It's official: upgrade hack included in Vista SP1

Windows Secrets Newsletter • Issue 147 • 2008-04-03 • Circulation: over 400,000

Table of contents

Top Story: It’s official: upgrade hack included in Vista SP1
Known Issues: VirtualBox is an impressive VM contender
Wacky Web Week: Video shows top 10 ways to break your server
Woody's Windows: Use Vista’s superior system font in XP
Perimeter Scan: Powerful net monitoring: learn the whys and hows

Top Story

It’s official: upgrade hack included in Vista SP1

By Scott Dunn

The new Service Pack 1 version of Windows Vista allows end users to purchase the “upgrade edition” and install it on any PC — with no need to purchase the more expensive “full edition.”

The same behavior was present when Vista was originally released, but the fact that the trick wasn’t removed from SP1 suggests that Microsoft executives approved the back door as a way to make the price of Vista more appealing to sophisticated buyers.

Previous Windows version not needed for upgrade

Just after Vista was first released to consumers on Jan. 30, 2007, an article in the Windows Secrets Newsletter explained that the upgrade edition of the operating system could be installed on a “clean” hard drive. For whatever reason, Vista had been programmed to accept itself as a “qualifying product.” This eliminated any need for users to purchase the full edition of Vista or to upgrade Vista only over an older instance of Windows.

The Feb. 1, 2007, article by Windows Secrets editorial director Brian Livingston explained that the procedure is supported by several built-in dialog boxes. This indicates that the trick had been deliberately included by Vista’s developers.

To boost the sales of retail packages, Microsoft announced just over one month ago significant price cuts in Vista, beginning with Service Pack 1. The savings over the old prices vary among different Vista versions, such as Home Premium, Business, and Ultimate. In the U.S., the list price of the upgrade edition is at least $100 cheaper than the full edition. Smaller savings exist in other markets, such as Canada and the European Union, as shown in the table below.

The price reductions on the Service Pack 1 version of Vista are even more significant because the upgrade trick still works in SP1, rendering unnecessary the purchase of Vista’s full edition.

Shortly after the hidden upgrade method was published, Microsoft officials publicly stated that the procedure would violate Vista’s end-user license agreement. Section 13 of the Vista EULA (PDF version) says, “To use upgrade software, you must first be licensed for the software that is eligible for the upgrade.”

“We believe only a very small percentage of people will take the time to implement this workaround, and we encourage all customers to follow our official guidelines for upgrading to Windows Vista, which can be found at WindowsVista.com, instead,” said a Microsoft press representative quoted in a News.com article on Feb. 14, 2007. “Following these guidelines will allow customers to easily and validly upgrade to Windows Vista,” he continued.

Since that time, of course, Microsoft has had over one year to remove the upgrade back door before releasing the SP1 version of Vista. Livingston believes that the company must have consciously decided not to do so.

“The fact that the upgrade edition will still upgrade over itself in Vista SP1 proves that Microsoft executives knowingly support the upgrade trick,” he says. “I think the feature was deliberately included to make it unnecessary for more advanced and price-sensitive users to ever buy the full version. There is no ethical dilemma with people using a feature that Microsoft has specifically programmed into Vista.”

Ironically, the original release of Vista’s upgrade edition was disappointing to many consumers. They’d been told by Microsoft that the Vista upgrade process would no longer accept the insertion of a disc containing an older version of Windows as proof that Vista was upgrading over a qualifying product.

Instead, users heard from Microsoft that the Vista upgrade procedure must be launched while a copy of Windows 2000 or XP was actually running. The upgrade trick that Vista developers included, however, renders that requirement moot. A Vista upgrade disc will install and activate properly even on a blank hard drive that has never previously been used.

Installing software from an original distribution disc to an empty hard drive, which is called a “clean install,” is a best practice recommended by security organizations, such as NIST and US-CERT. Vista, unlike XP and previous Windows versions, doesn’t make a clean install easy.

The original Windows Secrets article contains step-by-step instructions on upgrading Vista in this way. In a nutshell, the procedure involves booting a PC from the Vista upgrade DVD. Next, a clean install is performed without the user entering the disc’s product key or downloading any patches.

Once this unactivated, trial version of Vista is running, the setup program is launched again — this time from within Vista. At this point, the “upgrade” option is selected, the product key is entered, and Vista can be activated exactly like the full edition of the product.

Upgrading Vista on a clean machine works in SP1

Once Microsoft released the SP1 version of Vista, I tested the upgrade trick again to see whether the company had removed the feature. I used an upgrade disc of Vista Ultimate SP1 that I’d ordered at retail from Amazon.com.

I repeated the original steps and found they work just as well on the SP1 version of Vista as they did on the old version.

For PC users who are thinking about installing Windows Vista, the upgrade technique has even more value than it did last year. There are two reasons:

1. Quality. Vista SP1 is arguably a better product than the old, gold version of the operating system. SP1 includes 551 bug fixes, according to a white paper available from a Microsoft.com download page. The company claims in a press release that SP1 addresses security, reliability, and performance concerns with the older version of Vista.

2. Price. Whether or not you believe Vista was overpriced before, it’s clearly a less-expensive product now than it was a year ago. As reported by Computerworld, the price cuts range from zero to 47%, depending on the country and the version of Vista.

Table 1, below, shows that the upgrade edition of Vista is always cheaper than the full edition of the same version (Home Premium, Business, and Ultimate.) The figures are based on documents provided to Windows Secrets by Microsoft’s public relations firm, Waggener Edstrom.

The following table shows Microsoft’s new suggested list prices and the percentage reduction from Vista’s original prices. Street prices for Vista SP1 currently average about 10% less than suggested retail.

Table 1. New Vista SP1 list prices and percentage reductions from the originals.

United States (in U.S. dollars)	Full edition	Upgrade edition
Vista Home Premium	$ 239 ( 0%)	$ 130 (–19%)
Vista Business	$ 299 ( 0%)	$ 199 ( 0%)
Vista Ultimate	$ 320 (–20%)	$ 220 (–15%)

Canada (in Canadian dollars)	Full edition	Upgrade edition
Vista Home Premium	C$ 206 (–26%)	C$ 113 (–26%)
Vista Business	C$ 253 (–27%)	C$ 233 ( 0%)
Vista Ultimate	C$ 263 (–27%)	C$ 243 ( –1%)

United Kingdom (in pounds)	Full edition	Upgrade edition
Vista Home Premium	£ 103 (–27%)	£ 50 (–47%)
Vista Business	£ 127 (–27%)	£ 117 ( 0%)
Vista Ultimate	£ 132 (–44%)	£ 122 (–21%)

Euro Zone (in euros)	Full edition	Upgrade edition
Vista Home Premium	€ 147 (–34%)	€ 81 (–46%)
Vista Business	€ 201 (–28%)	€ 187 ( 0%)
Vista Ultimate	€ 208 (–44%)	€ 194 (–21%)

Vista upgrading over itself is no accident

After all the publicity, the fact that the upgrade back door is still present in Vista SP1 is a strong indication that the feature has at least the tacit support of Microsoft officials. Indeed, the upgrade label on Vista retail packages, then and now, states that a “clean install may be required.”

There’s no question that users who own a license for Windows 2000 or XP can legitimately save time and money by buying the upgrade edition of Vista and not having to first install the older operating system on a PC.

Although a clean install of Vista’s upgrade edition — without any prior purchase of 2000 or XP — may violate the Vista license, the result is clearly an installed copy of Vista that is indistinguishable from a full edition.

The upgrade edition’s lower cost, Microsoft’s overall price cuts for Vista, and the fact that Service Pack 1 need not be downloaded and installed separately make Vista SP1 a somewhat better value for users who didn’t buy the OS earlier.

Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.

Known Issues

VirtualBox is an impressive VM contender

By Scott Dunn

My Mar. 27 lead story described Microsoft’s Virtual PC and VMWare’s VMWare Player as virtual-machine software that PC users should consider — but there’s a great alternative to both.

A few readers recommended VirtualBox, and my tests show that this open-source upstart includes the best features of both of its competitors.

Innotek provides a worthy virtual-machine option

Reader Dominic Sim was one of our subscribers who thinks there’s a superior way to run XP under Vista using a virtual machine:

“I have tried both VMware and Microsoft VPC, but for overall compatibility with XP, Vista, and Linux OSes, I would recommend VirtualBox.

“It works out of the box, and it’s (equally) free. Perhaps you could give it a try.”

The program comes from Innotek, a subsidiary of Sun Microsystems. I obtained a copy from the company’s download page, installed VirtualBox, and gave it a test drive.

Based on my trial, VirtualBox seems to me to offer the best features of both Microsoft’s Virtual PC and VMware Player.

Like VMware Player, VirtualBox supports access to USB devices (which Microsoft’s software does not). VirtualBox is, however, much easier to install and set up than VMWare Player. As with Virtual PC, you need to install some support programs (Innotek calls them “Guest Additions”) to get the full value that VirtualBox offers.

Note: The normal install procedure, pulling down VirtualBox’s Device menu and selecting the Install Guest Additions option, failed for me. I was, however, able to install the additions by accessing the VBoxGuestAdditions.iso file as a virtual CD drive. The installer puts the .iso file alongside the program in the same folder as VirtualBox. You don’t need to download anything separately.

VirtualBox has a few nifty features. One is the ability to change the resolution of the virtual machine, on the fly, as you resize its window.

Although I haven’t been able to spend enough time with VirtualBox to give you a complete review, my test drive with the product so far has been very promising.

You need more than virtual security for a VM

Fran Parker reminds us of a security issue in Virtual PC:

“(It) might be good to mention the potential for vulnerability of things crossing the guest/host barrier.”

Parker says it’s important to note Microsoft security bulletin MS07-049. This bulletin points out that (1) if the system running as the guest inside the virtual machine is compromised, and (2) the guest user has administrator privileges, an intruder can run programs or execute code on the host operating system.

Avoid this serious problem by making users of the XP virtual machine log in to that VM as users without administrator rights.

Reader Victor Sacco points out another practical necessity for VM systems.

“With regard to your article about Virtual Machines, I agree they are useful, however, I don’t think you talked enough about their limitations. For instance… the guest OS in a VM is vulnerable to malware just like the host OS, so it needs its own security software installed if it will be connected to the Internet.”

He’s right to remind users to install a security suite on the guest operating system, just as you’d do on the host OS.

Finally, on the topic of security, it should be mentioned that the “shared folders” feature of any virtual machine poses known security risks. Shared folders allow the VM and the host machine to share files and other data — a doorway through which more than just files can move.

Users need to balance these risk against the potential usefulness of the technique when they consider running virtual-machine software.

I’d like to credit the many readers who sent in suggestions to run Windows XP in a virtual machine within Vista. Their comments were in response to my Feb. 14 story on how to set up a dual-boot machine to run both Vista and XP.

David Gustafson was the first reader to recommend the VM approach, which is the concept that became the subject of my Mar. 27 article on virtual machines. Gustafson received a gift certificate for sending the comment that resulted in the article.

Run Virtual PC on XP Home and Vista Home Premium

A handful of readers pointed out that Microsoft’s Virtual PC download page makes no mention that the program will run under XP Home Edition or Vista Home Premium. Many readers assumed, therefore, that the program wouldn’t run under either OS.

I should have reminded readers of a previous article reporting that Virtual PC works just fine on XP Home and Vista Home Premium. That secret from readers appeared in an article on Aug. 2, 2007.

Running Virtual PC on either OS, however, goes against the terms of Microsoft’s license. To repeat a caution from the earlier article, if you run Virtual PC outside of the license terms, don’t expect any support from Microsoft.

Readers Sim, Parker, and Sacco will each receive a gift certificate for a book, CD, or DVD of their choice for sending tips we printed. Send us your tips via the Windows Secrets contact page.

Wacky Web Week

Video shows top 10 ways to break your server

The staff of Scalent Systems labor ceaselessly to quell your common computing woes — again and again.

In this humorous 2-minute video, Scalent employees describe the 10 most common ways you can break your server. They assure us that, no matter how far you may “accidentally” throw the machine you love to hate, they’ll be able to bring it back!

Rest assured, kind readers, that no software was harmed during the making of this video. Play the video

Woody's Windows

Use Vista’s superior system font in XP

By Woody Leonhard

My last column explained how to make Vista’s all-new application fonts (Calibri, Candara, Corbel, Cambria, Constantia, and Consolas) work for free on your Windows XP or 2000 computer.

This week, permit me to show you how to install Vista’s new system font, Segoe UI, on your Windows XP computer — yes, legally — and use it as your WinXP system font.

What the heck is a Segoe UI?

Easy question. Controversial answer.

Segoe UI (pronounced “see-go you-eye”) is Microsoft’s system font for Vista, and it’s a font I like a lot. As with the six Vista fonts I told you how to get free in my Mar. 20 article, you can get Segoe UI for free — legally.

The controversial part of the answer requires a little background.

Few fonts have ever engendered such wrath — or billable hours for expensive lawyers. This much can be said for sure: the Segoe saga started with type company Monotype and its Segoe creator, typeface designer Steve Matteson.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

Perimeter Scan

Powerful net monitoring: learn the whys and hows

By Ryan Russell

This week, I’ll cover some of the benefits of using advanced tools such as Wireshark and give you detailed answers to some of your questions from my previous columns.

Wireshark can reveal the stream of attacks your PC faces every day, so you can focus on the priority events you need to deal with.

Reason #1: expose invisible skullduggery

In my Mar. 20 article, I asked for feedback and, boy, I got it. I received more e-mails than I have for any other column I’ve written.

I said I’d give you examples this week of why you’d want to monitor your network traffic. Some concrete benefits of using a packet-capture utility such as Wireshark are:

Monitoring outgoing traffic from your computer to determine if your PC has any infections;
Detecting and removing overly chatty programs that you may not really need; and
Debugging connection problems, both in hardware and in applications.

Here’s my single favorite use, and one I think you’ll find fun: watching the blizzard of attacks that pound on your Internet connection. Not everyone realizes just how many attempts to infect your PC are being made every hour.

A few years back, security consultant Kevin Mitnick and I did a study, as reported in USA Today, on how long it took unpatched, unprotected machines on the Internet to be compromised. Typically, it took only minutes.

With a packet-capture utility such as Wireshark, you can see the kinds of attacks we studied, but you’ll need to have certain prerequisites in place. Please note that what I’m instructing you to do in the next few paragraphs is educational and fun, but it does temporarily increase a PC’s exposure to malware.

This article is part of our paid content. Subscribe.

Already a paid subscriber? Click here to login.

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com. All other marks are the trademarks or service marks of their respective owners.

HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page.

WE GUARANTEE YOUR PRIVACY:

1. We will never sell, rent, or give away your address to any outside party, ever.
2. We will never send you any unrequested e-mail, besides newsletter updates.
3. All unsubscribe requests are honored immediately, period. Privacy policy

HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,

Visit our Unsubscribe page.

Table of contents

Top-scoring articles in the past 12 months

Internet Services

Web Development

Digital Marketing

Consumer Tech