Question about how a legitimate Windows KMS works

bcredeur97

Where I work we have a -not mentioned company- who has camera servers on our network... I noticed in Task Scheduler there is a task that is scheduled to run called "AutoKMS" and Windows is frequently not activated on these computers... seems a little fishy because I know AutoKMS is used to pirate windows. And I can't believe they could possibly be doing this in a business environment.


How can I figure out whether this is an actual hack tool vs a legitimate windows KMS service, because I know that is a thing as well?

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


how many servers? if i recall correctly KMS has a minimum number of systems requesting activation before it can be used, i think for windows server OSes the minimum number of systems is 5 (don't remember 100% tho)

CPU: i7-8700K

Motherboard: ASUS Prime Z370-A

Memory: 32GB TridentZ RGB

GPU: Gigabyte GTX970 G1 Gaming
Storage: 256GB Samsung 850 Pro, 4TB WD Black, 1TB Seagate somethingorother


Just now, Hekoki said:

how many servers? if i recall correctly KMS has a minimum number of systems requesting activation before it can be used, i think for windows server OSes the minimum number of systems is 5 (don't remember 100% tho)

They have at least 8. So it passes that test.

The thing that bothers me is MS seems to stick to calling it just simple "KMS". whereas if you do a google search for "AutoKMS" that's where you get all the Hack tools/Viruses/etc.

I can remote into at least one of these systems to figure it out... but I need to know what to look for.

They have a page explaining what kms is https://technet.microsoft.com/en-us/library/ff793434.aspx

To make it short it's just automated software to activate windows, maybe a volume based one.

it's completely legitimate "IF" the routed connection is going through microsoft servers rather than a "pirated" server, which can also be hosted locally, which many autoKMS are doing to activate windows even without internet.


1 minute ago, Blebekblebek said:

They have a page explaining what kms is https://technet.microsoft.com/en-us/library/ff793434.aspx

To make it short it's just automated software to activate windows, maybe a volume based one.

it's completely legitimate "IF" the routed connection is going through microsoft servers rather than a "pirated" server, which can also be hosted locally, which many autoKMS are doing to activate windows even without internet.

so how do I figure out where it's pointing is the question...

 

4 minutes ago, bcredeur97 said:

so how do I figure out where it's pointing is the question...

i've done a bit of googling, and if they're using KMS activation there should be a KMS server on the network that the other servers connect to, in the case of a KMS 'hack' the KMS server is on the system itself and the server doesn't contact any other servers to verify the validity of the activation.

 

my googling also suggests that anywhere that it's autoKMS is piracy

 

EDIT: i guess you could just ask them and see what they say lmao


9 minutes ago, Hekoki said:

 

i've done a bit of googling, and if they're using KMS activation there should be a KMS server on the network that the other servers connect to, in the case of a KMS 'hack' the KMS server is on the system itself and the server doesn't contact any other servers to verify the validity of the activation.

 

my googling also suggests that anywhere that it's autoKMS is piracy

 

EDIT: i guess you could just ask them and see what they say lmao

I looked through the event viewer per the article @Blebekblebek posted, near the bottom I noticed there should be two events, in both of which you can clearly see the IP that the systems are trying to access...

So I went digging around in the event viewer, found tons of the events and they were all pointing to NOT localhost/127.0.0.1 like I would expect if it's piracy, but an IP that we do not have on our network...  but it would be within our Subnet. which is interesting.

Not sure what to think about that.
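The checks discussed in the posts above (what the "AutoKMS" task actually runs, and which host the activation events point at), as an added example that is not part of the original thread. It assumes Windows 10 / Server 2016-era cmdlets; the event ID and provider name come from Microsoft's KMS documentation rather than from the posts, and the "host:port" layout of the event text is an assumption.

```powershell
# Added example: read-only triage of a Windows host with a suspicious "AutoKMS" task.

# 1. What does each KMS-named scheduled task launch, and is that binary signed?
Get-ScheduledTask | Where-Object TaskName -like '*KMS*' | ForEach-Object {
    foreach ($action in $_.Actions) {
        # Non-exec actions (e.g. COM handlers) have no Execute property.
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)".Trim('"'))
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { Get-AuthenticodeSignature -LiteralPath $exe }
        [pscustomobject]@{
            Task      = $_.TaskPath + $_.TaskName
            Author    = $_.Author
            Execute   = $exe
            Arguments = $action.Arguments
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    }
} | Format-List

# 2. KMS host the licensing service is configured with, or discovered via DNS.
Get-CimInstance -ClassName SoftwareLicensingService |
    Select-Object KeyManagementServiceMachine, KeyManagementServicePort,
        DiscoveredKeyManagementServiceMachineName, DiscoveredKeyManagementServiceMachinePort |
    Format-List

# 3. KMS targets recorded in activation request events (ID 12288), Application log.
#    Assumption: the event text carries the target as a comma-separated "host:port" field.
$filter  = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Security-SPP'; Id = 12288 }
$targets = Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match ',\s*([^,\s]+):(\d+)\s*,') {
            [pscustomobject]@{ KmsHost = $Matches[1]; Port = [int]$Matches[2] }
        }
    } | Sort-Object KmsHost, Port -Unique

# 4. Is each target this machine itself (loopback or one of its own addresses)?
$self = @('127.0.0.1', 'localhost', $env:COMPUTERNAME) + @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
foreach ($t in $targets) {
    [pscustomobject]@{
        KmsHost   = $t.KmsHost
        Port      = $t.Port
        IsSelf    = $self -contains $t.KmsHost
        Reachable = Test-NetConnection -ComputerName $t.KmsHost -Port $t.Port `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
    }
}
```

An unsigned task binary, or a target with `IsSelf` true, matches the local-emulator pattern described in the thread. A target elsewhere on the network that is unreachable still has to be traced to a host someone actually owns.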

Just now, bcredeur97 said:

I looked through the event viewer per the article @Blebekblebek posted, near the bottom I noticed there should be two events, in both of which you can clearly see the IP that the systems are trying to access...

So I went digging around in the event viewer, found tons of the events and they were all pointing to NOT a local IP, but an IP that we do not have on our network... which is interesting.

Not sure what to think about that.

can you find out if its a microsoft ip address?


Just now, Hekoki said:

can you find out if its a microsoft ip address?

it's not. It's a 10.3.x.x

Our subnet is 10.x.x.x so that's actually right.... but we have 0 network devices on "10.3.x.x"

well, the last thing to do is track the ip address

I don't think they would use pirated key for the machine

most likely they just don't know how to activate properly, I am for one not sure how to activate a volume based license.

But even if they do use pirated keys, does it matter?

Worst thing to do is remind the company that the OS isn't activated, someone probably skimming licensing money.


4 minutes ago, Blebekblebek said:

well, the last thing to do is track the ip address

I don't think they would use pirated key for the machine

most likely they just don't know how to activate properly, I am for one not sure how to activate a volume based license.

But even if they do use pirated keys, does it matter?

Worst thing to do is remind the company that the OS isn't activated, someone probably skimming licensing money.

My current thinking is the system was activated at their home location, then when the systems were brought here.. suddenly the KMS server doesn't exist. And they are ok with it I guess? not like windows 10 de-activates anyway... just disables personalization features. (perhaps they used the same 10.x.x.x IP format that we have here... Completely possible)

Only possible Red Flag is that "AutoKMS" in Task Scheduler. Which gives no other information other than "AutoKMS" and I would think a MS-created Task would have a better description than that.

1 minute ago, bcredeur97 said:

My current thinking is the system was activated at their home location, then when the systems were brought here.. suddenly the KMS server doesn't exist. And they are ok with it I guess? not like windows 10 de-activates anyway... just disables personalization features.

makes the most sense to me.

or they make hardware upgrades/changes, it does affect this whole activating thingy.

To make it more simple just find out the serial number and ask microsoft directly, I understand asking the company might be unethical thing to do.


39 minutes ago, Hekoki said:

how many servers? if i recall correctly KMS has a minimum number of systems requesting activation before it can be used, i think for windows server OSes the minimum number of systems is 5 (don't remember 100% tho)

5 for servers 25 for clients


3 hours ago, Blebekblebek said:

well, the last thing to do is track the ip address

I don't think they would use pirated key for the machine

most likely they just don't know how to activate properly, I am for one not sure how to activate a volume based license.

But even if they do use pirated keys, does it matter?

Worst thing to do is remind the company that the OS isn't activated, someone probably skimming licensing money.

Would you hire a company that uses pirated or illegally obtained equipment?

Corsair 4000D RGB

Asus B550 Tuf Gaming II

Asus 7700XT Tuf Gaming

AMD 5600x3d

32gb 3200mhz gskil 

 


15 minutes ago, BadluckBrian said:

Would you hire a company that uses pirated or illegally obtained equipment?

Question goes back to you, do you never use pirated or illegally obtained equipment?

 

I live in Indonesia, even the government use pirated software, personally, I don't care. At all.

But legally speaking, there's nothing illegal by using unactivated windows, unless you can prove me otherwise.


2 minutes ago, Blebekblebek said:

Question goes back to you, do you never use pirated or illegally obtained equipment?

 

I live in Indonesia, even the government use pirated software, personally, I don't care. At all.

But legally speaking, there's nothing illegal by using unactivated windows, unless you can prove me otherwise.

Okay, you might. But in a business environment it's way more ethical to be legitimate. It's just a shady thing to do in an actual business environment, but your morals might differ


Just now, BadluckBrian said:

Okay, you might. But in a business environment it's way more ethical to be legitimate. It's just a shady thing to do in an actual business environment, but your morals might differ

I'm not a perfect choice for your moral compass

 

Either way, I don't care, using unlicensed windows 10 (at least for now) is not illegal, and that's the only thing that matters.


27 minutes ago, Blebekblebek said:

I'm not a perfect choice for your moral compass

 

Either way, I don't care, using unlicensed windows 10 (at least for now) is not illegal, and that's the only thing that matters.

my problem with it comes from the fact that they could possibly be using non-legitimate tools in an attempt to activate the software non-legitimately.

If it was just unactivated windows, fine. But These are machines on OUR network that while they probably don't, they COULD pose a security risk to us. For all we know there could be some kind of backdoor in those tools or something. We don't know. and we didn't know they even did this, I appear to be the first one to find these oddities.

that's my problem with it. Whether my management cares or not, is up to them. I've already been discussing this with our network admin a bit.