Retrieve/decrypt Windows 7 product key from Linux

windows-7 linux windows-registry product-key decryption

22,289

Solution 1

There is a great tool available for Linux called chntpw. You can get it easily on Debian/Ubuntu via:

sudo apt install chntpw

To look into the relevant registry file mount the Windows disk and open it like so:

chntpw -e /path/to/windisk/Windows/System32/config/software

Now to get the decoded DigitalProductId enter this command:

dpi \Microsoft\Windows NT\CurrentVersion\DigitalProductId

Solution 2

For those who are not shy to do a little bit of coding.

I found an algorithm about 10 years ago and implemented it in C# (See below)

If you just want to run it on Windows

I took the liberty to convert it to a powershell script:

$dpid = Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name "DigitalProductId"

# Get the range we are interested in
$id = $dpid.DigitalProductId[52..(52+14)]

# Character table
$chars = "BCDFGHJKMPQRTVWXY2346789"

# Variable for the final product key
$pkey = ""

# Calculate the product key
for ($i=0; $i -le 24; $i++) {
    $c = 0

    for($j=14; $j -ge 0; $j--) {
        $c = ($c -shl 8) -bxor $id[$j]

        $id[$j] = [Math]::Floor($c / 24) -band 255

        $c = $c % 24
    }
    $pkey = $chars[$c] + $pkey
}
# Insert some dashes
for($i = 4; $i -gt 0; $i--) {
    $pkey = $pkey.Insert($i * 5, "-")
}
$pkey

Run this and you get your product key. (So no coding for you after all)

Original post

So this is the actual C# code I dug up and commented.

public static string ConvertDigitalProductID(string regPath, string searchKey = "DigitalProductID") {
    // Open the sub key i.E.: "Software\Microsoft\Windows NT\CurrentVersion"
    var regkey = Registry.LocalMachine.OpenSubKey(regPath, false);
    // Retreive the value of "DigitalProductId"
    var dpid = (byte[])regkey.GetValue(searchKey);
    // Prepare an array for the relevant parts
    var idpart = new byte[15];

    // Copy the relevant parts of the array
    Array.Copy(dpid, 52, idpart, 0, 15);

    // Prepare the chars that will make up the key
    var charStore = "BCDFGHJKMPQRTVWXY2346789";

    // Prepare a string for the result
    string productkey = "";

    // We need 24 iterations (one for each character)
    for(int i = 0; i < 25; i++) {

        int c = 0;
        // Go through each of the 15 bytes of our dpid
        for(int j = 14; j >= 0; j--) {
            // Shift the current byte to the left and xor in the next byte
            c = (c << 8) ^ idpart[j];

            // Leave the result of the division in the current position
            idpart[j] = (byte)(c / 24);

            // Take the rest of the division forward to the next round
            c %= 24;
        }
        // After each round, add a character from the charStore to our key
        productkey = charStore[c] + productkey;
    }

    // Insert the dashes
    for(int i = 4; i > 0; i--) {
        productkey = productkey.Insert(i * 5, "-");
    }

    return productkey;
}

You'll have to pass it Software\Microsoft\Windows NT\CurrentVersion as a Key, where it'll find the DigitalProductId

At that time MS Office Products used the same algorithm, so by providing the function with the relevant registry key it could calculate those product keys as well.

You can of course refactor the function so that it takes a byte array as input.

As for today. I just tested it on my Windows 10 Machine, and it still works.

Solution 3

Here is a Python port of the other answer (adapted for Windows 8.1). The advantage of this over chntpw is that it will work even with drives in read-only state.

Requirements:

pip install python-registry

Code:

#!/usr/bin/env python
import sys
from Registry import Registry
reg = Registry.Registry("/path/to/drive/Windows/System32/config/RegBack/SOFTWARE")
# Uncomment for registry location for Windows 7 and below:
#reg = Registry.Registry("/path/to/drive/Windows/system32/config/software")
key = reg.open("Microsoft\Windows NT\CurrentVersion")
did = bytearray([v.value() for v in key.values() if v.name() == "DigitalProductId"][0])
idpart = did[52:52+15]
charStore = "BCDFGHJKMPQRTVWXY2346789";
productkey = "";
for i in range(25):
  c = 0
  for j in range(14, -1, -1):
    c = (c << 8) ^ idpart[j]
    idpart[j] = c // 24
    c %= 24
  productkey = charStore[c] + productkey
print('-'.join([productkey[i * 5:i * 5 + 5] for i in range(5)]))

22,289

sundiata

Updated on September 18, 2022

Comments

sundiata almost 2 years

I accidentally disconnected my hard drive while it was still running and corrupted my Windows 7 installation; I am now completely unable to boot into Windows. I have tried everything to try and repair the installation: Windows Startup Repair, chkdsk /r, SFC /scannow, bootrec /rebuildbcd, etc. and no luck. I want to just perform a fresh install, but my problem is that I do not have my Windows product key written down anywhere, and I am unable to use any scripts or utilities to retrieve it from the registry because I cannot boot into Windows.

Windows 7 product keys are stored, encrypted, in the "DigitalProductId" value of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion. I was able to mount the corrupted Windows partition read-only from an Ubuntu live CD and copy the Windows\System32\config\SOFTWARE registry hive, which contains the key & value in question, to a flash drive, but loading this hive into regedit on a working Windows installation and then trying to use scripts or utilities to decrypt the loaded "DigitalProductId" value only returns the product key of the host Windows installation, no matter how much fiddling I try. I've tried contacting Microsoft support and they've been rather unhelpful. Would anyone be able to guide me further? Perhaps if there's a different way to retrieve the product key from Linux?

If someone more familiar with scripting/cryptography would be willing to try and follow the decryption script to decrypt the product key by hand, I could e-mail you the exported "DigitalProductId" value, SOFTWARE registry hive, and decryption script.
- JasonXA about 9 years
  
  This doesn't sound right. If you bought a license you should have the key. Now, on the other hand, if you got your hands on someone elses windows image and want to extract its key, that's not really the point of this site.
- sundiata about 9 years
  
  I did buy a license. I have the installation DVD but can't find the product key that came with it. But I think I may have found a solution here: dagondesign.com/articles/windows-xp-product-key-recovery/…
- JasonXA about 9 years
  
  Yes, that does seem to work. Using the method I did manage to reproduce my key.
- David H about 9 years
  
  If your firmware is UEFI-based, the license key is actually stored in the ACPI MSDM table so it persists across a reboot. If so, see blog.fpmurphy.com for details on how to recover it.
Mohamed EL HABIB almost 7 years

The path to the relevant registry file is into /path/to/windisk/Windows/System32/config/RegBack/SOFTWARE
Mark Kirby almost 7 years

This is a great answer, I quoted it on Ask Ubuntu askubuntu.com/a/953130/75060
Paddy Landau almost 7 years

Thank you for this. Please make a note to check the case of the folder and file names. In my case, I had to use uppercase SOFTWARE for the file name.
Mark Kirby almost 7 years

This is a good answer but the question is very old and may not recieve many views. As you are a member, please consider adding your answer to our current Ask Ubuntu post askubuntu.com/questions/953126/…
MrPaulch almost 7 years

Thank you. But i believe it would be off topic over there. I may slap together a pseudo code implementation. And refer to this post as an actual implementation.
Mark Kirby almost 7 years

No problem, do what you think is best
Lenar Hoyt almost 6 years

The inner loop was one iteration too short. It should work now.
Markus von Broady over 4 years

If you have problems reading the system32 folder, try making a copy and supplying the path to the copy to the chntpw.