
Inside the Windows 95 Registration Wizard

Last updated: January 2, 1996
by Andrew Schulman
Senior Editor, O'Reilly & Associates
andrew@ora.com

------------------------------------------------------------------------

The "Online Registration" feature of Microsoft's Windows 95 (Win95), 
also known as the "Registration Wizard" (RegWiz), has been the subject 
of much rumor and more or less idle speculation.
Of special concern is RegWiz's ability to collect information on 
applications (both Microsoft and non-Microsoft) that a user has 
installed on their hard disk, and to send this information back to 
Microsoft via the Microsoft Network (MSN). As explained below, the name 
for this process is "Product Inventory": it is a feature of the 
PRODINV.DLL module included with Win95.

That Win95 can apparently tell what applications you have installed has 
generated numerous angry reactions online. A posting in the comp.risks 
newsgroup claims that Win95 "transmits your entire directory structure 
in [the] background" to MSN. Similar claims have appeared on Microsoft's 
forums on CompuServe, under headings such as "WIN95: Bye, Bye Privacy" 
and "Computer espionage by M$". RegWiz has prompted the Netsurfer Focus 
on Cryptography and Privacy to ask the worrisome question, "It's eleven 
o'clock at night. Do you know what your software is doing?"
Ralph Nader's Consumer Project on Technology has even urged President 
Clinton "to prevent federal agencies from buying Windows 95 until the 
information gathering features of the 'Registration Wizard' are disabled 
or modified" (Ralph Nader on Windows 95 Problems).
Microsoft has responded with a white-paper clarification (Microsoft on 
Windows 95 Online Registration Wizard) which acknowledges that the Win95 
Registration Wizard (RegWiz) collects the names of applications, but 
which also points out that the user must explicitly consent before this 
information is sent via modem to MSN, and that the information can be 
viewed in the file REGINFO.TXT.
But while the Microsoft clarification states that RegWiz "is simply an 
electronic version of the paper-based registration card," this appears 
not to be true. RegWiz's apparent ability to sniff out what applications 
you have is not matched by the printed registration card, which merely 
asks for general information on the sorts of software you use with your 
computer ("Reference & Education", "Games & Entertainment", "Personal 
Finance/Organizer", etc.).
To see exactly what happens during Windows 95 "Online Registration," I 
used a utility called FILEMON (File Monitor), by Stan Mitchell (see 
"Monitoring Windows 95 File Activity in Ring 0," Windows/DOS 
Developer's Journal, July 1995, pp. 6-24). Mitchell is writing a book on 
the Windows 95 file system, to be published by O'Reilly & Associates in 
1996.
(filemon.zip, available for download, includes filemon.exe, 
dynamically-loadable filemon.vxd, all source code, plus a regwiz.log 
file created while running the Registration Wizard under FILEMON. This 
is a NEW version of FILEMON, updated October 12, 1995.)
FILEMON lets you completely monitor all file-system activity under 
Windows 95. This makes it perfect for getting to the bottom of the 
rumors that have been circulating about RegWiz.
What FILEMON reveals is that RegWiz, far from conducting an 
indiscriminate search of a user's hard disk, instead searches for about 
100 specific applications, both from Microsoft and its competitors.
RegWiz is launched by clicking the "Online Registration" button in 
WELCOME.EXE, which is a small program that provides the initial "Welcome 
to Windows 95" tips and options. Clicking "Online Registration" launches 
a program named \WINDOWS\SYSTEM\REGWIZ.EXE (the full command line is 
"regwiz -i Software\Microsoft\Windows\CurrentVersion"). Neither WELCOME 
nor REGWIZ is necessary for running Win95.
REGWIZ.EXE in turn loads a dynamic-link library, 
\WINDOWS\SYSTEM\PRODINV.DLL. This is the "Product Inventory DLL," 
normally used for compliance checking of upgrades to Microsoft Office 
programs such as WinWord. (In fact, PRODINV.DLL's internal module name 
is "COMPLINC," for "compliance checking.") Of course, when you buy the 
upgrade edition of something like WinWord, there needs to be a mechanism 
to check that in fact you really are upgrading from some previous word 
processor -- be it a previous version of WinWord, or a competitor's word 
processor, such as AmiPro or WordPerfect. So there's an encrypted 
database (the reasons for this encryption are discussed below) inside 
PRODINV of about 100 products, indicating that if a given EXE of a given 
size range is found within a given subdirectory, then you've got a given 
product, and are entitled to the reduced-price upgrade.
The Microsoft Office 95 Registration Wizard is described in detail in 
Appendix A of the online Office 95 Resource Kit; see the "Launch 
Registration Wizard" section.
Examining the file PRODINV.DLL turns up some intriguing-sounding 
strings, such as "Registry Search", "INI File Search", "Big Search", and 
"Hard Disk Search". The DLL exports a function called 
"RegProductSearch," which is called by REGWIZ.EXE.
Examining the file REGWIZ.EXE turns up the names of the people who 
worked on it: 

- Software development: Tracy Ferrier
- Program management: David Gonzalez, Peggy Angevine
- Quality assurance: Sharmilli Ghosh
- Special thanks to: Evelyn and Lauren

RegWiz will list up to twelve applications that a user owns; these are 
stored in the text file REGINFO.TXT and in the registry 
("HKEY_CURRENT_USER\Software\Microsoft\User information"). Once REGWIZ 
has written this information, it runs the SIGNUP program (C:\Program 
Files\The Microsoft Network\SIGNUP.EXE), which is normally used to 
sign-up new users for the Microsoft Network (MSN). The command line is: 
signup.exe Software\Microsoft\User information

SIGNUP uses standard (although apparently undocumented) MSN functions to 
send data over the modem. Data sent by SIGNUP eventually appears at the 
WriteMosSlot function in MOSCL.DLL (MOS stands for "Microsoft Online 
Service," an internal name for MSN).
The product inventory section of one REGINFO.TXT might look like this: 
Product Inventory 1 = Microsoft Word for Windows
Product Inventory 2 = Personal Oracle 7
Product Inventory 3 = Borland C++ for Windows
Product Inventory 4 = Microsoft Visual C++ 
Product Inventory 5 = Putt Putt
Product Inventory 6 = Treehouse
Product Inventory 7 = Lotus Notes
Product Inventory 8 = CompuServe
Product Inventory 9 = 
Product Inventory 10 = 
Product Inventory 11 = 
Product Inventory 12 = 

It's worth noting that the sample "Product Inventory" screen in 
Microsoft's white-paper clarification shows only Microsoft programs. But 
the upset generated by RegWiz has been due, of course, to its collection 
of information regarding non-Microsoft programs.
The applications in which RegWiz takes an interest are as follows (the 
names come directly from the PRODINV product inventory): 
------------------------------------------------------------------------

Applications Detected by Win95 Registration Wizard

3-D Dinosaur Adventure                  Aldus Pagemaker for Windows
Aldus Persuasion                        America On-line
AmiPro for Windows                      Approach for Windows 
Bookshelf 94 for Windows                Borland C++ for Windows
Borland Dbase                           Borland Delphi
Borland Paradox for DOS                 Borland Paradox for Windows
CA - Visual Objects                     Charisma 
Charisma for Windows                    Clipper
Complete Baseball for Windows           Comptons Multimedia Encyclopedia 
CompuServe                              Corel Draw for Windows
Crayola Art Studio                      Creative Writer
Creative Writer - Ghost Mysteries       DataEase 
DataEase for Windows                    dBase for Windows
Director's Lab DOS                      Encarta
Fine Artist                             Flight Simulator 
FoxPro for DOS                          FoxPro for Windows - Standard
Freddi Fish                             Gupta SQL Windows
Harvard Graphics                        Haunted House
Internet In A Box                       Kid Pix DOS
Kid Pix WIN                             Lion King Print Studio
Lion King Story Book                    Lotus 123 for Windows
Lotus Notes                             Lotus123 for DOS 
Mathblaster Episode 1                   Mathblaster Episode 2
Microsoft Access Developers Toolkit     Microsoft Access for Windows 
Microsoft Access Upsizing Tool          Microsoft Encarta '95
Microsoft Excel for Windows             Microsoft Money
Microsoft Office for Windows            Microsoft Powerpoint for Windows 
Microsoft Project for Windows           Microsoft Publisher
Microsoft Visual Basic Professional     Microsoft Visual C++ 
Microsoft Visual FoxPro for Windows     Microsoft Word for DOS
Microsoft Word for Windows              Microsoft Works for Windows
Mind Your Money                         Money
MSB - Human Body                        MSB - Solar
My First Encyclopedia                   NCSA Mosaic for Windows
Oregon Trail                            Oregon Trail 2
Personal Oracle 7                       PGA Tour 486 
Playroom                                PowerBuilder Enterprise 4 for NT 
PowerBuilder Enterprise 4 for Windows   PowerPlus
Print Shop Deluxe for Windows           Prodigy
Putt Putt                               Quattro Pro for DOS
Quattro Pro for Windows                 Quick C for Windows
Quicken for Windows                     Rabbit Ears - Leopard
Reader Rabbit 1                         Reader Rabbit 2
Relentless                              Scenes
Spider Man Cartoon Maker                SuperBase
Treehouse                               Turbo Pascal for Windows 
Where in Space is Carmen San Diego      Where in the USA is Carmen
Where in the World is Carmen San Diego  Wine Guide
WordPerfect for DOS                     WordPerfect for DOS
WordPerfect for Windows

------------------------------------------------------------------------
While there are many Microsoft applications listed here, note that there 
are also many from other vendors. Some major commercial applications, 
such as Lotus Freelance Graphics, do not appear on the list, while many 
programs for children, such as Treehouse and Reader Rabbit, are 
included.
Given that RegWiz ships this information over the Microsoft Network 
(MSN), it's interesting to note that RegWiz checks for the major online 
services that compete with MSN, such as America On-line, CompuServe, and 
Prodigy. Two Internet-related products, NCSA Mosaic for Windows and 
Internet in a Box, appear on the list, but Netscape does not.
It is a somewhat random collection of applications in which RegWiz takes 
an interest. It's worth noting, for example, that the list of 
applications known to WINBUG.DAT (part of the Win95 bug-reporting 
program) is quite different.
Most striking, of course, is the presence of many non-Microsoft 
productivity applications, such as AmiPro for Windows, Borland Dbase, 
Borland Paradox, Gupta SQL Windows, Lotus Notes, Lotus 123, Personal 
Oracle 7, Quattro Pro, and WordPerfect.
Is all this a cause for concern? After all, as Microsoft points out, the 
user must explicitly allow RegWiz to upload this information to 
Microsoft. The user can choose not to run Online Registration at all. 
They can, without any harm to Win95, delete REGWIZ.EXE and even 
WELCOME.EXE.
But what is a Microsoft Office upgrade mechanism doing as part of the 
operating system's online registration? Why is the operating system 
being used to collect customer lists and/or statistical information on 
applications that compete with those from Microsoft? The Registration 
Wizard appears to be yet another case in which Microsoft has blurred the 
distinction (whatever distinction remains) between its applications and 
operating-system divisions. Were I a Microsoft competitor whose product 
appeared in the encrypted PRODINV database, I wouldn't be happy with 
Microsoft acquiring (for free) a good chunk of my customer list, via 
online registration for Windows 95, which is supposed to be a platform 
supporting my product.
So, it's not really an invasion of privacy issue, but is very possibly 
an anti-competitive problem: Microsoft is using its control over the 
operating system to gain information about applications that compete 
with its own applications.
How does PRODINV determine that you have one or more of the products in 
its encrypted database? Running the FILEMON utility alongside RegWiz 
revealed that a large number of directory names were being checked. The 
output from FILEMON looks like this (... indicates lines removed for 
brevity): 
------------------------------------------------------------------------

Extract from FILEMON Output

 031         Open   C:\WINDOWS\WELCOME.EXE
...
 058         Open   C:\WINDOWS\SYSTEM\REGWIZ.EXE
...
 080         Open   C:\WINDOWS\SYSTEM\PRODINV.DLL
...
 136 e  GetAttrib   K:\MSOFFICE\ACCESS
 137 e  GetAttrib   K:\ACCESS
 138 e  GetAttrib   K:\MSOFFICE\ACCESS
 139 e  GetAttrib   K:\WORLDMPC
 140 e  GetAttrib   K:\SPACE
 141 e  GetAttrib   K:\CAVO
 142 e  GetAttrib   K:\DBASEWIN\BIN
 143 e  GetAttrib   K:\DELPHI
 144 e  GetAttrib   K:\DELPHI\BIN
 145 e  GetAttrib   K:\DISNEY\LKASB
 146 e  GetAttrib   K:\LKSTUDIO
 147 e  GetAttrib   K:\MYMWIN2
 148 e  GetAttrib   K:\ORAWIN\BIN
 149 e  GetAttrib   K:\PB4
 150 e  GetAttrib   K:\PB4NT
 151 e  GetAttrib   K:\TLC\RR1
...
 180 e  GetAttrib   C:\AOL20
 181 e  GetAttrib   C:\WAOL
 182 e  GetAttrib   C:\BC4
 183 e  GetAttrib   C:\CSERVE
 184 e  GetAttrib   C:\AMIPRO
 185 e  GetAttrib   C:\PRODIGY
 186 e  GetAttrib   C:\ALDUS
 187 e  GetAttrib   C:\IBOX
 188 e  GetAttrib   C:\DBASE
 189 e  GetAttrib   C:\DBASE
 190 e  GetAttrib   C:\PDOXWIN
...
 032 e  GetAttrib   C:\KA\TREE
 033 e  GetAttrib   C:\TREEHSE
...

------------------------------------------------------------------------
Simplifying the FILEMON output, here is a complete list of the 
directories for which RegWiz (actually, the ProdInv "product inventory" 
module) searches: 
------------------------------------------------------------------------

Directories Scanned by Win95 "Product Inventory"

\123R4D            \123R4W            \ACCESS            \ALDUS
\AMIPRO            \AOL20             \APPROACH          \BASEBALL
\BC4               \BS                \CAVO              \CHARISMA
\CIE               \CLIPPER5\BIN      \CLIPPER5\LIB      \CRAYOLA
\CSERVE            \DBASE             \DBASEWIN\BIN      \DEASE
\DELPHI            \DELPHI\BIN        \DEWIN             \DINO3D
\DISNEY\LKASB      \ENCARTA           \EXCEL             \FLTSIM5
\FOXPRO2           \FOXPROW           \FPW26             \GUPTA
\HG                \HG3               \HGW               \IBOX
\KA\SPIDERCM       \KA\TREE           \KIDPIX            \LKSTUDIO
\LOSTCITY          \MBWINCD           \MECC\OTII         \MOSAIC
\MSKIDS            \MSKIDS\LEAOPARD   \MSMONEY           \MSOFFICE
\MSOFFICE\ACCESS   \MSOFFICE\SETUP    \MSPUB             \MSTOOLS
\MSTOOLS\C\DLAB    \MSVC20\BIN        \MSWINE            \MSWORKS
\MYMWIN2           \NOTES             \OFFICE\WPWIN      \ORAWIN\BIN
\OTWIN             \PB4               \PB4NT             \PDOX45
\PDOXWIN           \PERSUASI          \PGA486            \PLAYWRLD
\POWERPNT          \PRODIGY           \PROJ              \PSDWIN
\PUTTPUTT          \PWPLUS            \QCWIN             \QPRO
\QPW               \QUICKENW          \RELENT            \SB4W
\SCENES            \SPACE             \TLCWIN\RR2WIN     \TLC\RR1
\TPW               \TREEHSE           \VB                \VFP
\WAOL              \WINDOWS           \WINDOWS\CHARISMA  \WINDOWS\CORELDRW
\WINPROJ           \WINWORD           \WINWORD\C\DLAB    \WORD
\WORKS             \WORLDMPC          \WP                \WP50
\WP51              \WP60              \WPWIN             \WPWIN60

------------------------------------------------------------------------
If these directories actually existed, it makes sense that RegWiz would 
start looking for specific files within these directories. So the next 
step was to write a batch file which created all these directories, and 
then rerun RegWiz alongside FILEMON. Now FILEMON revealed RegWiz 
searching for specific files within directories. For example: 
------------------------------------------------------------------------

Extract from FILEMON Output (2)

085 e    FndOpen   E:\AOL20\WAOL.EXE
086    GetAttrib   E:\WAOL
087 e    FndOpen   E:\WAOL\WAOL.EXE
088    GetAttrib   E:\BC4
089 e    FndOpen   E:\BC4\BCW.EXE
090    GetAttrib   E:\CSERVE
091 e    FndOpen   E:\CSERVE\WINCIM.EXE
092    GetAttrib   E:\AMIPRO
093 e    FndOpen   E:\AMIPRO\AMIPRO.EXE
094    GetAttrib   E:\PRODIGY
095 e    FndOpen   E:\PRODIGY\PRODIGY.EXE
096    GetAttrib   E:\ALDUS
097 e    FndOpen   E:\ALDUS\ALDSETUP.EXE
098    GetAttrib   E:\IBOX
099 e    FndOpen   E:\IBOX\AIRMOS.EXE
100    GetAttrib   E:\DBASE
101 e    FndOpen   E:\DBASE\DBASE.EXE
...

------------------------------------------------------------------------
Extracting filenames from the FILEMON output and sorting them yielded 
the following list of filenames in which RegWiz (again, actually the 
Win95 PRODINV.DLL "product inventory" module) takes a direct interest: 
------------------------------------------------------------------------

Files Scanned by Win95 "Product Inventory"

\123R4D\123.EXE                 \123R4W\123W.EXE
\ACCESS\SCWIZ.DLL               \ACCESS\SETUPWIZ.MDB
\ACCESS\SWU2016.DLL             \ACCESS\WZCS.MDA
\ALDUS\ALDSETUP.EXE             \ALDUS\PR2.EXE
\AMIPRO\AMIPRO.EXE              \AOL20\WAOL.EXE
\APPROACH\APPROACH.EXE          \BASEBALL\BASEBALL.EXE
\BC4\BCW.EXE                    \BS\BS94.EXE
\CAVO\CAVO.EXE                  \CHARISMA\CHARISMA.BIN
\CHARISMA\CHARISMA.EXE          \CIE\CIE.EXE
\CLIPPER5\BIN\CLIPPER.EXE       \CLIPPER5\LIB\CLIPPER.LIB
\CRAYOLA\STUDIO.EXE             \CSERVE\WINCIM.EXE
\DBASEWIN\BIN\DBASEWIN.EXE      \DBASE\DBASE.EXE
\DBASE\DBASEIV.ICO              \DEASE\DE16M.EXE
\DEASE\DEASE.EXE                \DELPHI\BIN\DELPHI.EXE
\DELPHI\DELPHI.EXE              \DEWIN\DEWIN.EXE
\DINO3D\KAWIN.EXE               \DISNEY\LKASB\LIONKING.EXE
\ENCARTA\ENCART95               \EXCEL\EXCEL.EXE
\FLTSIM5\FS5.COM                \FOXPRO2\FOXPRO.EXE
\FOXPRO2\FOXPROX.EXE            \FOXPROW\FOXPROW.EXE
\FPW26\FOXPROW.EXE              \GUPTA\C\DLAB
\GUPTA\SQLWIN50.EXE             \HG3\HG3.EXE
\HGW\HG20.EXE                   \HGW\HGW.EXE
\HGW\HGW1.DLL                   \HGW\HGW2.DLL
\HGW\HGW20.EXE                  \HGW\HGW2EXP.DLL
\HGW\HGW3.DLL                   \HGW\HGW4.DLL
\HGW\HGWPLAY.EXE                \HG\HG.EXE
\IBOX\AIRMOS.EXE                \KA\SPIDERCM\SPIDERCM.EXE
\KA\TREE\TREE.EXE               \KIDPIX\KIDPIX.EXE
\KIDPIX\KPWIN.EXE               \LKSTUDIO\LIONKING.EXE
\LOSTCITY\LOSTCITY.EXE          \MAIN123W.EXE
\MBWINCD\MB4.INI                \MECC\OTII\OTIILB.EXE
\MOSAIC\MOSAIC.EXE              \MSKIDS\ARTIST.EXE
\MSKIDS\GWICON.IC               \MSKIDS\HHOUSE.ICO
\MSKIDS\LEAOPARD\LEOPARD.EXE    \MSKIDS\MSBHUMAN.EXE
\MSKIDS\MSBSOLAR.EXE            \MSKIDS\WRITER.EXE
\MSMONEY\MSMONEY.EXE            \MSOFFICE\ACCESS\SCWIZ.DLL
\MSOFFICE\ACCESS\SETUPWIZ.MDB   \MSOFFICE\ACCESS\SWU2016.DLL
\MSOFFICE\ACCESS\WZCS.MDA       \MSOFFICE\MSOFFICE.EXE
\MSOFFICE\SETUP\OFF40_BB.DL_    \MSOFFICE\SETUP\OFF42_BB.DL_
\MSOFFICE\WINWORD\WINWORD.EXE   \MSPUB\MSPUB.EXE
\MSTOOLS\WORD.COM               \MSVC20\BIN\MSVC.EXE
\MSWINE\WINEGDE.EXE             \MSWORKS\MSWORKS.EXE
\MYMWIN2\MYMWIN.EXE             \OFFICE\WPWIN\WPWIN.EXE
\OFFICE\WPWIN\WPWIN61.EXE       \ORAWIN\BIN\ORAINST.EXE
\OTWIN\OREGON.EXE               \PB4NT\PB040.EXE
\PB4\PB040.EXE                  \PDOX45\PARADOX.AUX
\PDOXWIN\PDOXWIN.EXE            \PERSUASI\(C)ALDUS.'92
\PERSUASI\PR2.EXE               \PGA486\PGA486.COM
\PLAYWRLD\PLAYROOM.EXE          \POWERPNT\POWERPNT.DLL
\POWERPNT\POWERPNT.EXE          \PRODIGY\PRODIGY.EXE
\PSDWIN\PSDWIN.EXE              \PUTTPUTT\PUTTPUTT.INI
\PWPLUS\PWPLUS.EXE              \QCWIN\QCWIN.EXE
\QPRO\Q.EXE                     \RELENT\RELENT.EXE
\SB4W\SB4W.EXE                  \SCENES\SCENES.EXE
\SPACE\CARMEN.EXE               \TLCWIN\RR2WIN\RR2WIN.EXE
\TLC\RR1\RR1.EXE                \TPW\TPW.EXE
\TREEHSE\TREEHSE.EXE            \VB\VB.EXE
\VFP\VFP.EXE                    \WAOL\WAOL.EXE
\WIN95\LOTUS.INI                \WINDOWS\CHARISMA\CHARISMA.EXE
\WINDOWS\CORELDRW\CORELDRW.EXE  \WINDOWS\HEGAMES.INI
\WINWORD\WORD.COM               \WORD.EXE
\WORD\WORD.EXE                  \WORKS\WORKS.EXE
\WORLDMPC\CARMEN.EXE            \WP50\WP.EXE
\WP51\WP.EXE                    \WP60\WP.EXE
\WPWIN60\WPWIN.EXE              \WPWIN\WPWIN.EXE
\WP\WP.EXE

------------------------------------------------------------------------
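
The reduction used for the two lists above (FILEMON output to sorted, 
de-duplicated directory and file names) can be scripted. The Python below 
is an added example, not code from the article or from FILEMON. It assumes 
the log layout shown in the two extracts and treats the "e" column as 
"the call failed", which is inferred from those extracts.

```python
import re

# sequence number, optional "e" flag, operation, drive letter, path
LINE = re.compile(r"^\s*(\d+)\s+(e\s+)?(\w+)\s+([A-Za-z]):(\\\S.*?)\s*$")

def parse_filemon(text):
    """Return (seq, flagged, op, drive, path) for every line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # "..." elision lines and headings simply do not match
            seq, flag, op, drive, path = m.groups()
            events.append((int(seq), bool(flag), op, drive.upper(), path.upper()))
    return events

def summarize(events):
    """Reduce probe events to the drive-independent lists shown in the article."""
    dirs, files, hits, drives, unparented = set(), set(), set(), set(), set()
    for _seq, flagged, op, drive, path in events:
        if op == "GetAttrib":              # directory existence probe
            dirs.add(path)
            if not flagged:                # ASSUMPTION: no "e" means the call succeeded
                hits.add((drive, path))
        elif op == "FndOpen":              # probe for one file inside a directory
            files.add(path)
            if (drive, path.rsplit("\\", 1)[0]) not in hits:
                unparented.add(path)       # file probe with no earlier directory hit
        else:
            continue                       # e.g. Open of REGWIZ.EXE itself
        drives.add(drive)
    return {
        "directories": sorted(dirs),
        "files": sorted(files),
        "drives": sorted(drives),
        "directory_hits": sorted(hits),
        "unparented_file_probes": sorted(unparented),
    }

# Sample input: lines taken from the two FILEMON extracts on this page.
SAMPLE = r"""
 058         Open   C:\WINDOWS\SYSTEM\REGWIZ.EXE
...
 137 e  GetAttrib   K:\ACCESS
 143 e  GetAttrib   K:\DELPHI
 182 e  GetAttrib   C:\BC4
 188 e  GetAttrib   C:\DBASE
 189 e  GetAttrib   C:\DBASE
...
088    GetAttrib   E:\BC4
089 e    FndOpen   E:\BC4\BCW.EXE
100    GetAttrib   E:\DBASE
101 e    FndOpen   E:\DBASE\DBASE.EXE
"""

if __name__ == "__main__":
    for name, values in summarize(parse_filemon(SAMPLE)).items():
        print(name, values)
```
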
This list should lay to rest the idea that RegWiz scans your entire hard 
disk. On the contrary, it has specific things it is looking for. Indeed, 
the list is so specific that one might ask what happens when a user 
installs a product in a directory other than the vendors' recommended 
directory: how then would RegWiz find it? We'll get to that later. For 
now, the important thing is that RegWiz (via PRODINV) does not do an 
indiscriminate search of your hard disk, but has specific targets in 
mind.
The next obvious step was to try to create some of these files, and see 
if RegWiz decided that I now had a given product. However, creating 
dummy (0-byte) files with the correct names, or files with 
arbitrarily-chosen contents but with the correct names, did not induce 
RegWiz to believe the corresponding product was installed. Evidently, 
RegWiz needed something other than directory and file names: perhaps a 
file checksum, size, date, or a particular pattern of bytes within the 
file.
To find how RegWiz (ProdInv, actually) was deciding that a user had a 
product, I needed to find where it kept information associating 
directory/file names with product names. However, a full search of my 
hard disk turned up no occurrences of strings such as "TREEHSE" or 
"TREEHSE.EXE" or "CARMEN.EXE", aside from the ones that showed up in the 
FILEMON logs.
Evidently, then, the actual "product inventory" is kept on disk in 
compressed and/or encrypted form, and is decrypted in memory only 
when PRODINV is loaded.
The next step was to run RegWiz under the Soft-ICE Windows debugger 
(Nu-Mega Technologies), and stop the program when it is calling the 
operating-system functions that search for directories and files. The 
key such function is FindFirstFileA, provided by KERNEL32.DLL. I set a 
debugger "breakpoint" on this function, ran RegWiz, and clicked "Online 
Registration."
Sure enough, I could see the names of the directories and files that 
showed up in the FILEMON output being passed in. I was then able to "walk 
back" to the place from where FindFirstFileA was being called: it turned 
out, not surprisingly, to be inside PRODINV.DLL. From there, I had to 
step back again to see from where these names were coming. I finally 
located a buffer in memory that looked like this: 
------------------------------------------------------------------------

Debugger Hex Dump of PRODINV Product Inventory

Break Due to BPMB #013F:009AFA0C W DR3 C=01
:d eax
013F:004436C5 77 6F 72 64 2E 63 6F 6D-2C 5C 77 69 6E 77 6F 72 word.com,\winwor
013F:004436D5 64 2C 31 35 30 30 2C 39-30 30 30 30 2C 33 30 3A d,1500,90000,30:
013F:004436E5 4D 69 63 72 6F 73 6F 66-74 20 57 6F 72 64 20 66 Microsoft Word f
013F:004436F5 6F 72 20 44 4F 53 09 0A-77 6F 72 64 2E 63 6F 6D or DOS..word.com
013F:00443705 2C 5C 77 69 6E 77 6F 72-64 2C 31 35 30 30 2C 39 ,\winword,1500,9
013F:00443715 30 30 30 30 2C 33 30 3A-4D 69 63 72 6F 73 6F 66 0000,30:Microsof
013F:00443725 74 20 57 6F 72 64 20 66-6F 72 20 44 4F 53 09 0A t Word for DOS..

------------------------------------------------------------------------
At this point, it was trivial to locate the beginning and end of the 
buffer, and write it to disk. (Recall that the database is stored on 
disk in encrypted form; this is why a search of the entire hard disk did 
not find it.) Here are some selected portions of the PRODINV product 
inventory:

------------------------------------------------------------------------

PRODINV Product Inventory: Extracts

winword6.ini,Microsoft Word,programdir,1,winword.exe,3000000,4000000,2:Microsoft Word for Windows 
win.ini,embedding,Word.Document.6,3,,3000000,4000000,2:Microsoft Word for Windows 
win.ini,Microsoft Word 2.0,programdir,1,winword.exe,1000000,2000000,2:Microsoft Word for Windows  
win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows 
lotus.ini,Lotus Applications,amipro,1,amipro.exe,1000000,1500000,20:AmiPro for Windows 
win.ini,AmiPro,dictionary,1,amipro.exe,1000000,1200000,20:AmiPro for Windows 
win.ini,extensions,nsf,1,notes.exe,,,43:Lotus Notes 
...
waol.exe,\aol20,12000,15000,54:America On-line  
waol.exe,\waol,12000,15000,54:America On-line   
bcw.exe,\bc4,850000,920000,45:Borland C++ for Windows   
wincim.exe,\cserve,850000,890000,56:CompuServe  
amipro.exe,\amipro,700000,2000000,20:AmiPro for Windows 
prodigy.exe,\prodigy,550000,560000,57:Prodigy   
aldsetup.exe,\aldus,280000,290000,46:Aldus Pagemaker for Windows    
airmos.exe,\ibox,600000,650000,75:Internet In A Box 
dbase.exe,\dbase,0,500000,21:Borland Dbase  
dbaseiv.ico,\dbase,0,2000,21:Borland Dbase
...

------------------------------------------------------------------------
The first set of entries reference .INI (initialization) files, which in 
turn reference file and/or directory names. For example, 
"win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows"
means to look for a WPWin6.0= entry in the [embedding] section of 
WIN.INI, and to treat the third comma-delimited field as a full 
directory/filename. If that file is between 10,000 and 25,000 bytes, 
RegWiz decides you have WordPerfect for Windows. Thus, the following 
WIN.INI entry: 

[embedding] 
WPWin6.0=foo,foo,C:\FOO\FOOBISH.EXE,foo

along with a file named C:\FOO\FOOBISH.EXE, whose size is between 
10,000 and 25,000 bytes, will trigger RegWiz to display "WordPerfect for 
Windows" as one of the products on the user's machine. The use of .INI 
files allows RegWiz to detect some applications installed in 
non-standard directories.
However, the bulk of the product inventory directly references directory 
and file names, without an intermediary .INI file. For example, the last 
two entries shown above indicate that, if a user has \DBASE\DBASE.EXE 
(size anywhere from 0 to 500,000 bytes) or if they have 
\DBASE\DBASEIV.ICO (size anywhere from 0 to 2,000 bytes), then they have 
product #21, "Borland Dbase."
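
The two record layouts just described, as an added Python example (not 
code from the article or from PRODINV.DLL): it parses records copied from 
the extract above and applies the name-plus-size-range test to a 
constructed file listing. Assumptions: size bounds are inclusive, an empty 
bound means no limit, and in .INI records that name a file the selected 
field is a directory to which that file name is appended.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Record:
    kind: str            # "direct" or "ini"
    product_id: int
    product: str
    filename: str        # empty in some ini records
    lo: Optional[int]    # size bounds in bytes; None when the field is empty
    hi: Optional[int]
    where: tuple         # direct: (directory,)  ini: (ini file, section, key, field no.)

def parse_record(line):
    """Split one inventory line: 5 comma fields = direct, 8 = ini."""
    fields, _, product = line.strip().partition(":")
    parts = fields.split(",")
    num = lambda s: int(s) if s else None
    if len(parts) == 5:
        name, directory, lo, hi, pid = parts
        where = (directory,)
    elif len(parts) == 8:
        ini, section, key, field, name, lo, hi, pid = parts
        where = (ini.lower(), section, key, int(field))
    else:
        raise ValueError("unrecognized record: " + line)
    kind = "direct" if len(parts) == 5 else "ini"
    return Record(kind, int(pid), product.strip(), name, num(lo), num(hi), where)

def ini_value(text, section, key):
    """Case-insensitive lookup of key= inside [section] of .INI text."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif "=" in line and current == section.lower():
            k, _, v = line.partition("=")
            if k.strip().lower() == key.lower():
                return v.strip()
    return None

def candidate_paths(rec, drives, ini_files):
    """Full paths whose size the record would have checked."""
    if rec.kind == "direct":
        return [d + ":" + rec.where[0] + "\\" + rec.filename for d in drives]
    ini, section, key, field = rec.where
    value = ini_value(ini_files.get(ini, ""), section, key)
    parts = value.split(",") if value else []
    if not 1 <= field <= len(parts):
        return []
    target = parts[field - 1].strip()
    if rec.filename:  # ASSUMPTION: the field is a directory; append the file name
        target = target.rstrip("\\") + "\\" + rec.filename
    return [target]

def inventory(records, files, drives, ini_files):
    """Product names reported for a {path: size} file listing."""
    sizes = {p.upper(): s for p, s in files.items()}
    found = []
    for rec in records:
        for path in candidate_paths(rec, drives, ini_files):
            size = sizes.get(path.upper())
            if size is None or rec.product in found:
                continue
            # ASSUMPTION: bounds are inclusive; an empty bound means "no limit"
            if (rec.lo is None or size >= rec.lo) and (rec.hi is None or size <= rec.hi):
                found.append(rec.product)
    return found

# Records below are copied from the extracts on this page.
RECORDS = [parse_record(l) for l in r"""
win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows
win.ini,extensions,nsf,1,notes.exe,,,43:Lotus Notes
waol.exe,\aol20,12000,15000,54:America On-line
wincim.exe,\cserve,850000,890000,56:CompuServe
dbase.exe,\dbase,0,500000,21:Borland Dbase
dbaseiv.ico,\dbase,0,2000,21:Borland Dbase
""".strip().splitlines()]
# WIN.INI text is the article's example; the file sizes are constructed sample data.
WIN_INI = "[embedding]\nWPWin6.0=foo,foo,C:\\FOO\\FOOBISH.EXE,foo\n"
FILES = {r"C:\FOO\FOOBISH.EXE": 12000, r"C:\CSERVE\WINCIM.EXE": 870000,
         r"E:\DBASE\DBASEIV.ICO": 766, r"C:\AOL20\WAOL.EXE": 5}
RESULT = inventory(RECORDS, FILES, ["C", "E"], {"win.ini": WIN_INI})
```

In the constructed listing, WAOL.EXE has the right name and directory but 
a size outside 12000-15000, so America On-line is not reported.
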
So why is the PRODINV "product inventory" encrypted? I suspect because 
it was originally written for Microsoft Office. A nearly-identical 
module named OFF95INV.DLL comes with Office 95; WRD95INV.DLL comes with 
WinWord. (It's worth noting that the actual encrypted "product 
inventory" for these modules is quite different from the one in Win95. 
For example, OFF95INV.DLL will look for Lotus Freelance for Windows. A 
list of the products for which OFF95INV.DLL will search can be found on 
the side of the Office 95 box.) The database is encrypted because 
otherwise it would be trivial to fool this "wizard" (hmm...; examination 
of RegWiz/ProdInv shows it to be anything but wizardly) simply by 
creating an appropriately-sized file with the appropriate name in the 
appropriate subdirectory.
This makes perfect sense for application upgrades. But does it make 
sense for the operating system's online registration?
Microsoft's white-paper clarification says: "Registration enables 
Microsoft to send information about Microsoft programs that are tailored 
for users needs and interests." While there is nothing wrong in 
Microsoft seeking to interest WordPerfect or AmiPro users in Microsoft 
Word, surely they could find a more appropriate venue in which to do so 
than the online registration of Windows itself, which is supposed to 
support all applications, not just those from Microsoft.

