Petreley's column: If you think you can beat Microsoft, think again

Last week, I described how Microsoft software creates a Global User ID (GUID) from your Ethernet card's unique Media Access Control (MAC) address, and how Windows ships this and other information to Microsoft without your knowledge. Microsoft Office also uses the GUID to brand every file you save.

Microsoft promised some fixes, but several readers wrote in to tell me how they already beat the system. However, the GUID system isn't as easy to subvert as you may think.

Some readers claim they are safe because they told Windows not to send configuration information over the Internet when they registered Windows. Whoops. The registration software has an alleged bug that causes Windows to send all your personal information anyway.

What's it to me, you ask? You use a Macintosh. Bzzt. Microsoft Office for the Macintosh forms your GUID from your current MAC address and stamps all saved files with it. Office for the Macintosh also sends user information to Microsoft without your knowledge or consent.

Some say they are immune because they mail their registrations in via the post office and never register via the Internet. Bzzt. Think again. If Microsoft wants your GUID, all it has to do is embed the RegWiz ActiveX control into any Web page. RegWiz is an ActiveX control that can ship your GUID and personal information to Microsoft the moment you visit that Web page. And you'll never know it happened.

No problem, you say. You can configure Windows to forget the RegWiz ActiveX control exists. All you have to do is change to the \Windows\System directory and run the command regsvr32.exe -u regwizc.dll. Heck, you can even delete the regwizc.dll and regwiz.exe files. Bzzt. Unfortunately, this solution isn't terribly effective. Any program you run using Windows -- be it a software installation, update, or application -- can reinstate the RegWiz ActiveX control without your knowledge.

Speaking of which, this should obliterate any fantasy you may have that you can make ActiveX safe for use over the Internet by embedding controls with digital signatures. Digital signatures work fine if you visit a Web page that contains an ActiveX control that is not already on your system. But the reason you are never asked permission regarding the RegWiz control is that you didn't get RegWiz from the Internet. It came on your Windows CD-ROM.

In fact, if anyone wants information from your PC and needs to circumvent ActiveX security, all he or she has to do is design a Trojan horse ActiveX control and drop it into a freeware, shareware, or commercial application. If you use Internet Explorer, you'll never know when a Web page causes that control to reveal secrets about you behind your back.

But let's get back to Microsoft and the GUID. You say you changed your network card since you installed Windows 98. So if your computer happens to send a GUID to Microsoft today, it will point to the wrong network card. Bzzt. Wrong. Against all reason, the RegWiz ActiveX control doesn't send the original GUID it created when you installed Windows -- the very GUID it continues to use throughout your registry. Instead, RegWiz creates a brand new GUID every time you run it. The new GUID includes the MAC address of your current network card, not the old one.

Fine, but you figure this can't possibly apply to Microsoft Office. After all, Microsoft stores the old GUID in the registry and in the default document template NORMAL.DOT. When it brands Office documents with a GUID, it must be using the old MAC address, right? Bzzt. When you create a new document, it brands the document with the new GUID based on the Ethernet address of your current network card.

Finally, some readers expressed the opinion that Microsoft isn't really interested in your MAC address but is simply using it for the GUID because it is a unique number. Frankly, we may never know. But because Microsoft creates a new GUID based on your current MAC address even when it doesn't make sense to do so, it seems as if only one of two things can be happening here. Either Microsoft programmers are lazy and incompetent. Or, for reasons known only to Microsoft, Microsoft wants to be able to get your current MAC address. I'll let you decide.

Former consultant and programmer, Nicholas Petreley can be reached at nicholas_petreley@infoworld.com, and you can visit his forum at www.infoworld.com.

Join the newsletter!

Error: Please check your email address.

More about Microsoft

Show Comments