them take very little (or no) effort on the part of the end user and are extremely difficult to work around (no confirmed cracks for the release version of MasterCAM X or X2, though one of the X alpha builds from before the switch to HL was cracked). I nearly never have licensing issues with either scheme.

    Less enjoyable are the HL-based schemes that lock a particular install to a particular lock, so there is more end-user pain involved. Still work-with-able, but not as simple as the pure HL schemes.

  11. Anonymoususr says:
    While I do agree that DRM sometimes can be too strict for the end-user, developers learn from mistakes (See: TurboTax). I, personally, have never had a single problem with Microsoft schemes (Windows XP/Office XP/Office 2003/Windows Vista). All activated and worked perfectly. As for WGA, if the volume of false positives is as high as people here assume, it probably has to be fine-tuned; as far as I know, Microsoft already gives the benefit of the doubt when it is unable to determine, to a given certainty, that a given system runs counterfeit Windows. Dishonest users (e.g. potential customers) should be educated, while honest customers should be kept honest – DRM is in place to fill this gap.

    As a software developer, I can assure you – no one is aiming to introduce an extra burden on end users. That would be plain silliness. What software authors and publishers are aiming to do is to cover the (usually) very high expenses of software development, and make a buck or two on the way. Software creation has to be profitable; otherwise it will not be worthwhile to create high-quality commercial software, it will not be worthwhile to support that software with update patches and extra features, and it will not be worthwhile to have support personnel in place should the end-user encounter any problems with the software.

    The volumes of today’s piracy are dreadful; from the home users not being aware of, or being ignorant to copyright and intellectual property, to organized crime gangs, commercializing software piracy, and making pirated distributions of software and/or other intellectual property content to the masses; just walk some districts in Russia, China, Thailand, South America, etc. and see the thievery in action. In order to maintain software creation profitable, in other words, in order to keep the software industry from collapsing, creators introduce DRM. I, however, do agree that DRM has to be fine-tuned, be fully transparent, and not impose any burden on the honest customer.

    Today’s software crackers seem to also compete over who breaks a piece of software first and releases it over the internet. This is repulsive! The DRM market does not only aim at casual pirates making copies of intellectual property for friends to use illegally; they aim to make reverse-engineering a very time consuming task. For example, there is one successful implementation of a DRM product. The game Splinter Cell: Chaos Theory from Ubisoft is a popular game title on the PC; the title is protected with StarForce v3, a (in my humble opinion) powerful copy protection and anti reverse-engineering system. It took more than one year for a fully cracked copy to first appear on the internet – now that’s what I call DRM in action! Or another PC game title, Beyond Divinity by Larian Studios – this game has been in stores for over two years and was never cracked (although the publisher had recently released a patch which removes copy protection from the game), also using the same StarForce v3. I also believe that all the criticism aimed at StarForce was highly exaggerated. Pirates are willing to turn to any measures to thwart DRM systems – if they fail to crack them, they turn to social engineering. This is true artistry: being unable to defeat a protection system by technological means, out of desperation, they attack a DRM system at its other sore spot – PR, while honest users actually believe the exaggerations, refusing software products with that particular copy protection system employed; it seems that StarForce eventually lost their contract with Ubisoft.

    On the other hand, you have mentioned HASP HL in your post. This is one of my favourite forms of DRM, a hardware key (dongle). While most dongle implementations (HASP HL, Rainbow Sentinel, etc.) are nice, and do not impose much burden on the end user other than a consumed USB port (what if you need to use, say, five dongle-protected applications on a given PC? Such a scenario would require the purchase of a USB hub), have you ever heard of cases where dongles fail by literally blowing up?

    There is no perfection in software; there are always going to be bugs. By the same token, there is no perfection in DRM. All the software industry can hope for is the minimization of DRM-related customer issues, or the obliteration of software piracy. Which of the two, in your opinion, would come first?

  12. mhornyak says:


    The criticism aimed at StarForce was not all exaggerated.  It caused serious harm and data loss to some systems, although not as many systems as the criticism would lead you to believe.

    The point is that software – that is purchased legally – should NOT introduce instability into a customer’s system, ever. Customers do not buy chances to play Russian roulette – they’re buying something to use productively. When software introduces instability to a customer’s system (possibly causing data loss) solely as part of a scheme to maximize profits through imperfect DRM, there’s a problem.

    I have no respect for StarForce, and especially not for their technical skills.  They don’t respect their end-user customers because they provide software that does inflict damage on some customers’ systems.  Any crappy hack programmer can create a copy protection system when 100% protection of end-user stability and data is not a goal.  

    Even data loss to ONE customer when that data loss comes from DRM or copy protection software is unacceptable. That’s what StarForce caused. For you to defend them is to say that it’s okay to ruin a customer’s system or cause data loss. I have to say that it’s good that we’re anonymous here, because I’d have to be sure to avoid software that you’re involved in developing.

    I’m a software developer too, but clearly I’m a more ethical developer than you are.

  13. Anonymoususr says:


    Pardon? Can you prove, beyond any doubt, that the instability introduced to those systems was exclusively due to StarForce components? Can you provide a detailed analysis? I have yet to see any person provide a detailed technical analysis of StarForce, besides some words by Sysinternals’ (nowadays Microsoft’s) Mark Russinovich:

    "I’ve taken a look at StarForce and other than some unorthodox ways of monitoring Cd-Rom traffic and intercepting the creation of all processes and threads, there’s nothing overtly unstable about its implementation."

    FYI, the software which I am involved in developing is a large-scale business application, and is worthless without our support – hence, there is no need for copy protection.

  14. rdamiani says:


    "There is no perfection in software, there are always going to be bugs. By the same token, there is no perfection in DRM. All the software industry can hope for is the minimization of DRM-related customer issues, or the obliteration of software piracy; Which of the two, in your opinion, would come first?"

    Minimization of DRM-related customer issues should always come first, even if it enables piracy. The only thing that sucks worse than seeing a potential sale go unrealized is losing a customer you already had because you were trying too hard to screw with people who were never gonna give you money anyway.

    If you sell a time-sensitive product (e.g. a video game) or one that requires expert support (my CAD/CAM stuff or your large-scale business app), your clients gain some value by being ‘genuine’. If, on the other hand, all you have to offer is the status quo plus more headaches you are gonna get a lot of grief.

    Vista, with all its built-in warts, would be a very hard sell without DRM. With DRM, and the (lack of) value Microsoft has historically offered its subscription clients [1], it’s pretty much DOA.

    [1] That would be none. Lots of folks with SA paid good money for it only to see the agreements expire without any updates.

  15. mhornyak says:


    Interesting that the large-scale business app doesn’t need DRM.  One of the few DRM-protected applications that I agree with is using it to ensure compliance with a license quota for a high-end CAD tool for processor design.  A friend of mine works for a software company that has such a tool, and the license system provides a gradually stronger nudge to the customer to purchase additional licenses when the seat quota has been exceeded.

    I had some very detailed StarForce info around here somewhere.  If I can dig it up, I’ll reply here.