How to Validate a Serial Number or PID in MSI Setups Created in VS.NET

• Download source files - 143 Kb

Introduction

The MSDN article Q253683 describes how to validate a serial number during an MSI install created with VSI 1.1. However, the architecture of the MSI has changed somewhat in VS.NET and the instructions given for creating the custom action DLL may be difficult to follow for developers who are not experienced C++ programmers.

This article outlines how to adapt the procedure to an MSI created with VS.NET, and also gives detailed instructions on how to compile the custom action DLL.

Background

There are a wide variety of product registration strategies.

On one end of the spectrum are the typical "try-and-buy" techniques used with relatively small Internet download applications. The simplest technique is creating two downloads, one for the trial and one for the purchased product. More sophisticated methods usually involve embedding the registration code within the application itself, and rely on registry entries to determine when the trial ends or if a license has been obtained.

At the other end of the spectrum are shrink wrapped mass produced media that require a product key (PID) such as those Microsoft employs for its products.

Neither of these cases require special packaging skills from the typical developer. In the first case, the registration is achieved by familiar techniques - simply programming the trial and registration code into the app itself. The latter case invariably is handled by a department that exists solely for deployment management, and the code developers are not part of the process.

Occasionally, the developer themselves need to create media such as CDs for distribution without having the benefit of support from a dedicated group. This presents a problem for the app developer who generally does not have a lot of packaging expertise. This article is for the developer who needs to create a small number of media and wishes to require the user to enter a product key during the setup.

A simple technique that is manageable for a small number of deployment media is to create a product key file that uses some sort of encryption, and include it on the distribution media. The setup can then be modified to include a custom action that reads the product key file and validates the product key entered by the user.

This technique is outlined here.

Philosophy of licensing

This is not a discussion of licensing strategies, however one concept merits discussion. Some developers spend an undue time and effort trying to ensure their product is not used without a valid license. This is a futile endeavor.

The simple try-and-buy strategies are used to encourage most people to simply buy a relatively inexpensive product rather than using it illegally. But anyone who has a good working knowledge of the registry and programming techniques can figure out how to circumvent a trial period restriction. The philosophy here is that most people do not have this expertise, and besides, how much effort is it worth to avoid paying $39.95 for a spyware utility?

On the other hand, there is real interest in protecting higher value products like those marketed by Microsoft. But it is simply not feasible! Obviously, if you require a product key, you must supply the key with the media, and there is no way to prevent people from simply making copies of the product. So why do companies like MS invest the considerable resources required to create mass media with license keys? There are several reasons. The ROI comes not from the license key, but rather from the serial number! It is reasonable to assume that while many people who acquire legal software never actually register it, many do register. And that provides MS with valuable marketing information about how their products are acquired, because each time a product is registered, MS can look at the serial number and determine if the product was acquired as an OEM included with a new computer, a standalone shrink-wrapped app such as MS Word that was purchased from a vendor, or a shrink-wrapped suite of products like Office that was purchased from a vendor. All this information helps drive how they price, package, and distribute their products!

Also, having a standard process for generation of license keys and media makes it much simpler to prosecute bootlegged illegal products, but in practical terms this is much less of a consideration than acquiring marketing demographics.

Realistically, requiring a user to have a valid license key using the technique described in this article does very little to keep unlicensed copies from being made. So why bother? In my opinion, the reason is mainly if you create media for distribution of your product, users tend to expect a license key. Including this is mostly about creating a professional, high quality presentation for your product deployment. But you should understand that in terms of preventing unlicensed use of your product, the big boys have never been able to accomplish this and neither will you! Sorry, but that is the way it is!

About the Code

The download contains an HTML page that describes how to implement product key validation using a custom action DLL in MSI deployments created in VS.NET. The example DLL code simply uses a hard coded PID key value, but outlines the basic steps required to read this key from a file included with your setup.

The project and the source code for creating the custom DLL in VS.NET C++ is also included, along with more detailed instructions than the original MSDN article contained, in case you are not an experienced C++ developer.

A sample MSI that has been modified to perform PID validation is also included so that you can examine the MSI of a typical modified package in Orca.

To perform the modifications you will need a C++ compiler to create the DLL. The article describes the specifics for using VS.NET C++. Although creating the project and setting the compiler options are slightly different, the source code also works in VC++ 6.

You will also need to have the Windows Installer SDK installed, which is free for download.

Finally, the VS.NET IDE creates a dialog where the PID is labeled as "Serial Number". You will probably want to change this to "Product Registration Key", or "Product License Key", etc.. I leave this as an exercise for the reader. If you follow the instructions for the implementation as shown, you should be able to easily figure out how to modify the dialog label text.