2

I'm deploying software that is licensed based on uniquely identifiable computer characteristics. I am wondering about the Manufacturer-assigned serial number of an internal fixed hard-disk.

To be clear, I am not referring to the Volume Serial Number which changes every time you format a Windows hard drive. I mean the manufacturer-specific number that corresponds (usually) to what is physically written on the label on the outside of the drive. My software uses low level APIs (e.g. DeviceIoControl on Windows) to read it.

Is it possible for software to "spoof" this ID? My understanding is that while software can query it, it cannot change it because it comes from firmware. Is that correct? (I've avoided using MAC addresses for this very reason, among others)

Joe
  • What if a customer's machine crashes and they need to set up a backup machine? Or what if they want to run on virtual machines? – Limit Mar 22 '21 at 21:56
  • 1
    If they need a backup machine then they need a new license. We don't permit our software to run on Virtual machines – Joe Mar 22 '21 at 22:36

1 Answer

1

The hard disk hardware serial number and volume ID can easily be spoofed. There are even tools available for doing this. See https://www.raymond.cc/blog/changing-or-spoofing-hard-disk-hardware-serial-number-and-volume-id/.

mti2935
  • 1
    Found that article before. Those tools change the volume serial number, not the manufacturer-assigned device serial number. The last tool, "PB Downforce", *looks* like maybe it *might* change the actual number but even the comments in the article cast doubt on that. And it triggers virus-protection software. And it looks like it changes it only for one run of a program. And the APIs it appears to use are ones I've already investigated so I am doubtful. – Joe Mar 22 '21 at 22:50
  • 2
    @Joe: it would have been helpful if you actually included what you already found into your question, instead of letting others dig up information, only then to be presented with "I already know this and this is not what I'm looking for". – Steffen Ullrich Mar 23 '21 at 05:31
  • @Steffen, While I appreciate people's attempts to help, I was not asking people to Google things for me. I was asking if anyone who already knew about the topic might weigh in. I was quite explicit in my question that I did not mean the Volume Serial Number. The person who answered missed that. They ran the same Google search I did, found the same result and posted it. I understand this was meant to be helpful and I am grateful, I really am. But I didn't think it was necessary to tell people that I know how to use Google and it seemed rude to tell them to read thoroughly – Joe Mar 23 '21 at 15:05
  • 1
    Before this turns into a full-blown pissing match - Joe, your question reminded me of a project that I was working on ~20 years ago (in the Windows XP days), where the stakeholder wanted to key his software to the hard drive id. At the time, I remember finding tools that could be used to spoof the hard drive id. I did a quick Google search, to see if I could find the same (or similar) tools, and found that page that I posted. As slightly different search terms can produce very different results in Google, I wasn't sure you had seen it, but if you already knew about it, then all the better. – mti2935 Mar 23 '21 at 15:59
  • @Joe: I'm sure that you know how to use Google - but unfortunately I'm only sure after I've read your reply. It is pretty common here that users ask questions without further research and nothing in your question indicated what research you did and what you already found out. And as you noticed yourself - the link provided is not only about volume serial number but also about the hardware serial number, only that the API did not work for you (which again would have been valuable information in your question). – Steffen Ullrich Mar 23 '21 at 16:15
  • @mti2935 Much appreciated thanks. So clearly a motivated enough person can spoof it. Until now we've used a combination of ids, including MAC address of the first NIC card found but unfortunately that can change (and could also be spoofed) so I guess I must decide how motivated and unethical my customers might possibly be. – Joe Mar 23 '21 at 16:27
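
The last comment mentions licensing against a combination of IDs, some of which can change. As an added example (not code from this thread or from any product discussed in it), the sketch below binds a license record to several identifiers and still accepts the machine after one of them changes; the identifier names, sample values, key and threshold are constructed assumptions. It tolerates legitimate hardware changes only and cannot tell a genuine identifier from a spoofed one.

```python
import hashlib
import hmac

# Hypothetical secret held by the license issuer; constructed for this example.
VENDOR_KEY = b"constructed-demo-key"

# Constructed sample identifiers; real values would be read from the OS.
ENROLLED = {"disk_serial": "  WD-WCC4N1234567",
            "nic_mac": "00:1A:2B:3C:4D:5E",
            "board_serial": "MB-0042"}
NIC_REPLACED = {**ENROLLED, "nic_mac": "00:AA:BB:CC:DD:EE",
                "disk_serial": "wd-wcc4n1234567"}   # same disk, other casing
OTHER_MACHINE = {"disk_serial": "S3Z9NB0K111111",
                 "nic_mac": "00:11:22:33:44:55",
                 "board_serial": "MB-9999"}


def normalize(value: str) -> str:
    """Drive serials are often space-padded and differ in case between APIs."""
    return "".join(value.split()).upper()


def enroll(components: dict[str, str], key: bytes = VENDOR_KEY) -> dict[str, str]:
    """Return one keyed digest per identifier, so the license record
    does not carry the raw serial numbers."""
    return {
        name: hmac.new(key, f"{name}:{normalize(value)}".encode(),
                       hashlib.sha256).hexdigest()
        for name, value in components.items()
    }


def verify(record: dict[str, str], components: dict[str, str],
           min_match: int, key: bytes = VENDOR_KEY) -> tuple[bool, list[str]]:
    """Accept when at least min_match enrolled identifiers still match.
    Returns the decision and the names that matched, for audit logging."""
    current = enroll(components, key)
    matched = sorted(
        name for name, digest in record.items()
        if name in current and hmac.compare_digest(digest, current[name])
    )
    return len(matched) >= min_match, matched


if __name__ == "__main__":
    record = enroll(ENROLLED)
    print(verify(record, NIC_REPLACED, min_match=2))
    print(verify(record, OTHER_MACHINE, min_match=2))
```

Logging which identifiers stopped matching gives support staff a record of hardware changes per license, which is more useful for spotting abuse than a bare pass/fail.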