I'm not interested in getting version information. All I want to do is to make sure my application will only run on a legal version of Windows and not on a pirated version. Windows uses some trick to determine this but still allows pirated versions to continue to run, although with some limits.

So, is there a way to check if the application is installed on a legal, genuine Windows version? (Vista and better, at least.)


Let me clear something up: Microsoft isn't preventing users from using a non-validated or illegal version of their operating system. Thus I don't have any reasons to block my application on such a version either. But I do want my application to be aware of the illegal version and warn the user that his Windows version isn't validated. Maybe he forgot, maybe he doesn't want to validate. There could be plenty of reasons for this and I don't want to block them, just make them aware of a problem with their Windows version.

Also, when someone uses a non-valid version of Windows then I might want to do a more strict validation check of my own software, if it's a commercial product. In my free products, I just want an annoying popup, which will just appear once per day.

The main problem with non-validated Windows versions is that they might contain additional spyware and other malware and there's a chance that they don't get all required updates. These Windows versions have a weaker protection than validated Windows versions. Since several of my applications use sensitive data, I don't want any malware leaking away this sensitive data.

Plus, I consider pirated software harmful for any free alternatives. Linux and FreeBSD would have been much more popular if it wasn't for all those pirated Windows versions that are roaming around. People who use pirated software are unlikely to have bought the product in the first place but I would prefer them to use a free alternative instead. Pirated software does a little harm to Microsoft, but it does a lot more harm to the Free community since it keeps people connected to those commercial products...

+6  A: 

That's something for Microsoft to worry about. Not you.

wefwfwefwe
That's an opinion, not an answer.
Frank Bollack
That's an opinion, not a comment.
wefwfwefwe
Actually, when users are involved in illegal software, they could also be pirating my own software. Thus it's my problem too!
Workshop Alex
But what I or anyone else does outside of our business agreements is none of your business.
wefwfwefwe
No, but if you use an illegal Windows version combined with one of my applications, you might be sharing all your information with the whole world because your non-validated and outdated Windows version contains a bunch of malware. Not my problem, just want to warn you about this possible problem when you use a non-valid Windows version.
Workshop Alex
And that's something for me to worry about. Not you.
wefwfwefwe
Not if you use my application because then you might hold me liable if its data is leaked.
Workshop Alex
You're <strike>fucking trolling</strike> kidding, right?
wefwfwefwe
Even legal versions of Windows contain a whole bunch of malware. <troll>Even a fresh installation has a bunch of malware, we're talking about Windows after all</troll>
knittl
+2  A: 

The way I see it, I won't ever trust someone else's verification system to be accurate enough that I would be willing to lock people out of using my software.

I see where you're coming from, but I suggest having MS worry about Windows validation.

In addition, there's really no way to know the true legal status of an install through the machine itself. Sure, there's "validation" and all that jazz, but that's nigh meaningless in context of the truth.

phoebus
Microsoft is doing the validation, and I'm just interested in this result. Does Windows think it's legal or not?
Workshop Alex
Again, it's just a question of whether it's been validated or not. It doesn't come anywhere near the question of legality at that point. You need to stop conflating "illegal" with "not validated".
phoebus
Basically, it's a matter of trust. If someone uses a validated Windows version, I consider him more trustworthy. If Windows is not validated, there could be a legal reason for that. I don't need to block the user, just make him aware that his Windows version isn't validated yet. If M$ doesn't bother blocking non-validated Windows versions, why would I bother about that myself? Just annoying the user with an additional popup is already good enough.
Workshop Alex
Why do you think that annoying your users is a good thing? If they are not trustworthy, they won't buy your program anyway, especially not if you bug them with annoying popups that may or may not be legit. Trust your users instead, those that are willing to pay will pay you if your program is good and doesn't annoy them, the others won't pay whatever you do to them. All you will accomplish is turning users away from your program.
Runeborg
@Workshop Alex, as a matter of fact, I can easily buy Windows, it's $100, but your software is $2000, I'm way more likely to get an illegal copy if I can't afford it. A real example is Windows and Photoshop or even Creative Suite.
iconiK
I'm not worried about people using an illegal version of my software. They need a subscription to a secondary service to practically use it. Without the subscription, the user will just end up with outdated data and will be missing some important features. Still allows them to try the software and check if it's okay, though.
Workshop Alex
+18  A: 

It's an interesting question but wrong attitude. It is not your business checking the affairs of the user.

Or you might as well:

  • Require their tax declaration before selling your software to them

  • A written proof from police they have no criminal record (or they may be inclined to break the law again and pirate your software)

  • Check if they have any torrent software installed (of course it can be used legally but the very fact they have it implies they may misuse it)

  • Check if they have antivirus software installed (to raise their social awareness and to help fight spam bot networks)

  • A credit history report (to be sure they have promptly paid their bills and will also not forget to pay for your software)

  • A proof from their family doctor they have no terminal disease (a person feeling condemned may break the law and pirate your software)

You see where it's going right?

One of the key rules for developing software - your software should be useful, make the users happy and build as few barriers as possible.

Developer Art
It is something I worry about since a user who uses a pirated Windows version could also be pirating my own software.
Workshop Alex
@Workshop Alex: Who says we protest from using legal Windows? We protest against crappy software that imagines itself eligible to search **my** computer!
Pavel Shved
Well, don't use that software! We're not holding a gun against your head and forcing you to use it. Go find a free alternative instead and continue to support free alternatives. When the free alternatives are winning, any commercial product will sooner or later go bust. Pirated software just keeps those commercial products in business simply because of the increased usage...
Workshop Alex
+1 for reminding me that I can also check if they have antivirus software installed. :-) Basically, I want MY OWN application to be secure.
Workshop Alex
@Workshop Alex: You have a more serious problem than you think.
Developer Art
You're <strike>fucking trolling</strike> kidding, right?
wefwfwefwe
@New in town, you don't understand the Q. I don't care if the user uses a legal version of Windows or not. But my software handles sensitive data and I need the user to be aware of security problems! It already has several security measures but in this case users will be made aware of the risk and can continue to use my applications if they're willing to take the responsibility.
Workshop Alex
@Workshop Alex: You failed to communicate this need in your question. No need to blame us.
Developer Art
@Workshop Alex: Anyway, this level of checks by the application itself is very uncommon, nor can it be reliable. Try to think of it this way - what other software that you know works just as you wish? None? Right. There must be a reason for that.
Developer Art
(-1) This is a comment, not an answer. You haven't provided any help on accomplishing what he asked you how to accomplish.
I did update the Q two hours ago to clear it up a bit, even though I already had accepted the answer. And other applications that do the same? I know one, which happens to cost about $250.000 and which deals with a lot of security issues. It handles financial transactions for international locations of a single corporation, to reduce the number of foreign payments, favoring localized payments instead. (An in-house banking application.)
Workshop Alex
A company which uses a software costing $250,000 will probably not be interested in using a pirated copy of Windows. Even Windows 7 is for $299.
Alec Smart
Alex you should WARN the user that they should use legal versions etc. and make them tick a box that warranty will be void if they do not. You do not need to go ahead and do the check yourself.
Alec Smart
@Alec, that is part of the contract between us and the customers. In the B2B world, it's uncommon to see a user with illegal versions of Windows unless you're exporting to certain countries, mostly in Africa and Asia, where illegal software is more common. This serves as an extra reminder to them.
Workshop Alex
+7  A: 

You can't possibly know and you shouldn't care.

The legal status of an install is entirely unrelated to anything on the disk. The same install can be unlicensed now and licensed the next minute without any changes to the machine.

Kristof Provost
I care because I don't want my own software to be pirated either. And someone who pirates Windows is likelier to pirate my own products too.
Workshop Alex
But if someone has a pirated version of Windows, but he buys a license for your software?
Ikke
If someone buys my software and has a non-validated Windows version, he just gets an additional popup warning him his Windows version isn't validated yet. That's basically all I want.
Workshop Alex
You can't know - but you can detect if Windows has been activated etc. Surely it is up to the OP if he should care or not?
Kramii
+23  A: 

Answer not opinion

I think the article here will help you check the legitimacy of the Windows version using the Windows Genuine Advantage.

Just answering your question though. Not sure if I would want to do it with my own software.

Kindness,

Dan

Daniel Elliott
+1 and accepted! This is basically all I wanted. :-)
Workshop Alex
OK. And what happens when WGA fails on a genuinely licensed install?
wefwfwefwe
Then the application will still work, but tell you that your Windows version isn't valid.
Workshop Alex
And what's the point of that?
wefwfwefwe
Liability issues. If you continue to use my application on your insecure system then it's your own fault if data from your 5.000 clients leak all over the Internet. (Otherwise, my insurance is likely to cover the damages...)
Workshop Alex
Can you let me know where you get your legal advice from? Sounds like a good place to avoid.
wefwfwefwe
@Workshop Alex, I don't know of any piece of software license that provides any form of warranty. Heck, most licenses I've seen explicitly state that absolutely no warranty is provided and you are on your own if anything happens.
iconiK
@iconiK, even if they don't provide any warranty, a software manufacturer can still be held legally responsible for any damage caused by his product. (At least in the Netherlands.) The only problem is that the user must provide the evidence that it was the software that caused the problem. Actually, a claim that they provide no warranty is likely to nullify most of the license conditions since it's an invalid license claim. (Again, in the Netherlands.)
Workshop Alex
+4  A: 

Microsoft offers a small API, but MSDN doesn't state anything about how the used DLL is installed at the client system. My guess is that it comes with the SP2 or WGA utility from Windows Update.

This is the MSDN page for the API.

Frank Bollack
It says how the API gets installed: "The WGA functions are available only on Windows Vista and Windows XP installations that have been validated by clicking Validate Windows on http://www.microsoft.com/genuine." Anyway, +1 for a good answer. Don't see why this had been downvoted.
0xA3
Ah, thanks, must have missed that. About the down vote, maybe some people don't like the way MS forces their users to validate their installed software. And so they also don't like people making use of this technique.
Frank Bollack
+1, also a good answer! Useful for WIN32 development. The previous answer works on .NET, so both are now covered. :-) Too bad I can't split the answer...
Workshop Alex
@Workshop Alex: It goes without saying that you can use this also from .NET (using P/Invoke aka `DllImport`).
0xA3
The Q itself is controversial already since some people just don't like to pay for Windows. If more developers start to check the legality of Windows, those people will start to become very isolated. (Besides, I wonder why they just won't use Linux instead. If more people are blocked from using pirated software, Linux will only become more popular.)
Workshop Alex
@divo, of course. :-) But the answer gave me a solution that doesn't need DllImport or P/Invoke. Basically, both answers are good but he was first.
Workshop Alex
@divo: I downvoted this answer because it's incorrect (a fair reason, right?). The correct answer for the original question is "None of your business to check it!".
Pavel Shved
@Pavel: Do you mean wrong in terms of not fitting to your point of view???
Frank Bollack
@Frank Bollack: what's the correct answer to "Have you stopped hitting your wife every morning"? The correct one is "Go to hell!" That's what I'm talking about.
Pavel Shved
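An added example, not part of the thread or of any poster's code: a C# P/Invoke check of the kind the comments above describe. The thread does not name the function behind the linked MSDN page, so this assumes `SLIsGenuineLocal` from `slwga.dll` (Software Licensing API, Windows Vista and later); the `GenuineCheck` class and `Verdict` enum are hypothetical names.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: warn-only check, never blocks the application.
static class GenuineCheck
{
    // Mirrors SL_GENUINE_STATE from slpublic.h.
    enum SlGenuineState : uint
    {
        IsGenuine = 0,
        InvalidLicense = 1,
        Tampered = 2,
        Offline = 3,
        Last = 4
    }

    // Hypothetical tri-state result: anything we cannot determine is Unknown,
    // so a failed or unavailable check never produces a false warning.
    public enum Verdict { Genuine, NotGenuine, Unknown }

    // Application ID of Windows itself (WINDOWS_SLID in slpublic.h).
    static readonly Guid WindowsSlid = new Guid("55c92734-d682-4d71-983e-d6ec3f16059f");

    [DllImport("slwga.dll", ExactSpelling = true, PreserveSig = true)]
    static extern int SLIsGenuineLocal(ref Guid pAppId,
                                       out SlGenuineState pGenuineState,
                                       IntPtr pUIOptions); // optional, null here

    public static Verdict Check(out string detail)
    {
        try
        {
            Guid appId = WindowsSlid;
            SlGenuineState state;
            int hr = SLIsGenuineLocal(ref appId, out state, IntPtr.Zero);
            if (hr < 0) // failed HRESULT: the check itself did not run
            {
                detail = "SLIsGenuineLocal failed, HRESULT 0x" + hr.ToString("X8");
                return Verdict.Unknown;
            }
            detail = state.ToString();
            switch (state)
            {
                case SlGenuineState.IsGenuine: return Verdict.Genuine;
                case SlGenuineState.InvalidLicense:
                case SlGenuineState.Tampered: return Verdict.NotGenuine;
                default: return Verdict.Unknown; // Offline or unrecognised value
            }
        }
        catch (DllNotFoundException)
        {
            detail = "slwga.dll is not present on this system";
            return Verdict.Unknown;
        }
        catch (EntryPointNotFoundException)
        {
            detail = "SLIsGenuineLocal is not exported by slwga.dll";
            return Verdict.Unknown;
        }
    }

    static void Main()
    {
        string detail;
        Verdict verdict = Check(out detail);
        Console.WriteLine("Windows genuine check: {0} ({1})", verdict, detail);
        if (verdict == Verdict.NotGenuine)
            Console.WriteLine("Warning: this Windows installation is not validated.");
    }
}
```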
A: 

If you prevent pirating your own software (I mean prevent it running on pirated Windows) then probably your software will not be as successful as it could.

Just make your client pay fair price for your software.

Janis Veinbergs
My clients do pay a fair price for my software. No complaints there. But some clients don't want to pay at all and I'm better off with them using a free alternative instead of something illegal. There are plenty of free alternatives for commercial software so why would anyone use pirated software? Just give more support to free software instead!
Workshop Alex
Well, I mean just price your software accordingly. For games and other services that have to do something online, it's a good thing to just add extra value for paying the price. For example, you could provide only 1 client account per cd-key to do something online. In that way, it's more likely someone will buy your software.
Janis Veinbergs
Much of my software is cheap or even free. But it allows the user to handle data from other persons including credit card information, social security numbers, NAW+DOB and much more. If this data is exposed then I might be held responsible, unless the application told the user that he has security problems. Popping up this warning will force the user to be aware of this security problem. If he ignores it and his data leaks out, it's his fault, not mine. (And yes, my software has plenty of other security measures.)
Workshop Alex
@Workshop Alex: there is where you are wrong. You can't be held liable for the users' machines security. By *doing* this validation you open yourself to that liability.
voyager
@voyager, I don't want to take any risks. Besides, liability differs per country. In some situations, companies can be held responsible for damage caused by their applications, especially when using weak or no encryption. Fortunately, my company is insured for any legal problems that can arise from the software we create, including possible legal damages. When talking to one of their advisors, I considered adding this feature, which he told me could even further reduce liability. I do consider this insurance agent an expert at this level.
Workshop Alex
+3  A: 

Why don't you also check to make sure they're not running a pirated version of Photoshop? Or Half-Life? How about Microsoft Office?

See where I'm going with this? I don't particularly agree with piracy checks as it stands - but in order to perhaps save you a headache, I would suggest that you only worry about whether your own software is pirated, using whatever means you wish (licence keys, phoning home, whatever nefarious and intrusive method you so desire!). So someone who pirated Windows MAY be likely to also pirate your software too. If you intend to block usage of your software if you detect they're running a pirated copy of Windows - well, that's just bad practice. What if the validation software is buggy, or incorrect, or reports that the software is pirated because SOMEBODY ELSE used this person's legitimately bought licence key?

Aside from it being none of your business, Windows in particular has been known to falsely report that a legitimate copy of Windows was pirated. You should not trust anybody's validation tools but your own (and even then you might have coded a crappy validation tool!). There are so many things that could cause an incorrect piracy report - I would steer way clear of this approach.

TomFromThePool
I understand what you're saying but all I want is to make the user aware that his Windows version isn't valid, which might also introduce security risks. I could also warn him if he's not using a virus scanner to keep his system secure. That might actually be my next Q. :-)
Workshop Alex
@Workshop Alex, I don't use an antivirus software as it slows down every disk access several hundred times; yet, I haven't had a virus problem in over a year (and that one minor) because I am careful about what software I use. If your software would nag at me I'd completely remove it without question.
iconiK
@Workshop Alex, and what about people running your software inside Wine? Wine doesn't validate as genuine Windows (as it isn't Windows!) and doesn't need antivirus programs (most won't even run anyway).
iconiK
@iconiK, Wine is not supported and will not be supported since the software uses some special Windows features that aren't supported by Wine.
Workshop Alex
@iconiK, not using antivirus software isn't smart, even if you only use Linux. Then again, experienced professionals will be able to keep their system clean even without antivirus products. But the users of my software are handling sensitive personal and financial data and they cannot take any risks with this data. (And some seem to have similar mental capabilities as a well-trained chimpanzee...)
Workshop Alex
+2  A: 

Not even Microsoft can do this reliably. It is a constant arms race as Microsoft updates WGA against people who seemingly have to do very little to bypass it. This is exacerbated by the needs of OEMs who (rightly) need to have preinstalled and prevalidated copies of OSs so they don't annoy their customers, who may well be business customers. I think that a lot of the "hacks" around this have to do with OEM master keys.

Basically, pirating software (including Windows and your software) is a social problem not a technical one. The worst thing you can do as a software vendor (imho) is to annoy your legitimate customers in the quest to stop pirates to the point that you make your legitimate customers pirates. Example: some games have gone so far as to install rootkits as well as limiting the number of activations (eg Spore).

Limiting activations in particular is an evil practice. People have an innate sense of fairness about these things. If they have two activations of something, are running Windows XP and switch to Windows 7 RC and will then switch to a real version of Windows 7 when released then they've just gone over the limit. As in the case of Spore, you can request additional activations over the phone but this kind of thing just rubs people the wrong way. Some to the point that they'll feel quite justified in bypassing such restrictions.

As for downvoting your question, I suspect it's because people don't like your intent, probably for reasons that are similar to the ones I've listed above.

cletus
Basically, I just want my software to check how secure the OS is. If it has potential security problems, I warn the user, forcing him to acknowledge the security problem before he can continue. Takes away some of the liability. In no way do I want to block users. But some users don't understand this security aspect behind the Q.
Workshop Alex
But by doing the check, you open yourself to be held liable when a legitimate Windows copy with Norton Antivirus lets spyware release all of your app's data! Leave the computer's security to the computer owner.
voyager
Not in the Netherlands. But it also depends on the EULA and the contract between the clients and my organisation. Most are B2B contracts since the software has no features usable by consumers.
Workshop Alex
+1  A: 

Just asking the technical part, leaving out your reasons/philosophy would have given you direct answers.

ThisIsMeMoony
Without the reason, I'd never have had an answer. It would be downvoted into oblivion...
Workshop Alex
We'll never know, *now*...
Shog9