VFP Trial Software More Secure

Posted on 2012-09-16
Last Modified: 2012-09-18
Hi all. I really need the help of some experts here.

I've been working off and on for nearly a week on a project that will require a user trial period followed by an optional registration.

I thought I had most everything worked out, with an added layer of security even.

Besides writing certain keys to the registry encoded, I also created a file in a 'secret' location on the users hard drive so that I could double check a few things.

First, how would I know if the user just went into the registry and deleted all the keys my software entered? I wouldn't. The file allows me to verify what might have been deleted from the registry, and vice-versa.

However, I just read a post that says under Windows Vista and above, you cannot write outside of the directory for the program that is being installed. In some cases even with admin privileges. So this will not work.

So then how do I stop a user from simply deleting my registry keys, which will in effect make the trial period start over again??
Question by:formadmirer
    LVL 29

    Accepted Solution

    >you cannot write outside of the directory for the program that is being installed
    1. At installation the installer process by definition is having highered privileges, otherwise an installer wouldn't be able to write to Program Files at all. And you can write anything you want
    2. At runtime, yes, you're limited to certain allowed dirs, when you talk about system dirs, but outside you can write anywhere to C:\, D:\ .... Policies might hinder you to write to root C:, but you can write at many places. User profiles Docuemnts fodlers and Appdata folders are to be preferred.

    But this limitation also let's users do less in the registry, unless they are also administrator.

    To cut this short, the solution is very simple: You check for a key by trying to read it and if it's not there refuse to work. If a file is deleted or has wrong content, refuse to work.

    There is never 100% security, but you can react to a missing license file or signature, you don't even have to hide it or it's content, because if it's altered the decoding will not result in the correct license, for example, or the signatur of a file or your exe itself won't verify correctly.

    I already said it's not an easy job, use third party solutions and services and your software will easily have the industry standard of secured, copy protected applications. And these standards are high.

    Bye, Olaf.
    LVL 41

    Assisted Solution

    Any restriction has a work around.

    To find what files or registry keys the application reads is very easy - you may use Process Monitor...

    You could also produce new version every month and include the time restriction inside it. Then, of course, you'll need to check the app validity on internet or comparing the local computer time at least.

    To create an evaluation version somehow restricted or with reduced functionality is maybe better but again experienced users can decompile it...

    Well everything depends on your users. How many of them will try to cheat your restrictions? How much would you like to invest to make this possibility harder? Etc. etc.
    LVL 27

    Assisted Solution

    You can write in the following folders:

    C:\ProgramData\CompanyName\ApplicationName Vista, 7, 8

    or C:\Documents and Settings\All Users\CompanyName\ApplicationName XP

    I suggest for security Sentinel SuperPro dongles if you opt for dongles.

    Create a file and it's no problem if the user sees it. Fill it up with jibrish and write your stuff into known locations. Each time you read and write make sure the jibrish changes.

    I personally have a DBF file with two fields: key and value and then I encrypt the DBF in a way that no user can figure out (n number of encodings) and rename it in another extension.
    LVL 12

    Assisted Solution

    how do I stop a user from simply deleting my registry keys

    The simple answer is - You can't!

    But instead of writing a Registry value ONLY for Test/Trial runs, you should write a value for ALL instances.   One value for Test/Trial running and another for LIVE running.

    And make the Key of that value have some non-intuitively recognizable name so that they users will not automatically find it.

    Finally, as Olaf has indicated above,  if a user has DELETED they Key and/or its value - the application is prevented from running

    Good Luck
    LVL 27

    Expert Comment

    The user can track what registry keys it is accessing.
    LVL 29

    Assisted Solution

    by:Olaf Doschke
    If starting over the trial period is your main problem, there is no other real solution than to have the trial information (start date) not stored on the client computer at all.

    The other solution is to make your application not work at all without a trial or purchase license, so don't make it so the deletion of a file unlocks something, make a file needed even to run for trial. For example DevForce from ideablade is giving you a trial software key.

    Third party solutions you could use will perhaps also work with a registry key or a file. But you can't really prevent a user from restoring an image, and reinstalling. Or installling a virtual machine and installing your software, or turning back system time and much more efforts to extend a trial period.

    Some of the things can be prevented, eg by getting time from a time server instead of the system. And of course a good measure is to know the customer by a registration from trial day 1 on. He can of course register as diverse users, but you can see if the registration is for the same hardware serial numbers and perhaps other characteristics.

    Last not least another very frequent measure is a lockdown of functionality. IdeaBlade also does that.

    Bye, Olaf.

    Author Closing Comment

    Thanks for all the information!!

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    Microsoft Visual FoxPro (short VFP) is a programming language with it’s own IDE and database, ranking somewhat between Access and VB.NET + SQL Server (Express). Product Description: (http://msd…
    If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
    Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now