My Vista product key can be easily dumped out?

[zxli]

Hello,

Today I tried SiSoftware Sandra under my Vista. I find it can dump my
product key out without any UAC warnings. Is it by design? Isn't it a
security hole? I'm really embarrassed...

Thanks!
zxli

 

[Todd Hudson]

Whats the security issue? It is stored in the registry like most other
settings.

 

[Chriss3 [MVP]]

I'm agree with Todd Husdon. This is not an security issue and doesn't have
anything to do with UAC.

 

[Kerry Brown]

Uac only prompts when writing to certain areas of the registry. Reading does
not cause a uac prompt.

 

[Zhenxin Li]

MS always tells us to keep the product key in a physically safe place. But
how to protect my product key(in clear text?) in the registry that everybody
including hackers know where it is? I can hide the physically printed
product key somewhere in my home or some other place. Even someone breaks
into my home, he will spend a lot of time to find where it is. But what if
someone intrude into my computer? He knows, the product key is right
there...

BTW, how many computers can be activated by one product key?

 

[Frank Saunders, MS-MVP OE/WM]

MS always tells us to keep the product key in a physically safe place. But
how to protect my product key(in clear text?) in the registry that
everybody including hackers know where it is? I can hide the physically
printed product key somewhere in my home or some other place. Even someone
breaks into my home, he will spend a lot of time to find where it is. But
what if someone intrude into my computer? He knows, the product key is
right there...

BTW, how many computers can be activated by one product key?

You need to keep it in a physically safe place so that you can access it
when the computer won't boot. That's why OEM machines put it right on the
box.

One key - one computer.

 

[Zhenxin Li]

I do know there are some special keys which can activate multiple machines.
It is a threat for those keys if the keys can be dumped out so easily.

If I get it correctly(I forget where I heard this), for XP keys, one key can
be used to activate another machine after some months when the first machine
was activated. Is that right?

 

[Jupiter Jones [MVP]]

Do not look for a software solution where there is none.
You need to control physical access to your computer.
See Law 3:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

 

[John E. Carty]

Where did you find the product key in the registry stored as clear text???

 

[Zhenxin Li]

Maybe it's not in clear text. But it can be dumped to clear text easily...

 

[Zhenxin Li]

I'm not asking for a solution. I just want to know why it is designed like
this.

Of course I should not let the ones I don't trust access my computer. But no
one can guarantee he won't run malicious softwares accidentally or be
attacked by the hackers. Why the product key is stored as clear text or
similar to clear text in the registry. Why it isn't stored by some
non-reversible hash algorithm.

 

[Jupiter Jones [MVP]]

Why?
Because that is the way Windows is designed.

It is not a security issue at all since even if someone gets your key, you
still have no security issues on your computer.

"But no one can guarantee ..."
And no one but you can control that, it is called "Physical Security".

"run malicious softwares accidentally"
That is another reason why it is highly recommended to not run as
Administrator.
Hopefully you have others that use your computer set up as Limited Accounts
as well.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar
http://www.dts-l.org

 

[Frank Saunders, MS-MVP OE/WM]

I do know there are some special keys which can activate multiple machines.
It is a threat for those keys if the keys can be dumped out so easily.

If I get it correctly(I forget where I heard this), for XP keys, one key
can be used to activate another machine after some months when the first
machine was activated. Is that right?

Only if it's taken off the first machine.

 

[Robert Firth]

Why would someone steal your product key anyway? Remember, it is one key,
one computer. Therefore it would be useless to them because they will be
unable to activate it.

This isn't really something that someone would take advantage of. It would
be pointless.

--
/* * * * * * * * * * * * * * * * * *
* Robert Firth *
* Windows Vista x86 RTM *
* http://www.WinVistaInfo.org *
* * * * * * * * * * * * * * * * * */

 

[Jeffery Jones]

Why would someone steal your product key anyway? Remember, it is one key,
one computer. Therefore it would be useless to them because they will be
unable to activate it.

This isn't really something that someone would take advantage of. It would
be pointless.

What if they were looking to sell "Vista Ultimate for Download NOW
$89!!!"?

They would send out a virus, collect a bunch of Vista product keys
and sell one stolen key with each pirated download.

The hapless victim might have his key / activation revoked via WGA
check the following month and be forced to buy a new license to
continue to run the copy of Vista he bought in the first place.

 

[Jupiter Jones [MVP]]

Somewhat Ok until you said "...forced to buy a new license..."
Won't happen.
The "hapless victim" may mistakenly think that is needed, but it is
not.