Windows Activation Technologies: an unauthorized inside look

Windows Activation Technologies: an unauthorized inside look

Summary: Last month, Microsoft rolled out a controversial anti-piracy update for Windows 7. Everything you've read about KB971033 so far, including my report last week, has been based on what Microsoft said it was going to do. But what does this update really do? I took a close look using my best CSI toolkit. Here are the details Microsoft doesn't tell you about.


Trust, but verify. That was good advice for dealing with the Soviet Union in its heyday, and it's equally sound policy today when dealing with that other Evil Empire. You know, the one in Redmond?

Last month, Microsoft rolled out an update to its Windows Activation Technologies (WAT) platform in Windows 7. Everything you've read about KB971033 so far, including my report last week, has been based on what Microsoft said it was going to do; in my earlier coverage, I gathered information from blog posts, published privacy policies, a Knowledge Base article, and some one-on-one interviews. But can you really believe everything Microsoft tells you about its new Windows Activation Technologies update?

Now that the update has been publicly available for a few weeks, I've been able to dig into it and determine exactly what it does. You don't have to take my word for it, either. You can download the same tools I used and check for yourself. (And don't miss my post from yesterday, Confessions of a Windows 7 pirate, which takes a similarly detailed look at the pirates' toolkit for cracking Windows activation.)

I tested on multiple PCs, running both x86 and x64 editions of Windows 7. To observe its activity, I collected traces using two tools:

  • Process Monitor is the flagship utility from, originally developed by Mark Russinovich and Bryce Cogswell. (The company was purchased in 2006 by Microsoft. The Sysinternals utilities are currently hosted on Microsoft-run servers but are still maintained and regularly updated by Russinovich and Cogswell, both of whom are now Microsoft employees. )  I used the most recent release of Process Monitor, v2.8, to save a trace of all file, registry, and process activity associated with the installation and operation of the WAT Update.
  • Wireshark is a free, open-source network protocol analyzer. I used version 1.2.6 with WinPcap version 4.1.1 to capture all network traffic while the WAT Update was running.

I installed the KB971033 update on multiple systems using both the downloaded version and the one delivered through Windows Update. I also uninstalled the update and observed what happened.

From a technical standpoint, I was able to confirm that the WAT update does what Microsoft says it does. I was not able to read the contents of the signed, encrypted packets going across the wire, but I did locate the stored information in the registry and compared it to Microsoft's published privacy policy.

You can see the full results of my tests on the next three pages. As I said, you don't have to take my word for it. I encourage you to do this for yourself so you can make your own decision based on your own evidence. If you see something different, let me know in the Talkbacks.

Page 2: What files does it install? What else does it do to your system? I was able to observe exactly which files it installed, and I also recorded changes it made to the registry and in Task Scheduler.

Page 3: What does the Windows Activation tool do when it runs? How does it communicate with Microsoft? I used details from the Process Monitor trace to identify which system licensing files are being checked, and I also confirmed that all communications with Microsoft servers were over secure connections.

Page 4: What information does it exchange? What happens when you uninstall it? I examined the privacy policy for the information exchange (and also verified a crucial certification for it). I also confirmed Microsoft's claim that the update can be uninstalled.

For details about what the installer does to your system, see the next page.

Page 2: What 's changed on your system? -->

<-- Previous page

What files does it install?

The KB970133 update creates a new folder called WAT under the Windows\System32 folder. It saves four files in this location.

The four files are all labeled with version 7.1.7600.16395:

  • WatAdminSvc.exe - Windows Activation Technologies Service
  • npWatWeb.dll - Windows Activation Technologies Plugin for Mozilla
  • WatWeb.dll - Windows Activation Technologies ActiveX Control
  • WatUX.exe - Windows Activation Technologies UX

The installer also adds a digitally signed catalog file to the system and makes some log entries to record its activities.

What else does it do to your system?

On the systems I tested, the KB971033 update adds a new Windows Activation Technologies key and several subkeys to the registry. It uses this location to store result codes and two hashed identifiers, MachineID and GGUID.

The installer also creates a new Windows Activation Technologies folder in Task Scheduler and adds two new entries to it. The first task is configured to run at the next restart and then to reset the task trigger so that it runs again 90 days later. The second task is configured to run a week after the first one. When the first task ran successfully on my test systems, the Next Run Time was set to a date 90 days in the future for the first task, and one week after that new date for the second task. (According to Microsoft, the purpose of the second task is to allow the update to run weekly after it detects and repairs a system whose activation files have been tampered with.)

Although the Windows Activation Technologies Service is installed and configured to run using the Local System account, its startup type is set to Manual. In my tests, it ran only when specifically called upon and exited when it had completed its work.

So what does the Windows Activation tool do when it runs?

Page 3: A close-up look at the WAT tool in action -->

<-- Previous page

What does the Windows Activation Tool do when it runs?

According to Microsoft, the WAT utility (which runs as a service using the Local System account) first checks the integrity of licensing files to ensure that they haven't been tampered with. In my Process Monitor trace, I saw what appeared to be multiple operations where the tool checked the properties of certain files against their signatures in the Windows digital signature catalog folders (catroot and catroot2).

In my testing, the following file names appear on this list of files, along with multi-language user interface files associated with each. The SL prefix indicates code that is part of the Software Licensing subsystem; SPP indicates the Software Protection Platform.

  • sppobjs.dll
  • sppc.dll
  • sppcext.dll
  • sppwinob.dll
  • slc.dll
  • slcext.dll
  • sppuinotify.dll
  • slui.exe
  • sppcomapi.dll
  • sppcommdlg.dll
  • sppsvc.exe
  • spsys.sys
  • spldr.sys

If any of these files are missing or tampered with, the system attempts to repair them. I did not see this repair behavior in operation on systems that were properly activated. When I forced the WAT Update to run on a system whose activation files had been tampered with using the latest RemoveWAT (v2.2.5), the utility was able to detect the tampering and flagged the system as non-Genuine. When I followed the online instructions and downloaded the components to try to repair the licensing subsystem, the download and installation appeared successful, but the activation components did not work. I had to use the Restore WAT button from the RemoveWAT tool to fix things properly.

Finally, the tool contacts a secure web site and runs a web service, where it downloads a list of signatures to identify known activation exploits. I was able to observe in the Process Monitor trace that the web service created a file in a secure Temp folder (presumably the template file containing exploit signatures) and then checked for the existence of a number of specific files. I saw checks that appeared to be aimed at specific activation exploits I've seen in my research, including those that create modified boot loaders and those that remove the WAT files. 

How does the WAT update communicate with Microsoft?

Microsoft says its Web service runs over Secure HTTP. In my case, the web service made secure (HTTPS) connections with and with a web service (sl_wga.asmx) at According to Microsoft, these connections download the latest template files containing signatures for known activation exploits and upload anonymized information used for aggregate reporting and analysis.

In my case, the entire transaction was completed in just under 13 seconds.

How often does it run?

According to the initial settings of the main Scheduled Task created during installation of KB971033, it is set to run at the next startup. After it runs successfully, it sets its Next Run Time to 90 days later.

Interestingly, I was able to adjust the settings of this utility so that it was set to run every 365 days, with the next run time set for one full year away. When I tried to set it for higher values (999 days and 730 days, or two years), the Task Scheduler refused to save my settings and gave me an error message instead.

Page 4: Privacy risks and uninstall details -->

<-- Previous page

What information does it exchange?

Because the connections are secure and therefore encrypted, it's impossible to see exactly what was in the packets that were exchanged. But it appears reasonable to assume that the uploaded information includes what is stored in the Windows Activation Technologies\AdminObject\Store key in the registry.

According to Microsoft's privacy policy, no personally identifiable information is exchanged and the IP address of the uploading machine is not associated with the validation upload and is discarded within 24 hours after validation completes. Microsoft's privacy policy, which was last updated in February 2010, specifically lists the following items of information that are collected as part of the validation activity and may be included in the ID hashes shown in the screenshot above:

  • Computer make and model
  • Version information for the operating system and software
  • Region and language settings
  • A unique number assigned to your computer by the tools (Globally Unique Identifier or GUID)
  • Product Key (hashed) and Product ID
  • BIOS name, revision number, and revision date
  • Hard drive volume serial number (hashed)
  • Whether the installation was successful if one was performed
  • The result of the validation check, including error codes and information about any activation exploits and any related malicious or unauthorized software found or disabled

If the validation check identifies an activation exploit, the following additional information is collected and will be transmitted to Microsoft's servers

  • The activation exploit’s identifier
  • The activation exploit's current state, such as cleaned or quarantined
  • Original equipment manufacturer identification
  • The activation exploit’s file name and hash of the file, as well as a hash of related software components that may indicate the presence of an activation exploit
  • The name and a hash of the contents of the computer's start-up instructions file (commonly called the boot file) to help [Microsoft] discover activation exploits that modify this file.

The Windows Vista Software Protection Platform received the European Privacy Seal from EuroPriSe in November 2008. EuroPriSe is an independent consortium funded by the European Commission in 2007 and  now led by the Independent Centre for Privacy Protection Schleswig-Holstein (Unabhängiges Landeszentrum für Datenschutz, ULD). A Microsoft spokesperson tells me a similar privacy certification process for the Windows 7 Activation Technologies began last summer and should be complete "within the next few weeks."

Update: Thanks to a commenter for providing this interesting recent overview of the EuroPriSe certification.

What happens when you uninstall the WAT Update?

When I uninstalled the update from the View Installed Updates portion of Control Panel, I observed its operation carefully. The uninstaller removed the WAT subfolder and its files from the Windows\System32 folder, thereby removing the Windows Activation Technologies Service. It completely removed the Windows Activation Technologies key and all its subkeys in the registry. It removed the two newly added scheduled tasks, but left behind a now-empty Windows Activation Technologies subfolder in the Task Scheduler library.

Topics: Windows, CXO, Microsoft, Operating Systems, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • What's your experience?

    As I said in this post, all of the results I collected here were done independently, using tools you can download.

    If you have performed similar tests, or if you have other experiences to report involving the latest activation technologies from Microsoft, please share them here.
    Ed Bott
    • RE OEM SLIC activation

      Did you test it against the BIOS SLIC mods that are out there to see if it detects those?
      • Yes, I tested, and no it does not (nt)

        Ed Bott
    • Screenshot...

      I tried around October 2009 to run the same tests with similar results with the exception of an old Dell that did not have SLIC2 and (at the time) no bios emulator was working. I have not tested this again.

      Just a small note off subject... Ed, the screenshot on page 2 of this article has a ragged torn-paper appearance. What application did you use to make it?
      • SnagIt, from TechSmith

        It's one of many effects they offer, really great program.
        Ed Bott
        • Now with a beta for Mac

          I've used SnagIt on Windows and it is excellent. I see they now have a
          SnagIt beta for Mac. Sweet. I think I'll give it a test run because I'd love
          this app on the Mac.

          You've written another well researched and detailed article, Ed. Good
    • Mystery keys what's up?

      I run Validation checks on the"cheap" keys and the product ID keeps changing.. whats with that?
      One of the values looks suspicious just like a computers address.
    • Well, I don't see the point

      First, hackers and pirates and such can work around anything MS does. But, in the realm of fairness, I can sympathize with a company wanting to protect their investment. However, I believe all this WGA stuff is crap.

      Ok, fine, activate windows, determine if it's legit. But, why does it need to continue checking? And, why should ANYTHING but "pass" or "fail" be sent back?

      I think it's a bunch of hogwash to say nothing personally identifiable is being sent. They know the exact configuration of my system. If that is not a fingerprint, what the hell is? Sure, it may take detective work, but, seriously. How hard can that be? But, my main concern is more over the stupidity of repeated verifications. Does my legit version suddenly become illegitimate after 90 days? Can it somehow magically become a pirated version? This all reminds me of when Gore tried desperately to make every vote go his way. There were people using magnifying glasses to try to see the slightest dimple to call it a vote for Gore. They recounted and recounted to alter the vote count. Gimme a break. Its the same thing here. And it's wrong, and should be not allowed. Once it's verified as legal, Microsoft should go hide in their closet and leave us alone. And, if something did get by, imo, that's just too bad.

      And that's why I will most likely go Mac next time. (Not that they don't or wont do something similar, so keep it quiet fanboys. This isn't a flame war message. It's an aggrevated with the whole WGA message).
      • Did you even read this post?

        If you had, you would see the answers to your questions.

        Why continue checking? Because hackers are continually creating new ways to bypass the legitimate activation systems. They did that with the RemoveWAT tool immediately after this update came out. Presumably the "fixed" hack will be detected in 90 days.

        Why collect other information? So that the activation proecss can be improved and made more accurate. Without collecting that information, the only way Microsoft knows there's a problem is when their support lines start to get overloaded with angry customers.
        Ed Bott
        • I did, but, I don't think we see things the same

          My biggest gripe is MS did the WGA thing on a continual basis; updating the software every month or so. It was not accurate, and it was a PITA.

          This "New and improved" version may or may not be better. Again, I get that MS wants to protect it's investment. But, once my software has been installed, and verified, that is it. They need to go away. My version does not suddenly become a pirated copy. So, they need to just go away.

          I also get it that some people are great pirates. That's not my problem. It seems to me, MS wants to find every way possible to make my copy illegitimate. If I buy a pair of jeans, does that company get to install chips to make sure it's still legit? Then neither should MS. (Ok, it is different scenario, but, the point is, other industries get faked and stolen too; but, they don't get to keep asking for receipts and proof of purchase. And, that's my point.)

          I'm cool with them verifying upon install, and every install. But, they need to leave me alone after that. That's all I'm saying.

          And as far as privacy goes; yeah, I'm a privacy advocate; somewhat paranoid, but, I'm not worried "Ohh, someone at MS is watching everything I do". I'd hope they have better things to do than watch what I'm doing. But, nevertheless, people do banking and other things, some not so innocent, and well, with them being able to identify everything, perhaps not so personally identifiable on the spot, with some detective work, yeah, things can be pieced together, if someone wanted to.

          But, hey, I love your articles, btw
          • They should check on every install...

            Which would mean every time MS comes out with a software update that an end-user installs, then MS would be justified in checking to see if the system was authorized to be updated.
            Sal McCarty
          • Here's what you're missing

            And it's not just a semantic issue. Let me turn around what you said:

            Once my pirated software has been installed, if Microsoft doesn't detect it, that's their tough luck. They need to go away. If my pirated copy can pass detection once, I get a free pass forever.

            That's the flip side of your argument. Where we agree is that their detection has to be as close to 100% accurate as is humanly possible, conflicts have to be resolved in the favor of the customer, and support has to be readily accessible.
            Ed Bott
          • Exactly backwards!

            This is how it SHOULD go.

            If Microsoft can't verify a system the first time, they shouldn't even be trying. Let alone making repeated attempts. Their customer's hardware does not belong to Microsoft, even if their software does.

            Hasten the day that SOME entity of substance challenge their EULAs in court. A court that doesn't belong to Microsoft.
            Ole Man
      • The future of software licensing...

        Is the annual/monthly validation checks for authenticity when the OS licensing model moves onto the same licensing format that the AV/Security Suites are on. M$ is ramping up and working bugs out for the future.
        • Yeah, but as I recall

          MS' activation process led to the AV software vendors doing this. Prior to, they did not. Which was bad for them.

          I do understand why an AV vendor would have subscription based services, however. MS, not at all. And then, there is a company, IOLO, I think, that does Drive Scrubber; it is an annual subscription? WHY? Who needs to scrub a drive annually (Well, besides me, lol)?

          As far as Windows goes, I just don't see the point to continual verification. They get away with it, because we accept it.
        • Just think, in the future everything requires activation and validation....

          once a month or twice a month. You have 10,000 programs on your computer. When are you supposed to get any work done between the validations? At the current rate that answer would be never your computer is a worthless hunk of metal at that point.
      • Re: Did you even read this post?

        Re: "Why continue checking? Because hackers are continually creating new ways to bypass the legitimate activation systems."

        Therein lies the fly in the ointment. The thieves always have the initiative. Microsoft's strategy is reacting to what the thieves do.

        To the thieves, Microsoft's efforts are an entertaining diversion. The people most inconvenienced are honest users caught in Microsoft's crossfire when Microsoft gets it wrong - which Microsoft has a very good history of doing.
      • RE: Windows Activation Technologies: an unauthorized inside look

        Activating a license and monitoring compliance are legitimate business requirements (in the trust but verify theme).

        The technical problem is with mass deployments (ie enterprise site licenses), recovery (ie motherboard just died), and virtualization (a whole new twist). In each of these scenarios, as a legitimate - paid in full - licensee, I have a need and a right to move os images/licenses from one computer to another.

        The problem is, legitimately copying an os image is indistinguishable from pirating an os image. With WAT/WGA Microsoft is taking the soft approach... Apple in contrast has taken the hardball approach (ie you may only run Apple OS on Apple hardware or else we sue you into oblivion).

        There are other license authorization and verification methods which are more cumbersome to use, but eliminate the entire problem of tracking bits & bytes.
        • Copyright verification

          A few years ago, Ubisoft came out with a new version of their Heritage of Kings game. It was impossible to play without an internet connection, and could not be played with an iffy internet connection because of requirements that it log on and verify that it was an authentic copy with a server at Ubisoft during play. The Ubisoft server was not reliable. I read the reviews and never bought a copy. I read the reviews and never bought the game. At a certain point, copyright protection becomes so cumbersome that it forces people to stop using the software involved. It is an easy choice to make with a video game, a more difficult one with an OS, but still a choice.

          Music copyright protection is becoming so cumbersome that it is forcing people to buy pirate copies where it is disabled just to be able to listen to their music on different devices.

          Honest people, and most people are fairly honest like to buy legal copies of what they use. It makes them feel good about themselves as people. Dishonest people prefer to buy dishonest copies. It makes them feel good about themselves as 'smarter' than the rubes.

          Dishonest people disable the protection software measures as fast as they are developed. So they do not suffere any inconvenience from them. Honest people find it harder and harder to use honestly acquired software.

          Greedy, paranoid, software and other companies look at every pirated copy as a loss in revenue and believe that if they stop piracy all those people will buy their software. This is not true. All the honest people are already paying an honest price for their software. The dishonest people will never pay an honest price for their software, because they take pride in being dishonest. They will spend three times as much to steal the software as they would have to to buy it honestly, because it makes them feel smart to be stealing it.

          Businesses, of course, do sometimes make these decisions on the basis of which is cheaper, pirated or legal copies. Regular people make the decision based on their self-image. All that copy protection software does is make honest peoples lives miserable and give dishonest people a chance to feel smarter than the programmers when they crack the protection.

          In the long run, copyright protection forces honest people to buy pirated software, because it runs faster and cleaner with the copyright protection disabled, and they can actually use it to do what they need the software to do. It costs the companies a lot of money to write, and costs them customers because of the problems it causes.

          Greedy paranoid companies keep adding this stuff to their products because they are dishonest people, and their self-image is based on being smarter than other people, not on giving an honest value for a dollar. So their pride is offended by the dishonest people who steal their software and these two clubs of lying thieves set on ripping other people off escalate a software war until regular people stop using the products in disgust.

          In the long run, and there are scientific studies to support this, this kind of protective policy is destructive of industry and trade and casues businesses and entire economies to fail.
          Stephen Huff
      • RE: Windows Activation Technologies: an unauthorized inside look

        @LegendsOfBatman My first thoughts here is that you have something to hide? Even without this verification tool, windows still sends data to microsoft whenever it validates for a legit only windows software installation, when data is sent, it is very specific about Windows itself, not about the user!

        If you are worried about being identified in this way, then I suggest you stop using the internet, as your computer leaves a trail of bread crumbs that leads straight to you!