→Windows 8 to Windows 10 November Update
正义羊-JRJSheep (talk | contribs) (Created page with "{{hatnote|The information provided on this page is based on reverse-engineered code and may contain some speculation on specific functionality.}} thumb|250px|<code>[[winver</code> in Windows 8 build 8422 (fbl_woa), displaying a EULA hash and a confidentiality warning]] Since late 1999, Microsoft……") |
| 第 35 行: | 第 35 行: | ||
Throughout the development timeframes of [[Windows 8]] and [[Windows 10 November Update]], an updated version of the Windows Fingerprinting Service was implemented in a similar fashion to the unique identifier mechanism first included as part of [[Windows XP]], designed in such a way that the fingerprint be present in every leaked Windows build irrespective of the amount of times the build is repacked. | Throughout the development timeframes of [[Windows 8]] and [[Windows 10 November Update]], an updated version of the Windows Fingerprinting Service was implemented in a similar fashion to the unique identifier mechanism first included as part of [[Windows XP]], designed in such a way that the fingerprint be present in every leaked Windows build irrespective of the amount of times the build is repacked. | ||
Early implementations of leak prevention were initially present in the form of a simple wallpaper replacement and a warning in <code>[[winver]]</code> in [[Windows 8 | Early implementations of leak prevention were initially present in the form of a simple wallpaper replacement and a warning in <code>[[winver]]</code> in [[Windows 8 Build 7762.0.fbl_grfx_dev1.100613-1700|build 7762]], and was later iterated upon through the introduction of a fingerprint blob and a dedicated confidentiality warning between [[Windows 8 Build 7785.0.fbl_grfx_dev1.100721-1700|build 7785]] and [[Windows 8 Build 7875.0.fbl_grfx_dev1.101102-1700|build 7875]], which are shown on the [[桌面水印|desktop watermark]] and are displayed by the <code>shell32.dll</code> dynamic link library. The fingerprint is directly appended at the end of the <code>BuildLab</code> string (queried from registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion</code>) in the form of a build hash (officially named the "EULA hash"), computed by splitting the WFS blob into 8 arrays of 16 bytes and XORing each of the 16 bytes together. The EULA hash can then be derived in order to source build leaks to existing Microsoft affiliates; the visibility of the EULA hash and the confidentiality warnings depend on the presence of certain compiler flags. | ||
{{multiple image | {{multiple image | ||
| footer = Three different [[Windows 8]] builds. Left to right: [[Windows 8 | | footer = Three different [[Windows 8]] builds. Left to right: [[Windows 8 Build 8330.0.fbl_grfx_dev1.120425-1400|build 8330 (fbl_grfx_dev1)]] (left), [[Windows 8 Build 8375.0.winmain_win8rc.120504-1900|build 8375]] (center), and [[Windows 8 Build 8400.0.winmain_win8rc.120518-1423|build 8400]] (right).<br/> | ||
Note how the EULA hash is unique to different builds (or variations of the same build, such as a different CPU architecture or partner release/download source{{efn|As observed in [[Windows 8 build 8520]]; despite most language variations for its ARMv7 compile including an identical fingerprint, the one included as part of the Simplified Chinese language variation features a completely different fingerprint; likely the result of another Connect download or alternative partner release handed down to another individual or organization.}}), and how the visibility of the confidentiality warning and the EULA hash depend on the presence of specific compiler flags. | Note how the EULA hash is unique to different builds (or variations of the same build, such as a different CPU architecture or partner release/download source{{efn|As observed in [[Windows 8 Build 8520.0.fbl_eeap.120722-1632|Windows 8 build 8520]]; despite most language variations for its ARMv7 compile including an identical fingerprint, the one included as part of the Simplified Chinese language variation features a completely different fingerprint; likely the result of another Connect download or alternative partner release handed down to another individual or organization.}}), and how the visibility of the confidentiality warning and the EULA hash depend on the presence of specific compiler flags. | ||
| align = center | | align = center | ||
| footer_align = center | | footer_align = center | ||
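Review bot: The EULA hash description in the second paragraph of this hunk is ambiguous: "splitting the WFS blob into 8 arrays of 16 bytes and XORing each of the 16 bytes together" can be read either as folding the eight arrays position by position into a 16-byte value or as reducing each array to a single byte. Since the edit already touches this paragraph, state the size of the resulting hash and the direction of the XOR. Two smaller points in the same hunk: "Early implementations ... and was later iterated upon" should read "were later iterated upon", and the image footer states each position twice ("Left to right" followed by "(left)", "(center)", "(right)").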
| 第 49 行: | 第 49 行: | ||
}} | }} | ||
Fingerprinting data is now stored in both the registry and in the form of a file, respectively under registry key <code>HKLM\SYSTEM\WPA\478C035F-04BC-48C7-B324-2462D786DAD7-5P-9</code> and as file <code>FP</code> in the <code>Windows\System32\config</code> directory. The registry key and the file must both exist in the Windows install, or the operating system will either refuse to boot or non-deterministically [[bugcheck]] with codes <code>KERNEL_SECURITY_CHECK_FAILURE</code> (during boot) or <code>CRITICAL_STRUCTURE_CORRUPTION</code> (if the periodic WFS check during runtime fails). Furthermore, most parts of the fingerprint data are now encrypted, and therefore require reverse engineering efforts to decode and extract the relevant information. These leak prevention measures were removed very early into the development cycle of the [[Windows 10 Anniversary Update]] (after [[Windows 10 build 11073|build 11073]]) due to the increased relevance of the [[Windows Insider Program]], a public initiative allowing volunteering beta testers (referred to as ''Insiders'') access to freshly-compiled Windows development builds from mainline branches. | Fingerprinting data is now stored in both the registry and in the form of a file, respectively under registry key <code>HKLM\SYSTEM\WPA\478C035F-04BC-48C7-B324-2462D786DAD7-5P-9</code> and as file <code>FP</code> in the <code>Windows\System32\config</code> directory. The registry key and the file must both exist in the Windows install, or the operating system will either refuse to boot or non-deterministically [[蓝屏死机|bugcheck]] with codes <code>KERNEL_SECURITY_CHECK_FAILURE</code> (during boot) or <code>CRITICAL_STRUCTURE_CORRUPTION</code> (if the periodic WFS check during runtime fails). Furthermore, most parts of the fingerprint data are now encrypted, and therefore require reverse engineering efforts to decode and extract the relevant information. 
These leak prevention measures were removed very early into the development cycle of the [[Windows 10 Anniversary Update]] (after [[Windows 10 build 11073|build 11073]]) due to the increased relevance of the [[Windows Insider Program]], a public initiative allowing volunteering beta testers (referred to as ''Insiders'') access to freshly-compiled Windows development builds from mainline branches. | ||
===Implementation details=== | ===Implementation details=== | ||
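Review bot: Link retargeting is uneven in the paragraph that was split onto its own line: `[[Windows 10 build 11073|build 11073]]` keeps the short page title, while the Windows 8 build links elsewhere in this edit were moved to full build-string titles such as `Windows 8 Build 7762.0.fbl_grfx_dev1.100613-1700`. Confirm that the short title resolves on this wiki or retarget it the same way; the same check applies to `[[Windows 10 Anniversary Update]]` and `[[Windows Insider Program]]`. The registry path in the preceding paragraph also uses the `HKLM` abbreviation where the earlier section spells out `HKEY_LOCAL_MACHINE`; pick one form.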
| 第 63 行: | 第 63 行: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<code>WPACertificateHash</code> is the encrypted WFS blob containing the actual fingerprint data. Contrary to popular belief, it is <u>not</u> related to the [[Windows Product Activation]] functionalities and is named such merely as cover. <code>Time</code> relates to the [[w:SHA-256|SHA-256]] hash of the <code>nt5.cat</code> security catalog, stored in <code>Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}</code> (also named such to confuse reverse engineers). The <code>Type</code> value appears to be a timestamp of sorts, presumably for the aforementioned security catalog. | <code>WPACertificateHash</code> is the encrypted WFS blob containing the actual fingerprint data. Contrary to popular belief, it is <u>not</u> related to the [[Windows 产品激活|Windows Product Activation]] functionalities and is named such merely as cover. <code>Time</code> relates to the [[w:SHA-256|SHA-256]] hash of the <code>nt5.cat</code> security catalog, stored in <code>Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}</code> (also named such to confuse reverse engineers). The <code>Type</code> value appears to be a timestamp of sorts, presumably for the aforementioned security catalog. | ||
=====WFS blob===== | =====WFS blob===== | ||
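Review bot: The sentence on `Time` and `Type` needs a word on why the value names do not match their contents: `Time` is described as holding the SHA-256 hash of `nt5.cat` and `Type` as "a timestamp of sorts", which reads like a mix-up unless the text says these names are deliberately misleading, as it does for `WPACertificateHash`. The parenthetical "(also named such to confuse reverse engineers)" is attached to the catalog path, so it is unclear which name it refers to. `[[w:SHA-256|SHA-256]]` also still points at an interwiki target while the other links in this edit were localized.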
| 第 96 行: | 第 96 行: | ||
The <code>Nt5Hash</code> and <code>Nt5TimeStamp</code> values are used to ensure that the blob is only valid for a specific build, therefore preventing other individuals from using blobs from previously leaked builds on top of a newly leaked one. The timestamp does not include the seconds field in order to completely ignore rounding caused by switching between file systems. | The <code>Nt5Hash</code> and <code>Nt5TimeStamp</code> values are used to ensure that the blob is only valid for a specific build, therefore preventing other individuals from using blobs from previously leaked builds on top of a newly leaked one. The timestamp does not include the seconds field in order to completely ignore rounding caused by switching between file systems. | ||
Upon every boot, the Windows kernel checks for the existence of the fingerprinting blob on the disk and [[bugcheck]]s with code <code>KERNEL_SECURITY_CHECK_FAILURE</code> if not present, although it loads the one included within the Windows registry instead. Subsequent integrity checks against the fingerprinting blob present in the registry are made by the kernel at random times (once between 300 - 310 seconds) and will bugcheck with code <code>CRITICAL_STRUCTURE_CORRUPTION</code> if the data within the Windows registry is not valid. | Upon every boot, the Windows kernel checks for the existence of the fingerprinting blob on the disk and [[蓝屏死机|bugcheck]]s with code <code>KERNEL_SECURITY_CHECK_FAILURE</code> if not present, although it loads the one included within the Windows registry instead. Subsequent integrity checks against the fingerprinting blob present in the registry are made by the kernel at random times (once between 300 - 310 seconds) and will bugcheck with code <code>CRITICAL_STRUCTURE_CORRUPTION</code> if the data within the Windows registry is not valid. | ||
====Fingerprinting method==== | ====Fingerprinting method==== | ||
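Review bot: The timing of the runtime check is stated in two incompatible ways in the last sentence of this hunk: "at random times" and "(once between 300 - 310 seconds)". Say whether the check recurs at an interval randomized between 300 and 310 seconds or runs once in that window, and write the range without the spaced hyphen. The first sentence also needs rewording: "although it loads the one included within the Windows registry instead" does not say what the on-disk copy is used for beyond the existence check.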
| 第 107 行: | 第 107 行: | ||
This form of fingerprinting is very effective as it is theoretically impossible to remove while keeping the OS functional. The fingerprint data could be completely removed, but doing so would result in an unbootable operating system image or periodic bugchecks due to inconsistent data. The fingerprint data can also not be modified as it is encrypted by a private RSA key. | This form of fingerprinting is very effective as it is theoretically impossible to remove while keeping the OS functional. The fingerprint data could be completely removed, but doing so would result in an unbootable operating system image or periodic bugchecks due to inconsistent data. The fingerprint data can also not be modified as it is encrypted by a private RSA key. | ||
A number of builds can be practically unfingerprinted due to the presence of generic fingerprint data in the <code>SYSTEM</code> registry hive and/or the [[Windows Recovery Environment]] WIM image. Some builds, in particular those sourced from public release branches, such as <code>th2_release</code> or <code>winblue_rtm</code>, are also built with the Windows Fingerprinting Service disabled through compiler flags, and will not bugcheck if fingerprint data is invalid or is otherwise absent. | A number of builds can be practically unfingerprinted due to the presence of generic fingerprint data in the <code>SYSTEM</code> registry hive and/or the [[Windows 恢复环境|Windows Recovery Environment]] WIM image. Some builds, in particular those sourced from public release branches, such as <code>th2_release</code> or <code>winblue_rtm</code>, are also built with the Windows Fingerprinting Service disabled through compiler flags, and will not bugcheck if fingerprint data is invalid or is otherwise absent. | ||
==Windows 11 开发版本== | ==Windows 11 开发版本== | ||
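Review bot: The first paragraph of this hunk claims the fingerprint is "theoretically impossible to remove while keeping the OS functional", and the next paragraph lists builds that "can be practically unfingerprinted"; qualify the first claim so the two do not contradict each other. "encrypted by a private RSA key" should also be made precise: say whether the blob is signed or encrypted, since the stated consequence (the data cannot be modified) is an integrity property. "can also not be modified" reads better as "also cannot be modified".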