Security researchers from MASSGRAVE have revealed TSforge, a powerful tool that exploits vulnerabilities in Microsoft’s Software Protection Platform (SPP) to activate all Windows versions from Windows 7 onward, including Office suites and add-ons. This marks the first successful direct attack on SPP’s core cryptographic defenses since its introduction with Windows Vista.
SPP relies on encrypted “trusted stores” to verify activation status, with key data stored in files like data.dat (Windows 8+), registry-backed files (Windows 7), and WPA keys across all versions. TSforge’s breakthrough came after reverse-engineering SPP’s private key infrastructure from leaked Windows 8 beta builds.
Researchers found that by modifying these trusted stores with forged activation data, they could bypass RSA-2048/AES-CBC encryption, tricking SPP into accepting permanent licenses. The exploit works by extracting SPP’s RSA private key, which Microsoft uses to sign activation blobs. Using an obscure bytecode interpreter called ExecCodes, they simulated modular exponentiation to derive the private key and decrypt the AES key protecting data.dat.
With this decrypted data, TSforge injects several modifications, including zeroed hardware IDs to bypass fingerprint checks, precomputed product key blobs mimicking KMS/MAK activations, and timestamped license metadata with 4000+ years of validity. The tool’s versatility is notable as it works across both older Windows 7 and newer Windows 10 systems.
Although Microsoft has yet to comment, enterprise users of KMS should audit their activation logs for spoofed status codes (0xC004F200). While MASSGRAVE has not publicly released TSforge, its findings expose significant weaknesses in SPP’s “validate once, trust forever” model. As Windows 10 approaches its 2025 end-of-life, this exploit could lead to significant changes in enterprise licensing strategies, prompting Microsoft to reconsider the security of its activation system.
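One way to run the activation-log audit suggested above, as an added example (not code from MASSGRAVE or Microsoft): it scans SPP events exported to CSV for the status code in its hex and decimal renderings and summarizes hits per machine. The CSV layout, ISO 8601 timestamps, event IDs and sample rows are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

STATUS_CODE = 0xC004F200                      # status code named in the article
PROVIDER = "Microsoft-Windows-Security-SPP"   # SPP event provider (Application log)

# The same 32-bit code may be logged as hex (any case), unsigned or signed decimal.
_FORMS = [f"0x{STATUS_CODE:08x}", str(STATUS_CODE), str(STATUS_CODE - (1 << 32))]
_PATTERN = re.compile(
    r"(?<![0-9A-Za-z])(?:" + "|".join(re.escape(f) for f in _FORMS) + r")(?![0-9A-Za-z])",
    re.IGNORECASE,
)

# Constructed sample export; event IDs and message text are placeholders, not real SPP output.
SAMPLE_CSV = """TimeCreated,MachineName,ProviderName,Id,Message
2025-02-17T08:01:12,WS-014,Microsoft-Windows-Security-SPP,1001,"Licensing status check returned hr=0xC004F200"
2025-02-17T08:05:40,WS-014,Microsoft-Windows-Security-SPP,1001,"Licensing status check returned hr=0xc004f200"
2025-02-17T09:12:03,WS-022,Microsoft-Windows-Security-SPP,1002,"Activation request sent. Info: 0x00000000"
2025-02-18T10:30:55,SRV-003,Microsoft-Windows-Security-SPP,1001,"Status -1073417728 reported by licensing service"
2025-02-18T11:00:00,WS-030,Some-Other-Provider,7,"unrelated text 0xC004F200"
"""

def audit(csv_text, provider=PROVIDER):
    """Return {machine: {count, first, last}} for SPP events carrying the status code."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["ProviderName"] != provider:
            continue  # ignore other providers that happen to mention the code
        if not _PATTERN.search(row["Message"] or ""):
            continue
        h = hits[row["MachineName"]]
        h["count"] += 1
        ts = row["TimeCreated"]  # ISO 8601 strings sort chronologically
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)

if __name__ == "__main__":
    for host, h in sorted(audit(SAMPLE_CSV).items()):
        print(f"{host}: {h['count']} event(s), {h['first']} .. {h['last']}")
```

Machines that appear in the result are candidates for a closer look at their licensing state; a hit alone does not establish how the status was produced.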