Like many other people in the world today, I decided to install IE7 on my computer. Now, I am a diehard fan of Firefox but I need to keep abreast of all different types of technology. This is why I was interested in installing Internet Explorer 7.
Now, imagine my surprise when I was asked to validate my copy of Windows before I continued to install Internet Explorer!

I fired up filemon and regmon from Sysinternals to see what it was exactly doing.
File and Registry Access
I put all of the results into an Excel file. Please note that I have changed some of the information to protect my anonymity.
Most of the access was pretty routine but it did look at some stuff that I thought was pretty strange. And some of which I thought was really none of their business!
File Access
There were some very odd things happening as far as file access is concerned. The first one that caught my attention was that it read information from C:\WINDOWS\system32\OEMInfo.Ini. This file contains all of the information about the manufacturer. In my case, I had a Dell system and it included my make, model, service tag, and express service code for my computer.
The other file that I thought was interesting was C:\WINDOWS\system32\legitcheckcontrol.dll. There were a lot of different file reads and queries to this file. When I looked at the file with a hex editor, I was able to find a huge list of hardware manufacturers along with a website address http://stats.update.microsoft.com/reportingwebservice/reportingwebservice.asmx. I can’t be certain but it looks like this file may be used to report hardware usage information back to Microsoft.
There were other web addresses embedded into this file. Most were links to certificate authorities but two others that looked rather suspicious were:
- http://www.microsoft.com/SoftwareDistribution/Server/IMonitorable
- http://www.microsoft.com/SoftwareDistribution/ReportEventBatch
A file that got a lot of attention during validation was one that was installed by the IE installer; ligitlibm.dll. Under a hex editor, it revealed different code, much of which would probably mean more to a real programmer. But, what did catch my eye was a reference to a webpage: http://go.microsoft.com/fwlink/?LinkId=33171&LegitCheckError=. Again, not being a programmer, I do not know the purpose of this link but it could definitely be used to report back to Microsoft.
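The hex-editor search described above can be automated. The following added example (not part of the original post) pulls printable ASCII and UTF-16LE strings out of a binary and groups any embedded URLs by host; the sample bytes are constructed around URLs quoted in this post and are not the contents of the real DLLs.

```python
import re
import sys
from collections import defaultdict
from urllib.parse import urlsplit

MIN_LEN = 6  # shortest printable run worth reporting

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each character followed by a zero byte), which Windows binaries often use.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?")


def extract_strings(data):
    """Yield (offset, encoding, text) for every printable run in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def embedded_urls(data):
    """Map hostname -> set of (url, encoding) found in the binary."""
    by_host = defaultdict(set)
    for _offset, enc, text in extract_strings(data):
        for url in URL.findall(text):
            by_host[urlsplit(url).hostname].add((url, enc))
    return by_host


def build_sample():
    """Constructed test blob: URLs quoted in the post, padded with binary junk."""
    narrow = [
        b"http://stats.update.microsoft.com/reportingwebservice/reportingwebservice.asmx",
        b"http://www.microsoft.com/SoftwareDistribution/ReportEventBatch",
    ]
    wide = "http://go.microsoft.com/fwlink/?LinkId=33171&LegitCheckError=".encode("utf-16-le")
    return (b"MZ\x90\x00\x03\xff" + narrow[0] + b"\x00\xfe\x01"
            + narrow[1] + b"\x00\x8b\xff\xff" + wide + b"\xff\xff\x00")


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for host, hits in sorted(embedded_urls(blob).items()):
        print(host)
        for url, enc in sorted(hits):
            print(f"  [{enc}] {url}")
```

A URL in a binary's strings only shows that the address is compiled in; whether it is ever contacted has to be confirmed separately with a packet capture.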
Here is a list of some of the items the validation accessed in my registry:
- Certificate Information
- Machine Unique IDs
- Session Information
- System Architecture
- Processor Type and Model
- Logon Server
- Internal Domain Name
- Machine Name
- TCP/IP Setup
I don’t know about you, but I think that this may be a bit more than is required for validating my version of Windows, especially when it has been established that there are links in the software that it used for this validation that point back to the Microsoft website.
Reporting Back
While performing the validation, I ran Wireshark, an ethernet sniffer. It allowed me to see the data over the network in raw format and determine if there were any attempts to “call home”. I am happy to report that there did not appear to be any such attempts. But, that does not mean that Microsoft is off the hook.
There are other scenarios that I can think of where Microsoft would have called home:
- It found a pirated copy of Microsoft
- During the actual install to add to its count
- At a later time so as not to attract attention or during a Windows update
Conclusion
There are definitely some disturbing things happening behind the scenes on your computer when you need to validate Windows during the installation of IE7. This entire issue deserves some media attention and further research.


October 21st, 2006 at 9:39 am
Good reporting, and good to know what’s going on. Also, I’m new to this site, but I wanted to say thanks for including links to some of the programs you used so I can grab them as well.
October 21st, 2006 at 9:53 am
Thanks for the feedback, Kevin. I’m always interested to know what others think. Hope you stick around for a while and maybe grab an RSS feed or two.
As for the links, part of my “mission” is to enable others to do what I do. Part of that is helping them to fill their “toolbox”. Hope you find these to be useful.
Tim
October 21st, 2006 at 10:42 am
nice work
but this doesn’t strike fear into my heart - the info collected seems fairly innocuous. It’s important that they state what they are collecting though - how does what was collected tally with the Privacy Statement from the installer?
October 21st, 2006 at 1:04 pm
Just for your information, most of the registry keys you’ve seen the verifier checking are the ones that are used to produce the unique machine identifier that is generated when you activate windows (and that stops you from activating the same copy on multiple machines).
These same keys are checked by Steam and most other registration systems that want to tie stuff to a single machine.
The OEMInfo.ini is probably checked as any machines shipped by the large OEMs tend to be activated in a slightly different way (especially if you have a volume license agreement).
As for whether all this is required for installing a web-browser, well that’s up to you in the end.
October 21st, 2006 at 1:38 pm
drew,
Here is the IE7 EULA exactly as it appeared in my installer:
And here is the link to the Microsoft Genuine Advantage Privacy Policy: http://www.microsoft.com/genuine/downloads/PrivacyInfo.aspx
Nowhere in there do I see anything about internal domain names, log on servers, or computer serial numbers.
October 21st, 2006 at 1:42 pm
Russ,
I understand that there are other applications that are out there that check similar files and registry keys. I would just like to see a bit more transparency from these applications that do this so that I can make an educated decision when I click “I Accept”. If I had known that I was going to have my system “probed”, I may have chosen to not install their “supplement”.
Tim
October 21st, 2006 at 4:52 pm
I’ve re-written this post a few times, each not quite being able to say what I want in a way that couldn’t be taken in a wrong way, so I’ll say sorry in advance just in case.
I agree that random checks of system stuff aren’t nice, but Microsoft are being pretty clear what’s going on here I think. The link on the validation page clearly states that most of the information that you found was being read will be checked.
I don’t know this for sure but I’m guessing that this is how the whole system works….
1) When you activate Windows a unique hash is generated from the stuff that you’ve seen read and is sent to Microsoft along with the product key.
2) It stores this hash and the key and sends back an activation code.
3) Genuine advantage regenerates this hash (can’t trust anything stored on the machine since it could be faked) and asks the Microsoft servers if everything’s ok.
If not, it screams and says no, otherwise it works. This is the only way, I can think of, of preventing multiple installs of the same product key so something has to go back to Microsoft.
Not wanting to sound rude, but the transparency you ask for is there in the links. I admit that the session information and login server do sound odd, however if you were running this on a server under a terminal service license then it would need to be checked. Everything else checked seems to be accounted for on the linked page.
The IDN check is probably caused by the socket being opened to communicate with the Microsoft server, if not it’s possible that it’s doing a DNS query on the machine itself to check for domain membership. As I mention above, the logon server could be to do with terminal server license checking or volume licensing.
As for the computer serial number it’s a bit tricky. If you’re assuming this came from the OEMInfo.ini then it’s very possible that Microsoft are keeping track of OEM installs and want to know who sold it to you, rather than who you are. It’s up to the OEM what goes in here.
Microsoft are in the business of selling software so they want a reliable way of making sure that people aren’t buying one copy and running it on multiple machines and generating a UID and recording it is the only way I can think of of doing this. Unless you have some crazy media that destroys itself after a successful install or something :).
As you say, you have the choice not to use it. The same as you did when you accepted the XP EULA that admits that information will be sent to Microsoft to perform activation:
‘ There are technological measures in this Software that are designed to prevent unlicensed use of the Software. Microsoft will use those measures to confirm you have a legally licensed copy of the Software. If you are not using a licensed copy of the Software, you are not allowed to install the Software or future Software updates. Microsoft will not collect any personally identifiable information from your Workstation Computer during this process.’
While you may disagree with the wording it is correct. At no point does WA or WGA collect ‘personally identifiable information’ from your machine. It knows your machine, but that’s it, it doesn’t know or care who is using it.
October 21st, 2006 at 6:23 pm
Russ,
To begin with, you never have to apologize for giving your opinions on DCoT. I value what everyone has to say, regardless if they agree or disagree with me.
I also want to thank you for the extremely well thought out and carefully crafted comment. I think you have probably found a very good balance with the issues.
I am not so concerned with Microsoft ensuring that the software they are selling is legal. What does concern me is turning a “free” application into a method of checking for this. It is the equivalent of me needing to show you proof of ownership for my car before you will sell me a muffler for it.
The other thing that concerns me is that they are looking for information that has nothing to do with the individual computer. Accessing IP address information, logon servers and internal DNS domain information does, in my opinion, constitute a breach of security. If any other program started recording that information without my knowledge, I would consider it spyware.
And, as I indicated earlier, nothing was transmitted. But, because we know that they have this information, there is nothing stopping them from transmitting it in the future.
Thanks again for the information and insight. I truly do appreciate it.
October 21st, 2006 at 8:39 pm
Hi,
Microsoft Genuine Advantage has nothing to do with IE7 except that it’s a prereq. The Microsoft Genuine Advantage Privacy policy that someone linked to above, and is linked in your screenshot, explains that they’re grabbing this info and what they are doing with it. Why don’t you complain about the info they grab during Microsoft Update, or when you install Photo Story. Both run MGA as well.
This doesn’t need media attention… the media already talked about this when MGA came out - and this is just MGA the exact same way it was before.
Scaremongering.
Matt
P.S. I don’t work for Microsoft, or any company associated with it.
October 21st, 2006 at 9:39 pm
Of course it is. You’re naive to think it isn’t.
October 21st, 2006 at 9:58 pm
Here’s my problem with this:
Say you buy a computer from Dell and it is cooked right after the warranty is over. So, you buy a new computer yourself (hey since you have the operating system from your old computer). But when you try to install it, it will not install. It will only install on dell computers.
So, you take the copy you bought for another computer and install it. So, you have two copies of windows, but only one installed. This, is my problem with this solution.
Maybe it’s time to switch to another operating system.
October 21st, 2006 at 11:09 pm
In reply to quints:
When you buy a computer from Dell and get Windows XP bundled with it, you are not allowed to move XP over from a broken Dell machine to a new machine. A license key from the side of a manufacturer’s machine will not work with a cd that you bought at . When you buy Windows, the shiny piece of plastic doesn’t make it legitimate, the little sticker with your license key makes it legitimate. You -can- manage to make your Dell key install on another machine, but you need to find a copy of Windows that is referred to as OEM. Unfortunately, most of the time only system builders have this type of install cd. If you want to go to a different OS, feel free (to each his own, I run a few FreeBSD machines), but remember, EMACS and Photoshop are not games
October 21st, 2006 at 11:10 pm
Oops, looks like I used angle brackets forgetting about HTML’s rules… one of the sentences in my above post reads: A license key from the side of a manufacturer’s machine will not work with a cd that you bought at .
Where it should read
A license key from the side of a manufacturer’s machine will not work with a cd that you bought at [store here].
October 21st, 2006 at 11:38 pm
Something to consider per the statement above:
>>This file contains all of the information about the manufacturer. In my case, I had a Dell system and it included my make, model, service tag, and express service code for my computer.
I’m pretty sure that Dell and similar big makers use the service tag and express service code as UNIQUE identifiers for the user. If you buy a Dell/HP/etc. online and they send you a PC with the number, they are no doubt tying your unique service codes to you. If Microsoft accesses the code they know who owns the hardware (assuming that their agreements with Dell, et al allow them to track ownership of PC relative to the copy of Windows).
October 22nd, 2006 at 12:11 am
I think it is long over due to switch. I have used linux and windows. I hate to say, I am falling in love with linux. I don’t think I will run Vista, rather, move to OSX or pure linux, but MS isn’t getting any more money from me.
October 22nd, 2006 at 12:16 am
Heck, I don’t even use ie on my computers; firefox and opera exclusively. I prefer them so much more. I tried to play with the ie7 beta a few months back and it junked my system up. There was no turning back, I had to rebuild.
October 22nd, 2006 at 1:26 am
Anyone who doesn’t switch operating systems really is getting what they deserve at this point.
October 22nd, 2006 at 3:46 am
Your muffler analogy is nice, and I have to admit that when put that way it does sound a bit odd.
We each have our own ideas of what we class as private data and it makes sense for each of us to protect what we see as important.
As you said, things should always be made clear so we know as much as possible before clicking that ‘I agree’ button and I hope that we don’t have repeats of the Sony root-kit incident.
I’d also like to say that it’s great to have found somewhere where you can have a proper discussion about an issue without it degenerating into a ‘OSS vs Closed Source Software’ or a ‘Microsoft are evil’ flame war.
October 22nd, 2006 at 7:45 am
Last Friday, I have just upgraded to the latest release of Internet Explorer 7. So far, everything seems so good. But, to be on the safe side, I’d better run Firefox instead.
October 22nd, 2006 at 11:02 am
Just give me another reason NOT to install IE7, why don’t you Microsoft? At this moment, only 20% of our company is still on IE, 50% on Firefox and remainder are Macintosh users on Safari (though I’m preaching FF to them as well).
October 22nd, 2006 at 5:00 pm
there are so many alternatives to ie. I preach firefox to everyone I can. I may as well go door to door like a religious freak. Firefox IS the browser. It is available for Mac, Linux MS, am I missing anyone? Point is, you don’t HAVE to use IE, so don’t. We don’t all use the same car to get to work, like we don’t need to use the same browser to get to the content on the net. Let’s just boycott the IE like the H2 on the highway. Bloated, too much waste, not enough benefit for the cost of ownership. Honk if you love firefox!
October 22nd, 2006 at 9:10 pm
switch to LINUX…. M$ sucks!
October 22nd, 2006 at 9:19 pm
pourya,
The only reason I authorized your comment is to make a point. There are a multitude of different systems and users out there with as many different needs and requirements. There is a place for Linux. There is also a place for Windows and other Microsoft products.
When we make blanket statements about any operating system, program, etc., we draw black and white decisions in a world full of greys.
I am a huge fan of Linux and I use it regularly but I also use Windows just as much. There are certain tasks I will immediately turn to my Windows box to perform while others you would have to chop my hands off before I would do them on anything other than Linux.
The bottom line is, there is room for everyone here.
Tim
October 22nd, 2006 at 9:58 pm
I am down to use M$ but this is just getting out of control.
October 22nd, 2006 at 11:32 pm
Try to read their license agreement, after all. At very least, read your Win XP license carefully. Or, even better, Vista’s license. I do not get the clue. They wanna my moneys in decent amounts, but… wait a bit? Things written in their licenses are hardly can be classified as advantages :\. I see no advantage in being MS customer at all. Let’s look!
Should I consider WGA trojan horse as advantage?
Should I consider DRM updates as advantage?
Should I consider dozens of security holes and too late fixes as advantage?
Should I consider “AS IS” and “WITHOUT ANY WARRANTY” as advantage?
Should I consider MS doing whatever they want on my PC as advantage?
Should I consider IE7 which is spyware and a real dream of Big Brother as advantage?
In vista… should I consider kernel protection crap as advantage as well? This done to take away my freedom to use PC and to disallow me to access my hardware, making DRM bypassing harder. In no way this will protect me from hackers in efficient manner…
And their “protected processes” (in fact, rootkit). Why I should consider built-in rootkit as advantage?
So, for me it was enough. I will not use Vista even for free and even if MS will pay to me for doing it. I do not need a trojanized and bastardized system at all. I do not need PC which is not completely controlled by me but rather controlled by Big Brother and MS.
October 23rd, 2006 at 12:28 pm
I wonder if Microsoft realized that their little ‘*’-type icon (the one featured in the first image) is, within anime, traditionally used by characters that are pissed off/enraged.
It’s highly appropriate, in any event. ^_^
October 27th, 2006 at 10:11 am
Hi,
This is a great discussion going on here. But personally as far as I go I feel both browsers have their own advantages and I use both. Also in case you are interested I had posted an article on my blog today regarding the various vulnerabilities about FF2 and IE7 that I happened to read from different sources across the internet.
Thx,
Vi.
November 1st, 2006 at 4:19 am
I just started to install IE7, I became concerned when it said to back up any important files! Now why would I need to do that just to install a browser if there weren’t KNOWN PROBLEMS with the application? ALERTED, I began to seek more information, I’ve had that warning from MS Software downloads before i.e., (Messenger). When I upgraded my browser, MS Messenger had to be reinstalled? Everything was lost from Messenger when I updated. Moronic if you ask me? The browser brought everything over. Messenger brings everything over from other SP’s but not earlier edition browsers. That’s a character defect if ya ask me. Just a little more money outta me is all it seems. Win XP was markedly better than prior versions of Windows, but not all it was cracked up to be. Highly over rated in my opinion, and largely more trouble than worth. Was looking forward to Vista until now! Reminded, but for the Trojans, the holes, the untimely updates, sigh. Aborting installation!
Why install expensive software that you have to buy additional software for to make up for the DEFECTS, OVERSIGHTS? It’s ridiculous, I tell ya. Sigh again.
November 6th, 2006 at 2:05 pm
First off, I enjoyed reading your page. It just continues to validate my decision to stay with windows 2000 (at least as long as I can, or someone else comes up with a better option). I suspect that Vista is going to be even worse than XP and the whole .net idea is just another way for MS to keep track of what we are doing. I have no real issue with any company trying to protect their intellectual property, but all the evidence shows that MS is doing a lot more than that.
Call me paranoid if you wish, but at this point I have no real reason to move to XP or Vista.
A devoted Firefox User;
Tony
November 6th, 2006 at 2:20 pm
Tony,
I am hearing from a number of people that they would like to stick to their old software. Unfortunately, this means that you will be left out in the cold on your own because eventually Microsoft will not support you any longer. I understand where Microsoft is coming from with this because they need to focus on what people are using now and where Microsoft is heading.
But, I guess the other side of that coin is to ask, when was the last time you used Microsoft support? I think in the 10+ years that I have been in the IT industry, I have spoken with Microsoft support a grand total of once and that was for a pretty esoteric problem that had to do with a major network upgrade. I could probably have hired a consultant to do this for me.
Maybe being without Microsoft support isn’t all bad after all.
Tim
November 25th, 2006 at 11:52 am
hmm, an article about privacy. What about the click tracking java script built into this very page, does it not send very personal information like the exact location that I click on a page to a 3rd party (www.siteshots.com) without my authorisation?
Oh well I had fun clicking swear words into the page… Hope it gives someone a laugh when they view the heat shots
November 25th, 2006 at 1:20 pm
I think there is a big difference between me determining where people are clicking on the page to allow me to better design it and collecting information that any company’s IP policy would not allow outside of the network.
But, this does present another question:
Do people consider the location that you click on a webpage to be personal information? I never did but I could be way off base on that!
Tim
November 27th, 2006 at 11:06 am
Hello. Yeah, this really smells like there is something rotten about it.
I also think it is the safest way to use the internet.
I really like to be a private user, so I just think I’m going to keep on using Fox!
November 29th, 2006 at 9:13 am
Hi
As an addition to your excellent description above.
I too am a devoted firefox user. Running XP sp2 on a Dell Laptop.
I use IE purely for Windows Update
Last week I installed IE7 as part of a Windows Update. No problem.
Today I reran Windows Update.
Showed me 6 optional updates.
I like to check the details of each before installing hence clicked the details link and a popup window appears.
On the third such popup my firewall (Sygate) pops up to say that IE has loaded a new dll (legitcheckcontrol.dll) and do I wish to accept this. I refuse and now my IE7 refuses to load.
Of course this all may be coincidence,
but it did seem to suggest that MS waits a while before phoning home.
Given that Windows XP came preinstalled on my laptop I see no reason to fear or to swap the OS. But I do strongly dislike software phoning home. That’s why I run a proper firewall.
In future it seems I will have to find an alternative to Windows Update that enables me to avoid using IE at all.
Kevin
November 29th, 2006 at 9:25 am
Kevin,
If you are looking for a replacement for Windows Update, there are some options in my article Windows Update Without Windows Update.
Tim
February 7th, 2007 at 7:43 pm
I’m just waiting for the day banking websites stop insisting on IE and Active[he]X in order to check your statement.
Then I will be able to delete the IE icons and pretend it never existed -_^
June 23rd, 2007 at 8:34 pm
Lately I’ve become very untrusting with Microsoft, there’s only so very few programs I allow to connect through my firewall
I installed IE7 without thinking really and all it has done is caused me problems
Every 10-15 minutes, a new pop-up opens in IE7, sometimes 50 tabs will open up in IE7 in one go. I’ve banned IE7 and any of its components to access the internet but this hasn’t stopped it from randomly opening and trying to access the internet
One thing that shows something more sinister is occurring behind the scene with IE7 is the fact it somehow still has a connection to the internet and I regularly get viruses springing up when IE7 is loaded
It’s got to the point where I’ve had to uninstall IE7 (which now crashes my system on many occasions) and I’ve had to write a script in AutoIt to tell my virus scanner to auto heal any viruses found (if not healed then quarantine) when a pop-up occurs
All this started when I first used IE7
DON’T USE IT. Far too much risk for a pointless program. There are many programs out there that do the same job but better. I’m a big fan of Firefox and Opera and hate Microsoft even more as the days go by
If I could move to Linux, I would
April 23rd, 2008 at 12:53 pm
Picture this;
A person comes in your house and steals a CD and takes it home and plays it on his stereo, the cops find it in his stereo playing and the guy lives alone and is there with nobody else around. How serious will his punishment be?
Now, if he wasn’t caught but YOU trespassed into his house, placed some BUGS, say a couple cameras and microphones, and started recording what you received. Then the cops found the wire tapping items in his house and then found the recordings in your house and the equipment in your house. Who is the bigger criminal, and who gets the stiffest penalty???
You do of course.
So why does Microsoft get off the hook? What gives any software company the right to trespass into your personal data, or any data for their records beyond that one little thing of “A Sale Was Made”, just a count, they do not have the right to know if you installed it, or left it in the package.
I have many unopened items which are years old. Those companies have no right to quietly seek information of what I did, or how I used or did not use the items.
Trespassing, is trespassing, and it does not matter if there is a law about computer trespassing, the computer is MINE!!! It is in my possession in my LOCKED home!!! I paid for it, I own it, and all the space on it is my space, they pay no rent, they have no right to be in my space!!!!
Peeping Tom laws cover the snooping, electronic surveillance laws cover the software data sniffers, etc etc.
WE DO NOT NEED NEW LAWS FOR COMPUTERS AND INTERNET!!!
When the Constitution was written, the term “SECURE” instead of privacy was chosen for the simple reason it was a STRONGER MEANING THAN JUST PRIVACY. The old terms were from the meaning of a ship being secure, a hatch closed so tightly water CAN NOT get in. A vault so secure no thieves can open it to get to anything inside, not just private, “SECURE”!!!!!
To any lame judge who thinks “privacy” doesn’t mean much in the Constitution, I say PUT A CAMERA ON HIS/HER TOILET AND A BIG SCREEN TV IN HIS/HER FRONT YARD!!!
March 25th, 2009 at 1:32 am
This is a really good reason to just use Ubuntu. Theoretically, you can go over all the source code, compile it yourself, and know what it’s doing. Even if that’s not practical, at least you aren’t paying someone to spy on you.
Give them a stick, and sooner or later, they will hit you with it.