I want to implement a Windows service that functions as a simple license security feature for a software X. The service is meant to run independently from software X.

The rough idea:

  • The service is like a timebomb for a software Z installed on the machine...
  • Whenever the user runs software X, the service pops up a window every 30 minutes to remind the user to register software X.
  • If the user doesn't register the software after 1 month, the service will change the license code in a file and kill the software X process.
  • On the next start up, software X will read the wrong license code and start in demo mode.
  • The service backs up the license code first before changing it.
  • When the user does register, an exe or bat file will be given for the user to run. The file restores the original license file and permanently removes the service.

Additional info:

  • Is it possible that if the user tries to kill the service, the service will automatically change license code and kill software X before being killed itself?
  • If the user changes the license code manually in the file after the service changes it, then the service will automatically change it back and kill software X.

I'm quite the newbie in programming... so I wanna ask for advice first before jumping into the project... Any advice, tips or issues/concerns I should be aware of based on your experience?

I'll most probably code it in C++ but might do it in C# (never used it before) after reading the following discussion: http://stackoverflow.com/questions/593454/easiest-language-to-create-a-windows-service

A: 

Is it possible that if the user tries to kill the service, the service will automatically change license code and kill software X before being killed itself?

Not in general, no. If I shut down the process unconditionally (e.g. using taskkill /f command), it won't get any chance to react.

If the user changes the license code manually in the file after the service changes it, then the service will automatically change it back and kill software X.

It's possible - you can use ReadDirectoryChangesW function to watch the file and react to changes (or FileSystemWatcher class if your service is implemented in .NET). Of course, in light of the first answer above, user can just kill your service and then alter the file...

Pavel Minaev
Definitely using .NET. Can the function just watch a particular line in the file, ignoring other lines...? For example the service changes the key: line 20 can contain any string except "license=1234", else the service changes the key again and kills software X.
justin
for example *after the service changes the key
justin
There's no way to watch a single line in the file. You'll have to watch the file (using `FileSystemWatcher`), and whenever anyone changes it, read it until that line, and check if its new value is what you want.
Pavel Minaev
thanks for tip...
justin
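The approach from the comments above (watch the whole file, and on every change re-read up to the line of interest and compare it), as an added example that is not code from the thread. The directory and file name are hypothetical; line 20 and `license=1234` are the values used in the comment, and the program only reports whether the line still matches.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Threading;

static class LineWatch
{
    // Hypothetical location; line 20 and "license=1234" are the values from the comment.
    const string Dir = @"C:\ExampleApp";
    const string FileName = "settings.ini";
    const int LineNumber = 20;               // 1-based
    const string Expected = "license=1234";
    // True when the 1-based line exists and equals the expected text (lazy read stops at that line).
    static bool LineMatches(string path, int lineNumber, string expected)
    {
        string line = File.ReadLines(path).Skip(lineNumber - 1).FirstOrDefault();
        return line != null && line.Trim() == expected;
    }

    static void OnChanged(object sender, FileSystemEventArgs e)
    {
        string path = Path.Combine(Dir, FileName);
        // A save can raise several events while the writer holds the file; retry on IOException.
        for (int attempt = 0; attempt < 5; attempt++)
        {
            try
            {
                bool ok = LineMatches(path, LineNumber, Expected);
                Console.WriteLine("{0:o} {1}: line {2} {3}", DateTime.UtcNow,
                    e.ChangeType, LineNumber, ok ? "matches" : "DIFFERS");
                return;
            }
            catch (IOException) { Thread.Sleep(100); }
        }
        Console.WriteLine("{0:o} could not read {1}", DateTime.UtcNow, path);
    }
    static void Main()
    {
        using (var watcher = new FileSystemWatcher(Dir, FileName))
        {
            watcher.NotifyFilter = NotifyFilters.LastWrite | NotifyFilters.Size | NotifyFilters.FileName;
            watcher.Changed += OnChanged;
            watcher.Created += OnChanged;   // file deleted and written again
            watcher.Renamed += OnChanged;   // save-by-rename, as many editors do
            watcher.EnableRaisingEvents = true;
            Console.ReadLine();             // keep the process alive until Enter
        }
    }
}
```

As the answers point out, the watcher only sees changes while its process is running, and an administrator can stop that process at any time.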
+1  A: 
  • Whenever the user runs software X, the service pops up a window every 30 minutes to remind the user to register software X.

This is not possible. A service cannot display a window due to being on another desktop than the user. (Since Vista this is mandatory, XP did allow for showing a window.)

  • Is it possible that if the user tries to kill the service, the service will automatically change license code and kill software X before being killed itself?

No. A service is just another program running in the system, which can be killed at any point in time. (Only you have to be in the administrator group).

  • If the user changes the license code manually in the file after the service changes it, then the service will automatically change it back and kill software X.

The conclusion is, that when you break your license check into 2 parts, you get another point at which the user can break your check. You cannot prevent the user from working around your service, if it is not mandatory for your program to work.

Christopher
+2  A: 

I'm quite the newbie in programming... so i wanna ask for advice first before jumping into the project... Any advice, tips or issues/concerns i should be aware of based on your experience?

The best advice I can give you is "newbies to programming should not attempt to write security systems". Developing a security system that actually mitigates real vulnerabilities to real attacks is incredibly difficult and requires years of real-world experience and both practical and theoretical knowledge of how exactly the operating system and framework class libraries work.

The second-best advice I can give you is to construct a detailed, accurate and complete threat model. (If you do not know how to do threat modeling then that'll be the first thing to learn. Do not attempt to rollerskate before you can crawl.) Only by having a detailed, accurate and complete threat model will you know whether your proposed security features actually mitigate the attacks on your vulnerabilities.

Eric Lippert
A: 

Hi,

Thanks for your replies

To clarify some important stuff I missed out:

  • This project is not at all meant for distribution/sales now or ever... it's just some simple internal development/assignment that I'm trying out.
  • Software X is just an example... as for this case I'm trying out on a third party software.
  • The idea is to see whether a Windows service has those capabilities and to try them out...

I'm by no means trying to attempt to write a complete security system :P

I'm just looking at all options... I thought a Windows service would have those capabilities.

The case that was given to me was this:

  • I have full access to a colleague's PC before giving it to him/her.
  • There is a particular software that the colleague has to use. Say software X.
  • There is also a particular task that the colleague has to do. For example, the task is to text me on my cell.
  • Until the colleague completes that task, every time he/she runs software X, a Windows service will keep popping up a window every 30 mins asking him to call me.
  • If the colleague still doesn't text me after one month, then the service will change the license key of software X and kill software X.
  • The service will back up the license key first.
  • After the colleague texts me, I'll give him/her a file that'll restore the original license key and permanently remove that service.

The so-called "security" feature that I'm trying to implement is something local to the PC. No connection to LAN or internet.

I'm just wondering if a Windows service is able to do it. Of course it doesn't have to be bullet proof. I'm just experimenting on how extensively a Windows service (or any other better method) can implement that feature. This is not a commercial project T_T It's just something I want to try out...

Any comments/advice is greatly appreciated

justin
A: 

NEVER make a service for something unless it's really a system service. If you are creating an application, then you have NO BUSINESS EVER running code on the system when the application is closed unless the user explicitly requested that operation. Ideas like this are the reason we (nerds) have to deal with so much crap when people ask us to "fix my computer, it's running so slow."

I would walk from a 6-figure salary before I would ever become a part of an abomination like that.

Edit: I suppose first I'd need a 6-figure salary... some day some day

280Z28
A: 

Haiz.... Just forget it...

It's ending up to be a programming ethics discussion :P

This is not a commercial project... It's not meant to be distributed or anything like that... I just want to try it out to learn more about Windows services and whether such a feature can be implemented... yes of course there are way better projects to learn Windows services... I just thought it might be interesting to try it...

I should have explained the nature of the project in the beginning... My bad.. I sincerely apologize...

Anyway... thanks for all your advice and comments. I did learn some interesting stuff today...

"Question CLOSED"

justin