A Simple Approach to Product Activation in VB.NET

Introduction:

This article describes an easy approach to keeping track of each installation of an application. The intent of the example is to demonstrate the use of a simple web service to collect and store information about each user and machine running the application. 

I was originally driven to coming up with something like this in response to working for an employer that operated strictly on the honor system. By that I mean that the company would sell its software by the seat to individual clients but with no licensing or other restrictions imposed or enforced by the software that might prevent the installation of additional copies of that software; for example, if a client purchased five seats of the product, it was assumed by the company that the client would only install it five times.

In one particular sale of the product, I felt that it was likely that the client would install additional copies beyond what they had purchased (given the magnitude of work they had to perform, five seats seemed woefully inadequate) and I had asked for approval to implement a licensing scheme in the code; the company declined to do this for whatever reason. They did agree for me to devise a method for tracking installations without requiring a license. The code in this project is a derivation of what I did there mainly because in the original approach, I was not permitted to terminate the application if it were not registered; I was only able to collect information on the installations. What we discovered was that the five purchased seats were installed over 100 times by the client (at about a $380,000 loss in revenue to the company in this one instance).

When I wrote this example version, I did it a little differently in that I create a bogus registry entry that is used to determine whether or not the application was installed and registered through the web service. If the product is not registered, I prevent the application from being used. When I terminate the application, I inform the user that the registration process is incomplete and that the process requires an active connection to the internet. This works much like what is seen when you are required to, for example, activate a copy of Microsoft Word through an internet connection. The registry key is checked each time the application is executed, if the registry key exists and its value indicates that the product is registered, then nothing else happens, if that is not the case, the application will not run until the registration occurs. If a person were to X-copy the application onto another machine, the application will still check for the key the first time it is executed and therefore it will not run until it is also registered.

I did not use it in this example, but you could use the original installation date and allow the user to use the product for some set period of days prior to locking them out which could be useful if you are authoring shareware with a time limited trial period. Here in this example, I just lock them out from the beginning. This approach does not prevent the client from over installing the product; it merely forces each installation to be registered through the web service. You could easily modify the web service to check and see if an individual license has been registered and prevent additional installations of that license but for the purposes of this example, I am only demonstrating the capture of each installation through the service.

As it stands, the example is not the be-all, end-all solution to securing your application against theft. It does however offer an approach for determining the extent of abuse you may be encountering with a release of custom software to a client company.  That information may be useful in making an argument for building a more robust approach to licensing your distributions.

Getting Started.

To get started, unzip the source code included with this project. In the code example, you will find a web service, and a Win Form application. Open the Web Service up and make any changes necessary to get it to operate on your machine. The project containing the web service has an MS Access database included and the database contains a single table used to collect the installation information. In reality you'd probably configure a database and table in SQL Server or Oracle to contain the data but for the purposes of this demonstration it was easier to pack it up in Access. Aside from the MS Access database, you will note that the web service project only contains a single service entitled, "RegisterInstallation".

Once you've configured the web service, run it and check it with the proxy to validate that it is updating the database correctly:

RegisterWS1-in-VB.NET.gif

Figure 1:  Run the Web Service

With the web service running, select the link to "RegisterInstallation":

RegisterWS2-in-VB.NET.gif

Figure 2:  Testing the "RegisterInstallation" Web Service

Once you've keyed in some sample values as indicated in Figure 2, click on the "Invoke" button and view the response, if successful, you should see something like what is shown in Figure 3:

RegisterWS3-in-VB.NET.gif

Figure 3:  The web service returns "true" if the installation information is saved to the Database

Given the web service has returned a true, take a look at the database to confirm that the values entered have been stored in the table:

RegisterWS4-in-VB.NET.gif

Figure 4:  The AppInstallers Table Updated By The Web Service

Having confirmed that the web service is up and running, open the application solution into Visual Studio 2005. Examine the content of the project in the solution explorer, you should see the following:

RegisterWS5-in-VB.NET.gif

Figure 5:  RegTest Application Solution Content

Within the solution, note that the registration service has been added as a web reference, you will likely need to update this reference. The app.config file is the default version and can be ignored here. The classes worthy of note are the frmMain.vb class and the RegistrationCheck.vb class. The main form class (frmMain.vb) represents your application, and the registration check class is used to capture information about the machine containing the application and package up for submittal to the registration web service.

Assuming that the web service and the project references check out, we can now take a look at the code.

Code:  Web Service Project - Registration Service

Locate the RegistrationService.asmx file contained in "RegistrationSvc" web service solution and open it up in the IDE. You will note that this is a very simple service and in general, all that it does is expose a function entitled, "RegisterInstallation". This function receives a collection of arguments containing the information about the installer and formats and executes an insert query against the MS Access database used to contain the installer information.

The import section of the code in this class has been amended to include the portions of the System.Data library that pertain to use of an OleDb data source:

Imports System.Web

Imports System.Web.Services

Imports System.Web.Services.Protocols

Imports System.Data

Imports System.Data.OleDb 

 

<WebService(Namespace:="http://localhost/RegistrationService/")> _

<WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _

<Global.Microsoft.VisualBasic.CompilerServices.DesignerGenerated()> _

Public Class Service

    Inherits System.Web.Services.WebService

The class declaration is cleverly called "Service" and the attributes applied to the class are also in the default configuration with the exception of the updated namespace. The only function in the service exposed as a web method is the RegisterInstallation function; its code is as follows:

<WebMethod()> _

Public Function RegisterInstallation(ByVal strDomainAndUser As String, _

                                     ByVal strComputerName As String, _

                                     ByVal strApplication As String, _

                                     ByVal strVersion As String, _

                                     ByVal strAppID As String, _

                                     ByVal strInstallDate As String) As 

                                     Boolean

 

   Dim conn As OleDbConnection = New

   OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;" & _

    "Data Source=c:\inetpub\wwwroot\RegistrationSvc\Registration.mdb;" & _

    "User ID=;Password=;")

 

    Try

 

        Dim strBuilder As New System.Text.StringBuilder

        strBuilder.Append("INSERT INTO AppInstallers ")

        strBuilder.Append("(DomainAndUser, ComputerName, Application,

        Version, AppID, InstallDate) VALUES(")

        strBuilder.Append("'" & strDomainAndUser & "', ")

        strBuilder.Append("'" & strComputerName & "', ")

        strBuilder.Append("'" & strApplication & "', ")

        strBuilder.Append("'" & strVersion & "', ")

        strBuilder.Append("'" & strAppID & "', ")

        strBuilder.Append("'" & strInstallDate & "')")

 

        Dim sSQL As String = strBuilder.ToString()

        Dim cmd As OleDbCommand = New OleDbCommand(sSQL, conn)

 

        Try

            conn.Open()

            cmd.ExecuteNonQuery()

            conn.Close()

        Catch ex As Exception

            conn.Close()

            Return False

        End Try

 

    Catch ex As Exception

        conn.Close()

        Return False

    End Try

 

    conn.Close()

    Return True

 

End Function

This function is pretty straight forward; the arguments detailing the installer's information are passed as arguments to the function, the function then takes the arguments directly and passes them to an insert query against the MS Access database. Once the execution of the insert statement has completed, the function returns a Boolean set to true if the data is passed to the database or false if the operation fails to update the database.

That is all there is to the web service; the calling application will gather the user's information and, if appropriate, connect to the web service and post the data to the database used to house the installer information.

One point to make here is with regards to the setting of the installation date; in this example, the value is passed into the web method from the client. If you are interested in creating a grace period for using the application (e.g., allow the user to use the application for 30 days without registering it) you may wish to set this value on server side instead of the client. This will prevent the user from changing the date on their machine to gain additional, free use of the application.

Next, open the "RegTest" solution into the IDE and we can take a look at that.

Code:  RegistrationCheck Class.

First off, open the "RegistrationCheck.vb" class into the code window. You will note that the class contains two subroutines and one function. The imports statements and class declaration are as follows:

Imports System

Imports System.Windows.Forms.SystemInformation

 

 

Public Class RegistrationCheck

By importing the "SystemInformation" library, we are able to capture the information used to identify the machine and user running the application. This will provide us with the source for the arguments passed to the web service.

Now take a look at the function, "CheckProductRegistration". This function is public and is the means by which the application checks for prior registrations and then gathers and submits data to the web service during the initialization of an unregistered version of the application. The code for this function is as follows:

Public Function CheckProductRegistration() As Boolean

 

        ' Check registry for key,

        ' create the key if it does not exist

        CheckForOrMakeRegKey()

 

        ' Check the key to see if application has been registered

        ' the key DA\SOMLA\1.0 is nonsense; it is just there to confuse

          anyone that tries to

        ' defeat the registration process. (actually, SOMLA is some software

          I used in the

        ' mid 1980's to test aircraft crash effects upon a seated aircraft

          occupant, but you

        ' can put whatever you want in there, use Bullwinkle or cDc if you

          don't like SOMLA)

        ' Set this boolean upon determining whether or not

        ' the product has been registered

        Dim blnIsRegistered As Boolean = False

        Dim key As Microsoft.Win32.RegistryKey

 

        Try

 

            key =

          Microsoft.Win32.Registry.CurrentUser.OpenSubKey

          ("SOFTWARE\\DA\\SOMLA\\1.0")

 

            If (Not key Is Nothing) Then

 

                Dim intVal As Integer = CType(key.GetValue("dval"), Integer)

 

                If intVal = 0 Then

                    blnIsRegistered = False

                ElseIf intVal = 1 Then

                    blnIsRegistered = True

                    Return True

                    ' it is already registered so just return true

                    ' and exit out of function

                End If

 

            Else

 

                ' The key does not exist, the application has not been

                  registered

                blnIsRegistered = False

 

            End If

 

            key.Close()

 

        Catch

 

            ' do nothing here, we want this to be pretty quiet...

 

        End Try

 

 

        ' Registration has not occurred, so try to register it

        If blnIsRegistered = False Then

 

            ' Obtain the user name currently logged on to this computer

            Dim strUser As String

            strUser =

            System.Windows.Forms.SystemInformation.UserName.ToString()

 

            ' Obtain the user's domain name for the current session

            Dim strDomain As String

            strDomain =

            System.Windows.Forms.SystemInformation.UserDomainName.ToString()

 

            ' Combine the user and domain names into a single entry

            Dim strDomainAndUser As String = strDomain & "\" & strUser

 

            ' Get the name of the computer the application

            ' is installed on

            Dim strComputerName As String

            strComputerName =

            System.Windows.Forms.SystemInformation.ComputerName.ToString()

 

            ' Create a local instance of the web service

            Dim ws As New RegistrationService.Service

 

            ' The web service returns a boolean to indicate

            ' success or failure in execution

            Dim blnTest As Boolean = False

 

            ' Run the web service and load the installer's

            ' information into the database

            Try

 

                blnTest = ws.RegisterInstallation(strDomainAndUser,

                strComputerName, _

                "RegTest", "1.0", "{376FEDC1-BC65-4c6a-B3C2-49CD57BFD127}", _

                Now.ToLongDateString())

 

            Catch

 

                ' Create registry entry and set it to false

                CreateKeyAndSetValue(0)

 

            End Try

 

            'NOTE: the GUID is canned as is meant to mark the install

            '      as a specific copy of the application

            '      create new guids and registry keys for other customers

            '      and applications - this will allow you to track who bought

            '      the software versus where it ends up getting installed.

 

            If blnTest = True Then

 

                ' Create registry entry and set it to 1 - registered

                CreateKeyAndSetValue(1) ' IS registered

                Return True

 

            Else

                ' Create registry entry and set it to 0 - not registered

                CreateKeyAndSetValue(0) ' NOT registered

                Return False

 

            End If

        End If

End Function

The first thing this function does is call a private subroutine used to check for the existence of the registry key used to check for prior registrations of the application. If the key does not exist (first use), the key will be created in the subroutine. The key used "SOFTWARE\\DA\\SOMLA\\1.0" is just some nonsense used to through someone off if they were to try to find and manually edit the key value used to determine whether or not the application has been registered. As I mention in the comments, SOMLA is an application dating back to the 1980's; it was used to run analysis of the effects of a crash upon the human spine. "DA" was for district attorney. You can change these values to whatever you want but you should make some effort to conceal the purpose of the key and its value.

Next the function gets the value of the key used to mark the application as having successfully been submitted to the registration web service; if the value indicates that the application has not been registered or activated through the service, it sets a Boolean to false, the Boolean is then tested and if it is false, the function will attempt to gather the user's information and submit it to the web service for registration. If the product is then registered, the calling method is notified of the success and the registry value is updated to indicate that the product has been activated through the service. If the Boolean returns false, the  user is booted out of the application, else the user is granted access to the application.

The two subroutines in this class are merely used to support the function by creating or confirming the existence of a registry key, and by allowing the function to set the key value associated with the registration of the application. The code for these two subroutines is as follows:

Private Sub CheckForOrMakeRegKey()

 

        Try

            Dim regVersion As Microsoft.Win32.RegistryKey

            regVersion = Microsoft.Win32.Registry.CurrentUser.OpenSubKey _

            ("SOFTWARE\\DA\\SOMLA\\1.0", True)

 

            If regVersion Is Nothing Then

                regVersion =

                Microsoft.Win32.Registry.CurrentUser.CreateSubKey _

                ("SOFTWARE\\DA\\SOMLA\\1.0")

            End If

 

            regVersion.Close()

 

        Catch

 

            'do nothing

 

        End Try

 

End Sub

Private Sub CreateKeyAndSetValue(ByVal intVal As Integer)

 

    Try

 

        ' Declare a registry key variable and set it to

        ' be the fake SOMLA key

        Dim regVersionKey As Microsoft.Win32.RegistryKey

        regVersionKey = Microsoft.Win32.Registry.CurrentUser.OpenSubKey _

        ("SOFTWARE\\DA\\SOMLA\\1.0", True)

 

        ' If the key exists, then set its dval key value

        ' to the integer passed into this subroutine

        If (Not regVersionKey Is Nothing) Then

            regVersionKey.SetValue("dval", intVal)

            regVersionKey.Close()

        End If

 

    Catch

 

        'do nothing

 

    End Try

 

End Sub

That concludes the discussion of the contents of this class. Next, open up the main form (frmMain.vb) class into the code window. The only item worthy of note in the main form's code is the handler for the load event:

Private Sub frmMain_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load

 

        ' Each time the application is loaded, we check for the existence of

        ' the registry entry:

        Dim rc As New RegistrationCheck

        Dim bln As Boolean

 

        bln = rc.CheckProductRegistration()

 

        ' If the bln indicates that the application is not registered (and

          therefore

        ' could not be registered, then tell them Goodbye and exit the

          application.

 

        If bln = False Then

 

            MessageBox.Show("You have not registered this product. 

            Registration requires internet access.", "Registration Failed",

            MessageBoxButtons.OK)

            Application.Exit()

 

        End If

 

End Sub

This code is pretty simple, it merely creates an instance of the "RegistrationCheck" class, sets a Boolean variable to capture the results of the attempt to register the product, and then processes the evaluation of the returned Boolean. If the Boolean is false, the user is notified that product activation requires an internet connection and then the application is terminated if activation has not occurred. The user will continue to be met with this response until they permit the application to connect to the internet and subsequently activate the product.

Naturally, you can modify what occurs in response to a failed activation. For example, if you want to let the user use the product for thirty days after the original installation, you could amend the web service to return the initial installation date and compare that date to today's date and then decide whether or not to allow them to use the application.

Summary.

The sample application and web service are meant to convey an approach to activating a product. This is not a particularly robust way of doing it and it certainly is not foolproof. The approach could easily be compromised if the user were able to locate and manually edit the registry value. The approach does show you a general approach to product activation and is a good way of collecting specific information about who is using the software and determining which uniquely marked copy of the software the installer/user is running on a specific machine.

Next Recommended Readings