[YPPH]

>was normal for computers to auto-login and have no password

This persisted for longer than it should have on Windows! I remember on Windows XP Home Edition, you could just press Ctrl Alt Delete to drop to the classic winlogon.exe screen and then log in as "Administrator" with no password!

By that time, though, Microsoft had implemented product activation. To my knowledge, no one ever cracked the telephone activation algorithm. That is, there were no tools to get a confirmation ID from an install ID. At the very least, no tools were ever made widely available, and don't seem to be even to this day. I suppose there wasn't a lot of need, since pirates just distributed volume licenced versions that did not require product activation (FCKGW).

[metadat]

Devils0wn Windows XP Final serial key, yeah baby! Seared into my mind forever after entering it so much:

FCKGW-RHQQ2-YXKRT-8TG6W-2B7Q8

I used to reinstall windows anytime anything got weird, which was often because I was always messing with disabling combinations of system services in attempts to reduce OS memory consumption. Wtf is svchost.exe doing? I don't want it! Wireless Zero Config? I don't have Wi-Fi, too flaky and slow (remember, it's 2003). Distributed Link Tracker? Sounds cool, but what distributed links am I tracking? I don't think this is part of Napster or KaZaa.. DCOM Sockets.. <disable>, and so on, until the eventual: Oops, the network is messed up. What was this originally set to? Haha. Oh well, time to refresh and start anew..

Sigh. Those were good times. Eventually I got more memory and gave it all up and devolved all the way to allowing Win10 to indulge in it's wasteful memory ways and report it's telemetry about me or whatever the fuck else creepy shit it wants to do. It also helps that now we tend to have a bit more than 512MB total RAM.

[gvx]

I killed so many instances of svchost.exe back in the day! Never ran into anything bad that a reboot wouldn't fix. I remember figuring out by trial-and-error which instances were safe to kill by looking at their memory usage.

There was something exciting about stripping Windows XP to its bare essentials, and also it seemed necessary at the time, if you wanted to run it smoothly on an ageing laptop that was basically obsolete when it was new. Especially if you wanted to run such RAM and CPU hogs like The Sims 2! (Not to mention the 40 GiB disk space that just filled up so fast with save games and expansion packs.)

I wonder if Windows 10 still lets you use an alternative to explorer.exe for its desktop shell? I used to write my own little launchers and spotlight-esque programs.

[JackGreyhat]

Oh...my...god...

That CD key. I remember that one as well. Good times :) Thanks for bringing up these memories.

[thesh4d0w]

It's famous enough it's in wikipedia - https://en.wikipedia.org/wiki/Volume_licensing#Leaked_keys

[nunez]

RHQQ2. Wow. I was not ready for this throwback.

> Wtf is svchost.exe doing? I don't want it! Wireless Zero Config? I don't have Wi-Fi, too flaky and slow (remember, it's 2003). Distributed Link Tracker? Sounds cool, but what distributed links am I tracking? I don't think this is part of Napster or KaZaa.. DCOM Sockets.. <disable>, and so on, until the eventual: Oops, the network is messed up. What was this originally set to? Haha. Oh well, time to refresh and start anew..

ARE YOU ME?! I did all of that stuff! Friggin' svchost.exe man...

[ornornor]

> FCKGW-RHQQ2-YXKRT-8TG6W-2B7Q8

I still have a burnt disc somewhere with that key written on the jacket so I didn’t have to look it up every time.

Haven’t used the key in 15+ years but when I saw it in your post I knew exactly what it was. Funny how memory works.

[nobleach]

As soon as the parent mentioned memorizing keys, the FCKGW key came to mind!

[porbelm]

Very close to the key I had memorised, but now forgotten; although mine had RQ2D3 in the second part and something else at the last part (I think. But am positive about RQ2D3)

[metadat]

Win98 serial.

https://old.reddit.com/r/windows98/comments/6trdvf/working_w...

[userbinator]

At the very least, no tools were ever made widely available, and don't seem to be even to this day.

That's because discussions around them have been heavily censored by Big Tech in general; but that algorithm has been cracked, purely out of curiosity, in the late 2010s.

[l33t233372]

Where?

[userbinator]

There's some discussions about it on a site which goes by the acronym MDL.

[p1peridine]

https://forums.mydigitallife.net/

[winsid]

The activation process relies on public key cryptography. The private keys, held by Microsoft, are amongst their most well-protected assets. Much more so than their source code, for instance, which is developed with the expectation that it will be leaked in part or in whole.

[LocalH]

Imagine the shitshow that would happen if those keys leaked lmao. They've got to have a ton of them, across all their services.

It'd be cool to be able to build "legitimate" LIVE packages that would be usable on unmodified 360s lol

[userbinator]

For everything up to ~XP era MS software, the private key was cracked years ago. Beginning around Vista they started using a longer key, which AFAIK hasn't been (publicly) cracked yet.

Search for "MSKey README" if you want to read more... but as one interesting datapoint, the computational complexity of finding the private key was 2^31.

[mschuster91]

What stops people from just exchanging the public key that is used for verification?

(Not that it matters in a world where kmspico and dazloader exist, but still)

[metadat]

Given the length of Windows serial keys is not that long, why couldn't one extract the check function and run an iteration attack to generate valid keys?

Edit: @ale42: makes sense, thanks for putting this one to rest. 36^25 is approximately 8 x 10^38 which is a really, really big number.

[ale42]

There are 25 characters, each of which has 36 possible values. So 36^25 possibilities, and log2(36^25) = 129.2. There are basically 129 bits of entropy in there, so good luck bruteforcing it.

This makes me think of a shareware app (I think an icon editor) for Windows 3.1 back in 1994 or so... I could find a valid registration key by entering random numbers by hand in around 2 minutes. And I wasn't lucky as I tried and succeeded several times ;-) But the rule (figured out after I had 10 or so valid keys) was simple maths with the digits, no crypto behind.

[ilyt]

> There are 25 characters, each of which has 36 possible values. So 36^25 possibilities, and log2(36^25) = 129.2. There are basically 129 bits of entropy in there, so good luck bruteforcing it.

Kinda depends what is encrypted there. If it is just "magic number + SKU + licence ID" and there is no online check whether that combination is valid then you're "just" trying to hit one that's valid and that cuts few bits off equation as there is spectrum of keys that will be valid but not generated by Microsoft.

[aaronax]

Not used characters: 015AEILNOSUZ

So less possible combinations.

[scambier]

I get why some chars aren't used, but why the N and U?

[deznu]

Maybe to prevent certain words from being spelt? I have no idea though

[ale42]

Still 114 bits of entropy...

[AlotOfReading]

Not if their cryptography is done properly. Cryptosystems are designed to maintain their security even if the complete algorithm is known to the adversary. You'll commonly see this phrased as "don't rely on security through obscurity".

[staunton]

> don't rely on security through obscurity

Which doesn't mean you shouldn't also use obscurity. NIST recommends it [1], and the industry widely uses it. In practice "don't rely on obscurity" usually means "have enough security besides obscurity to give you a grace period to switch out the obscurity". That's for whole systems, you might get away with people knowing you use standardized primitives like AES.

[1]: https://csrc.nist.gov/news/2021/revised-guidance-for-develop...

[AlotOfReading]

Everything we know about the subject of this discussion (windows product key validation) comes from reverse engineering the relevant DLLs because none of it has been discussed publicly. I think MS is probably of a similar opinion regarding publishing unnecessary details.

[ranger_danger]

> don't rely on security through obscurity

if it's not obscure enough that it will be found, then you are correct.

but what's more secure than a password that you don't know? not knowing there is a password in the first place. if the answer is never found, how can it be insecure? I dub this schrodinger's security.

[wkat4242]

Yeah they're probably in a HSM at the very least.

[recursive]

I wish you still could. I resent being required to create a user account to use my own computer.