Registry Hack Enables Continued Updates For Windows XP

DroidJason1 (3589319) writes "A registry workaround, which tricks Windows Update into thinking you are running Windows Embedded POSReady 2009, allows you to get free security updates until 2019. All you need is a simple 32bit or 64bit registry entry in order to make this work. POSReady 2009 is slated to receive security updates for another five years. Microsoft ended support for Windows XP on April 8th of 2014."

Excellent

[kefkahax]

Get it while it's good. There's quite a few critical security updates.

Re:Excellent

THERE ARE FOUR UPDATES!!!

Re:Excellent

[barlevg]

This is much funnier if you assume that ArcadeMan is all three ACs in this thread.

Re:Excellent

[Zocalo]

Even the older Slashdotters have a blinkered view of culture it seems. The original reference is from George Orwell's "1984", only it was fingers and not lights.

Re:Excellent

[ArcadeMan]

I'm not.

I'm also scared by the fact that this was aired 22 years ago.

Re:Excellent

[barlevg]

The new Battlestar Galactica began airing ten years ago.

9/11 was 13 years ago.

The Lion King was 20 years ago.

Face it: we're old.

Re:Excellent

[Skuld-Chan]

I think if your a company that relies on XP (not the POS edition) and you haven't isolated them on a special - no internet vlan - you have bigger issues than making sure your XP machine has security updates.

Re:Excellent

[uCallHimDrJ0NES]

There's a new Battlestar Galactica? Disney came out with their Kimba movie starring Matthew Broderick? Wow, the future is AWESOME! Did they bring back Dr. Who?

Re:Excellent

[93+Escort+Wagon]

I think if your a company that relies on XP (not the POS edition) and you haven't isolated them on a special - no internet vlan - you have bigger issues than making sure your XP machine has security updates.

I thought all editions of Windows XP deserved the monicker POS?

(Note to the humor-impaired: Chill out, dude. At least I'm not making jokes about your pretend girlfriend, right?)

Re:Excellent

[camperdave]

It was a Cardassian, and he was trying to get Picard to say five lights.

Sheesh!

Re:Excellent

[fahrbot-bot]

I thought all editions of Windows XP deserved the monicker POS?

(Note to the humor-impaired: Chill out, dude. At least I'm not making jokes about your pretend girlfriend, right?)

My pretend girlfriend runs Windows XP - sigh.

Re:Excellent

[Cytotoxic]

And if you remember watching the first moon landing.....

Re:Excellent

[Chelloveck]

I was born closer to the first moon landing than to today. That's because I was born on the other side of it. Hell, I was born closer to WWII than to today. And in another year I'll be able to say that about WWI.

Kids. Get off my lawn.

Re:Excellent

[mmell]

I guess remembering Star Trek, Lost in Space, and Land of the Giants fixes my age at just slightly less than dirt, eh?

Now you kids get offa my lawn - I wanna go watch Matlock!

Are you kidding me?

[ArcadeMan]

There's something called "Windows Embedded Piece Of Shit Ready 2009"?

Re:Are you kidding me?

[fuzzyfuzzyfungus]

Unfortunately, in the case of a lot of point of sale systems, the acronym does double duty. At least they are surprisingly expensive.

Re:Are you kidding me?

[sjames]

That someone thought making a cash register run WindowsXP was a good idea scares me, though.

And justifies the dual meaning of POS :-)

Re:Are you kidding me?

[sjames]

He said duty.

Re:Are you kidding me?

[ArcadeMan]

Cash registers have to be on networks these days. But on the Internet? Not a good idea.

If necessary, it should be POS -> server -> Internet.

Re:Are you kidding me?

[future+assassin]

Yes they are pretty expensive my current one ACE Retail was around $1400 for one computer. I looked at oithers and the prices were insane if you wanted anything not DOS looking like. I did go with ACE as this is what I was use to for the previous 4 years but its amazing how the same bugs have been in the system for the last 6 years and old bugs just pop up out of the blue even though they were suppose to be fixed.

I now have found a Linux based POS http://linuxcanada.com/ that seems quite good and will be testing it out shortly

Re:Are you kidding me?

[The+Snowman]

Considering how full of holes Linux based home routers turn out to be, do you think Linux based cash registers would be any better than XP cash registers? I am just flabbergasted that cash registers are on networks with internet access.

Up until a few months ago I worked for a Retail Point of Sale company for more than seven years as a developer. The typical topology goes something like this. Each store has a cable or DSL modem to get to the internet. They have it locked down so the only way in or out is through a VPN to the home office. This essentially gives them LAN access to shared resources such as centralized databases (this is why you can return at a store other than the one where you bought something, or check another store's inventory), payment system gateways, etc. This is a heavily secured and audited network segment due to the sensitive nature of the data. Any "regular" internet access from a register goes through that VPN and a firewall at the home office. Browsers are locked down on each register and regularly patched and updated remotely. They will sometimes use a whitelist of sites, sometimes not: JavaScript and other "features" are typically restricted as much as feasible.

This system works really well, despite having a lot of pieces geographically scattered. The VPN makes it easy to connect to any register in a retail chain since it is essentially a LAN. With the VPN and firewalls, you have a distributed yet secured network. The only times I have ever seen a network intrusion at any customer of my former employer was due to human error: a network technician forgetting to set something up right despite numerous checklists and test environments. Pretty rare in my experience working with 30+ retail customers.

Re:Are you kidding me?

[cusco]

I always like RKeeper's (large Moscow-based POS system) quick-and-dirty solution: make all the POS machines use NetBEUI. Can't route, the only way to get to the machines from outside is through remote controlling the server.

Re:Are you kidding me?

[mysidia]

That still counts as "on-the-internet" (unless you somehow have a dedicate line going from the POS to the server), so you're plenty vulnerable to spoofing and man-in-the-middle attacks.

There's this thing called a VLAN.

You can use a dedicated Layer 3 switch for your POS network. Setup a Private VLAN (PVLAN) to carry your POS network.
Setup a private promiscuous VLAN for your switch to perform L3 routing on.
Setup a private Isolated VLAN (PVLAN Isolated) for your POS terminals, and enable local Proxy-Arp on your isolated PVLANs.
Place your server on a Server VLAN.

Enable 802.1x wired port security for your POS ports.

Configure routing between your POS Subnet and your POS server's dedicated Subnet. Set it up with Route-maps or ACLs such that; every POS can talk to the server, and the server can talk to any POS terminal, but no two POS can speak to each other, and no other IP address can speak to a POS or the server.

No default route in the routing table of this Layer 3 switch.

No internet connectivity necessary.

Re:Are you kidding me?

[Hognoxious]

I've dealt with the output from them. Horrid. It was a while ago, but IIRC correctly it went like this: because the accursed things have so little storage everything is "compressed", and they were all designed before interwebs were invented so it has to keep the whole shift's crap in there. But not compressed like with gzip, no no no, because it hasn't the CPU or RAM to do that. It's just that every indicator (that tells you if it's a sale or return, or if it's meat or dairy or shoes or flammable or radioactive or whatever) is one char if you're lucky, and because there aren't that many chars to go round they all have multiple meanings that depend on each other.

Like JSON but with less readable tags and no punctuation and written in one unholy block with no fucking whitespace, why the hell would you want that already? Torture.

Still, look on the bright side - at least it didn't use fucking unicode.

Re:Will those patches actually WORK?

Windows POSReady 2009 is actually Windows XP though, just stripped down and a lot of stuff removed. The same system files exist in the same versions and thus they have the same exploits and can be patched with the same code.

POSReady 2009 is basically a different "distro" of Windows XP that Microsoft is supporting until 2009. By changing that one registry entry, you get Windows Update to realize you're running that special distro, and you get patches.

Re:This act is highly illegal

[TWX]

What's illegal about it? Is it illegal to use Microsoft's provided tools to edit my registry, browing to HKEY_LOCAL_MACHINE\SYSTEM\WPA, then creating a new key called PosReady, then creating a new dword in PosReady called "Installed" with a value of 00000001?

Digital:Convergence had much more claim to the cuecat scanner's security than this could ever command.

Re:This act is highly illegal

[gstoddart]

what is so illegal about changing a registry key or value, or creating a registry key?

In the loosest possible interpretation I can think of (and not one I agree with), you are committing fraud by misrepresenting something in order to get a good or a service.

But, if it's something as trivial as a registry key, which is available for users to update (and which sometimes MS themselves suggest) ... then I've got nothing.

I'm having a hard time believing it's perfectly legal to update one set of registry keys, while being illegal to update another. If they're so special and secret, they shouldn't be something you can update.

Security risk?

[erice]

Point of Sale systems usually operate under more controlled conditions than end user machines. Would these updates keep your XP machine plausibly secure or highly vulnerable to threats not considered serious to point of sale systems? What about vulnerabilities in components not present in POSReady 2009 but used in XP?

Re:Security risk?

[0123456]

No, updating to an actually supported operating system would be better.

Not if it's Window 8.

Re:Will those patches actually WORK?

[mysidia]

Windows POSReady 2009 is actually Windows XP though, just stripped down and a lot of bug-ridden exploitable and memory hogging code removed. Almost the same system files exist in the same versions and thus they have many exploits in common and frequently can be patched with the same code.

There, fixed it for you.

Re:This act is highly illegal

[fuzzyfuzzyfungus]

I'm honestly a bit surprised that MS didn't bother to tie point-of-sale status to XP's license authentication mechanism, even in some relatively trivial way.

They were certainly willing to do that with some updates (anything where good old 'Windows Genuine Advantage' popped up) and, while the suitably motivated generally bypassed that without too much trouble, I imagine that that sort of wicked, wicked, circumvention made their legal position markedly less pleasant if MS wished to push the issue.

If it's just a registry key, no ties to the activation system at all, the situation starts to look a lot more like spoofing a browser UA to encourage the server to send you the version of the page it sends to some different browser.

Re:are the people still running XP

[dargaud]

I develop on Linux, and for when I need Windows I use XP in a virtual machine. Plenty good enough for only runnign an IDE. Today I had to touch Win7 for the first time because one of my apps wouldn't install. It felt like being raped by Fisher Price.

Re:This act is highly illegal

[CurryCamel]

What's illegal about it? Is it illegal to use Microsoft's provided tools to edit my registry

... to get a service you don't have a license for. How is that not illegal?

Yeah not quite...

[craznar]

As someone who works with POS Ready 2009 a lot (I write Point of Sale Software), the catch with this idea is that many (a great many) of the components in normal XP just don't exist in POSReady.

SO you may, or may not get updates for some parts of your OS - because Microsoft will not be writing updates for the rest.

Re:are the people still running XP

Yes.

Because driver support for things like musical equipment and old SCSI devices often didn't get updated or supported after XP.

I have a fairly expensive SCSI scanner that can handle poster sized sheets but the only software I can find for it runs in XP. I have 3 Windows 7 boxes and one XP, and I'll keep running XP until I can get all my devices off it (MIDI controllers, instrument packages, old scanner, etc)

It's not my fault these old components have no driver upgrade path, so I'm stuck with one XP box probably until I upgrade about $5k worth of stuff that just works

Re:This act is highly illegal

[Jmc23]

It'll void your warranty and then you won't be able to get anymore security updates!!

New Critical XP Update...

[The+Mysterious+Dr.+X]

"This patch removes an exploit that caused some machines running Windows XP to apply updates for other operating systems. To learn more about the update, read this knowledge base article..."

Re:New Critical XP Update...

[wonkey_monkey]

Yo dawg, I... can't be bothered.

Re:This act is highly illegal

[TubeSteak]

I'm having a hard time believing it's perfectly legal to update one set of registry keys, while being illegal to update another. If they're so special and secret, they shouldn't be something you can update.

Since Microsoft offers paid updates for WinXP (at least for corporate customers),
it's not very hard to argue that the registry hack (at least for corporate customers) would qualify as theft of service.

For non-corporate users, Microsoft could argue "unauthorized access," but I can't see them taking the trouble to sue random home users.

Re:This act is highly illegal

[TWX]

I'm actually surprised that there isn't something else checking versioning in the compiled stuff that can't be readily changed. That it's a registry entry blows my mind. That's so lazy on their part that I have zero sympathy for them if people extend support for their OSes this way.

Re:are the people still running XP

[YrWrstNtmr]

It felt like being raped by Fisher Price.

Comparisons to Fisher Price was one of the main initial complaints about XP.

Re:Will those patches actually WORK?

[Zocalo]

And there-in lies the problem, "just stripped down and a lot of stuff removed" means that you almost certainly won't be getting patches for the stuff that has been removed, which is just as likely (if not more so) to be the parts that really need patching when the next 0-day comes along. Also, unless all the system files present truly are identical, then replacing random system files on a desktop XP system for a "stripped down" version might, and probably will, cause some functions to stop working. I can see two not necessarily mutually exclusive outcomes from this; people who deploy this are going to end up with a very false sense of security and a lot of systems are going to get hosed because of an update that isn't compatible with desktop XP.

In fact, I wouldn't put it past Microsoft to "accidentally" push out bad patches to deter this behaviour. I'm pretty sure they'd rather XP just cease to exist at this point given all the bad security press it's got them, and any opportunity to ram another nail into the coffin isn't exactly going to be unwelcome.

Re:This act is highly illegal

[gstoddart]

That it's a registry entry blows my mind. That's so lazy on their part that I have zero sympathy for them

You know, some of us have felt this way about the registry as long as it's been around.

It has always seemed like a cheap hack done by lazy people.

It's not secure or safe, it has always been subject to corruption and hacks, and looks like something which was grafted on by someone under time constraints that once it was in the wild they couldn't get away from.

Re:This act is highly illegal

[fph+il+quozientatore]

what is so illegal about changing a registry key or value, or creating a registry key?

What is so illegal about changing 0 to 1 and 1 to 0?

Re:This act is highly illegal

[I'm+New+Around+Here]

But whose anus?

Re:Windows Server 2003?

[fizzer06]

I installed Windows Server 2003 to VMWare Player just yesterday. The activation server won't work anymore, so I had to make the dreaded call. The Pakistani sounding guy named "Phillip" was helpful but it would have been easier with Internet activation. He was very curious as to WHY I wanted to install Windows Server 2003.

Windows Update wouldn't work until I downloaded SP2 and installed it. Then I was able to "enjoy" several hours of downloading and installing updates via Windows Update

What I wonder about is, when I accepted an update and rebooted there were several patches to the updates. Why doesn't MS build the patches into the update?

Re:Just buy a new computer !!!!!

[amiga3D]

It's not about you. You fail to understand your place as a consumer. You spend money and they fuck you. I can't make it any simpler for you.

Re:Windows Server 2003?

[Billly+Gates]

I installed Windows Server 2003 to VMWare Player just yesterday. The activation server won't work anymore, so I had to make the dreaded call. The Pakistani sounding guy named "Phillip" was helpful but it would have been easier with Internet activation. He was very curious as to WHY I wanted to install Windows Server 2003.

Windows Update wouldn't work until I downloaded SP2 and installed it. Then I was able to "enjoy" several hours of downloading and installing updates via Windows Update

What I wonder about is, when I accepted an update and rebooted there were several patches to the updates. Why doesn't MS build the patches into the update?

That is because the certificates were replaced. Remember back in 2011 about one of the root CA servers being compromised. It was only one of the keys used to sign and not the full master but still MS updated its certificates to be safe.

You can download an update (forgot which KB) for both XP & Server 2003. Even XP out of the box wont run updates either without the fix. There is a fixit too that will change them for you.

Re:This act is highly illegal

[BilI_the_Engineer]

I wouldn't be surprised if it is illegal, considering how broken our 'justice' system is.

If editing some data on your own equipment is all it takes to get Microsoft to give you service, and that's illegal, then something is indeed wrong.

Re:Just buy a new computer !!!!!

[jbeaupre]

Yeah, unless you've got thousands of dollars of software that are locked to that PC configuration (hardware and software). Then you're looking at a major expense and hassle of upgrading everything just to do exactly what you were before.

Re:Just buy a new computer !!!!!

[ciroknight]

Or install Linux, since it's free and you can continue using your existing hardware. Then you can just virtualize and continue using your XP license in a nice, safe cocoon.

Re:For all of XP?

[drinkypoo]

Smaller footprint means fewer files. What ever is cut out of POSReady won't have any issues fixed.

OK, let's figure out which parts those are, so we can not use them, and replace them with OSS alternatives. Some of us need XP for various applications for which there are no replacements.

Re:This act is highly illegal

[brantondaveperson]

Why do slashdotters find these issues so hard to understand. The law is all about intent. If you intend to access services to which you are not entitled, the ease with which you do so is entirely irrelevant to the discussion of whether or not your actions are legal.

You can type in eighteen "plain text" keystrokes (whatever that means - aren't all keystrokes plain text? Anyway) and log into the Attorney General's gmail account. Well, if you knew the password you could. But the action is trivially simple. And that doesn't matter. And why would it? Would you want the law to be based on how difficult an action is to undertake? It's pretty easy to pull a trigger you know...