Timebomb

A timebomb (or time bomb) is a software mechanism that renders a computer program unusable after a set period of time. It is commonly seen in pre-release software, where it is used to discourage users from holding onto out-of-date testing versions.

Windows

Windows 9x

Error after timebomb activated in Windows 95 build 216

The timebomb is activated through IO.SYS. Once the timebomb is triggered, Windows will display a message on boot saying the pre-evaluation period has expired, followed by an immediate shutdown. The operating system will not boot unless it is reinstalled with the correct BIOS date, as IO.SYS patches itself to enter an infinite loop. Unlike the timebomb in Windows NT, it is not possible to locate the expiration date via winver. Windows 95 build 216 is the first known build to include a timebomb.

Since Windows 98, setup also checks the date and will refuse to install if the date is set incorrectly.

Windows NT

Windows displaying an END_OF_NT_EVALUATION_PERIOD bugcheck

Once a timebomb is triggered, the END_OF_NT_EVALUATION_PERIOD bugcheck is used to reboot the system after a period of time has elapsed. The code for implementing timebombs was first added in Windows NT 4.0 build 1166, which was used for evaluation releases of the final release. The first beta build to feature a modern timebomb was Windows 2000 build 1627.1, although the Japanese and Korean pre-release versions of Windows NT 3.5 include a warning message box asking the user to install a retail copy of Windows after a certain date, unlike other builds from the era.

Windows 8 and later versions include a milder variant of the timebomb; the current operating system install will be deactivated, access to personalization options in PC settings is disabled, and a one-hour long "reboot" cycle (that bugchecks the system) begins. In addition, certain builds may place the "Microsoft Confidential" disclosure warning slightly higher than usual to indicate that the timebomb has been triggered.

Most Windows 10 builds from the original release to the Creators Update are flight-signed; binary signature checks take certificate expiry time into account. When the timebomb is activated, the Windows Boot Manager and related boot loaders will be rendered non-functional as a result of signature invalidation. Due to confusion arising from end-users who unknowingly installed public Insider Preview builds that were redistributed across the Internet with little to no oversight (an issue that had persisted since Windows 10 build 9841, the first Windows 10 Technical Preview release), the Windows cryptography library (mincrypt; statically linked into the code integrity library and the Windows Boot Manager) was altered in build 14965.1001 to allow expired flight code signing certificate chains and give users a chance to update to the most current Windows release.

Numerous issues are caused when attempting to use builds beyond their expiry date due to flight code signing certificates being verified outside of their intended validity period. Examples of issues caused by running these builds under the current date and time are listed below:

  • Applications such as the legacy Windows Defender user interface and built-in Windows diagnostics tools will fail to start due to relevant signature checks failing;
  • User Account Control may complain about untrusted executables or prevent them from running, even if the applications themselves are signed by Microsoft; this is prevalent during the out-of-box experience and when launching certain system applications such as the Task Manager;
  • Non-critical system drivers such as print spoolers will not be available post-installation. Should these be required, the drivers can be installed manually, and the driver signature enforcement check must be overridden.

Detection

The expiration date and time of the timebomb can be retrieved by checking the value of the SystemExpirationDate field in the KUSER_SHARED_DATA structure,[1] which is accessible at address 0x7FFE0000 from user mode.[2] If no timebomb is present, the field is set to zero; otherwise, it is set to the file time[a] of the expiration date and time in UTC.
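The check described above, as an added example that is not part of the original article: it reads SystemExpirationDate from a copy of the shared data page (for instance one carved from a memory image), converts the file time to UTC, and classifies the timebomb. The field offset 0x2C8 and the one-page size are assumptions taken from public structure definitions, not from this page, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define KUSD_SIZE        0x1000u  /* assumption: one page, mapped at 0x7FFE0000 in user mode */
#define KUSD_EXP_OFFSET  0x2C8u   /* assumption: SystemExpirationDate offset, not given on the page */
#define EPOCH_DIFF_SECS  11644473600LL /* seconds from 1601-01-01 to 1970-01-01 */

enum tb_state { TB_ERROR = -1, TB_NONE = 0, TB_ARMED = 1, TB_EXPIRED = 2 };

/* Read SystemExpirationDate (little-endian 64-bit file time) from a page copy. */
int kusd_expiration(const uint8_t *page, size_t len, uint64_t *ft) {
    if (page == NULL || len < KUSD_EXP_OFFSET + 8) return -1;
    *ft = 0;
    for (int i = 7; i >= 0; i--) *ft = (*ft << 8) | page[KUSD_EXP_OFFSET + i];
    return 0;
}

/* A file time counts 100 ns ticks since 1601-01-01 UTC; convert to Unix seconds. */
int64_t filetime_to_unix(uint64_t ft) {
    return (int64_t)(ft / 10000000ULL) - EPOCH_DIFF_SECS;
}

/* Classify the timebomb against now_unix and write the expiry as ISO 8601 UTC. */
enum tb_state timebomb_state(const uint8_t *page, size_t len, int64_t now_unix,
                             char *iso, size_t iso_len) {
    uint64_t ft;
    if (kusd_expiration(page, len, &ft) != 0) return TB_ERROR;
    if (iso_len > 0) iso[0] = '\0';
    if (ft == 0) return TB_NONE;              /* zero means no timebomb is present */
    time_t t = (time_t)filetime_to_unix(ft);
    struct tm *utc = gmtime(&t);
    if (utc == NULL || strftime(iso, iso_len, "%Y-%m-%dT%H:%M:%SZ", utc) == 0)
        return TB_ERROR;
    return now_unix >= (int64_t)t ? TB_EXPIRED : TB_ARMED;
}

int main(void) {
    static uint8_t page[KUSD_SIZE];           /* constructed sample, not a real dump */
    uint64_t ft = 131277024000000000ULL;      /* constructed: 2017-01-01T00:00:00Z */
    for (int i = 0; i < 8; i++) page[KUSD_EXP_OFFSET + i] = (uint8_t)(ft >> (8 * i));
    char iso[32];
    int s = timebomb_state(page, sizeof page, (int64_t)time(NULL), iso, sizeof iso);
    printf("state=%d expiry=%s\n", s, iso);
    return 0;
}
```

On a live Windows system the same functions can be pointed at the mapping at 0x7FFE0000 instead of a buffer, provided the offset is first confirmed against the symbols for that build.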

Mac OS X

The only known version of Mac OS X to feature a timebomb is the Public Beta. While the timebomb prevented the user from logging into the desktop, it did not affect aspects of the Darwin kernel or any other components that are not related to the user interface.

Several server builds of Mac OS X up to Snow Leopard also have an expiry date that causes the out-of-box experience to reject any serial keys past the expiration date.

Notes

  1. A file time is a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).[3]

References