Solved

Need to get rid of XP activation hack

Posted on 2004-11-07
Medium Priority
115,291 Views
Last Modified: 2011-08-18
Hello experts -

I began working with a new client, and several of their machines have had an XP activation hack applied, a service running as reset 5. It seems as if each machine has individual, valid keys, and the hack was applied by a long-gone temporary guy "just in case" the OEM installations might have to be moved to different hardware "some day".

We need to make this right - get rid of the hack, and get these machines activated. Some have run over a year, with entries every day in the event logs complaining that they needed to be activated, but no other noticeable symptoms. WPA won't even start, so to simply activate them now won't work.

I've found several files and registry entries that appear to be related to the hack, and have done some preliminary testing at getting rid of it. I can get the files and services removed, and the registry entries removed so that it doesn't seem like the hack is running, but I cannot get the WPA to work, to go out and activate with MS. I probably have not found all of the files or regedits that this thing has done....

Does anybody know anything about this hack - reset 5 - and how to get rid of it??
Question by:TommaX
21 Comments
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12519209
Which Version of XP?  Are you an OEM or someone with limited number of licenses?  More is needed here to help you.
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12519223
If this was a Hack, report it to Microsoft, please.  Listening further, since hacking information is now allowed here.
 
LVL 63

Accepted Solution

by:
☠ MASQ ☠ earned 1000 total points
ID: 12519304
The "Reset" hacks are pretty insidious. Had a similar issue to the one you're describing & eventually gave up and reinstalled XP.  MS were fine with the legit CD Keys but never got to the bottom of how exactly the hack prevented WPA. Reset 5.02 has been blocked by MS for SP2 apparently. In my case also ended up with two installations which turned out to have been installed from a "Corporate" version!
Reinstalls worked here & saved reinstalling user's software.

@astaec
<<hacking information is now allowed >> ?? I missed this, is there a link you can post??
 

Author Comment

by:TommaX
ID: 12520083
Thanks MASQUERAID - I really don't have the time right now to figure out how the thing works, either...I guess the sure fix is always to re-install, and that has saved my butt a few times, indeed. Thank God that's possible w/XP, but re-installing is a bit time-consuming and awkward, though, right now.

I have no interest in playing cops, astaec - but I will do the right thing and fix what's wrong once it's my responsibility.....this discussion is about that, and that only.

I'd like to leave this open just a little while for further comments or suggestions to get rid of this thing. If nothing else really comes up, then I'll award the points to MASQUERAID, and re-install.
 
LVL 11

Expert Comment

by:Paul S
ID: 12521232
what does this do:

Start Menu > Run > "%windir%\system32\oobe\msoobe.exe" /a
 

Author Comment

by:TommaX
ID: 12523289
msoobe.exe doesn't do anything....it refuses to run.
 
LVL 27

Expert Comment

by:Asta Cu
ID: 12524173
TommaX -> I would not expect nor want any points here, so however you choose to finalize this is fine by me.  The reason I asked is to ensure Guidelines compliance as noted here: http://www.experts-exchange.com/Operating_Systems/help.jsp#hi100 
 
LVL 3

Expert Comment

by:cwalter9
ID: 12525963
Here is a little trick and some explanation, but I'm not sure if this would save you any time over re-installing. If all the machines are the same hardware and system type then you might just be in luck. If you move hardware components around and swap them in and out of machines you will force a re-activation of the system. You need to get the hardware vote below 7 for desktops:

Activation uses a voting mechanism. There are 10 hardware characteristics used in creating the HWID:

Display Adapter
SCSI Adapter
IDE Adapter
Network Adapter MAC Address
RAM Amount Range (i.e. 0-64mb, 64-128mb, etc)
Processor Type
Processor Serial Number
Hard Drive Device Type
Hard Drive Volume Serial Number
CD-ROM/CD-RW/DVD-ROM

Each characteristic is worth one vote, except the network card (NIC), which is worth three votes. When the current HWID is compared to the original hardware HWID, there must be a vote of 7 or more for the two HWIDs to be considered "in tolerance" on a desktop machine.

If the device is a laptop, additional tolerance is allowed and there need only be 4 matching points. Therefore, if the computer is a laptop and the network card is the same, only one other characteristic must be the same for a total vote of 4.

If the network card is the same, then only 4 additional characteristics must match because the network card is worth 3, for a total of 7 votes. This means, for a desktop system with both SCSI and IDE adapters, you can change five components. If you have only an IDE adapter, you can change four components, assuming you have all the others listed.

If the network card is not the same then, for a desktop machine, a total of 7 votes must be obtained from components other than the network card. So, if you have only an IDE adapter and no SCSI card, you can change one other component besides the NIC, assuming you have all the others listed.

You will also note that there is no mention of the motherboard or its chipset. Only the CPU processor type and serial number are considered, along with the IDE adapter if it is built in to your motherboard, which is the norm with modern boards. This means that a simple motherboard change may or may not trigger a reactivation, depending on what else you change, such as taking the opportunity to go to a faster processor or add more RAM.

So as you can see if you take 2 or 3 systems and move say the NIC and hard drive from one computer to another even though the hardware is the same you would force a re-activation of XP.
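The voting rule cwalter9 lays out above, tallied in code. This is an added example and not part of the thread: the ten characteristics, the three-vote weight of the NIC and the 7/4 thresholds are those stated in the post; the two sample desktops, their identifiers and the RAM bucket boundaries are constructed for illustration. It plays through the swap the post ends on (NIC and hard drive moved in from a sister machine) and shows why the same swap would not trip a laptop.

```python
"""Vote tally for the Windows XP activation hardware hash (HWID), as described
in the thread above. Added example; the component list, weights and thresholds
are taken from the post, everything else (the sample machines, the RAM bucket
boundaries) is constructed for illustration."""

# The ten characteristics named in the post. A characteristic a machine simply
# does not have (no SCSI adapter, a CPU that reports no serial number) is left
# out of its dictionary and can never contribute a vote, which is the
# "assuming you have all the others listed" caveat in the post.
HWID_COMPONENTS = (
    "display_adapter", "scsi_adapter", "ide_adapter", "nic_mac", "ram_range",
    "cpu_type", "cpu_serial", "hdd_type", "hdd_volume_serial", "optical_drive",
)

# Every characteristic is worth one vote except the NIC, which is worth three.
VOTE_WEIGHT = {"nic_mac": 3}

# Matching votes needed to stay "in tolerance": 7 on a desktop, 4 on a laptop.
TOLERANCE = {"desktop": 7, "laptop": 4}


def ram_range(megabytes):
    """Bucket a RAM amount into the doubling ranges the post sketches
    (0-64, 64-128, 128-256, ...). The exact boundaries are an assumption."""
    upper = 64
    while megabytes > upper:
        upper *= 2
    lower = upper // 2 if upper > 64 else 0
    return "%d-%dmb" % (lower, upper)


def matching_votes(original, current):
    """Count the votes the current hardware casts for the original HWID and
    return the components that changed, so the caller can see why."""
    votes = 0
    changed = []
    for comp in HWID_COMPONENTS:
        if comp not in original:
            continue  # never part of the original hash
        if original[comp] == current.get(comp):
            votes += VOTE_WEIGHT.get(comp, 1)
        else:
            changed.append(comp)
    return votes, changed


def needs_reactivation(original, current, form_factor="desktop"):
    """True when the current hardware falls below the tolerance threshold."""
    votes, _ = matching_votes(original, current)
    return votes < TOLERANCE[form_factor]


def sample_machine(mac, volume_serial):
    """Constructed desktop: no SCSI adapter, CPU without a serial number, so
    only eight characteristics (ten votes) exist. Values are hypothetical."""
    return {
        "display_adapter": "nvidia-geforce4-mx",
        "ide_adapter": "intel-ich4",
        "nic_mac": mac,
        "ram_range": ram_range(512),
        "cpu_type": "pentium4",
        "hdd_type": "ide-fixed",
        "hdd_volume_serial": volume_serial,
        "optical_drive": "cd-rw",
    }


ORIGINAL = sample_machine("00:11:22:33:44:55", "1A2B-3C4D")
# The same box after the NIC and hard drive were swapped in from a sister
# machine of identical make: 3 + 1 votes lost, 6 of 10 remain.
AFTER_SWAP = sample_machine("66:77:88:99:AA:BB", "5E6F-7A8B")

if __name__ == "__main__":
    votes, changed = matching_votes(ORIGINAL, AFTER_SWAP)
    print("matching votes:", votes, "changed:", changed)
    for form_factor in ("desktop", "laptop"):
        print(form_factor, "needs reactivation:",
              needs_reactivation(ORIGINAL, AFTER_SWAP, form_factor))
```

With SCSI and CPU serial absent the desktop only has ten votes to lose, so the NIC plus the disk's volume serial is enough to drop it to 6 and force reactivation; a laptop keeps going at 6 because its bar is 4. A machine with a SCSI card and a CPU serial would sit at 12 and survive the same swap at 8, which is why the post says the outcome depends on what else the box has.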
 
LVL 63

Expert Comment

by:☠ MASQ ☠
ID: 12526246
@asteac -  Aha! <noT allowed> :)
This is not about hacking but removing a hack from XP to allow it to install legitimately.

@The_Computer_Guru_777/cwalter9
Not sure about TommaX's installation but Reset seems to prevent WPA accepting registration even if you try to invoke the Activation Wizard using "%windir%\system32\oobe\msoobe.exe" /a.

Interested to see if the hardware changes would do it although they should invoke the same process because of the database change & have to say changing enough hardware to do this might take more time than an unattended repair/reinstall.

Still listening ...
 
LVL 3

Expert Comment

by:cwalter9
ID: 12526748
The time of swapping was my main concern with recommending the hardware swap ;(

And like you said, if it just kicks off the same old wizard nothing much would be different. Maybe, though, if the system thinks it needs to register, it would force it. If not then there isn't much that could be done in a short amount of time.

If you want to find out for sure what is changed with the hack you could copy all of the files from a clean system and then all from a hacked system over to a Linux or Unix box and run some diff and compares and see what was changed. But all roads lead to a good amount of time figuring out exactly what was changed by Reset.
 
LVL 6

Expert Comment

by:WhitePhantom
ID: 12526838
Put a WinXP CD in the drive that has integrated the same service pack as that which is installed on the computer, go to a command prompt, and type "sfc /scannow"  Let it replace all the files it finds that are different.

WP
 

Author Comment

by:TommaX
ID: 12527593
Thanks, all, who offered their assistance with this.

We started the in-place re-installs, have a couple of machines done and properly activated now.

Nothing seemed to force the WPA to run, though, so the re-install was the only way to deal with this....it is pretty insidious, as MASQUERAID mentioned.

Thanks again!
 
LVL 1

Expert Comment

by:Bill K
ID: 12629209
Most of the hacks working now replace/rewrite the bytes of the winlogon.exe file. Believe it or not, but the hack "usually" slaps a .bak extension on the original winlogon file upon replacement. I won't say any more... I like it here ;)


advice: find winlogon.bak on the hacked PC or go to an unhacked XP machine and copy winlogon.exe to the hacked machines :)

This will get WPA up and going again

 
LVL 2

Expert Comment

by:orphicfireball
ID: 12650514
You could try installing service pack 2 on these machines.  Microsoft builds their service packs so that they repair activation cracks.
 
LVL 3

Expert Comment

by:jer2eydevil88
ID: 12714380
Two things you can try to do that are relatively simple and should work.

Reboot into safe mode and attempt to run the activation then (if the activation hack is killing the process then this would get around it)

Try to use the windows xp CD to repair the current installation.  This will fix it but the cost is you lose all the windows updates and possibly some drivers.  I suggest this as a last resort below a full clean restore.

Then again you could try and find the hack the old guy used (maybe contact him) and see if there is a remove feature :).
 

Expert Comment

by:Mooligan
ID: 12716313
For what it's worth I removed this from a clients computer recently.

After SP2 was installed he was receiving warnings that he had to activate, he ignored it until enough time had passed and he was locked out of his system. I was able to get back in by calling the MS activation phone number and activating using his XP OEM cd key located on the bottom of the laptop. While this did get me in and say that it was a successful activation, after a reboot I would be deactivated again.

To fix it I removed all references to reset5. To do so, disable the service, run a search on your PC for reset5, and remove any files found. I believe there were 2 DLLs.

Next search the registry and remove all references, there were quite a number. After doing this the activation request was gone on startup and everything was back to normal.

 
LVL 7

Expert Comment

by:tonyteri
ID: 12738052
enter the valid key in the registry hive and then   activate it.
 

Expert Comment

by:stevent10993
ID: 12770295
Thanks to Mooligan for your advice; I too needed to get rid of this insidious hack and was able to using your suggestions. I deleted all the reset5 files, removed the registry references, and ran the activation app fine. Further, many reboots later, all still seems fine.

One thing bugs me though. The reset service, disabled as it is, still shows up in the services window. Looking further, I see it loads a file: srvany.exe, located in the Windows\System32 folder.

Any idea how to get rid of this thing completely?

Thanks,

Steven
 

Author Comment

by:TommaX
ID: 12772298
@stevent10993

I found that reset5 creates entries for itself in three different locations in the registry - just do a search for reset5 from 'my computer' down, and hit 'find next' until all of its hiding places have been found. Deleting all of these registry entries  was enough to delete the entry from the services window in all of the infected machines that I found....
 

Expert Comment

by:stevent10993
ID: 12789077
I failed to find the other listing as I was only using regedit. When I used a new registry editor, Reg Work (which I just bought), I found a whole lot more.

I also traced the srvany.exe file back and deleted it, as well as another reset file in system 32.

BTW, what stumped me was your "reset5." When I looked at the services window, it read "reset 5."

What a difference a space makes <grin>.

Thanks again.

Steven
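The cleanup Mooligan, TommaX and stevent10993 describe above (disable the service, hunt down every reset5 file and registry reference, trace the srvany.exe wrapper to the program it launches) done as an offline audit rather than by eye, and it also flags the winlogon.bak that Bill K mentions. This is an added example, not code from the thread. It reads a registry export (the text regedit's Export command writes) and a directory listing rather than the live registry, so it runs anywhere; the export and listing below are constructed, and the key and file names in them (reset5.exe, reset5.dll, the Run entry) are hypothetical stand-ins, not the hack's real ones. The one detail it gets right on purpose is the one that stumped stevent10993: "reset5" and "reset 5" are matched by the same pattern.

```python
"""Offline audit of a registry export and a System32 directory listing for the
leftovers of a srvany-wrapped service such as the "reset 5" one in the thread.
Added example, not from the thread. The export and listing below are
constructed; the file names in them are hypothetical, not the hack's real ones."""
import re

# "reset5" and "reset 5" both match: the space is what hid the service entry
# from a plain text search in the thread.
RESET_PATTERN = re.compile(r"reset\s*5", re.IGNORECASE)

# srvany.exe (Windows Resource Kit) runs an ordinary program as a service. The
# service name and ImagePath say nothing about that program; it is named in the
# Parameters\Application value under the service key.
SRVANY_PATTERN = re.compile(r"srvany\.exe", re.IGNORECASE)

# Constructed regedit export. ControlSet002 stands in for the backup control
# set, which a search of CurrentControlSet alone does not cover.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\reset 5]
"ImagePath"="C:\\WINDOWS\\system32\\srvany.exe"
"Start"=dword:00000002
"DisplayName"="reset 5"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\reset 5\Parameters]
"Application"="C:\\WINDOWS\\system32\\reset5.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reset5"="C:\\WINDOWS\\system32\\reset5.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\reset 5]
"ImagePath"="C:\\WINDOWS\\system32\\srvany.exe"
"""

# Constructed excerpt of "dir /b %windir%\system32".
SAMPLE_LISTING = """winlogon.exe
winlogon.bak
srvany.exe
reset5.exe
reset5.dll
kernel32.dll
"""


def parse_reg_export(text):
    """Yield (key, value_name, data) for each line of a .reg export; a key
    line yields value_name and data as None."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (line.startswith('"') or line.startswith("@")):
            name, _, data = line.partition("=")
            yield key, name.strip('"'), data


def find_leftovers(text):
    """Keys that mention reset5 anywhere (path, value name or data), and the
    services whose ImagePath is srvany.exe, whatever they happen to be called."""
    suspect_keys, srvany_services = set(), set()
    for key, name, data in parse_reg_export(text):
        if RESET_PATTERN.search(" ".join(s for s in (key, name, data) if s)):
            suspect_keys.add(key)
        if name and name.lower() == "imagepath" and data and SRVANY_PATTERN.search(data):
            srvany_services.add(key)
    return sorted(suspect_keys), sorted(srvany_services)


def wrapped_applications(text):
    """Map each srvany-wrapped service key to the program it really runs."""
    apps = {}
    for key, name, data in parse_reg_export(text):
        if name and name.lower() == "application" and key.lower().endswith("\\parameters"):
            service_key = key[: -len("\\Parameters")]
            apps[service_key] = data.strip('"').replace("\\\\", "\\")
    return apps


def suspect_files(listing):
    """File names worth a look: reset5 leftovers, the srvany wrapper itself, and
    a winlogon.bak left behind by a winlogon.exe swap."""
    wanted = (RESET_PATTERN, SRVANY_PATTERN, re.compile(r"^winlogon\.bak$", re.IGNORECASE))
    return [f for f in listing.split() if any(p.search(f) for p in wanted)]


def removal_commands(keys):
    """reg.exe commands to review before running. Stop and disable the
    service first; deleting the key under a running service is not a stop."""
    return ['reg delete "%s" /f' % k for k in keys]


if __name__ == "__main__":
    keys, services = find_leftovers(SAMPLE_EXPORT)
    print("keys mentioning reset5:", *keys, sep="\n  ")
    print("srvany-wrapped services:", *services, sep="\n  ")
    for svc, app in wrapped_applications(SAMPLE_EXPORT).items():
        print("%s runs %s" % (svc, app))
    print("files to inspect:", suspect_files(SAMPLE_LISTING))
    print(*removal_commands(keys), sep="\n")
```

Run it against a real export (regedit, File, Export, with "All" selected) and a real listing instead of the constructed ones to get a checklist rather than a memory of where you have already looked. The point of `wrapped_applications` is that the service entry never names the hack's binary; the wrapper does, under Parameters, and that path is what leads you to the file to delete once the service is stopped and disabled. In the thread, regedit's Find alone missed some of the references, so treat the export as the authoritative list and check the second control set too.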
 

Expert Comment

by:Peter_in_oz
ID: 13369423
I have found with machines that have WPA hacks on them that installation of SP1 after the hack (or SP2 for that matter) will disable the WPA hack. Now I would suspect that not all WPA hacks are the same, but some simply replace a couple of Windows XP files and the Service Packs overwrite these files with new ones, thereby eliminating the hack and re-enabling the need to activate.

At least that is what has happened when I have done it.
