WPA

11/24/2001

WPA - Windows Product Activation (WPA) is an antipiracy technology incorporated in Windows XP in the Fall of 2001. WPA underwent substantial changes between the time of its announcement and the time of its release. Early descriptions may be inaccurate to varying degrees. Nonetheless, the following early paper is a good source of technical information on WPA and of diagnostic tools is:

http://www.licenturion.com/xp/

WPA applies only to home versions of Windows XP. OEM home versions reportedly may check only the motherboard ID rather than the full hardware suite.

The idea of WPA is to allow Windows to be reinstalled on a customer's PC and to allow reasonable product hardware upgrades while discouraging installation of one copy of Windows on multiple PCs.

The installation process seems to entail running a program called msoobe to produce a 50 (decimal) digit Installation ID. some of the digits are hardware dependent. The remainder are a security code. msoobe produces a different, valid, ID on each execution. This number is provided to Microsoft which returns a confirmation ID that is used to confirm the installation. If the installation is not confirmed in a reasonable time (30 days?) the PC will refuse to run. Once obtained, the confirmation ID can be used for subsequent (re)installations provided that the number of hardware changes does not exceed a threshold.

The fifty digit ID consists of 8 groups of 6 digits plus one group of two digits. The six digit groups actually consist of 5 digits plus a check digit that is used to detect typing errors in entering the installation ID at microsoft. The check digit is the remainder from the sum of all the digits plus the sum of digits 2 and 4, all divided by 7

The 41 (42?) decimal digits remaining after the check digits are removed easily contain 64 hardware data bits and 30 plus bits of security information. Ignoring some unused bits, the 64 hardware bits are broken down as follows:

Vol Serial Number of System disk (10 bits)
Network card MAC Address (10 bits)
CDROM ID string (7 bits)
Graphics ID (5 bits -- not used if dockable)
CPU serial number (6 bits)
harddrive ID (7 bits)
SCSI Host Adapter ID (5 bits -- not used if dockable)
IDE controller ID (4 bits -- not used if dockable)
Processor Model String (3 bits)
RAM size (3 bits)
Dockable (1 bit)

The stored bits are not the actual values of the parameters. They are codes generated using the actual value as a starting value

As originally proposed, WPA would have checked all 10 (excluding "dockable") values on every boot for non-dockable PCs and seven of ten for dockable PCs. It would have required reauthorization if more than three have changed. After many of the details of the scheme were reverse engineered and published by one company, and a second company published a scheme for defeating most of the hardware checks, Microsoft loosened the WPA scheme to allow first 4, then perhaps as many as 6 hardware changes and for time limiting the changes such that an unlimited number of changes are permitted provided that an excessive number are not made in any 60 (?) day period. It is not entirely clear what WPA configuration was shipped with Windows XP.

Details of TecCenter's scheme for circumventing WPA can be found at:

https://www.tecchannel.de/pc_mobile/windows/401701/windows_product_activation_compromised/index.html

As of November 2001 shortly after the XP release it is reported that hacks for WPA are widely available, and that Microsoft has somehow sold numerous legitimate copies of Windows XP whose WPAs are being rejected by Microsoft's confirmation mechanism.