Home > Articles > Home & Office Computing > Microsoft Windows Desktop

This chapter is from the book

Product Activation, or Microsoft Product Activation (MPA) as it has become known, was not exactly a welcome addition in Windows XP. It was, however, not introduced in Windows XP, as it existed in late versions of Office 2000, all versions of Office XP, and Visio 2002. MPA works to stop casual copying of software by tying the hardware profile of a computer to software installation.

In the next sections, we are going to take a in-depth look at Product Activation, including the different activation scenarios that exist, how Product Activation works including what information it transmits to Microsoft, and how Product Activation will affect you.

When dealing with Product Activation, there are three scenarios that can occur. Without exception, you should fall into one of these three scenarios:

  • Retail box purchases

  • OEM installations

  • Volume licensing

Retail Box Purchases

Retail box purchases of Windows XP Professional present the most complex and confusing situation when it comes to dealing with Product Activation. Product Activation depends on submission of the Installation ID to Microsoft. The Installation ID is a unique number generated from two different pieces of information about a computer: the Product ID number and a hardware hash. The Installation ID has been designed to ensure anonymity in that no personally identifying information is ever transmitted to Microsoft. Instead, the Installation ID serves to deter and prevent software piracy by preventing installations of Windows XP Professional that violate its license.

The Product ID uniquely identifies one and only one copy of Windows XP Professional, and is created from the Product Key used during the installation of Windows XP. Each retail copy of Windows XP Professional has a unique Product Key, and thus every Product ID generated from a valid Product Key is also unique. Additionally, as in the past, the Product ID is used by Microsoft for support calls. You can view your Product ID (see Figure 3.28) by looking at the General tab of the System applet in the Control Panel (alternatively, you can access this applet by right-clicking on My Computer and selecting Properties from the context menu).

Figure 3.28Figure 3.28 Viewing the Product ID.

Product Keys and Product IDs

The practice of using Product Keys and Product IDs is not new to Windows XP. Microsoft, like many other software vendors, has been using Product Keys for many years to license software. Likewise, the practice of using a Product ID to validate an installed product has been around for a while as well.

The hardware hash is an eight-byte value that is created by taking information from 10 different components inside the computer and running this information through a mathematical calculation. The hash process is one-way and thus this information cannot be reverse-engineered to yield any specific details about the computer from which it was obtained. The hardware hash also only uses a portion of each individual component hash value, thus further increasing user anonymity and preventing Microsoft from collecting any personally identifying information during the process of implementing Product Activation. Hardware hashes will be discussed at greater length in the "How Product Activation Works" section later in this chapter.

OEM Installations

A large majority of users acquire Windows XP Professional in the process of purchasing a new computer. For these customers, since Windows XP Professional is pre-loaded onto the new computer already, no activation will be required by the consumer. OEMs can pre- activate Windows XP Professional as part of the setup and configuration process before the new computer ever leaves the manufacturer. The overwhelming majority of new computers that feature Windows XP Professional will be pre-activated by the OEM before shipping. The chief difference between how OEMs license Windows XP Professional comes in how they choose to implement Product Activation.

System Locked Pre-installation

Many OEM computers come with a system restore CD-ROM that allows the user to perform a complete reinstallation or repair of the installed software components, including the operating system. In this way a specific CD-ROM can be tied to a specific system BIOS, thus preventing the CD from being used to install Windows on any other computer. Although OEM CD BIOS locking is not new, it has been expanded and now features integrated Product Activation. This method of protecting the software product is called System Locked Pre-installation, or SLP.

When SLP is implemented, the information stored in the BIOS is what protects against casual piracy such as installing the product on another computer. No communication is required with the Microsoft activation center, and thus the hardware hash value is required to be calculated. This form of Product Activation relies entirely on the BIOS information matching the SLP information at boot time. Since no hardware hash is calculated, you could thus change out every piece of hardware in the OEM computer without the need for reactivation of Windows XP Professional. In cases where the motherboard must be replaced, this could also be done without reactivation as long as the replacement motherboard was from the same OEM and contained the proper BIOS. Should a different motherboard be installed in the OEM computer that has non-matching BIOS information, the Windows XP Professional installation would then require reactivation within 30 days via the Internet or telephone call.

Using Standard Product Activation

If desired, an OEM can also activate a Windows XP Professional installation in the same way that retail purchase versions are activated. OEM computer installations activated using the standard Product Activation methods have all of the same restrictions that retail purchase versions of Windows XP Professional do.

No OEM Product Activation

Some OEMs may choose to not activate Windows XP Professional at all. New OEM computers that are purchased which fall under this category will require Product Activation by the consumer using the standard Product Activation methods, either via the Internet or by telephone call to Microsoft.

Volume Licensing

The simplest of all scenarios occurs when dealing with Windows XP Professional licenses acquired through one of the Microsoft volume licensing agreements, such as Microsoft Open License, Enterprise Agreement, or Select License. Such installations will not require activation.

Windows XP Professional installations that are performed using volume licensing media and volume licensing keys (VLK) have no Product Activation, hardware checking, or limitations on product installation or disk imaging.

Licensing Lingo

For more information on Microsoft volume licensing and the various programs, see the article "Microsoft Licensing Madness" located at http://infocenter.cramsession.com/techlibrary/gethtml.asp?ID=1409 and also the Microsoft Licensing home page located at http://microsoft.com/licensing/.

How Product Activation Works

As mentioned previously, the hardware hash and the Product ID are the two parts that make up the Installation ID. The Product ID is directly tied to the Product Key that is supplied with the Windows XP Professional retail product. OEMs will usually supply the Product Key with media they ship with new computers. Of the Product ID and the hardware hash, only the hardware hash truly identifies a particular computer—enough so for Product Activation's purposes anyhow. Thus, the hardware hash is of some concern to us, as it ultimately controls how Product Activation functions and whether or not activation is required on an installation.

Table 3.1 lists the hardware components that are utilized in calculating the hardware hash and the length of the data (in bits) that makes up the hardware hash. The hardware hash value is comprised of two 32-bit double words, for a total of 64 bits (or eight bytes) worth of data.

Table 3.1 Hardware Hash Components

Component

Length of Hash Value (in Bits)

Volume serial number

10

Network adapter MAC address

10

CD-ROM/DVD-ROM/CD-RW identifier

7

Graphics display adapter

5

Amount of installed RAM (various ranges)

3

CPU type

3

CPU serial number

6

Hard drive serial number

7

SCSI controller serial number

5

IDE controller serial number

4

Docking capability

1

Hardware hash version (version of algorithm used)

3


The first four components make up the first double word value, with the rest of the list making up the second double word value. With the exception of amount of installed RAM and the hardware hash version, all other values are calculated using selected bits of an MD5 hash.

The value for a docking-capable computer also includes PCMCIA cards, as using either a docking station or PCMCIA cards can lead to hardware appearing and disappearing. This can lead to the appearance of devices being changed when they are simply not present at that time—such as when a portable computer is undocked.

The possible values for the installed RAM value are listed in Table 3.2. As of the time of writing, the hardware hash value is always set to a value of 001 decimal, which is a hex value of 0x01. If a component is not installed, such as a SCSI host adapter, then the value returned in the hardware hash will be a zero value.

Hex, Huh?

Hexadecimal, or more commonly Hex, uses the numbers 0–9 and the letters A–F to form a base-16 numbering system. The 0x in front of a Hex value simply notates it as a Hexadecimal value.

For a great primer on Hexadecimal numbering, see the Intuitor Hexadecimal Headquarters located at http://www.intuitor.com/hex/.

Table 3.2 RAM Amounts and Corresponding Hash Values

Amount of RAM Installed

Value

Less than 32MB

1

32MB–63MB

2

64MB–127MB

3

128MB–255MB

4

256MB–511MB

5

512MB–1023MB

6

More than 1023MB

7


As an example, the processor serial number is 96 bits in length. When Product Activation performs the hash calculation on that 96-bit value, it returns a 128-bit long value. Of these 128 bits in the hash value, only six bits of data is actually used in the hardware hash value that forms part of the Installation ID.

Six bits provides 64 different combinations (2^6), thus for the millions of computers in existence, only 64 possible processor hash values are possible. As only a fraction of the original data is used in the Product Activation calculation, the data cannot be reverse engineered, as previously mentioned. The processor serial number can never be determined from these six bits of data; the same holds true for all of the other components that Product Activation performs hashes on. In this way, the hardware hash has purposely been designed by Microsoft to ensure the user's privacy is respected at all times.

Perfect Privacy?

Although Microsoft has gone to great lengths to ensure that your private information stays private at all times, no process is perfect, and Product Activation is no exception. For more alternative views on the security of Product Activation, see the Fully Licensed FAQ on Product Activation at http://www.licenturion.com/xp/fully-licensed-faq.txt.

During the installation of Windows XP Professional, the hardware hash is calculated. This eight bytes of data, when combined with the Product ID (nine bytes) makes up the Installation ID. When Product Activation is conducted via the Internet, this seventeen bytes of data is sent to the Microsoft activation servers in binary format, along with header information, over a secure sockets (SSL) connection.

The activation process requires three steps when completed over the Internet:

  1. A handshake request, which establishes the connection between the Windows XP Professional computer and the Microsoft activation servers.

  2. A license request, in which the Windows XP Professional computer asks for a PKCS10 digital certificate from the Microsoft activation servers.

  3. An acknowledgement request, in which the Microsoft activation servers transmit a signed digital certificate activating the installation.

If the Internet activation succeeds then Product Activation is complete and will not again become an issue unless you exceed the maximum number of allowed changes, as detailed in the "Number of Changeable Items" section.

Should Internet activation not be feasible or desirable, telephone activation is possible as outlined in the following process.

  1. Locate the appropriate telephone number by selecting the country from which you are calling.

  2. Provide the 50 decimal digit Installation ID to the Microsoft representative.

  3. Enter in the corresponding 42 decimal digit Confirmation ID as supplied by the Microsoft representative.

NOTE

For more information on Product Activation, including how the hardware hash values are calculated for each hardware component, see the Fully Licensed Web site at http://www.licenturion.com/xp/.

Number of Changeable Items

Once Windows XP Professional has been activated, the hardware hash will be rechecked at every user logon event. This serves to reduce another prevalent form of software piracy—that of disk cloning. Disk cloning is an asset to administrators looking to quickly deploy multiple copies of Windows XP Professional, but is illegal without having the required Product Keys. In most legal cases, disk cloning is done using a volume license copy of Windows XP Professional using a Volume License Key, which does not require Product Activation in the first place.

When Windows XP Professional performs its hardware check, it is looking for changes in the hardware configuration of the computer. If a substantially different configuration is detected then reactivation is required. The actual number of components that will result in a reactivation scenario is discussed shortly. The hardware check at login is done after the SLP BIOS check should the SLP BIOS check fail. As long as an OEM computer is using a genuine replacement motherboard from the OEM containing the correct BIOS data, all other components in an OEM computer activated using the SLP BIOS method can be changed out without requiring reactivation of Windows XP Professional.

The number of hardware items that it takes to achieve "substantially different" (in Microsoft speak) is dependent upon two things: whether or not the computer has a network adapter at the time of Windows XP activation, and whether or not the computer is dockable (this also includes the presence of PCMCIA slots), as outlined in Table 3.3.

Table 3.3 Number of Changed Components to Require Reactivation

Network Adapter Status

Docking Capability

Number of Changed Components to Require Reactivation

None installed at the time of Windows XP activation

No

4 or more

Installed at the time of Windows XP activation and subsequently changed

No

4 or more

Installed at the time of Windows XP activation and not changed

No

6 or more

None installed at the time of Windows XP activation

Yes

7 or more

Installed at the time of Windows XP activation and subsequently changed

Yes

7 or more

Installed at the time of Windows XP activation and not changed

Yes

9 or more


To help explain Table 3.3, a couple scenarios might be helpful.

  1. A computer has a network adapter installed at the time of Windows XP Professional activation. You later change the motherboard, CPU, video adapter, and CD-ROM drive. Additionally, you add more memory and a second hard drive.

  2. Reactivation is not required in this instance because only five components have been changed: motherboard, CPU, video adapter, CD-ROM and RAM (amount). The addition of a second hard drive is not of significance to Product Activation. If you were to change six or more hardware components, reactivation would be required.

  3. A computer has no network adapter installed at the time of Windows XP Professional activation. You later change the motherboard, CPU, video adapter, and CD-ROM drive. Additionally, you add more memory and a second hard drive.

  4. Reactivation is required in this instance because five components have been changed: motherboard, CPU, video adapter, CD-ROM, and RAM (amount). When you change four or more hardware components, reactivation is required.

If a single device is changed repeatedly, such as a video adapter that is changed from the original one to new adapter A then later to new adapter B, this is evaluated only as one change. Either the current hardware is the same as when activation was completed or it's not. Windows XP doesn't care how many changes have been made in the interim. Adding components after activation that were not present at the time of activation also has no impact on the hardware hash and is ignored by Windows XP Professional during its check to determine whether reactivation is necessary. Microsoft has also built in two additional loopholes into Product Activation for power users who frequently reinstall Windows XP Professional or who frequently change the hardware configuration of their computers. Windows XP Professional can be reinstalled and subsequently reactivated on the same computer an infinite number of times. In cases where the hardware configuration has changed enough to require reactivation, Microsoft allows a maximum of four reactivations per year on "substantially different" hardware—this should be enough to keep most power users happy as they continually tweak their systems. Both of these reactivation events can occur over the Internet instead of requiring a phone call.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020