Microsoft Pop Up saying I needed to Re-register XP

[Joe Wilkowski]

Folks, my home network consists of 6 machines behind a
Microsoft ISA server firewall. Yesterday, a popup window
appeared apparently from Microsoft indicating that due to
a significant amount of hardware changes on my machine
(new drives etc which I recently added)that I needed to re
register the XP operating system and that I had three days
to do it.

Anyone familiar with this ?

 

[Juan]

Greetings:

It's an attempt to take over or infect your PC, you can add all the hardware
you like and it won't make a difference to Microsoft.
If you have a legal version and have registered your Windows software you
have no reazon to worry about, worry about keeping your system secure by
taking these simple precautions:
.. Keep your Windows Operating System updated.
.. Make sure you have installed the latest critical security update
.. Keep your anti-virus software updated.
.. Keep your firewall enabled.
.. Make sure no one at home opens messages from unreliable sources, and only
opens enclosed files from known to be reliable sources.
.. Never click on pop-ups (just close them)
.. Frecuently delete all cookies and temporary internet files (in local
configuration folder).
.. Never use your true e-mail address when posting on news groups, use an
anonymous address like the one following.

Hope this helps.

------------------Original Message----------------------

 

[cquirke (MVP Win9x)]

On Thu, 8 Apr 2004 15:06:31 -0700, "Joe Wilkowski"

Folks, my home network consists of 6 machines behind a
Microsoft ISA server firewall. Yesterday, a popup window
appeared apparently from Microsoft indicating that due to
a significant amount of hardware changes on my machine
(new drives etc which I recently added)that I needed to re
register the XP operating system and that I had three days
to do it.

Anyone familiar with this ?

That's WPA (Windows Product Activation) raising its ugly head. You
are lucky you weren't using the original XP (pre-SP1) as that doesn't
give you three days; the denial of service starts immediately.

There are three WPA models used for XP:
- no WPA (volume licenses)
- BIOS-locked WPA (big-name OEMs)
- per-component WPA (everyone else)

Per-component WPA monitors 10 items that are supposed to be
"hardware", and if "too many" of these changed, the assumption is made
that XP is running on a different computer.

In XP SP1, one of these items is weighted as 3 votes; the LAN adapter.
Generally, if 4 or more items change (7 or more in SP1?) it's like
tilting the pinball machine. AFAIK, the monitored items are:

Processor type
Processor serial number [*1]
RAM range [*2]
IDE controllers, which are usually part of motherboard
SCSI, if present
First detected optical ("CD") drive [*1]
First detected HD
First detected HD volume serial number [*3]
Network adapter [*1]
Display adapter [*1]

Notes:

[*1] These can change even if the hardware does not, e.g. CMOS
settings that hide or reveal processor serial number, firmware
upgrades for CD writers or SVGA cards, EPROM-level changes to LAN
cards such as forcing a type of cabling etc.

[*2] AFAIK this is granular enough not to throw a fit if you change
your RAM allocation to built-in SVGA or make other CMOS changes.

[*3] This is not a hardware item - any time you format or convert to
NTFS, the volume serial number changes and you lose that life.

Chances are while you were swapping or adding HDs, you ran for a while
with no CD drive (one life lost), ran without your original HD in
place (second life lost) and formatted the HD (third life lost). So
you'd be one nudge from death, as long as that nudge didn't happen
over three months ago; after three months of "good behaviour" (no
hardware changes) your record is wiped clean again.

Malware can pricipitate this crisis if it kills your WPA data, and if
it were to spoof your "activation" to thier site... so I'd use the
telephone number offered by the activation dialog instead of doing
this via the Internet. Yes, I'm paranoid

Finally, don't confuse activation (obligatory, anonymous) with
registration (voluntary, privacy implications) and don't feel
pressurised to register if you don't want to.

The MS activation help line folks will have seen this problem often,
and should be quite helpful. In my own experience (building and
activating new PCs regularly) they don't push you into registering;

-- Risk Management is the clue that asks:

"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"

 

[Joe Wilkowski]

Thanks for the explanation. Man, in all my years of admin
of MS op systems both at work and at home, I have never
encountered this. Yes, I did call the hotline phone
number provided and chickened out at the end because I
still thought it was a hoax. What precipitated this was
the appparent installation of "Virtual Drive" software by
Farstone which added a ton of virtual drive letters that
can be accessed at will.

In any event, I feel much better now that I have the
answer. Thank you once again for providing me with peace
of mind.

/joe

-----Original Message-----
On Thu, 8 Apr 2004 15:06:31 -0700, "Joe Wilkowski"

Folks, my home network consists of 6 machines behind a
Microsoft ISA server firewall. Yesterday, a popup window
appeared apparently from Microsoft indicating that due to
a significant amount of hardware changes on my machine
(new drives etc which I recently added)that I needed to re
register the XP operating system and that I had three days
to do it.

Anyone familiar with this ?

That's WPA (Windows Product Activation) raising its ugly head. You
are lucky you weren't using the original XP (pre-SP1) as that doesn't
give you three days; the denial of service starts immediately.

There are three WPA models used for XP:
- no WPA (volume licenses)
- BIOS-locked WPA (big-name OEMs)
- per-component WPA (everyone else)

Per-component WPA monitors 10 items that are supposed to be
"hardware", and if "too many" of these changed, the assumption is made
that XP is running on a different computer.

In XP SP1, one of these items is weighted as 3 votes; the LAN adapter.
Generally, if 4 or more items change (7 or more in SP1?) it's like
tilting the pinball machine. AFAIK, the monitored items are:

Processor type
Processor serial number [*1]
RAM range [*2]
IDE controllers, which are usually part of motherboard
SCSI, if present
First detected optical ("CD") drive [*1]
First detected HD
First detected HD volume serial number [*3]
Network adapter [*1]
Display adapter [*1]

Notes:

[*1] These can change even if the hardware does not, e.g. CMOS
settings that hide or reveal processor serial number, firmware
upgrades for CD writers or SVGA cards, EPROM-level changes to LAN
cards such as forcing a type of cabling etc.

[*2] AFAIK this is granular enough not to throw a fit if you change
your RAM allocation to built-in SVGA or make other CMOS changes.

[*3] This is not a hardware item - any time you format or convert to
NTFS, the volume serial number changes and you lose that life.

Chances are while you were swapping or adding HDs, you ran for a while
with no CD drive (one life lost), ran without your original HD in
place (second life lost) and formatted the HD (third life lost). So
you'd be one nudge from death, as long as that nudge didn't happen
over three months ago; after three months of "good behaviour" (no
hardware changes) your record is wiped clean again.

Malware can pricipitate this crisis if it kills your WPA data, and if
it were to spoof your "activation" to thier site... so I'd use the
telephone number offered by the activation dialog instead of doing
this via the Internet. Yes, I'm paranoid

Finally, don't confuse activation (obligatory, anonymous) with
registration (voluntary, privacy implications) and don't feel
pressurised to register if you don't want to.

The MS activation help line folks will have seen this problem often,
and should be quite helpful. In my own experience (building and
activating new PCs regularly) they don't push you into registering;
although your context is different, MS policy is to "be

 

[cquirke (MVP Win9x)]

On Fri, 9 Apr 2004 08:24:36 -0700, "Joe Wilkowski"

Thanks for the explanation. Man, in all my years of admin
of MS op systems both at work and at home, I have never
encountered this.

Product Activation was prototyped here and there with Office 2000 in
some markets only, before the XP series of products inflicted it on
the world at large... you can imagine the discussions that raged
through usenet at that time! By it's nature, it tends to whack you at
times when you are already up to your elbows in trouble, e.g.
reduction testing (removing components) to tshoot flaky PCs.

Yes, I did call the hotline phone number provided and
chickened out because I still thought it was a hoax.

It's no hoax - if you ignore it, your system WILL deny you service.

So - please, make the call and beg to be allowed to use your PC again,
explain you aren't pirating it on a different PC and so on.

What precipitated this was the appparent installation
of "Virtual Drive" software by Farstone which added
a ton of virtual drive letters that can be accessed at will.

Just what we need - another software cause of inappropriate WPA attack
:-(

In any event, I feel much better now that I have the
answer. Thank you once again for providing me with peace
of mind.

Please; make the call, else *I* won't have peace of mind worrying
about it! If WPA's payload hatches, you may be forced to wipe and
start over, just as if you'd been koshed by malware.

-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.