PSA: If you're using any KMS hacked activator, take precautions!

Discussion in 'Windows 10' started by fdmillion, Dec 25, 2016.

  1. fdmillion

    fdmillion MDL Novice

    Jul 10, 2013
    8
    7
    0
    This may sound obvious, but it actually happened to my friend. He was running a PyKMS server that was Internet-facing, but on a different port (not 1688). He would manually set the KMS host on his machines to his home IP address and port so he could keep activated.

    Only a week or so ago, he got a C&D letter from someone at Microsoft, forwarded to him by his ISP. It said that Microsoft had "become aware" of a KMS server running on his IP address, including the random port he chose, which "could be used to illegally activate Windows". The letter was quite ominous and actually said he was "required" to contact a specific person at Microsoft, with contact information, to "discuss the situation."

    Naturally, he closed down Internet-facing access to the KMS server and decided instead to investigate VPN solutions for activation. Nobody ever did follow up, so perhaps Microsoft was just having someone available just in case someone actually needed help understanding how and why to secure KMS.

    However, this got me a little nervous so I did some digging, and in fact it's true: Windows 10 systems report the IP address and port of the KMS server they are activating against to Microsoft. It's called "KMS Client AVS Validation". Microsoft calls it part of their "telemetry" services, but obviously they're doing quite a bit more with this data than "using it in a non-personally-identifiable way to improve services."

Obviously, the best solution is not to open your KMS server to the Internet and to use a VPN instead. However, and I make NO GUARANTEES about this, there is another possible way: there's a Group Policy setting under Computer->Policies->Admin Templates->Software Protection Platform->Turn off KMS Client AVS Validation. Setting this to True indicates that the computer "will not report activation state" to Microsoft.

    Interestingly Microsoft is pretty determined to keep this quiet, as I can't find any actual examples online of C&D letters for KMS servers, nor is there any real discussion of the AVS Validation option anywhere. I'm guessing the GP option exists for policy compliance, e.g. if a business or organization is not allowed to send information about its network to any outside entity?

    My assumption is that Microsoft simply "tests" any non-private IP addresses that are being reported as KMS servers, and if they find one is responding affirmatively to the Internet, they go through the appropriate channels to contact the owner. Of course though, even though anyone who's using a KMS hack is probably using either a localhost-based hack or a hacked server on the LAN, Microsoft is likely still aware that it's happening, and they'd have your source IP address from the telemetry report.

    In either case, if you are choosing to use KMS hacks, be very, very cautious. Microsoft may be watching.
     
  2. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    47,256
    94,680
    450
    This doesn't apply on local KMS emulation, does it?

    And only applies to open online kms servers?
     
  3. MrMagic

    MrMagic MDL Guru

    Feb 13, 2012
    6,015
    4,148
    210
I call BS. Microsoft would never request someone running an illegal KMS server to contact them regarding the matter lol
     
  4. Nucleus

    Nucleus MDL Guru

    Aug 4, 2009
    2,868
    2,950
    90
    #4 Nucleus, Dec 25, 2016
    Last edited by a moderator: Apr 20, 2017
    I agree with MrMagic regarding MS requesting contact! Also FYI, there has been discussion of the Group Policy setting several times, if memory serves me correctly I think it was abbodi who first noted its existence and posted advising us all of it. Over time I too have posted about it a few times.

    Disable KMS Telemetry: Group Policy Editor (gpedit.msc)

    Code:
    Computer Configuration > Administrative Templates > All Settings > Turn off KMS Client Online AVS Validation > Enabled
    Edit: abbodi - 01-Aug-15
     
  5. wazzock

    wazzock MDL Senior Member

    Oct 22, 2016
    337
    187
    10
Makes you wonder what W10 (or 7 and 8/8.1) are telling mother about, doesn't it? If it has come to him via his ISP, it's gotta be kosher.

It makes a strong argument to keep W10 offline (if you are using KMS tools) and use Linux for the Internet.
     
  6. Enthousiast

    Enthousiast MDL Tester

    Oct 30, 2009
    47,256
    94,680
    450
    It's about running/using an online kms server, not about local kms emulations, afaik.
     
  7. wazzock

    wazzock MDL Senior Member

    Oct 22, 2016
    337
    187
    10
    #7 wazzock, Dec 25, 2016
    Last edited by a moderator: Apr 20, 2017
Could this "fix" be achieved with a registry file, bat file or cmd file so it could be added directly to an ISO or the setup? :g:

    Thanks Nucleus, i followed the link :worthy:
     
  8. wazzock

    wazzock MDL Senior Member

    Oct 22, 2016
    337
    187
    10
That's the thing: as far as you know, you can't be certain :confused:
     
  9. Nucleus

    Nucleus MDL Guru

    Aug 4, 2009
    2,868
    2,950
    90
  10. wazzock

    wazzock MDL Senior Member

    Oct 22, 2016
    337
    187
    10
    Your post disappeared for a while, so i edited my one above. :worthy:
     
  11. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    8,575
    15,646
    270
  12. Nucleus

    Nucleus MDL Guru

    Aug 4, 2009
    2,868
    2,950
    90
  13. Mr.X

    Mr.X MDL Guru

    Jul 14, 2013
    8,575
    15,646
    270
I know. I was just pointing out that abbodi took care of the NoGenTicket thingy since version 4.
    Going to edit my previous post for anyone who could mistakenly download this outdated version.
     
  14. arseny92

    arseny92 MDL Secret Weapon

    Sep 22, 2009
    570
    1,272
    30
The mentioned GPO doesn't exist on systems below Windows 10 or Server 2016.
     
  15. fdmillion

    fdmillion MDL Novice

    Jul 10, 2013
    8
    7
    0
    I don't think they were accusing the KMS server itself of being illegal. What they were saying was "there's a KMS server, it's facing the Internet and accepts and validates unsolicited requests for activation, therefore the server could be used, even if it's legal, to illegally activate Windows for people who haven't paid for it."

    So the C&D letter was clearly written in a way to say "If you don't fix this, bad things can happen...but maybe you just have a misconfigured network, so call us and we'll explain to you what to do."

    I wish I had saved the actual text of the message, but I can't seem to find it in my history. If I come across it I'll post a redacted version.
     
  16. fdmillion

    fdmillion MDL Novice

    Jul 10, 2013
    8
    7
    0
    You are probably fine if you are using a KMS localhost-based activation hack. However, the fact that you used the hack could still be leaked to Microsoft (they'd get telemetry data showing that someone activated Windows using KMS with the KMS server being at 127.0.0.1), and you can bet that they are able to link that information to your IP address.

    My guess is that (at least for now) the system is automated, and issues a C&D letter after it discovers a public facing KMS server accepting unsolicited activation requests. However, this means it would be more than possible for MS to start looking at the IPs of people who are activating against 127.0.0.1 (because in practice, there should be very few if any KMS activations against a local client machine in a production environment).

    Best solution is to make sure you set the GPO to disable reporting to Microsoft in the first place, though. We obviously don't know for sure if that actually fully blocks it, but we can at least assume it does.
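An added, stand-alone example (not from any post in this thread, and not any activator's or Microsoft's code) that turns the distinction drawn above into a fleet audit an administrator can run offline: given the KMS host and port each client is configured with (the values `slmgr /skms` writes), it flags clients pointing at loopback (a local emulator rather than a real KMS host), at a public address (activation traffic leaving the LAN), or at a non-default port. The inventory, the client names `ws-01` to `ws-04`, the name `kms.corp.example`, and `203.0.113.7` (a documentation-range address standing in for a public IP) are all constructed for the example.

```python
"""Audit KMS client settings collected from a fleet.

Flags clients whose configured KMS host is loopback (local activation
emulator) or a public address (Internet-facing KMS host), plus non-default
ports. Added example; the inventory at the bottom is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Address ranges a legitimately deployed KMS host should live in.
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),   # IPv6 unique local addresses
]
DEFAULT_KMS_PORT = 1688


@dataclass(frozen=True)
class KmsClientSetting:
    source: str   # client that reported the setting (hypothetical names)
    host: str     # configured KMS host, as set by `slmgr /skms`
    port: int


def classify_kms_host(host: str) -> str:
    """Return 'loopback', 'private', 'public' or 'hostname' for a KMS host value."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"          # a DNS name; cannot be classified offline
    if ip.is_loopback:
        return "loopback"
    # `in` is False when the address and network differ in IP version.
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def audit_kms_clients(settings):
    """Map each client with a suspicious setting to the reasons it was flagged."""
    findings = {}
    for s in settings:
        reasons = []
        kind = classify_kms_host(s.host)
        if kind == "loopback":
            reasons.append("KMS host is loopback: a local activation emulator, "
                           "not a real KMS host")
        elif kind == "public":
            reasons.append("KMS host is a public address: activation traffic "
                           "leaves the LAN")
        elif kind == "hostname":
            reasons.append("KMS host is a DNS name: resolve it and re-check "
                           "which network it is on")
        if s.port != DEFAULT_KMS_PORT:
            reasons.append(f"non-default KMS port {s.port}")
        if reasons:
            findings[s.source] = reasons
    return findings


# Constructed inventory. 203.0.113.7 is a documentation-range address
# standing in for a public IP; none of these hosts are real.
SAMPLE_INVENTORY = [
    KmsClientSetting("ws-01", "10.0.4.12", 1688),
    KmsClientSetting("ws-02", "127.0.0.1", 1688),
    KmsClientSetting("ws-03", "203.0.113.7", 51688),
    KmsClientSetting("ws-04", "kms.corp.example", 1688),
]

if __name__ == "__main__":
    for source, reasons in audit_kms_clients(SAMPLE_INVENTORY).items():
        print(f"{source}: " + "; ".join(reasons))
```

The private ranges are listed explicitly rather than taken from `ipaddress.is_private`, because that property also treats the RFC 5737 documentation ranges and other special-purpose blocks as private, which is not what "inside the LAN" means here.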
     
  17. Jacoub

    Jacoub MDL Member

    Aug 14, 2011
    116
    16
    10
I'm running a genuine KMS server, and it was available on a public IP to activate my clients. It is true: Microsoft contacted me through my ISP and requested me to bring it down or they would take legal action. I had no idea how Microsoft could get the public IP, but I think what you said sounds logical, that the KMS server dials Microsoft at a certain point.
For people running non-KMS activators like KMS Pico etc., the one who created the app knows best, but I don't think he programmed it to call Microsoft because it defeats the objective.

Thanks for clearing that up for me.
     
  18. fdmillion

    fdmillion MDL Novice

    Jul 10, 2013
    8
    7
    0
By this, I assume Microsoft can't actually tell if the KMS server is legit or not; they're only concerned with the fact that the KMS server is accepting unsolicited activation requests from the Internet. It's too bad that their letter has to sound so ominous (but maybe that's the only way to get the ISPs to actually forward it to their customers...?)

    The reporting behavior also appears to be new in Windows 10 (it might be being backported through those horrid telemetry additions though). My guess is this came about because there were already tons of places online to find lists of public-facing KMS servers. Microsoft basically wanted to close the loophole of anyone who can use Google and paste something into cmd.exe being able to activate Windows for free. Not to mention it is a legit statement that having servers which should be inside a private LAN exposed and responding to Internet requests is a security hazard.
     
  19. v72dd

    v72dd MDL Senior Member

    Nov 20, 2016
    445
    77
    10
    That's why I never use KMS instead I use my own overlay remover with dll injection of course. :biggrin: