[Last Call] Learn how to a build a cloud-first strategyRegister Now


VFP Trial Software More Secure

Posted on 2012-09-16
Medium Priority
Last Modified: 2012-09-18
Hi all. I really need the help of some experts here.

I've been working off and on for nearly a week on a project that will require a user trial period followed by an optional registration.

I thought I had most everything worked out, with an added layer of security even.

Besides writing certain keys to the registry encoded, I also created a file in a 'secret' location on the users hard drive so that I could double check a few things.

First, how would I know if the user just went into the registry and deleted all the keys my software entered? I wouldn't. The file allows me to verify what might have been deleted from the registry, and vice-versa.

However, I just read a post that says under Windows Vista and above, you cannot write outside of the directory for the program that is being installed. In some cases even with admin privileges. So this will not work.

So then how do I stop a user from simply deleting my registry keys, which will in effect make the trial period start over again??
Question by:formadmirer
LVL 30

Accepted Solution

Olaf Doschke earned 800 total points
ID: 38403600
>you cannot write outside of the directory for the program that is being installed
1. At installation the installer process by definition is having highered privileges, otherwise an installer wouldn't be able to write to Program Files at all. And you can write anything you want
2. At runtime, yes, you're limited to certain allowed dirs, when you talk about system dirs, but outside you can write anywhere to C:\, D:\ .... Policies might hinder you to write to root C:, but you can write at many places. User profiles Docuemnts fodlers and Appdata folders are to be preferred.

But this limitation also let's users do less in the registry, unless they are also administrator.

To cut this short, the solution is very simple: You check for a key by trying to read it and if it's not there refuse to work. If a file is deleted or has wrong content, refuse to work.

There is never 100% security, but you can react to a missing license file or signature, you don't even have to hide it or it's content, because if it's altered the decoding will not result in the correct license, for example, or the signatur of a file or your exe itself won't verify correctly.

I already said it's not an easy job, use third party solutions and services and your software will easily have the industry standard of secured, copy protected applications. And these standards are high.

Bye, Olaf.
LVL 43

Assisted Solution

pcelba earned 400 total points
ID: 38403725
Any restriction has a work around.

To find what files or registry keys the application reads is very easy - you may use Process Monitor...

You could also produce new version every month and include the time restriction inside it. Then, of course, you'll need to check the app validity on internet or comparing the local computer time at least.

To create an evaluation version somehow restricted or with reduced functionality is maybe better but again experienced users can decompile it...

Well everything depends on your users. How many of them will try to cheat your restrictions? How much would you like to invest to make this possibility harder? Etc. etc.
LVL 27

Assisted Solution

CaptainCyril earned 400 total points
ID: 38403788
You can write in the following folders:

C:\ProgramData\CompanyName\ApplicationName Vista, 7, 8

or C:\Documents and Settings\All Users\CompanyName\ApplicationName XP

I suggest for security Sentinel SuperPro dongles if you opt for dongles.

Create a file and it's no problem if the user sees it. Fill it up with jibrish and write your stuff into known locations. Each time you read and write make sure the jibrish changes.

I personally have a DBF file with two fields: key and value and then I encrypt the DBF in a way that no user can figure out (n number of encodings) and rename it in another extension.
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

LVL 12

Assisted Solution

jrbbldr earned 400 total points
ID: 38405469
how do I stop a user from simply deleting my registry keys

The simple answer is - You can't!

But instead of writing a Registry value ONLY for Test/Trial runs, you should write a value for ALL instances.   One value for Test/Trial running and another for LIVE running.

And make the Key of that value have some non-intuitively recognizable name so that they users will not automatically find it.

Finally, as Olaf has indicated above,  if a user has DELETED they Key and/or its value - the application is prevented from running

Good Luck
LVL 27

Expert Comment

ID: 38406365
The user can track what registry keys it is accessing.
LVL 30

Assisted Solution

by:Olaf Doschke
Olaf Doschke earned 800 total points
ID: 38408356
If starting over the trial period is your main problem, there is no other real solution than to have the trial information (start date) not stored on the client computer at all.

The other solution is to make your application not work at all without a trial or purchase license, so don't make it so the deletion of a file unlocks something, make a file needed even to run for trial. For example DevForce from ideablade is giving you a trial software key.

Third party solutions you could use will perhaps also work with a registry key or a file. But you can't really prevent a user from restoring an image, and reinstalling. Or installling a virtual machine and installing your software, or turning back system time and much more efforts to extend a trial period.

Some of the things can be prevented, eg by getting time from a time server instead of the system. And of course a good measure is to know the customer by a registration from trial day 1 on. He can of course register as diverse users, but you can see if the registration is for the same hardware serial numbers and perhaps other characteristics.

Last not least another very frequent measure is a lockdown of functionality. IdeaBlade also does that.

Bye, Olaf.

Author Closing Comment

ID: 38409638
Thanks for all the information!!

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Visual FoxPro (short VFP) is a programming language with it’s own IDE and database, ranking somewhat between Access and VB.NET + SQL Server (Express). Product Description: http://msdn.microsoft.com/en-us/vfoxpro/default.aspx (http://msd…
This article will help to fix the below errors for MS Exchange Server 2016 I. Certificate error "name on the security certificate is invalid or does not match the name of the site" II. Out of Office not working III. Make Internal URLs and Externa…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month18 days, 14 hours left to enroll

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question