It’s official: upgrade hack included in Vista SP1
In this issue
- TOP STORY: It's official: upgrade hack included in Vista SP1
- KNOWN ISSUES: VirtualBox is an impressive VM contender
- WACKY WEB WEEK: Video shows top 10 ways to break your server
- WOODY'S WINDOWS: Use Vista's superior system font in XP
- PERIMETER SCAN: Powerful net monitoring: learn the whys and hows
It's official: upgrade hack included in Vista SP1
By Scott Dunn
The new Service Pack 1 version of Windows Vista allows end users to purchase the “upgrade edition” and install it on any PC — with no need to purchase the more expensive “full edition.” The same behavior was present when Vista was originally released, but the fact that the trick wasn’t removed from SP1 suggests that Microsoft executives approved the back door as a way to make the price of Vista more appealing to sophisticated buyers.
Previous Windows version not needed for upgrade
Just after Vista was first released to consumers on Jan. 30, 2007, an article in the Windows Secrets Newsletter explained that the upgrade edition of the operating system could be installed on a “clean” hard drive. For whatever reason, Vista had been programmed to accept itself as a “qualifying product.” This eliminated any need for users to purchase the full edition of Vista or to upgrade Vista only over an older instance of Windows.
The Feb. 1, 2007, article by Windows Secrets editorial director Brian Livingston explained that the procedure is supported by several built-in dialog boxes. This indicates that the trick had been deliberately included by Vista’s developers.
To boost the sales of retail packages, Microsoft announced just over one month ago significant price cuts in Vista, beginning with Service Pack 1. The savings over the old prices vary among different Vista versions, such as Home Premium, Business, and Ultimate. In the U.S., the list price of the upgrade edition is at least $100 cheaper than the full edition. Smaller savings exist in other markets, such as Canada and the European Union, as shown in the table below.
The price reductions on the Service Pack 1 version of Vista are even more significant because the upgrade trick still works in SP1, rendering unnecessary the purchase of Vista’s full edition.
Shortly after the hidden upgrade method was published, Microsoft officials publicly stated that the procedure would violate Vista’s end-user license agreement. Section 13 of the Vista EULA (PDF version) says, “To use upgrade software, you must first be licensed for the software that is eligible for the upgrade.”
“We believe only a very small percentage of people will take the time to implement this workaround, and we encourage all customers to follow our official guidelines for upgrading to Windows Vista, which can be found at WindowsVista.com, instead,” said a Microsoft press representative quoted in a News.com article on Feb. 14, 2007. “Following these guidelines will allow customers to easily and validly upgrade to Windows Vista,” he continued.
Since that time, of course, Microsoft has had over one year to remove the upgrade back door before releasing the SP1 version of Vista. Livingston believes that the company must have consciously decided not to do so.
“The fact that the upgrade edition will still upgrade over itself in Vista SP1 proves that Microsoft executives knowingly support the upgrade trick,” he says. “I think the feature was deliberately included to make it unnecessary for more advanced and price-sensitive users to ever buy the full version. There is no ethical dilemma with people using a feature that Microsoft has specifically programmed into Vista.”
Ironically, the original release of Vista’s upgrade edition was disappointing to many consumers. They’d been told by Microsoft that the Vista upgrade process would no longer accept the insertion of a disc containing an older version of Windows as proof that Vista was upgrading over a qualifying product.
Instead, users heard from Microsoft that the Vista upgrade procedure must be launched while a copy of Windows 2000 or XP was actually running. The upgrade trick that Vista developers included, however, renders that requirement moot. A Vista upgrade disc will install and activate properly even on a blank hard drive that has never previously been used.
Installing software from an original distribution disc to an empty hard drive, which is called a “clean install,” is a best practice recommended by security organizations, such as NIST and US-CERT. Vista, unlike XP and previous Windows versions, doesn’t make a clean install easy.
The original Windows Secrets article contains step-by-step instructions on upgrading Vista in this way. In a nutshell, the procedure involves booting a PC from the Vista upgrade DVD. Next, a clean install is performed without the user entering the disc’s product key or downloading any patches.
Once this unactivated, trial version of Vista is running, the setup program is launched again — this time from within Vista. At this point, the “upgrade” option is selected, the product key is entered, and Vista can be activated exactly like the full edition of the product.
Upgrading Vista on a clean machine works in SP1
Once Microsoft released the SP1 version of Vista, I tested the upgrade trick again to see whether the company had removed the feature. I used an upgrade disc of Vista Ultimate SP1 that I’d ordered at retail from Amazon.com.
I repeated the original steps and found they work just as well on the SP1 version of Vista as they did on the old version.
For PC users who are thinking about installing Windows Vista, the upgrade technique has even more value than it did last year. There are two reasons:
1. Quality. Vista SP1 is arguably a better product than the old, gold version of the operating system. SP1 includes 551 bug fixes, according to a white paper available from a Microsoft.com download page. The company claims in a press release that SP1 addresses security, reliability, and performance concerns with the older version of Vista.
2. Price. Whether or not you believe Vista was overpriced before, it’s clearly a less-expensive product now than it was a year ago. As reported by Computerworld, the price cuts range from zero to 47%, depending on the country and the version of Vista.
Table 1, below, shows that the upgrade edition of Vista is always cheaper than the full edition of the same version (Home Premium, Business, and Ultimate). The figures are based on documents provided to Windows Secrets by Microsoft’s public relations firm, Waggener Edstrom.
The following table shows Microsoft’s new suggested list prices and the percentage reduction from Vista’s original prices. Street prices for Vista SP1 currently average about 10% less than suggested retail.
Table 1. New Vista SP1 list prices and percentage reductions from the originals.
United States (in U.S. dollars) | Full edition | Upgrade edition
--- | --- | ---
Vista Home Premium | $239 (0%) | $130 (–19%)
Vista Business | $299 (0%) | $199 (0%)
Vista Ultimate | $320 (–20%) | $220 (–15%)

Canada (in Canadian dollars) | Full edition | Upgrade edition
--- | --- | ---
Vista Home Premium | C$206 (–26%) | C$113 (–26%)
Vista Business | C$253 (–27%) | C$233 (0%)
Vista Ultimate | C$263 (–27%) | C$243 (–1%)

United Kingdom (in pounds) | Full edition | Upgrade edition
--- | --- | ---
Vista Home Premium | £103 (–27%) | £50 (–47%)
Vista Business | £127 (–27%) | £117 (0%)
Vista Ultimate | £132 (–44%) | £122 (–21%)

Euro Zone (in euros) | Full edition | Upgrade edition
--- | --- | ---
Vista Home Premium | €147 (–34%) | €81 (–46%)
Vista Business | €201 (–28%) | €187 (0%)
Vista Ultimate | €208 (–44%) | €194 (–21%)
Vista upgrading over itself is no accident
After all the publicity, the fact that the upgrade back door is still present in Vista SP1 is a strong indication that the feature has at least the tacit support of Microsoft officials. Indeed, the upgrade label on Vista retail packages, then and now, states that a “clean install may be required.”
There’s no question that users who own a license for Windows 2000 or XP can legitimately save time and money by buying the upgrade edition of Vista and not having to first install the older operating system on a PC.
Although a clean install of Vista’s upgrade edition — without any prior purchase of 2000 or XP — may violate the Vista license, the result is clearly an installed copy of Vista that is indistinguishable from a full edition.
The upgrade edition’s lower cost, Microsoft’s overall price cuts for Vista, and the fact that Service Pack 1 need not be downloaded and installed separately make Vista SP1 a somewhat better value for users who didn’t buy the OS earlier.
Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.
VirtualBox is an impressive VM contender
By Scott Dunn
My Mar. 27 lead story described Microsoft’s Virtual PC and VMware’s VMware Player as virtual-machine software that PC users should consider — but there’s a great alternative to both.
A few readers recommended VirtualBox, and my tests show that this open-source upstart includes the best features of both of its competitors.
Innotek provides a worthy virtual-machine option
Reader Dominic Sim was one of several subscribers who think there’s a superior way to run XP under Vista using a virtual machine:
- “I have tried both VMware and Microsoft VPC, but for overall compatibility with XP, Vista, and Linux OSes, I would recommend VirtualBox.
  “It works out of the box, and it’s (equally) free. Perhaps you could give it a try.”
The program comes from Innotek, a subsidiary of Sun Microsystems. I obtained a copy from the company’s download page, installed VirtualBox, and gave it a test drive.
Based on my trial, VirtualBox seems to me to offer the best features of both Microsoft’s Virtual PC and VMware Player.
Like VMware Player, VirtualBox supports access to USB devices (which Microsoft’s software does not). VirtualBox is, however, much easier to install and set up than VMware Player. As with Virtual PC, you need to install some support programs (Innotek calls them “Guest Additions”) to get the full value that VirtualBox offers.
Note: The normal install procedure, pulling down VirtualBox’s Device menu and selecting the Install Guest Additions option, failed for me. I was, however, able to install the additions by accessing the VBoxGuestAdditions.iso file as a virtual CD drive. The installer puts the .iso file alongside the program in the same folder as VirtualBox. You don’t need to download anything separately.
VirtualBox has a few nifty features. One is the ability to change the resolution of the virtual machine, on the fly, as you resize its window.
Although I haven’t been able to spend enough time with VirtualBox to give you a complete review, my test drive with the product so far has been very promising.
You need more than virtual security for a VM
Fran Parker reminds us of a security issue in Virtual PC:
- “(It) might be good to mention the potential for vulnerability of things crossing the guest/host barrier.”
Parker says it’s important to note Microsoft security bulletin MS07-049. This bulletin points out that (1) if the system running as the guest inside the virtual machine is compromised, and (2) the guest user has administrator privileges, an intruder can run programs or execute code on the host operating system.
Avoid this serious problem by making users of the XP virtual machine log in to that VM as users without administrator rights.
Reader Victor Sacco points out another practical necessity for VM systems.
- “With regard to your article about Virtual Machines, I agree they are useful, however, I don’t think you talked enough about their limitations. For instance… the guest OS in a VM is vulnerable to malware just like the host OS, so it needs its own security software installed if it will be connected to the Internet.”
He’s right to remind users to install a security suite on the guest operating system, just as you’d do on the host OS.
Finally, on the topic of security, it should be mentioned that the “shared folders” feature of any virtual machine poses known security risks. Shared folders allow the VM and the host machine to share files and other data — a doorway through which more than just files can move.
Users need to balance these risks against the potential usefulness of the technique when they consider running virtual-machine software.
I’d like to credit the many readers who sent in suggestions to run Windows XP in a virtual machine within Vista. Their comments were in response to my Feb. 14 story on how to set up a dual-boot machine to run both Vista and XP.
David Gustafson was the first reader to recommend the VM approach, which is the concept that became the subject of my Mar. 27 article on virtual machines. Gustafson received a gift certificate for sending the comment that resulted in the article.
Run Virtual PC on XP Home and Vista Home Premium
A handful of readers pointed out that Microsoft’s Virtual PC download page makes no mention that the program will run under XP Home Edition or Vista Home Premium. Many readers assumed, therefore, that the program wouldn’t run under either OS.
I should have reminded readers of a previous article reporting that Virtual PC works just fine on XP Home and Vista Home Premium. That secret from readers appeared in an article on Aug. 2, 2007.
Running Virtual PC on either OS, however, goes against the terms of Microsoft’s license. To repeat a caution from the earlier article, if you run Virtual PC outside of the license terms, don’t expect any support from Microsoft.
Readers Sim, Parker, and Sacco will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.
Video shows top 10 ways to break your server
The staff of Scalent Systems labor ceaselessly to quell your common computing woes — again and again.
In this humorous 2-minute video, Scalent employees describe the 10 most common ways you can break your server. They assure us that, no matter how far you may “accidentally” throw the machine you love to hate, they’ll be able to bring it back! Rest assured, kind readers, that no software was harmed during the making of this video.
Use Vista's superior system font in XP
By Woody Leonhard
My last column explained how to make Vista’s all-new application fonts (Calibri, Candara, Corbel, Cambria, Constantia, and Consolas) work for free on your Windows XP or 2000 computer. This week, permit me to show you how to install Vista’s new system font, Segoe UI, on your Windows XP computer — yes, legally — and use it as your WinXP system font.
What the heck is a Segoe UI?
Easy question. Controversial answer.
Segoe UI (pronounced “see-go you-eye”) is Microsoft’s system font for Vista, and it’s a font I like a lot. As with the six Vista fonts I told you how to get free in my Mar. 20 article, you can get Segoe UI for free — legally.
The controversial part of the answer requires a little background.
Few fonts have ever engendered such wrath — or billable hours for expensive lawyers. This much can be said for sure: the Segoe saga started with type company Monotype and its Segoe creator, typeface designer Steve Matteson.
Segoe bears a more-than-passing resemblance to a face named Frutiger Next, a contemporary classic from Linotype. This created a legal dustup in the European Union over whether Segoe truly qualified as a unique design. Microsoft holds the trademark to the name “Segoe,” a term that encompasses at least 27 different fonts (er, typefaces), but that didn’t settle the question of uniqueness.
Windows Secrets editorial director Brian Livingston covered part of the controversy in two of his Executive Tech columns on Apr. 18 and Apr. 25, 2006. Monotype subsequently acquired Linotype in August 2006, and little has been heard since then about any font-copying claims.
Segoe UI is one flavor of the Segoe font family. Microsoft had Segoe UI designed specifically as a system font — which is to say, the font used for window titles, menus, system message boxes, and the like. Windows Vista and Office 2007 both ship with Segoe UI ordained as the system font.
If you have either Vista or Office 2007, you already have Segoe UI. No need to jump through any hoops. For those of you with Windows XP and Office 2003 (or Office XP or Office 2000), Segoe UI significantly spiffs up the interface.
Segoe UI is an excellent system font for Windows XP — far better than Trebuchet, XP’s default for title bars, and Tahoma, which XP uses for menus.
Unlike Tahoma, Segoe UI has true italic and bold italic weights, making the new typeface ideal for your everyday documents. And my favorite distinguishing Segoe characteristic: it’s very easy to tell the difference between “1” (numeral 1), “I” (capital i), “l” (lowercase L), and “i” (lowercase letter eye).
To work well, Segoe UI really needs ClearType, Microsoft’s font-smoothing technology for LCD screens. ClearType runs automatically on Vista computers, but to enable ClearType in XP, you have to turn it on explicitly.
Note: If you’ve already tried ClearType on your XP computer and you don’t like it, don’t bother acquiring Segoe UI. The factors that make this font a delight won’t work for you without ClearType. For example, many people say ClearType, which is optimized for LCDs, makes text look fuzzy on a CRT screen.
How you can legally install a copy of Segoe UI
Here’s the trick: when you install Windows Live Mail, the program automatically installs Segoe UI.
Windows Live Mail is Microsoft’s online replacement for the buggy, ancient e-mail program known as Outlook Express in XP and Windows Mail in Vista. Windows Live Mail does have a few redeeming social values (it harbors fewer inscrutable bugs than its predecessors do), but I don’t recommend that you install Windows Live Mail to use its mail program. I do, however, recommend that you install it on XP machines to get the Segoe UI font, which comes along for the ride. Here are the steps:
Step 1. To install Windows Live Mail, go to the Live Mail site and click the button labeled “Get it free.” In this case, the “it” you get for free is a kitchen-sink installer program, WLinstaller.exe, which tries to install every Microsoft Live program under the sun (but I’ll tell you how to beat it).
Step 2. Run the downloaded program, WLinstaller.exe.
Step 3. The first screen in the installation process offers a link to a Microsoft Service Agreement that (apparently) governs Windows Live Mail. The current incarnation of this agreement says, “You may use the fonts installed by the service to display and print content. You may only embed fonts in content as permitted by the embedding restrictions in the fonts; and temporarily download them to a printer or other output device to print content.”
In other words, as long as you’re displaying or printing content (and what else would you do with a font?), I believe there’s no problem in choosing Segoe as your Windows XP system font.
Step 4. Unless you want to spend the rest of your life cage-fighting with little Live programs, uncheck boxes judiciously and limit yourself to installing just Windows Live Mail.
Step 5. When the installer’s done, you’ll find Segoe UI listed with all your other fonts.
Step 6. If you never plan to use Live Mail, you can uninstall it. This involves using Add or Remove Programs in XP, as explained in Microsoft Knowledge Base article 938275.
If you don’t have ClearType turned on, download Microsoft’s ClearType Tuner PowerToy, tune your LCD for the best font smoothing, and put on a happy face.
Turn Segoe UI into your main system font
With Segoe UI installed and ready to roll, making it your main system font is easy:
Step 1. On your Windows XP computer, right-click any empty place on the desktop and choose Properties. Click the Appearance tab, and then click the Advanced button.
Step 2. In the Item drop-down list, choose Active Title Bar. I recommend that you change the font to Segoe UI, make its size 10 point, and turn off the “B” (for bold) button.
Step 3. In the Item drop-down list, choose Menu. Personally, I like to set the font to Segoe UI 9 point, without bold or italic. You might prefer it at 8 point, though.
Step 4. Click OK twice.
When you get back out to Windows, try playing with your apps a bit. You may be surprised to find that many programs — including Office 2003 — automatically pick up your font settings for window titles and menus.
Windows XP never looked so good, eh?
Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference for Dummies and Windows Vista Timesaving Techniques for Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He and Ed Bott also wrote the encyclopedic Special Edition Using Office 2007.
Powerful net monitoring: learn the whys and hows
By Ryan Russell
This week, I’ll cover some of the benefits of using advanced tools such as Wireshark and give you detailed answers to some of your questions from my previous columns. Wireshark can reveal the stream of attacks your PC faces every day, so you can focus on the priority events you need to deal with.
Reason #1: expose invisible skullduggery
In my Mar. 20 article, I asked for feedback and, boy, I got it. I received more e-mails than I have for any other column I’ve written.
I said I’d give you examples this week of why you’d want to monitor your network traffic. Some concrete benefits of using a packet-capture utility such as Wireshark are:
- Monitoring outgoing traffic from your computer to determine if your PC has any infections;
- Detecting and removing overly chatty programs that you may not really need; and
- Debugging connection problems, both in hardware and in applications.
Here’s my single favorite use, and one I think you’ll find fun: watching the blizzard of attacks that pound on your Internet connection. Not everyone realizes just how many attempts to infect your PC are being made every hour.
A few years back, security consultant Kevin Mitnick and I did a study, as reported in USA Today, on how long it took unpatched, unprotected machines on the Internet to be compromised. Typically, it took only minutes.
With a packet-capture utility such as Wireshark, you can see the kinds of attacks we studied, but you’ll need to have certain prerequisites in place. Please note that what I’m instructing you to do in the next few paragraphs is educational and fun, but it does temporarily increase a PC’s exposure to malware.
The computer you’re using to capture packets must be on an open Internet connection. The PC must not have any external firewall (or NAT) between it and the Internet. It’s OK to have a software firewall on the capturing PC, though — you’ll still see a good portion of the traffic. The packet-capture utility examines each packet before the software firewall drops it; the firewall still keeps any baddies in that traffic from affecting your computer.
Start up Wireshark and let it run for a while with no filtering. You’ll be able to see what kinds of traffic (legitimate and otherwise) your system is receiving.
A typical Windows computer does a fair bit of chatting on the Internet. There’s a lot of NetBIOS name traffic, for example. (For more about NetBIOS, see The Network Encyclopedia and Microsoft Knowledge Base article 204279). And most users have multiple applications that periodically call home looking for upgrades.
As one example, I use Steam, a program that’s in frequent communication with the game and update servers at ValveSoftware.com. Also, my Amazon Video client checks periodically to see whether I’ve purchased anything new. And that’s just background noise, not the heavier load I’m generating when I’m actively surfing, chatting, or using e-mail.
Packet capture shows me some much more interesting traffic on my Internet connection.
I put in a quick display filter suitable for my machine that doesn’t completely eliminate the “known” traffic but does remove the majority of it. The filter I used was:
(!(tcp.port == 80) and !(udp.port == 27017))
TCP port 80 is Web traffic. UDP port 27017 is Steam.
I see traffic that the Wireshark packet-capture utility identifies as a NetrSendMessage request. I know that’s the old Messenger service spam (not to be confused with the Messenger instant-messaging application).
When I click on one of the spam packets, Wireshark’s bottom pane shows me what I would have been spammed with. The spammer wants me to go to his site and download something. No, thanks.
I also see lots of predators trying to connect to TCP ports 135, 139, or 445. Those attempts are almost certainly worms or scripted attacks hoping to exploit my computer, as documented by KB article 823980.
For these exploits, the bad guys can’t send the actual infection unless I answer. That’s because TCP requires an answer before the client can send any data. Since I’ve got a firewall, there will be no answer to the attempt, so I can’t see the attack details.
I see traffic to TCP port 1433, which I happen to know is the default SQL Server port. Those probes are probably some vintage SQL Server worms still looking for victims, as described in the Slammer Security Response Team Alert.
I also see a number of ping attempts. These attempts are probably harmless, but it does make me wonder why so many people want to ping me.
Readers’ questions about Wireshark answered
Before I say more about using Wireshark, I’ll address a few of the many questions I received from readers.
First, some of you reported that Wireshark showed no network interfaces when you tried to capture packets. That usually means that Wireshark’s packet driver, WinPcap, was not able to supply a list of interfaces to Wireshark.
There’s a good WinPcap FAQ that addresses other possible problems. Note: the network interface test is FAQ question 4. Unfortunately, not every network interface that Windows can use works with WinPcap.
Many readers asked me how different network configurations and equipment affect the ability to monitor network traffic. Many of these questions and comments were triggered by experiences people had with “promiscuous mode” turned on. If you use that option, Wireshark attempts to monitor traffic beyond the packets your own PC is sending and receiving.
That’s one of the big reasons why I specifically asked you in my previous column to turn off promiscuous mode before experimenting with packet capture.
Wireshark can always monitor your own traffic as long as the utility is working at all. There’s no room here to cover the reasons for this in depth. Note, though, that if your network uses switches (as opposed to hubs), you won’t generally have success monitoring the network traffic of other machines. You can get some of the details from WinPcap FAQ question 22.
Within your own traffic, you may have noticed Wireshark complaining about invalid TCP checksums. This causes Wireshark to indicate an error by displaying those lines in black.
Wireshark flags those as errors because many Windows network-card drivers have special handling routines for calculating the TCP checksums. The routines do this at a point after WinPcap has made a copy of the packet. Those routines, therefore, can adversely affect how Wireshark decodes packets.
If you plan to capture traffic for the machine running Wireshark, I recommend you turn off Wireshark’s option to verify TCP checksums.
The Wireshark wiki includes instructions on setting options. Unfortunately, the TCP checksum setting is all-or-nothing. If you turn it off, Wireshark won’t check packets from other machines — packets that would not trigger a false alarm. I’ve found actual TCP checksum errors to be fairly unusual, so I almost always turn off Wireshark’s setting to check for them.
Filtering out network noise to focus on signal
I promised to tell you how to make packet analysis simpler by filtering out network traffic you don’t need to look at.
Wireshark actually has two filters you can use. There’s a capture filter, as defined in the wiki, which limits which packets are saved while you are capturing.
There’s also a display filter, which has its own definition. Wireshark uses the display filter to limit the set of packets the window presents to you.
Each filter makes use of a different syntax. Display filters are more flexible.
The biggest factor in determining which filter you should use is how much time you plan to spend capturing traffic.
If you’re going to leave Wireshark capturing for a long period, and you know what kind of traffic you’re looking for, use a capture filter. If you’re going to monitor for a relatively short period of time and you don’t know exactly what kind of traffic you’re after, then capture everything. When you’re finished capturing, use a display filter to narrow your focus.
You define a capture filter at the time you start capturing.
To define a capture filter in Wireshark, pull down the Capture menu and choose Options. You’ll see a field with Capture Filter to the left of it. The capture-filter link I provided in my previous column goes into more depth on this. Simple examples of capture filter expressions include port 80 for standard Web traffic, port 53 for DNS traffic, and host www.microsoft.com to filter by a host rather than by a specific port.
A key advantage of using a capture filter is that you’ll see the traffic only on the ports or hosts you specified. The disadvantage is that you might miss some traffic that turned out to be important.
For example, HTTP traffic doesn’t have to run on port 80. You could run across a URL in the http://hostname:81 format. Similarly, if you pull down a Web page from www.microsoft.com, not all of the page’s elements are going to come from that host.
I don’t like to miss anything, so I prefer to rely on display filters.
The disadvantage of display filters is that if you get a lot of packets stored up, the filtering operations can be maddeningly slow. You’ve already seen at least one display filter in action if you tried the Follow TCP Stream example from my last column. That example defined a fairly involved filter that shows off some of the power of the technique.
The display filters for the examples I provided earlier in this column are:
tcp.port == 80
udp.port == 53
ip.addr == www.microsoft.com
If you’re watching really closely, the DNS examples aren’t 100% equivalent. The capture-filter example does both TCP and UDP, while the display-filter example is UDP only. You can also build up arbitrary Boolean matches, match on byte offsets, and use regular expressions.
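The filtering and triage described in this column, as an added Python example (not code from the column or from Wireshark): a small evaluator for the subset of Wireshark display-filter syntax used here (tcp.port, udp.port, ip.addr, ==, !, and, or, parentheses) runs the column’s known-traffic filter over a constructed packet list, tags what survives with the explanations given above for ports 135/139/445, 1433, Messenger spam and pings, and shows the port-53 mismatch just noted: “udp.port == 53” keeps one constructed DNS packet, while “tcp.port == 53 or udp.port == 53”, the display-filter counterpart of the capture filter “port 53”, keeps two. Hosts, ports and tag wording are constructed for the example.

```python
"""Added example, not code from the column or from Wireshark: a small evaluator
for the subset of Wireshark display-filter syntax the column uses, run over a
constructed packet list, with leftover traffic tagged as the column explains it."""
import re
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst sport dport info")  # proto: tcp, udp or icmp
KNOWN_FILTER = "(!(tcp.port == 80) and !(udp.port == 27017))"  # the column's filter

# Constructed capture modelled on what the column describes; 192.0.2.10 is the capturing PC.
SAMPLE = [
    Packet("tcp", "192.0.2.10", "203.0.113.80", 50001, 80, "GET / HTTP/1.1"),
    Packet("udp", "192.0.2.10", "198.51.100.5", 27005, 27017, "Steam heartbeat"),
    Packet("tcp", "198.51.100.7", "192.0.2.10", 3456, 445, "[SYN]"),
    Packet("tcp", "198.51.100.9", "192.0.2.10", 2200, 1433, "[SYN]"),
    Packet("udp", "198.51.100.11", "192.0.2.10", 1036, 1026, "NetrSendMessage request"),
    Packet("icmp", "198.51.100.12", "192.0.2.10", None, None, "Echo (ping) request"),
    Packet("udp", "192.0.2.10", "192.0.2.1", 53412, 53, "Standard query A www.microsoft.com"),
    Packet("tcp", "192.0.2.10", "192.0.2.1", 53413, 53, "Standard query AXFR example.com"),
]

# Tokens: parens, !, ==, and/or (or C-style &&, ||), field names, dotted quads, integers.
_TOKEN = re.compile(r"\(|\)|!|==|&&|\|\||[a-z]+\.[a-z]+|and|or|\d+(?:\.\d+){3}|\d+")

def tokenize(expr):
    """Split a display filter into tokens; anything outside the subset is an error."""
    tokens = _TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"unsupported display-filter syntax in {expr!r}")
    return tokens

def parse(tokens):
    """Recursive descent with Wireshark precedence: 'or' binds loosest, then 'and', then '!'."""
    i = 0
    def peek():
        return tokens[i] if i < len(tokens) else None
    def take(expected=None):
        nonlocal i
        tok = peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected or 'a token'}, got {tok!r}")
        i += 1
        return tok
    def p_or():
        node = p_and()
        while peek() in ("or", "||"):
            take(); node = ("or", node, p_and())
        return node
    def p_and():
        node = p_not()
        while peek() in ("and", "&&"):
            take(); node = ("and", node, p_not())
        return node
    def p_not():
        if peek() == "!":
            take(); return ("not", p_not())
        if peek() == "(":
            take(); node = p_or(); take(")"); return node
        field = take(); take("=="); return ("eq", field, take())
    tree = p_or()
    if peek() is not None:
        raise ValueError(f"trailing tokens in filter: {tokens[i:]}")
    return tree

def _field_values(pkt, field):
    """Values a field takes on this packet; tcp.port/udp.port match either end, as in Wireshark."""
    proto, name = field.split(".", 1)
    if proto in ("tcp", "udp") and name == "port":
        return set() if pkt.proto != proto else {str(pkt.sport), str(pkt.dport)}
    if proto == "ip" and name == "addr":
        return {pkt.src, pkt.dst}
    raise ValueError(f"unsupported field {field!r}")

def evaluate(node, pkt):
    if node[0] == "not":
        return not evaluate(node[1], pkt)
    if node[0] == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if node[0] == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    return node[2] in _field_values(pkt, node[1])

def display_filter(expr, packets):
    tree = parse(tokenize(expr))
    return [p for p in packets if evaluate(tree, p)]

def tag(pkt):
    """What the column says each kind of leftover packet is (tag wording is constructed)."""
    if pkt.proto == "icmp":
        return "ping attempt"
    if "NetrSendMessage" in pkt.info:
        return "Messenger-service spam"
    if pkt.proto == "tcp" and pkt.dport in (135, 139, 445):
        return "RPC/SMB worm or scripted probe (KB 823980)"
    if pkt.proto == "tcp" and pkt.dport == 1433:
        return "SQL Server probe, likely a Slammer-era worm"
    return "unclassified"

def triage(packets, filter_expr=KNOWN_FILTER):
    """Apply the known-traffic filter, then tag whatever survives it."""
    return [(p, tag(p)) for p in display_filter(filter_expr, packets)]
```

Calling triage(SAMPLE) drops the Web and Steam packets and tags the six that remain; the two DNS packets fall through as unclassified because neither port-80 nor port-27017 rules say anything about them.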
If you’re interested in pursuing packet capture to a more advanced level, I recommend checking out the display-filter definition link I provided above.
There’s a lot more fun we can have with packet capture and Wireshark. In response to the encouragement I got from readers, I’ll lay out in my next column more benefits you can get from packet capture.
The Perimeter Scan column gives you the facts you need to test your systems to prevent weaknesses. Ryan Russell is quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias “Blue Boar.” He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2023 AskWoody LLC, All rights reserved.