Windows Product Policy Editor

Discussion in 'MDL Projects and Applications' started by kost, Nov 11, 2012.

  1. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    #1 kost, Nov 11, 2012
    Last edited by a moderator: Apr 29, 2018
  2. bootstap

    bootstap MDL Member

    Mar 25, 2012
    122
    40
    10
    #2 bootstap, Nov 11, 2012
    Last edited: Nov 11, 2012
    Hi,
    if you disable the SPP service, Windows will be deactivated (within about 3 hours).
     
  3. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    I'm currently investigating the side effects of disabling sppsvc.
     
  4. bootstap

    bootstap MDL Member

    Mar 25, 2012
    122
    40
    10
    SPP manages the whole activation process. If you disable it, no activation is possible any more, even if you restore the tokens.
     
  5. bootstap

    bootstap MDL Member

    Mar 25, 2012
    122
    40
    10
    SPP is run periodically (every 3 hours or so) to check the activation state.
     
  6. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    I don't care much about activation.
    I care about things that can break because SPP is disabled.
    I found several interesting values in ProductPolicy:
    "set black background if something bad", "nongenuine behaviour".
    If it does not set the background and doesn't display any crap on the screen and everything runs, then activation means nothing.
    Btw, some values in the product policy are about the activation state itself.
     
  7. bootstap

    bootstap MDL Member

    Mar 25, 2012
    122
    40
    10
    Yes, the retail version displays a bsoa and volume displays a watermark. All features needing activation are disabled. Office 2013 will be deactivated too, as unlike 2010 it uses Windows SPP.
    However, there is a way to fool SPP, but I guess it's forbidden to talk about it here. Good night.
     
  8. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    880
    457
    30
    I ran one edition for more than a week with SPP disabled. No nag screen or anything else. It was activated before.
    If you export the key and apply it to another Windows, Windows thinks it's activated because of the one very long string.
    Also it is genuine because of the LocalGenuine value.

    The system without activated Windows, with the values from an activated Windows applied, will pop up the activation nag screen after a while; this is caused by some tasks.

    If you run these commands
    schtasks /change /disable /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask"
    schtasks /change /disable /tn "\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon"

    the non-activated system MAY (haven't tested long enough) not pop up any activation screens anymore.

    This whole thing is not about activation, it's more for testing (see here)

    Thanks for writing the tool. I will test it tomorrow.
     
  9. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    I tested what happens with Win7 OEM activated with sppsvc disabled.
    Did not see anything more than a watermark in the bottom-right corner.
    Also all tools (Win+Pause) cannot display the activation status.
    Windows Update works without problem.
    The watermark can be easily removed by tools available on the net (RemoveWatermarkX64.exe, RemoveWatermarkX86.exe).
     
  10. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    After several hours of running I see nags when launching the control panel.
    They can be dismissed and then all works.
    Not a too beautiful solution, but in some cases it can help.
    (How often do you go to the control panel? Not too often to be angry about nags)
     
  11. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    880
    457
    30
    In W8 I don't see anything. This is only because of SPP-LocalGenuineStatus (or similar, too lazy to review now).
    If this value is 1 then there is no watermark and no nag screen. After several hours this is triggered by the tasks.
     
  12. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    #12 kost, Nov 16, 2012
    Last edited: Nov 16, 2012
    (OP)
    SIDE EFFECTS OF HAVING SPPSVC DISABLED
    --------------------------------------

    On Win7, after ~3 hours of running you will notice some side effects.

    1) When launching the control panel you will see a non-genuine nag dialog.
    It can be dismissed with no consequences.
    2) When starting Windows Update you will also see some nag, but Windows
    Update will work.
    3) When logging in you will see the SLUI reminder and the background will be set
    to black. This is the most annoying. To overcome it you can
    take ownership of the file C:\windows\system32\slui.exe, change perms and
    rename it. This will prevent the launch of slui on logon.
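Added here as a defender's check, not code from the thread or from kost's tool: a read-only PowerShell audit that reports the tamper indicators discussed in this post and in post #8 (sppsvc disabled, the two SoftwareProtectionPlatform scheduled tasks disabled, slui.exe missing or re-owned). It assumes a default installation where slui.exe is owned by NT SERVICE\TrustedInstaller and an English-language schtasks output (the "Status:" label is localized on other language packs); the $findings variable and the output wording are my own naming.

```powershell
# Added audit example (not from the thread). Read-only: it changes nothing.
# Run from an elevated PowerShell prompt; works on Windows 7 and later.

$findings = @()

# 1) Software Protection service: the thread disables it outright.
$spp = Get-Service -Name sppsvc -ErrorAction SilentlyContinue
if (-not $spp) {
    $findings += 'sppsvc service not present'
} else {
    # Get-Service on old PowerShell has no StartType, so read it via WMI.
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='sppsvc'").StartMode
    if ($startMode -eq 'Disabled') {
        $findings += "sppsvc start type is Disabled (current status: $($spp.Status))"
    }
}

# 2) The two SPP scheduled tasks that post #8 disables with schtasks /change.
#    schtasks /Query is used instead of Get-ScheduledTask because the latter
#    only exists on Windows 8 / Server 2012 and later.
$tasks = @(
    '\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask',
    '\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon'
)
foreach ($tn in $tasks) {
    $out = & schtasks.exe /Query /TN $tn /FO LIST 2>$null
    if ($LASTEXITCODE -ne 0) {
        $findings += "task $tn is missing or unreadable"
    } elseif ($out -match 'Status:\s+Disabled') {   # assumes English schtasks output
        $findings += "task $tn is Disabled"
    }
}

# 3) slui.exe: post #12 describes taking ownership and renaming it.
$slui = Join-Path $env:SystemRoot 'System32\slui.exe'
if (-not (Test-Path $slui)) {
    $findings += 'slui.exe is missing from System32'
} else {
    # Assumption: on an untouched install the owner is TrustedInstaller.
    $owner = (Get-Acl -Path $slui).Owner
    if ($owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "slui.exe owner is '$owner' (expected NT SERVICE\TrustedInstaller)"
    }
}

if ($findings.Count -eq 0) {
    'No SPP tampering indicators found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

A clean machine prints the single "No SPP tampering indicators found." line; each deviation from the defaults above is reported on its own FINDING line, so the script can be dropped into an inventory job and grepped.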
     
  13. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    880
    457
    30
    With disabled tasks and Security-SPP-GenuineLocalStatus 1,

    1), 2), 3) won't appear.
     
  14. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10

    On Windows 8. On Win7 there are no scheduled tasks, and nags appear.
     
  15. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    880
    457
    30
    Ok, then this works really differently than... um, curious that W7 seems to be more watched than W8.
    Or it's not that much investigated by us (...I haven't messed around with my W7 machines)
     
  16. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    Fortunately it's possible to run any of today's Windows systems without activation and with a manual LocalGenuine status
    without any significant impact on functionality.
     
  17. KNARZ

    KNARZ MDL Addicted

    Oct 9, 2012
    880
    457
    30
    Yes, that's why I love this!
    I did it by hand in RegEdit but this is a real pain. With the tool it gets much easier.
    With a valid activation string in the long entry (we discussed it in PM), Windows also thinks it is activated and doesn't bother you in any way.
    If there will ever be a way to move these values from the kernel-used values to tokens.dat, then SPP could also keep running. ;)
     
  18. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    Btw, we can move the hacking of sppsvc to the kernel!
    Today I wrote a simple driver capable of removing protection from any given process.
    By protection I mean protected process status. It disables opening the process in any way other than SYNCHRONIZE and TERMINATE. Examples of protected processes are AUDIODG.EXE and SPPSVC.EXE on Win8/2012.
    By changing one bit of EPROCESS memory the process instantly becomes as available as the others.

    Many things can become much simpler in the kernel.
    Maybe a way can be found to bypass ProductPolicy key guarding.
    If we do, we will nullify the effect of sppsvc while it is running and functioning!

    The main problem: driver signature enforcement on x64 systems.
    Right now my driver can run only in testsigning mode.

    To sign a kernel driver a kernel code signing certificate is needed.
    Any company can apply for such a certificate. Several well-known CAs issue this type of cert.

    So, the last step is to obtain such a cert. Maybe someone is willing to help with it?
     
  19. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    Warbird

    Ppl, maybe someone has had any experience hacking sppsvc and other software-protection-based code?
    pidgen maybe

    By analyzing calc.exe (yes, Calculator!) code I found how user-mode processes query ProductPolicy values.
    The scheme is the following:

    struct PVEncryptedQuery
    {
        const void *EncryptedQueryBlob;  // WARBIRD code fills this
        void       *EncryptedAnswerBlob; // buffer for received data
        size_t      QueryBlobSize;
        size_t      AnswerBlobSize;
    } pvquery;
    NTSTATUS status = NtSetSystemInformation(134, &pvquery, sizeof(pvquery)); // kernel call possibly. Haven't dug deeper.

    status C0000034 - policy value not found.
    C0000001 - unsuccessful; returned if the query blob is bad.


    EncryptedQueryBlob is constructed in a very large function based on usage of C++ defines/inlines/templates.
    The PDB says this code comes from the class WARBIRD.
    WARBIRD code is used in many DLLs and processes which need to have a hidden deal with software protection.
    The same code is probably used in sppsvc.

    Has anyone already reversed WARBIRD code?
    If I could reconstruct the query/answer blobs I'd hook NtSetSystemInformation and tamper with the returned results.
    It would be very useful.
     
  20. kost

    kost MDL Member

    Jan 22, 2011
    116
    211
    10
    I was able to reconstruct the Warbird encryption/decryption system in my code.
    See the topic about the sideloading crack for Win8/2012. The source code is there.