Sign in to follow this  
Followers 0
HyperSlug

Recover Windows Product Key from non-boot drive

10 posts in this topic

I boot from a master drive. I have a corrupted slave drive attached. GetDataBack allows me to retrieve files off it. Is it possible to retrieve the Windows Product Key from the slave drive? (The owner has lost the COA.)

I know there's perhaps one file I can extract from a Windows dir that was rumored to bypass activation if installed on same hardware (though found to be not true). But if I repair the drive and reinstall the OS (with maybe a dummy OEM Product Key), will reapplying that file allow me to restore the true legitimate Product Key?

Share this post


Link to post
Share on other sites

Good question, Slug. Did you ever find out?

Share this post


Link to post
Share on other sites

The product key can be reverse engineered from the DigitalProductId found in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

This registry key should be stored in the file C:\WINDOWS\system32\config\software" (no extension). I'm not sure if the registry is plaintext or hex. Looking at a .REG backup of the registry suggests a mix of the two.

Bytes 52-66 (0x34 - 0x42) of this key hold a 15 byte number.

In Hex, it's a 30 digit number:

A2 23 51 D0 2A 38 5D 22 C4 41 6B 87 43 C1 00

In Binary, a 120 digit number:

10100010 00100011 ... 11000001 00000000

Converted to base 24:

751AA001EHCCLAB3JH8KDIGAG

Mapped to Microsoft's custom base24 alphabet "BCDFGHJKMPQRTVWXY2346789" and a hyphen every 5 chars:

KHCQQ-BBCW2-TT7QR-F42M6-V3YQY

The above Product Key is fake (amusing if it works, though). Listed below is vbscript that performs this conversion, save as anything.vbs to test it:

'Author: gecko_au2003 
'Published: http://www.experts-exchange.com/Operating_Systems/WinXP/Q_20832633.html

Public Function sGetXPCDKey()

   Dim bDigitalProductID
   Dim bProductKey()
   Dim bKeyChars(24)
   Dim ilByte
   Dim nCur
   Dim sCDKey
   Dim ilKeyByte
   Dim ilBit
      
   ReDim Preserve bProductKey(14)
  
   Set objShell = CreateObject("WScript.Shell")
  
   bDigitalProductID = objShell.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\Windows 

NT\CurrentVersion\DigitalProductId")

   Set objShell = Nothing

   For ilByte = 52 To 66
     bProductKey(ilByte - 52) = bDigitalProductID(ilByte)
   Next

   'Possible characters in the CD Key:
   bKeyChars(0) = Asc("B")
   bKeyChars(1) = Asc("C")
   bKeyChars(2) = Asc("D")
   bKeyChars(3) = Asc("F")
   bKeyChars(4) = Asc("G")
   bKeyChars(5) = Asc("H")
   bKeyChars(6) = Asc("J")
   bKeyChars(7) = Asc("K")
   bKeyChars(8) = Asc("M")
   bKeyChars(9) = Asc("P")
   bKeyChars(10) = Asc("Q")
   bKeyChars(11) = Asc("R")
   bKeyChars(12) = Asc("T")
   bKeyChars(13) = Asc("V")
   bKeyChars(14) = Asc("W")
   bKeyChars(15) = Asc("X")
   bKeyChars(16) = Asc("Y")
   bKeyChars(17) = Asc("2")
   bKeyChars(18) = Asc("3")
   bKeyChars(19) = Asc("4")
   bKeyChars(20) = Asc("6")
   bKeyChars(21) = Asc("7")
   bKeyChars(22) = Asc("8")
   bKeyChars(23) = Asc("9")

   For ilByte = 24 To 0 Step -1
    
     nCur = 0

     For ilKeyByte = 14 To 0 Step -1
       'Step through each byte in the Product Key
       nCur = nCur * 256 Xor bProductKey(ilKeyByte)
       bProductKey(ilKeyByte) = Int(nCur / 24)
       nCur = nCur Mod 24
     Next
    
     sCDKey = Chr(bKeyChars(nCur)) & sCDKey
     If ilByte Mod 5 = 0 And ilByte <> 0 Then sCDKey = "-" & sCDKey
   Next
  
   sGetXPCDKey = sCDKey
    
  
End Function

Public Function Question()
Set objFSO = CreateObject("Scripting.FileSystemObject")
Dim Ans

Ans = MsgBox("Yes = Write Windows XP Serial key to the C Drive and No = Prompt with Serial 

key",4)

If Ans = vbYes then

Set oOutFile = objFSO.CreateTextFile("c:\XP_Serial_Key.txt")

oOutFile.WriteLine sGetXPCDKey
else
wscript.echo sGetXPCDKey
End If
End Function

call Question

So it can be done. All I need is to write a script that can run through that 25MB file and extract the DigitalProductId, then use the rest of this script for the conversion.

Share this post


Link to post
Share on other sites

Correction on the previous post: the 15 digital product key is stored in reverse, so it should be:

00 C1 43 87 6B 41 C4 22 5D 38 2A D0 51 23 A2

which yields a different Product Key, but the procedure is the same.

Do MS collect all your details when you register with them?  If so you may be able to get it from them.

Nox

215634[/snapback]

Not sure if they collect your Product Key from you, or if this product was registered at all.

Share this post


Link to post
Share on other sites

I'd suggest a slightly different approach.

Go download or create a WinPE boot cd, like Sysinternals Rescue, BartPE or other.

Then visit this page: http://www.nirsoft.net/utils/product_cd_key_viewer.html and download produkey.

Put it on a USB stick or maybe put it in the PE cd before you burn it. (google)

Boot the machine containing the Windows installation you want the Product Key for and go to a command prompt.

Run the tool, produkey with the following parameters:

Produkey /windir C:\Windows (or wherever your unbootable installation is).

And BAM - you should have your key.

Works on 2000, 2000 server, XP and 2003 server.

ZB :)

Share this post


Link to post
Share on other sites
I'd suggest a slightly different approach.

Go download or create a WinPE boot cd, like Sysinternals Rescue, BartPE or other.

Then visit this page: http://www.nirsoft.net/utils/product_cd_key_viewer.html and download produkey.

Put it on a USB stick or maybe put it in the PE cd before you burn it. (google)

Boot the machine from the cd you created, containing the Windows installation you want the Product Key for and go to a command prompt.

Run the tool, produkey with the following parameters:

Produkey /windir C:\Windows (or wherever your unbootable installation is).

And BAM - you should have your key.

Works on 2000, 2000 server, XP and 2003 server.

ZB :)

Share this post


Link to post
Share on other sites

You can retrieve the password using Magic Jelly Bean Keyfinder. It now has the ability to retrieve passwords even from dead windows installs.

Download it from here:

http://www.proposedsolution.com/PS0009_Los...Office_Etc.html

Here's an extract from the site:

Load Hive option - allows you to load the registry hive of another Windows installation. To use, put the hard drive in a working machine (must also be Windows 2000,XP or Vista) or use Windows PE (not tested, should work) and click Load Hive. Then point it to the dead Windows install. If you're using Windows Vista, Administrator rights are required for this feature. You may have to right click on the Keyfinder and run as Administrator.

Hope this helps

~Rosco~ :D

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0