Almost anything is hackable, given enough effort. Working around Microsoft Windows Genuine Advantage is somewhat easier than you might expect, however.

As I mentioned in Mitigating the privilege escalation threat, I ran across a vulnerability in MS Windows NT domains where a file that needed to be world-writable could be used to “trick” the task scheduler into giving elevated privileges to arbitrary user accounts. The key to that vulnerability, as with many such things in the MS Windows world, is complexity. Because of the focus in Microsoft development on constantly adding more features of various descriptions, unintended consequences often arise in the interactions between various features.

A reader named Matthew Hoelscher pointed out another such strange — and almost certainly unintended — capability to me recently. Somewhat ironically, it is a work-around for Windows Genuine Advantage on MS Windows XP, and thus constitutes a vulnerability in what many have complained is a violation of their privacy, a potential source of security vulnerabilities, and a demonstration of Microsoft’s poor customer service attitude. While this work-around does little to mitigate any of that, it can, in at least some cases, solve the problem that Windows Genuine Advantage can become a huge roadblock in the way of using one’s own computer.

When starting an MS Windows XP machine that requires activation, and the activation period has run out, it will not let you boot to the desktop. Instead, a Windows Product Activation dialog appears. The text in the dialog reads:

This copy of Windows must be activated with Microsoft before you can log on. Do you want to activate Windows now?

There are two buttons: “Yes” and “No”. Click “Yes”. At this point, the expected behavior involves following instructions to get your copy of MS Windows activated. You may not be able to do so in the typical manner, however. For instance, you may need to get into the desktop environment to configure your network connection so you can activate the system over the Internet, or you may need to access the system as part of a penetration test. In that case, there is a workaround.

First, open the Utility Manager and Narrator by holding down the Windows key and pressing the U key.

The Narrator may be minimized to the bottom of the screen. If this is the case, click the Restore button to bring up the Narrator window.

Right-click on the title bar of the Narrator window to bring up the application menu, and select the “About Narrator…” menu item.

The “About Narrator” information window will include a link that reads “Microsoft Web site”. Click on that to open Internet Explorer. It may complain that you need a network connection, and open a dialog box asking whether you want to set up a network connection; if that is all you need, go ahead and configure your network there, but if you need to access other configuration options you should exit out of that and click the “Microsoft Web site” link a second time. At this point, IE should open with an error: “The page cannot be displayed”.

Click on the address bar and enter c:\ then either press the enter key or click on the “Go” button in the browser.

Depending on the system, this may give you the MS Windows desktop. If not, you will have to do things the hard way, via Windows Explorer and the submenus at the left-hand side of the Internet Explorer window. For instance, clicking the “My Computer” option will change the left-hand menus, bringing up the “Control Panel” option, from which the most common system configuration tools become available.
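Seen from the defender's side, the chain of programs described above (Utility Manager, Narrator, Internet Explorer, then Windows Explorer or Control Panel) can be looked for in process-creation records. The following Python is an added example, not part of the original article: it walks each new process's ancestry and flags interactive programs that descend from an accessibility tool. The record layout (pid, ppid, image), the sample events, and the premise that the launched programs show up as descendants of utilman.exe or narrator.exe are assumptions made for illustration.

```python
# Added example: flag interactive programs launched from the accessibility
# tools named in the article (Utility Manager -> Narrator -> Internet Explorer).
# Assumptions: record layout, sample events, and parent/child relationships.

ACCESSIBILITY_ROOTS = {"utilman.exe", "narrator.exe"}
# Programs that should not normally descend from an accessibility tool.
SUSPECT_CHILDREN = {"iexplore.exe", "explorer.exe", "control.exe"}


def image_name(path):
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_accessibility_escapes(events):
    """Return (pid, image, ancestry) for suspect processes whose ancestry
    includes an accessibility tool. Events must be in chronological order."""
    live = {}      # pid -> (ppid, image) for processes seen so far
    findings = []
    for ev in events:
        pid, ppid, img = ev["pid"], ev["ppid"], image_name(ev["image"])
        live[pid] = (ppid, img)   # a reused pid overwrites the old entry
        if img not in SUSPECT_CHILDREN:
            continue
        chain, cur, seen = [], ppid, set()
        while cur in live and cur not in seen:   # 'seen' guards against loops
            seen.add(cur)
            parent_ppid, parent_img = live[cur]
            chain.append(parent_img)
            cur = parent_ppid
        if ACCESSIBILITY_ROOTS.intersection(chain):
            findings.append((pid, img, list(reversed(chain))))
    return findings


# Constructed sample: one chain like the article's, one ordinary logon.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4,   "image": r"C:\WINDOWS\system32\winlogon.exe"},
    {"pid": 620, "ppid": 400, "image": r"C:\WINDOWS\system32\utilman.exe"},
    {"pid": 700, "ppid": 620, "image": r"C:\WINDOWS\system32\narrator.exe"},
    {"pid": 812, "ppid": 700, "image": r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"},
    {"pid": 900, "ppid": 400, "image": r"C:\WINDOWS\system32\userinit.exe"},
    {"pid": 944, "ppid": 900, "image": r"C:\WINDOWS\explorer.exe"},
]

if __name__ == "__main__":
    for pid, img, chain in find_accessibility_escapes(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} {img} ancestry: {' > '.join(chain)}")
```

Only the Internet Explorer process under Narrator is reported; the Windows Explorer started through the ordinary logon path is not.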

Given how limited and unfriendly the MS Windows interface is when used this way, this work-around is no simple replacement for just using a fully activated install of MS Windows. Although it is in fact a work-around for Microsoft’s Windows validation system, there is little danger of this particular quirk in the system being used to avoid having to use a properly activated MS Windows. Ultimately, aside from using a cracked (and possibly malware-infected) version of MS Windows, there is still no way to avoid having to use an activated install of the OS for general usage other than using an OS other than MS Windows.