Registry Hack Enables Continued Updates For Windows XP

DroidJason1 (3589319) writes "A registry workaround, which tricks Windows Update into thinking you are running Windows Embedded POSReady 2009, allows you to get free security updates until 2019. All you need is a simple 32bit or 64bit registry entry in order to make this work. POSReady 2009 is slated to receive security updates for another five years. Microsoft ended support for Windows XP on April 8th of 2014."

Are you kidding me?

[ArcadeMan]

There's something called "Windows Embedded Piece Of Shit Ready 2009"?

Re:Are you kidding me?

[fuzzyfuzzyfungus]

Unfortunately, in the case of a lot of point of sale systems, the acronym does double duty. At least they are surprisingly expensive.

Re:Are you kidding me?

[sjames]

He said duty.

Re:Are you kidding me?

[future+assassin]

Yes they are pretty expensive my current one ACE Retail was around $1400 for one computer. I looked at oithers and the prices were insane if you wanted anything not DOS looking like. I did go with ACE as this is what I was use to for the previous 4 years but its amazing how the same bugs have been in the system for the last 6 years and old bugs just pop up out of the blue even though they were suppose to be fixed.

I now have found a Linux based POS http://linuxcanada.com/ that seems quite good and will be testing it out shortly

Re:Are you kidding me?

[The+Snowman]

Considering how full of holes Linux based home routers turn out to be, do you think Linux based cash registers would be any better than XP cash registers? I am just flabbergasted that cash registers are on networks with internet access.

Up until a few months ago I worked for a Retail Point of Sale company for more than seven years as a developer. The typical topology goes something like this. Each store has a cable or DSL modem to get to the internet. They have it locked down so the only way in or out is through a VPN to the home office. This essentially gives them LAN access to shared resources such as centralized databases (this is why you can return at a store other than the one where you bought something, or check another store's inventory), payment system gateways, etc. This is a heavily secured and audited network segment due to the sensitive nature of the data. Any "regular" internet access from a register goes through that VPN and a firewall at the home office. Browsers are locked down on each register and regularly patched and updated remotely. They will sometimes use a whitelist of sites, sometimes not: JavaScript and other "features" are typically restricted as much as feasible.

This system works really well, despite having a lot of pieces geographically scattered. The VPN makes it easy to connect to any register in a retail chain since it is essentially a LAN. With the VPN and firewalls, you have a distributed yet secured network. The only times I have ever seen a network intrusion at any customer of my former employer was due to human error: a network technician forgetting to set something up right despite numerous checklists and test environments. Pretty rare in my experience working with 30+ retail customers.

Re:Are you kidding me?

[cusco]

I always like RKeeper's (large Moscow-based POS system) quick-and-dirty solution: make all the POS machines use NetBEUI. Can't route, the only way to get to the machines from outside is through remote controlling the server.

Re:Are you kidding me?

[mysidia]

That still counts as "on-the-internet" (unless you somehow have a dedicate line going from the POS to the server), so you're plenty vulnerable to spoofing and man-in-the-middle attacks.

There's this thing called a VLAN.

You can use a dedicated Layer 3 switch for your POS network. Setup a Private VLAN (PVLAN) to carry your POS network.
Setup a private promiscuous VLAN for your switch to perform L3 routing on.
Setup a private Isolated VLAN (PVLAN Isolated) for your POS terminals, and enable local Proxy-Arp on your isolated PVLANs.
Place your server on a Server VLAN.

Enable 802.1x wired port security for your POS ports.

Configure routing between your POS Subnet and your POS server's dedicated Subnet. Set it up with Route-maps or ACLs such that; every POS can talk to the server, and the server can talk to any POS terminal, but no two POS can speak to each other, and no other IP address can speak to a POS or the server.

No default route in the routing table of this Layer 3 switch.

No internet connectivity necessary.

Re:Will those patches actually WORK?

Windows POSReady 2009 is actually Windows XP though, just stripped down and a lot of stuff removed. The same system files exist in the same versions and thus they have the same exploits and can be patched with the same code.

POSReady 2009 is basically a different "distro" of Windows XP that Microsoft is supporting until 2009. By changing that one registry entry, you get Windows Update to realize you're running that special distro, and you get patches.

Re:This act is highly illegal

[TWX]

What's illegal about it? Is it illegal to use Microsoft's provided tools to edit my registry, browing to HKEY_LOCAL_MACHINE\SYSTEM\WPA, then creating a new key called PosReady, then creating a new dword in PosReady called "Installed" with a value of 00000001?

Digital:Convergence had much more claim to the cuecat scanner's security than this could ever command.

Re:This act is highly illegal

[gstoddart]

what is so illegal about changing a registry key or value, or creating a registry key?

In the loosest possible interpretation I can think of (and not one I agree with), you are committing fraud by misrepresenting something in order to get a good or a service.

But, if it's something as trivial as a registry key, which is available for users to update (and which sometimes MS themselves suggest) ... then I've got nothing.

I'm having a hard time believing it's perfectly legal to update one set of registry keys, while being illegal to update another. If they're so special and secret, they shouldn't be something you can update.

Re:Excellent

THERE ARE FOUR UPDATES!!!

Security risk?

[erice]

Point of Sale systems usually operate under more controlled conditions than end user machines. Would these updates keep your XP machine plausibly secure or highly vulnerable to threats not considered serious to point of sale systems? What about vulnerabilities in components not present in POSReady 2009 but used in XP?

Re:Security risk?

[0123456]

No, updating to an actually supported operating system would be better.

Not if it's Window 8.

Re:are the people still running XP

[dargaud]

I develop on Linux, and for when I need Windows I use XP in a virtual machine. Plenty good enough for only runnign an IDE. Today I had to touch Win7 for the first time because one of my apps wouldn't install. It felt like being raped by Fisher Price.

Yeah not quite...

[craznar]

As someone who works with POS Ready 2009 a lot (I write Point of Sale Software), the catch with this idea is that many (a great many) of the components in normal XP just don't exist in POSReady.

SO you may, or may not get updates for some parts of your OS - because Microsoft will not be writing updates for the rest.

Re:Excellent

[barlevg]

This is much funnier if you assume that ArcadeMan is all three ACs in this thread.

Re:Excellent

[Zocalo]

Even the older Slashdotters have a blinkered view of culture it seems. The original reference is from George Orwell's "1984", only it was fingers and not lights.

New Critical XP Update...

[The+Mysterious+Dr.+X]

"This patch removes an exploit that caused some machines running Windows XP to apply updates for other operating systems. To learn more about the update, read this knowledge base article..."

Re:New Critical XP Update...

[wonkey_monkey]

Yo dawg, I... can't be bothered.

Re:Excellent

[ArcadeMan]

I'm not.

I'm also scared by the fact that this was aired 22 years ago.

Re:This act is highly illegal

[TubeSteak]

I'm having a hard time believing it's perfectly legal to update one set of registry keys, while being illegal to update another. If they're so special and secret, they shouldn't be something you can update.

Since Microsoft offers paid updates for WinXP (at least for corporate customers),
it's not very hard to argue that the registry hack (at least for corporate customers) would qualify as theft of service.

For non-corporate users, Microsoft could argue "unauthorized access," but I can't see them taking the trouble to sue random home users.

Re:Excellent

[barlevg]

The new Battlestar Galactica began airing ten years ago.

9/11 was 13 years ago.

The Lion King was 20 years ago.

Face it: we're old.

Re:are the people still running XP

[YrWrstNtmr]

It felt like being raped by Fisher Price.

Comparisons to Fisher Price was one of the main initial complaints about XP.

Re:Will those patches actually WORK?

[Zocalo]

And there-in lies the problem, "just stripped down and a lot of stuff removed" means that you almost certainly won't be getting patches for the stuff that has been removed, which is just as likely (if not more so) to be the parts that really need patching when the next 0-day comes along. Also, unless all the system files present truly are identical, then replacing random system files on a desktop XP system for a "stripped down" version might, and probably will, cause some functions to stop working. I can see two not necessarily mutually exclusive outcomes from this; people who deploy this are going to end up with a very false sense of security and a lot of systems are going to get hosed because of an update that isn't compatible with desktop XP.

In fact, I wouldn't put it past Microsoft to "accidentally" push out bad patches to deter this behaviour. I'm pretty sure they'd rather XP just cease to exist at this point given all the bad security press it's got them, and any opportunity to ram another nail into the coffin isn't exactly going to be unwelcome.

Re:This act is highly illegal

[gstoddart]

That it's a registry entry blows my mind. That's so lazy on their part that I have zero sympathy for them

You know, some of us have felt this way about the registry as long as it's been around.

It has always seemed like a cheap hack done by lazy people.

It's not secure or safe, it has always been subject to corruption and hacks, and looks like something which was grafted on by someone under time constraints that once it was in the wild they couldn't get away from.

Re:Excellent

[Skuld-Chan]

I think if your a company that relies on XP (not the POS edition) and you haven't isolated them on a special - no internet vlan - you have bigger issues than making sure your XP machine has security updates.

Re:Excellent

[93+Escort+Wagon]

I think if your a company that relies on XP (not the POS edition) and you haven't isolated them on a special - no internet vlan - you have bigger issues than making sure your XP machine has security updates.

I thought all editions of Windows XP deserved the monicker POS?

(Note to the humor-impaired: Chill out, dude. At least I'm not making jokes about your pretend girlfriend, right?)

Re:Excellent

[camperdave]

It was a Cardassian, and he was trying to get Picard to say five lights.

Sheesh!

Re:Just buy a new computer !!!!!

[amiga3D]

It's not about you. You fail to understand your place as a consumer. You spend money and they fuck you. I can't make it any simpler for you.

Re:Windows Server 2003?

[Billly+Gates]

I installed Windows Server 2003 to VMWare Player just yesterday. The activation server won't work anymore, so I had to make the dreaded call. The Pakistani sounding guy named "Phillip" was helpful but it would have been easier with Internet activation. He was very curious as to WHY I wanted to install Windows Server 2003.

Windows Update wouldn't work until I downloaded SP2 and installed it. Then I was able to "enjoy" several hours of downloading and installing updates via Windows Update

What I wonder about is, when I accepted an update and rebooted there were several patches to the updates. Why doesn't MS build the patches into the update?

That is because the certificates were replaced. Remember back in 2011 about one of the root CA servers being compromised. It was only one of the keys used to sign and not the full master but still MS updated its certificates to be safe.

You can download an update (forgot which KB) for both XP & Server 2003. Even XP out of the box wont run updates either without the fix. There is a fixit too that will change them for you.

Re:This act is highly illegal

[BilI_the_Engineer]

I wouldn't be surprised if it is illegal, considering how broken our 'justice' system is.

If editing some data on your own equipment is all it takes to get Microsoft to give you service, and that's illegal, then something is indeed wrong.

Re:Excellent

[fahrbot-bot]

I thought all editions of Windows XP deserved the monicker POS?

(Note to the humor-impaired: Chill out, dude. At least I'm not making jokes about your pretend girlfriend, right?)

My pretend girlfriend runs Windows XP - sigh.

Re:Excellent

[Chelloveck]

I was born closer to the first moon landing than to today. That's because I was born on the other side of it. Hell, I was born closer to WWII than to today. And in another year I'll be able to say that about WWI.

Kids. Get off my lawn.