Jump to content


Photo

Recover Windows Product Key from non-boot drive


  • You cannot start a new topic
  • Please log in to reply
9 replies to this topic

#1 HyperSlug

HyperSlug

    Member

  • Member
  • 45 posts

Posted 24 September 2005 - 10:33 PM

I boot from a master drive. I have a corrupted slave drive attached. GetDataBack allows me to retrieve files off it. Is it possible to retrieve the Windows Product Key from the slave drive? (The owner has lost the COA.)

I know there's perhaps one file I can extract from a Windows dir that was rumored to bypass activation if installed on same hardware (though found to be not true). But if I repair the drive and reinstall the OS (with maybe a dummy OEM Product Key), will reapplying that file allow me to restore the true legitimate Product Key?

#2 rfarris

rfarris

Posted 25 September 2005 - 02:43 PM

Good question, Slug. Did you ever find out?

#3 HyperSlug

HyperSlug

    Member

  • Member
  • 45 posts

Posted 26 September 2005 - 09:35 AM

Not yet, but I did find the name of the file I was talking about:

%systemroot%\system32\wpa.dbl

#4 Nox

Nox

    Member

  • Member
  • 71 posts

Posted 26 September 2005 - 01:58 PM

Do MS collect all your details when you register with them? If so you may be able to get it from them.

Nox

#5 HyperSlug

HyperSlug

    Member

  • Member
  • 45 posts

Posted 26 September 2005 - 02:19 PM

The product key can be reverse engineered from the DigitalProductId found in the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

This registry key should be stored in the file C:\WINDOWS\system32\config\software" (no extension). I'm not sure if the registry is plaintext or hex. Looking at a .REG backup of the registry suggests a mix of the two.

Bytes 52-66 (0x34 - 0x42) of this key hold a 15 byte number.

In Hex, it's a 30 digit number:
A2 23 51 D0 2A 38 5D 22 C4 41 6B 87 43 C1 00

In Binary, a 120 digit number:
10100010 00100011 ... 11000001 00000000

Converted to base 24:
751AA001EHCCLAB3JH8KDIGAG

Mapped to Microsoft's custom base24 alphabet "BCDFGHJKMPQRTVWXY2346789" and a hyphen every 5 chars:
KHCQQ-BBCW2-TT7QR-F42M6-V3YQY

The above Product Key is fake (amusing if it works, though). Listed below is vbscript that performs this conversion, save as anything.vbs to test it:
'Author: gecko_au2003 
'Published: http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20832633.html

Public Function sGetXPCDKey()

    Dim bDigitalProductID
    Dim bProductKey()
    Dim bKeyChars(24)
    Dim ilByte
    Dim nCur
    Dim sCDKey
    Dim ilKeyByte
    Dim ilBit
       
    ReDim Preserve bProductKey(14)
   
    Set objShell = CreateObject("WScript.Shell")
   
    bDigitalProductID = objShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows 

NT\CurrentVersion\DigitalProductId")

    Set objShell = Nothing

    For ilByte = 52 To 66
      bProductKey(ilByte - 52) = bDigitalProductID(ilByte)
    Next
 
    'Possible characters in the CD Key:
    bKeyChars(0) = Asc("B")
    bKeyChars(1) = Asc("C")
    bKeyChars(2) = Asc("D")
    bKeyChars(3) = Asc("F")
    bKeyChars(4) = Asc("G")
    bKeyChars(5) = Asc("H")
    bKeyChars(6) = Asc("J")
    bKeyChars(7) = Asc("K")
    bKeyChars(8) = Asc("M")
    bKeyChars(9) = Asc("P")
    bKeyChars(10) = Asc("Q")
    bKeyChars(11) = Asc("R")
    bKeyChars(12) = Asc("T")
    bKeyChars(13) = Asc("V")
    bKeyChars(14) = Asc("W")
    bKeyChars(15) = Asc("X")
    bKeyChars(16) = Asc("Y")
    bKeyChars(17) = Asc("2")
    bKeyChars(18) = Asc("3")
    bKeyChars(19) = Asc("4")
    bKeyChars(20) = Asc("6")
    bKeyChars(21) = Asc("7")
    bKeyChars(22) = Asc("8")
    bKeyChars(23) = Asc("9")

    For ilByte = 24 To 0 Step -1
     
      nCur = 0

      For ilKeyByte = 14 To 0 Step -1
        'Step through each byte in the Product Key
        nCur = nCur * 256 Xor bProductKey(ilKeyByte)
        bProductKey(ilKeyByte) = Int(nCur / 24)
        nCur = nCur Mod 24
      Next
     
      sCDKey = Chr(bKeyChars(nCur)) & sCDKey
      If ilByte Mod 5 = 0 And ilByte <> 0 Then sCDKey = "-" & sCDKey
    Next
   
    sGetXPCDKey = sCDKey
     
   
End Function

Public Function Question()
Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim Ans

Ans = MsgBox("Yes = Write Windows XP Serial key to the C Drive and No = Prompt with Serial 

key",4)

If Ans = vbYes then

Set oOutFile = objFSO.CreateTextFile("c:\XP_Serial_Key.txt")

oOutFile.WriteLine sGetXPCDKey
else
wscript.echo sGetXPCDKey
End If
End Function

call Question

So it can be done. All I need is to write a script that can run through that 25MB file and extract the DigitalProductId, then use the rest of this script for the conversion.

#6 HyperSlug

HyperSlug

    Member

  • Member
  • 45 posts

Posted 26 September 2005 - 02:49 PM

Correction on the previous post: the 15 digital product key is stored in reverse, so it should be:
00 C1 43 87 6B 41 C4 22 5D 38 2A D0 51 23 A2

which yields a different Product Key, but the procedure is the same.

Do MS collect all your details when you register with them?  If so you may be able to get it from them.

Nox

View Post

Not sure if they collect your Product Key from you, or if this product was registered at all.

#7 Nox

Nox

    Member

  • Member
  • 71 posts

Posted 26 September 2005 - 04:09 PM

That script gave me the product ID (i think) I used.

Nox

#8 zipherbug

zipherbug

    Member

  • Member
  • 2 posts

Posted 25 October 2007 - 05:46 PM

I'd suggest a slightly different approach.

Go download or create a WinPE boot cd, like Sysinternals Rescue, BartPE or other.

Then visit this page: http://www.nirsoft.n...key_viewer.html and download produkey.

Put it on a USB stick or maybe put it in the PE cd before you burn it. (google)

Boot the machine containing the Windows installation you want the Product Key for and go to a command prompt.

Run the tool, produkey with the following parameters:

Produkey /windir C:\Windows (or wherever your unbootable installation is).

And BAM - you should have your key.

Works on 2000, 2000 server, XP and 2003 server.

ZB :)

#9 zipherbug

zipherbug

    Member

  • Member
  • 2 posts

Posted 25 October 2007 - 05:53 PM

I'd suggest a slightly different approach.

Go download or create a WinPE boot cd, like Sysinternals Rescue, BartPE or other.

Then visit this page: http://www.nirsoft.n...key_viewer.html and download produkey.

Put it on a USB stick or maybe put it in the PE cd before you burn it. (google)

Boot the machine from the cd you created, containing the Windows installation you want the Product Key for and go to a command prompt.

Run the tool, produkey with the following parameters:

Produkey /windir C:\Windows (or wherever your unbootable installation is).

And BAM - you should have your key.

Works on 2000, 2000 server, XP and 2003 server.

ZB :)


#10 _Rosco_

_Rosco_

    Member

  • Member
  • 1 posts

Posted 13 August 2008 - 04:34 PM

You can retrieve the password using Magic Jelly Bean Keyfinder. It now has the ability to retrieve passwords even from dead windows installs.

Download it from here:

http://www.proposeds...Office_Etc.html

Here's an extract from the site:

Load Hive option - allows you to load the registry hive of another Windows installation. To use, put the hard drive in a working machine (must also be Windows 2000,XP or Vista) or use Windows PE (not tested, should work) and click Load Hive. Then point it to the dead Windows install. If you're using Windows Vista, Administrator rights are required for this feature. You may have to right click on the Keyfinder and run as Administrator.

Hope this helps

~Rosco~ :D



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users