Some Research into Windows Product Keys

The content below is taken from the original (Some Research into Windows Product Keys), to continue reading please visit the site. Remember to respect the Author & Copyright.

To most of us, Windows product keys are just an intransparent sequence of characters and numbers.

If you have never seen a product key before, they look like this example, which is a KMS client key for Windows 10 Enterprise 2016 LTSB N[1], now:

QFFDN-GRT3P-VKWWX-X7T3R-8B639 

However, we'll be looking at their history to better understand what is going on.

Please note that this post is incomplete and I am not an authority on product keys. If you know more than I do, please feel free to contribute and I'll update the post accordingly.

MS-DOS, Windows 1, 2, 3, NT 3

There may be serial numbers somewhere on the packaging for MS-DOS, Windows 1, Windows 2, Windows 3.0 through Windows For Workgroups 3.11 and Windows NT 3.1 through 3.51, but I have never seen them.

Most of these operating systems don't prompt for a serial number during installation. Others do, but the entered value is not validated in any way.

Windows 95, NT 4.0

Starting with Windows 95 and NT 4.0, product keys ("CD keys") started to be used and validated during installation. There are two kinds of keys:

  1. OEM (original equiment manufacturer, e.g. Dell) keys
  2. retail keys

This same system appears to have been used by other products from the same era, such as Microsoft SQL Server 7.0.

Both kinds of keys are actually validated during the installation procedure.

OEM Keys

OEM keys look like this:

12345-OEM-0012345-12345 

The leading zeroes after -OEM- are always there for some reason. That part must start with at least one zero, though. The second zero might just be a side-effect of monotonically incrementing the serial number, never reaching sufficiently large values.

These are used for preinstalled versions of Windows.

It's unknown what the individual parts stand for, other than the part right after -OEM- referring to the serial number; the first zero is not part of the serial number.

The validation of the serial number is the same for OEM and retail. It is absolutely trivial.

Retail Keys

Retail keys look like this:

123-4567890 

The retail key is visibly separated into two parts:

  1. site identifier (site ID)
  2. serial number

The site identifier appears to refer to the site where the respective product was manufactured. The serial number is exactly that: a serial number.

Windows 98, 2000

Starting with Windows 98 and Windows 2000, today's format of product keys has been introduced, which means 25 characters.

The keys are encoded in base 24 using this alphabet:

BCDFGHJKMPQRTVWXY2346789 

They look similar to the example I gave initially, but missing N from the encoding alphabet.

A DLL called pidgen.dll is used to validate the keys and generate installation IDs. It varies between different editions of the operating system and between OEM and retail.

Windows XP

Windows XP follows the same encoding as Windows 98 and 2000.

According to a paper by Fully Licensed GmbH[2], the base 24 encoding stayed the same.

The decoded product key (i.e., the raw binary of the key, converted from base 24) contains two parts:

  1. a composite number
  2. a digital signature over the composite number

From the paper's example, the product key FFFFF-GGGGG-HHHHH-JJJJJ-KKKKK gets decoded (after some rearrangement and a bit shift) to a composite number of 583728439.

The paper also states that an installation ID for that product key would look something like this:

55034-583-7284392-00123 

This looks very reminiscent of the Windows 95 OEM key format, except "OEM" was replaced with "583". It thus appears reasonable to assume that the format of the site ID was kept and the composite number indeed is the same as the CD key for retail in 95 and NT 4.0.

Therefore, the decoded product composite number contains:

  1. site identifier (site ID)
  2. serial number

At some point, the site IDs became called "channel IDs" instead[3].

Looking at a few keys available to me for XP, it appears that the validation of the serial number itself works still the same as in 95 and NT 4.0, too.

This highly suggests that Windows 98, 2000 and XP all share the same product key validation algorithm. Windows XP also includes a file called pidgen.dll.

The signature over the composite number appears to be a Schnorr signature[4] over a truncated SHA-1 hash of the composite number.

Windows Vista and 7

Windows Vista introduced a new handler for product IDs called pidgenx.dll. Instead of shipping a different pidgen.dll for each operating system distribution, a file called pkeyconfig.xrm-ms is used to determine what edition a product key belongs to and its SKU (stock keeping unit).

The concept of digital signatures has been kept, but each group of product keys can potentially have a different signing key to sign the composite number.

The validation of the serial number component is still unchanged from Windows 95 and Windows NT 4.0.

Either Windows 7 or Windows Vista started using bcrypt as hash function for the digital signature.

It is unknown whether Schnorr signatures continued to be used since Vista or if a different algorithm was picked for signing.

Windows 8, 8.1 and 10

Going by the characters in the KMS client keys[1], Windows 8 and beyond changed the product key alphabet. It now appears to be base 25 with the following alphabet (the newcomer being N):

BCDFGHJKMNPQRTVWXY2346789 

The pkeyconfig.xrm-ms system has been kept from Vista.

The validation of the serial number component appears to have changed for the first time since Windows 95 and Windows NT 4.0. It is unknown whether the validation was dropped entirely or the algorithm changed.

It is unknown if the bcrypt hash has seen continued use or if a different function has taken its place. The same uncertainty about Schnorr signature as for Vista and 7 applies here.

Starting with Windows 8, the format of installation IDs has changed, but the core system of a site ID and serial number has not changed.

Questions

If you have any questions, feel free to ask, though I may not be able to answer them as my own knowledge is very shoddy and I have hit a wall on my research.

References

[1] http://bit.ly/2rx3XxK

[2] http://bit.ly/2s2i2qB

[3] http://bit.ly/2rx51C3

[4] http://bit.ly/2s2bcRP