PC buyers face product deactivation

Buyers of new PCs will have to grapple with Microsoft Product Activation--the most controversial feature ever to appear in Windows.
Written by Matthew Broersma, Contributor
LONDON--Users who buy PCs with Microsoft Windows XP could find their machine disabled if they change or upgrade as few as four components.

Details of the Microsoft Product Activation technology, which is meant to be a copy protection measure, are contained in a document designed to debunk fears surrounding the technology. But some industry observers predict that the process could turn into a headache for users, forcing them to rely on either an Internet connection or a relatively complicated telephone transaction.

Microsoft insists the scheme will be unobtrusive. Windows XP doesn't use a hardware add-on like a dongle or a key disk, but instead is tied to a particular machine's configuration, and will stop working if that configuration is "substantially altered." Users can activate in one of two ways: They can connect directly to Microsoft over the Internet, something many are reluctant to do, or they can call a help desk and relay their "Installation ID" in exchange for a 42-digit "confirmation ID."

Businesses, at least, should not have to deal with the process at all: the version of XP sold with volume licences does not include product activation technology.

Most of the controversy to have arisen around MPA since it was first revealed this spring has revolved around the process by which Microsoft gathers information about the user's hardware configuration and the way it monitors alterations. In July a study by a German firm found that the process appears to protect user anonymity and allows for reasonable upgrades, but analysts say that users will have to be convinced.

At the time Microsoft wasn't giving details about how the process works, but recently the company bowed to user demand and revealed some of the technical details behind MPA.

Preinstalled activation:
When users buy a PC with XP preinstalled, they will probably not have to initially activate the operating system. Manufacturers have two ways of activating the software before consumers get their hands on it: they can either activate in the factory, using a process called System Locked Pre-installation (SLP), or can activate in exactly the same way that a retail end-user would.

SLP ties the software to information stored in a manufacturer PC's BIOS (basic input-output system), and therefore doesn't need to examine the PC's hardware. With an SLP-activated system, all hardware can be replaced. However, if the user replaces the motherboard, it has to be manufactured by the same OEM and must use the correct BIOS.

If the BIOS doesn't match, for whatever reason, the user would have to reactivate Windows XP via the usual retail method.

Retail customer activation:
Activating a boxed, retail version of XP involves two numbers: an "Installation ID", which the user submits to Microsoft, and a "Confirmation ID," which is used to activate the software.

If the user activates via telephone, he or she must read out the Installation ID--comprised of a 20-digit product ID and an eight-byte value generated by the hardware configuration--and receive the 42-digit Confirmation ID. If Windows is activated over a modem, the activation code is delivered as a digital certificate.

Microsoft is anxious to assure customers that the hardware identification portion of the Installation ID is completely anonymous and can't be used to determine what hardware the user is running. It is what is called a "hash," a number derived through a mathematical formula based on different, original values.

The mathematical transformation is supposed to be one-way, so that even if you know the formula, you can't work out the original values. In other words, the hardware hash is designed to be able to monitor changes in the hardware configuration, without being able, or needing, to know exactly what the components are. In fact, Microsoft says that two different PCs could conceivably create the same hardware hash.

For example, XP looks at the microprocessor serial number, a 96-bit number, and hashes it to create a 128-bit number. Six bits from this resulting number are used in XP's hardware hash.

The 10 devices used to create the hardware hash are:

1. Display adapter
2. SCSI adapter
3. IDE adapter
4. Network adapter MAC address
5. RAM amount range
6. Processor type
7. Processor serial number
8. Hard drive
9. Hard drive volume serial number

The hash also indicates the version of the algorithm used and whether the PC is "dockable" or not.

Hardware modifications:
In determining how much hardware can be changed, XP gives special weight to the network adapter.

Specifically, if a PC has a network adapter and the adapter is not changed, five of the other hardware values could be changed before reactivation were required. If the same PC never had a network adapter, or the network adapter were changed, only three other hardware devices could be altered.

Adding new devices doesn't alter the hardware hash, although adding or removing RAM memory would make a difference.

XP treats dockable PCs--for example laptops--more leniently. If a dockable PC has an unchanged network adapter, eight of the other values could be changed before product activation was required. If the network adapter were changed, only six other changes could be made. However, connecting or disconnecting from the dock could make alterations in the hardware hash.

Changing the same device several times counts as one alteration.

Microsoft's Internet clearinghouse system allows users who upgrade their hardware frequently to automatically reactivate the operating system up to four times per year.

Editorial standards