Winsage
February 24, 2025
TSforge is a new exploit developed by researchers that can activate all versions of Windows from Windows 7 onward, as well as all Office versions since Office 2013. It utilizes a technique called the "CID trick," which modifies the CID validation code in sppobjs.dll to allow the use of a counterfeit CID for activation. This activation persists even after service restarts. The researchers identified key locations for activation data storage, including specific files and registry keys that form the "trusted store." They used leaked Windows beta builds to understand the spsys.sys driver and reverse-engineered components to extract private RSA keys for decrypting and re-encrypting the activation data. TSforge can activate any Windows edition without debuggers or kernel exploits and bypasses hardware ID validation and the PKEY2005 encoding system.