forked from Wind4/vlmcsd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvlmcsd.8.html
1197 lines (953 loc) · 44.5 KB
/
vlmcsd.8.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!-- Creator : groff version 1.22.3 -->
<!-- CreationDate: Sat Jun 17 00:53:29 2017 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
p { margin-top: 0; margin-bottom: 0; vertical-align: top }
pre { margin-top: 0; margin-bottom: 0; vertical-align: top }
table { margin-top: 0; margin-bottom: 0; vertical-align: top }
h1 { text-align: center }
</style>
<title>VLMCSD</title>
</head>
<body>
<h1 align="center">VLMCSD</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSIS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#OPTIONS">OPTIONS</a><br>
<a href="#SIGNALS">SIGNALS</a><br>
<a href="#SUPPORTED OPERATING SYSTEMS">SUPPORTED OPERATING SYSTEMS</a><br>
<a href="#SUPPORTED PRODUCTS">SUPPORTED PRODUCTS</a><br>
<a href="#FILES">FILES</a><br>
<a href="#EXAMPLES">EXAMPLES</a><br>
<a href="#BUGS">BUGS</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#CREDITS">CREDITS</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<hr>
<h2>NAME
<a name="NAME"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">vlmcsd - a
fully Microsoft compatible KMS server</p>
<h2>SYNOPSIS
<a name="SYNOPSIS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>vlmcsd</b> [
<i>options</i> ]</p>
<h2>DESCRIPTION
<a name="DESCRIPTION"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em"><b>vlmcsd</b>
is a fully Microsoft compatible KMS server that provides
product activation services to clients. It is meant as a
drop-in replacement for a Microsoft KMS server (Windows
computer with KMS key entered). It currently supports KMS
protocol versions 4, 5 and 6.</p>
<p style="margin-left:11%; margin-top: 1em"><b>vlmcsd</b>
is designed to run on POSIX compatible operating systens. It
only requires a basic C library with a BSD-style sockets API
and either <b>fork</b>(2) or <b>pthreads</b>(7). That allows
it to run on most embedded systems like routers, NASes,
mobile phones, tablets, TVs, settop boxes, etc. Some efforts
have been made that it also runs on Windows.</p>
<p style="margin-left:11%; margin-top: 1em">Although
<b>vlmcsd</b> does neither require an activation key nor a
payment to anyone, it is not meant to run illegal copies of
Windows. Its purpose is to ensure that owners of legal
copies can use their software without restrictions, e.g. if
you buy a new computer or motherboard and your key will be
refused activation from Microsoft servers due to hardware
changes.</p>
<p style="margin-left:11%; margin-top: 1em"><b>vlmcsd</b>
may be started via an internet superserver like
<b>inetd</b>(8) or <b>xinetd</b>(8) as well as an advanced
init system like <b>systemd</b>(8) or <b>launchd</b>(8)
using socket based activation. If <b>vlmcsd</b> detects that
<b>stdin</b>(3) is a socket, it assumes that there is
already a connected client on stdin that wants to be
activated.</p>
<p style="margin-left:11%; margin-top: 1em">All options
that control setting up listening sockets will be ignored
when in inetd mode. The sockets will be set up by your
internet superserver. You also cannot limit the number of
simultanous clients (option <b>-m</b>). You need to
configure the limit in your internet superserver.</p>
<p style="margin-left:11%; margin-top: 1em">The followong
features that require that vlmcsd is permanently loaded will
not work if started from an internet superserver:</p>
<p style="margin-left:22%; margin-top: 1em">You cannot
maintain a client list (option <b>-M1</b>)</p>
<p style="margin-left:22%; margin-top: 1em">EPID
Randomization Level 1 (option <b>-r1</b>) works like Level 2
(<b>-r2</b>). You may want to use Level 0 (<b>-r0</b>) or
custom EPIDs (options <b>-w</b>, <b>-G</b>, <b>-0</b>,
<b>-3</b> and <b>-6</b>) instead.</p>
<h2>OPTIONS
<a name="OPTIONS"></a>
</h2>
<p style="margin-left:11%; margin-top: 1em">Since vlmcsd
can be configured at compile time, some options may not be
available on your system.</p>
<p style="margin-left:11%; margin-top: 1em">All options
that do no require an argument may be combined with a single
dash, for instance "vlmcsd -D -e" is identical to
"vlmcsd -De". For all options that require an
argument a space between the option and the option argument
is optional. Thus "vlmcsd -r 2" and "vlmcsd
-r2" are identical too. <b><br>
-h</b> or <b>-?</b></p>
<p style="margin-left:22%;">Displays help.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p><b>-V</b></p></td>
<td width="8%"></td>
<td width="78%">
<p>Displays extended version information. This includes the
compiler used to build vlmcsd, the intended platform and
flags (compile time options) to build vlmcsd. If you have
the source code of vlmcsd, you can type <b>make help</b> (or
<b>gmake help</b> on systems that do not use the GNU version
of <b>make</b>(1) by default) to see the meaning of those
flags.</p> </td></tr>
</table>
<p style="margin-left:11%;"><b>-L</b>
<i>ipaddress</i>[:<i>port</i>]</p>
<p style="margin-left:22%;">Instructs vlmcsd to listen on
<i>ipaddress</i> with optional <i>port</i> (default 1688).
You can use this option more than once. If you do not
specify <b>-L</b> at least once, IP addresses 0.0.0.0 (IPv4)
and :: (IPv6) are used. If the IP address contains colons
(IPv6) you must enclose the IP address in brackets if you
specify the optional port, e.g.
[2001:db8::dead:beef]:1688.</p>
<p style="margin-left:22%; margin-top: 1em">If no port is
specified, vlmcsd uses the default port according to a
preceding <b>-P</b> option. If you specify a port, it can be
a number (1-65535) or a name (usually found in /etc/services
if not provided via LDAP, NIS+ or another name service).</p>
<p style="margin-left:22%; margin-top: 1em">If you specify
a link local IPv6 address (fe80::/10, usually starting with
fe80::), it must be followed by a percent sign (%) and a
scope id (=network interface name or number) on most unixoid
OSses including Linux, Android, MacOS X and iOS, e.g.
fe80::1234:56ff:fe78:9abc<b>%eth0</b> or
[fe80::1234:56ff:fe78:9abc<b>%2</b>]:1688. Windows
(including cygwin) does not require a scope id unless the
same link local address is used on more than one network
interface. Windows does not accept a name and the scope id
must be a number.</p>
<p style="margin-left:11%;"><b>-o</b> <i>level</i></p>
<p style="margin-left:22%;">Sets the <i>level</i> of
protection against activations from public IP addresses. The
default is <b>-o0</b> for no protection.</p>
<p style="margin-left:22%; margin-top: 1em"><b>-o1</b>
causes vlmcsd not to listen on all IP addresses but on
private IP addresses only. IPv4 addresses in the
100.64.0.0/10 range (see RFC6598) are not treated as private
since they can be reached from other users of your ISP.
Private IPv4 addresses are 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16, 169.254.0.0/16 and 127.0.0.0/8. vlmcsd
treats all IPv6 addresses not within 2000::/3 as private
addresses.</p>
<p style="margin-left:22%; margin-top: 1em">If <b>-o1</b>
is combined with <b>-L</b>, it will listen on all private IP
addresses plus the ones specified by one or more <b>-L</b>
statements. If <b>-o1</b> is combined with <b>-P</b>, only
the last <b>-P</b> statement will be used.</p>
<p style="margin-left:22%; margin-top: 1em">Using
<b>-o1</b> does not protect you if you enable NAT port
forwarding on your router to your vlmcsd machine. It is
identical to using multiple -L statements with all of your
private IP addresses. What <b>-o1</b> does for you, is
automatically enumerating your private IP addresses.</p>
<p style="margin-left:22%; margin-top: 1em"><b>-o2</b> does
not affect the interfaces, vlmcsd is listening on. When a
clients connects, vlmcsd immediately drops the connection if
the client has a public IP address. Unlike <b>-o1</b>
clients will be able to establish a TCP connection but it
will be closed without a single byte sent over the
connection. This protects against clients with public IP
addresses even if NAT port forwarding is used. While
<b>-o2</b> offers a higher level of protection than
<b>-o1</b>, the client sees that the KMS TCP port (1688 by
default) is actually accepting connections.</p>
<p style="margin-left:22%; margin-top: 1em">If vlmcsd is
compiled to use MS RPC, <b>-o2</b> can only offer very poor
protection. Control is passed from MS RPC to vlmcsd after
the KMS protocol has already been negotiated. Thus a client
can always verify that the KMS protocol is available even
though it receives an RPC_S_ACCESS_DENIED error message.
vlmcsd will issue a warning if <b>-o2</b> is used with MS
RPC. <b>For adaequate protection do not use a MS RPC build
of vlmcsd with -o2</b>.</p>
<p style="margin-left:22%; margin-top: 1em"><b>-o3</b>
combines <b>-o1</b> and <b>-o2</b>. vlmcsd listens on
private interfaces only and if a public client manages to
connect anyway due to NAT port forwarding, it will be
immediately dropped.</p>
<p style="margin-left:22%; margin-top: 1em">If you use any
form of TCP level port forwarding (e.g. <b>nc</b>(1),
<b>netcat</b>(1), <b>ssh</b>(1) port forwarding or similar)
to redirect KMS requests to vlmcsd, there will be no
protection even if you use <b>-o2</b> or <b>-o3</b>. This is
due to the simple fact that vlmcsd sees the IP address of
the redirector and not the IP address of the client.</p>
<p style="margin-left:22%; margin-top: 1em"><b>-o1</b> (and
thus <b>-o3</b>) is not (yet) available in some
scenarios:</p>
<p style="margin-left:29%; margin-top: 1em">FreeBSD: There
is a longtime unfixed
<a href="https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=178881">bug</a>
in the 32-bit ABI of the 64-bit kernel. If you have a 64-bit
FreeBSD kernel, you must run the 64-bit version of vlmcsd if
you use <b>-o1</b> or <b>-o3</b>. The 32-bit version causes
undefined behavior up to crashing vlmcsd. Other BSDs
(NetBSD, OpenBSD, Dragonfly and Mac OS X) work
correctly.</p>
<p style="margin-left:29%; margin-top: 1em">If vlmcsd was
started by an internet superserver or was compiled to use
Microsoft RPC (Windows only) or simple sockets, <b>-o1</b>
and <b>-o3</b> are not available by design.</p>
<p style="margin-left:11%;"><b>-P</b> <i>port</i></p>
<p style="margin-left:22%;">Use TCP <i>port</i> for all
subsequent <b>-L</b> statements that do not include an
optional port. If you use <b>-P</b> and <b>-L</b>, <b>-P</b>
must be specified before <b>-L</b>.</p>
<p style="margin-left:11%;"><b>-O</b>
<i>vpn-adapter-name</i>[=<i>ipv4-address</i>][/<i>cidr-mask</i>][:<i>dhcp-lease-duration</i>]</p>
<p style="margin-left:22%;">Enables a compatible VPN
adapter to create additional local IPv4 addresses (like
127.0.0.1) that appear as remote IPv4 addresses to the
system. This allows product activation using a local
instance of vlmcsd. This feature is only available in
Windows and Cygwin builds of vlmcsd since it is not of any
use on other operating systems. Compatible VPN adapters are
Tap-windows version 8.2 or higher (from OpenVPN) and the
TeamViewer VPN adapter. There are two special
<i>vpn-adapter-name</i>s. A single period (.) instructs
vlmcsd to use the first available compatible VPN adapter. A
single dash (-) disables the use of a VPN adapter if one has
been configured in <b>vlmcsd.ini</b>(5). The
<i>vpn-adapter-name</i> is <b>not</b> case-sensitive. If the
<i>vpn-adapter-name</i> contains spaces (e.g. Ethernet 3),
you must enclose it in quotes.</p>
<p style="margin-left:22%; margin-top: 1em">The default
<i>ipv4-address</i> is 10.10.10.9 and the default
<i>cidr-mask</i> is 30. If you are using the default values,
your VPN adapter uses an IPv4 address of 10.10.10.9 and you
can set your activation client to use the easy to remember
address 10.10.10.10 (e.g. slmgr /skms 10.10.10.10 or cscript
ospp.vbs /sethst:10.10.10.10).</p>
<p style="margin-left:22%; margin-top: 1em">The
<i>dhcp-lease-duration</i> is a number optionally followed
by s, m, h, d or w to indicate seconds, minutes, hours, days
or weeks. The default <i>dhcp-lease-duration</i> is 1d (one
day). It is normally not required to change this value.</p>
<p style="margin-left:22%; margin-top: 1em">It is advised
not to manually configure your OpenVPN TAP or TeamViewer VPN
adapter in "Network Connections". If you set the
IPv4 configuration manually anyway, the IPv4 address and the
subnet mask must match the <b>-O</b> parameter. It is safe
leave the IPv4 configuration to automatic (DHCP). vlmcsd
will wait up to four seconds for the DHCP configuration to
complete before binding to and listenin on any
interfaces.</p>
<p style="margin-left:22%; margin-top: 1em">You should be
aware that only one program can use a VPN adapter at a time.
If you use the TeamViewer VPN adapter for example, you will
not be able to use the VPN feature of TeamViewer as long as
vlmcsd is running. The same applies to OpenVPN TAP adapters
that are in use by other programs (for example OpenVPN,
QEMU, Ratiborus VM, aiccu, etc.). The best way to avoid
conflicts is to install Tap-Windows from OpenVPN, cd to
C:\Program Files\TAP-Windows\bin and run addtap.bat to
install an additional TAP adapter. Go to "Network
Connections" and rename the new adapter to
"vlmcsd" and specify <b>-O vlmcsd</b> to use
it.</p>
<p style="margin-left:22%; margin-top: 1em">Example: <b>-O
"Ethernet 7"=192.168.123.1/24</b> (uses VPN
adapter Ethernet 7 with IPv4 address 192.168.123.1 and have
192.168.123.2 to 192.168.123.254 as additional local (but
apparently remote) IPv4 addresses.</p>
<p style="margin-left:11%;"><b>-x0</b> and <b>-x1</b></p>
<p style="margin-left:22%;">Controls under what
circumstances vlmcsd will exit. Using the default of
<b>-x0</b> vlmcsd stays active as long as it can perform
some useful operations. If vlmcsd is run by any form of a
watchdog, e.g. NT service manager (Windows), systemd (Linux)
or launchd (Mac OS / iOS), it may be desirable to end vlmcsd
and let the watchdog restart it. This is especially true if
some pre-requisites are not yet met but will be some time
later, e.g. network is not yet fully setup.</p>
<p style="margin-left:22%; margin-top: 1em">By using
<b>-x0</b> vlmcsd will</p>
<p style="margin-left:29%; margin-top: 1em">exit if none of
the listening sockets specified with <b>-L</b> can be used.
It continues if at least one socket can be setup for
listening.</p>
<p style="margin-left:29%; margin-top: 1em">exit any TAP
mirror thread (Windows version only) if there is an error
condition while reading or writing from or to the VPN
adapter but continue to work without utilizing a VPN
adapter.</p>
<p style="margin-left:22%; margin-top: 1em">By using
<b>-x1</b> vlmcsd will</p>
<p style="margin-left:29%; margin-top: 1em">exit if not all
listening sockets specified with <b>-L</b> can be used.</p>
<p style="margin-left:29%; margin-top: 1em">exit completely
if there is a problem with a VPN adapter it is using. This
can happen for instance if the VPN adapter has been disabled
using "Control Panel - Network - Adapter Settings"
while vlmcsd is using it.</p>
<p style="margin-left:22%; margin-top: 1em">Please note
that <b>-x1</b> is kind of a workaround option. While it may
help under some circumstances, it is better to solve the
problem at its origin, e.g. properly implementing
dependencies in your startup script to ensure all network
interfaces and the VPN adapter you will use are completely
setup before you start vlmcsd.</p>
<p style="margin-left:11%;"><b>-F0</b> and <b>-F1</b></p>
<p style="margin-left:22%;">Allow (<b>-F1</b>) or disallow
(<b>-F0</b>) binding to IP addresses that are currently not
configured on your system. The default is <b>-F0</b>.
<b>-F1</b> allows you to bind to an IP address that may be
configured after you started <b>vlmcsd</b>. <b>vlmcsd</b>
will listen on that address as soon as it becomes available.
This feature is only available under Linux (IPv4 and IPv6)
and FreeBSD (IPv4 only). FreeBSD allows this feature only
for the root user (more correctly: processes that have the
PRIV_NETINET_BINDANY privilege). Linux does not require a
capability for this.</p>
<p style="margin-left:11%;"><b>-t</b> <i>seconds</i></p>
<p style="margin-left:22%;">Timeout the TCP connection with
the client after <i>seconds</i> seconds. After sending an
activation request. RPC keeps the TCP connection for a
while. The default is 30 seconds. You may specify a shorter
period to free ressources on your device faster. This is
useful for devices with limited main memory or if you used
<b>-m</b> to limit the concurrent clients that may request
activation. Microsoft RPC clients disconnect after 30
seconds by default. Setting <i>seconds</i> to a greater
value does not make much sense.</p>
<p style="margin-left:11%;"><b>-m</b>
<i>concurrent-clients</i></p>
<p style="margin-left:22%;">Limit the number of clients
that will be handled concurrently. This is useful for
devices with limited ressources or if you are experiencing
DoS attacks that spawn thousands of threads or forked
processes. If additional clients connect to vlmcsd, they
need to wait until another client disconnects. If you set
<i>concurrent-clients</i> to a small value ( <10 ), you
should also select a reasonable timeout of 2 or 3 seconds
with <b>-t</b>. The default is no limit.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p><b>-d</b></p></td>
<td width="8%"></td>
<td width="78%">
<p>Disconnect each client after processing one activation
request. This is a direct violation of DCE RPC but may help
if you receive malicous fake RPC requests that block your
threads or forked processes. Some other KMS emulators (e.g.
py-kms) behave this way.</p></td></tr>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p><b>-k</b></p></td>
<td width="8%"></td>
<td width="78%">
<p>Do not disconnect clients after processing an activation
request. This selects the default behavior. <b>-k</b> is
useful only if you used an ini file (see
<b>vlmcsd.ini</b>(5) and <b>-i</b>). If the ini file
contains the line "DisconnectClientsImmediately =
true", you can use this switch to restore the default
behavior.</p> </td></tr>
</table>
<p style="margin-left:11%;"><b>-N0</b> and <b>-N1</b></p>
<p style="margin-left:22%;">Disables (<b>-N0</b>) or
enables (<b>-N1</b>) the use of the NDR64 transfer syntax in
the RPC protocol. Unlike Microsoft vlmcsd supports NDR64 on
32-bit operating systems. Microsoft introduced NDR64 in
Windows Vista but their KMS servers started using it with
Windows 8. Thus if you choose random ePIDs, vlmcsd will
select ePIDs with build numbers 9200 and 9600 if you enable
NDR64 and build numbers 6002 and 7601 if you disable NDR64.
The default is to enable NDR64.</p>
<p style="margin-left:11%;"><b>-B0</b> and <b>-B1</b></p>
<p style="margin-left:22%;">Disables (<b>-B0</b>) or
enables (<b>-B1</b>) bind time feature negotiation (BTFN) in
the RPC protocol. All Windows operating systems starting
with Vista support BTFN and try to negotiate it when
initiating an RPC connection. Thus consider turning it off
as a debug / troubleshooting feature only. Some older
firewalls that selectively block or redirect RPC traffic may
get confused when they detect NDR64 or BTFN.</p>
<p style="margin-left:11%;"><b>-l</b> <i>filename</i></p>
<p style="margin-left:22%;">Use <i>filename</i> as a log
file. The log file records all activations with IP address,
Windows workstation name (no reverse DNS lookup), activated
product, KMS protocol, time and date. If you do not specify
a log file, no log is created. For a live view of the log
file type tail -f <i>file</i>.</p>
<p style="margin-left:22%; margin-top: 1em">If you use the
special <i>filename</i> "syslog", vlmcsd uses
<b>syslog</b>(3) for logging. If your system has no syslog
service (/dev/log) installed, logging output will go to
/dev/console. Syslog logging is not available in the native
Windows version. The Cygwin version does support syslog
logging.</p>
<p style="margin-left:11%;"><b>-T0</b> and <b>-T1</b></p>
<p style="margin-left:22%;">Disable (<b>-T0</b>) or enable
(<b>-T1</b>) the inclusion of date and time in each line of
the log. The default is <b>-T1</b>. <b>-T0</b> is useful if
you log to <b>stdout</b>(3) which is redirected to another
logging mechanism that already includes date and time in its
output, for instance <b>systemd-journald</b>(8). If you log
to <b>syslog</b>(3), <b>-T1</b> is ignored and date and time
will never be included in the output sent to
<b>syslog</b>(3).</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p><b>-D</b></p></td>
<td width="8%"></td>
<td width="78%">
<p>Normally vlmcsd daemonizes and runs in background
(except the native Windows version). If <b>-D</b> is
specified, vlmcsd does not daemonize and runs in foreground.
This is useful for testing and allows you to simply press
<Ctrl-C> to exit vlmcsd.</p></td></tr>
</table>
<p style="margin-left:22%; margin-top: 1em">The native
Windows version never daemonizes and always behaves as if
<b>-D</b> had been specified. You may want to install vlmcsd
as a service instead. See <b>-s</b>.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p style="margin-top: 1em"><b>-e</b></p></td>
<td width="8%"></td>
<td width="78%">
<p style="margin-top: 1em">If specified, vlmcsd ignores
<b>-l</b> and writes all logging output to <b>stdout</b>(3).
This is mainly useful for testing and debugging and often
combined with <b>-D</b>.</p></td></tr>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p><b>-v</b></p></td>
<td width="8%"></td>
<td width="78%">
<p>Use verbose logging. Logs every parameter of the base
request and the base response. It also logs the HWID of the
KMS server if KMS protocol version 6 is used. This option is
mainly for debugging purposes. It only has an effect if some
form of logging is used. Thus <b>-v</b> does not make sense
if not used with <b>-l</b>, <b>-e</b> or <b>-f</b>.</p></td></tr>
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p><b>-q</b></p></td>
<td width="8%"></td>
<td width="78%">
<p>Do not use verbose logging. This is actually the default
behavior. It only makes sense if you use vlmcsd with an ini
file (see <b>-i</b> and <b>vlmcsd.ini</b>(5)). If the ini
file contains the line "LogVerbose = true" you can
use <b>-q</b> to restore the default behavior.</p></td></tr>
</table>
<p style="margin-left:11%;"><b>-p</b> <i>filename</i></p>
<p style="margin-left:22%;">Create pid file
<i>filename</i>. This has nothing to do with KMS ePIDs. A
pid file is a file where vlmcsd writes its own process id.
This is used by standard init scripts (typically found in
/etc/init.d). The default is not to write a pid file.</p>
<p style="margin-left:11%;"><b>-u</b> <i>user</i> and
<b>-g</b> <i>group</i></p>
<p style="margin-left:22%;">Causes vlmcsd to run in the
specified <i>user</i> and <i>group</i> security context. The
main purpose for this is to drop root privileges after it
has been started from the root account. To use this feature
from cygwin you must run cyglsa-config and the account from
which vlmcsd is started must have the rights "Act as
part of the operating system" and "Replace a
process level token". The native Windows version does
not support these options.</p>
<p style="margin-left:22%; margin-top: 1em">The actual
security context switch is performed after the TCP sockets
have been created. This allows you to use privileged ports
(< 1024) when you start vlmcsd from the root account.</p>
<p style="margin-left:22%; margin-top: 1em">However if you
use an ini, pid or log file, you must ensure that the
unprivileged user has access to these files. You can always
log to <b>syslog</b>(3) from an unprivileged account on most
platforms (see <b>-l</b>).</p>
<p style="margin-left:11%;"><b>-w</b> <i>ePID</i></p>
<p style="margin-left:22%;">Use <i>ePID</i> as Windows
ePID. If specified, <b>-r</b> is disregarded for
Windows.</p>
<p style="margin-left:11%;"><b>-0</b> <i>ePID</i></p>
<p style="margin-left:22%;">Use <i>ePID</i> as Office 2010
ePID (including Project and Visio). If specified, <b>-r</b>
is disregarded for Office 2010.</p>
<p style="margin-left:11%;"><b>-3</b> <i>ePID</i></p>
<p style="margin-left:22%;">Use <i>ePID</i> as Office 2013
ePID (including Project and Visio). If specified, <b>-r</b>
is disregarded for Office 2013.</p>
<p style="margin-left:11%;"><b>-6</b> <i>ePID</i></p>
<p style="margin-left:22%;">Use <i>ePID</i> as Office 2016
ePID (including Project and Visio). If specified, <b>-r</b>
is disregarded for Office 2016.</p>
<p style="margin-left:11%;"><b>-G</b> <i>ePID</i></p>
<p style="margin-left:22%;">Use <i>ePID</i> as Windows
China Government ePID. If specified, <b>-r</b> is
disregarded for Windows China Government Editions
(Enterprise G/GN).</p>
<p style="margin-left:11%;"><b>-H</b> <i>HwId</i></p>
<p style="margin-left:22%;">Use <i>HwId</i> for all
products. All HWIDs in the ini file (see <b>-i</b>) will not
be used. In an ini file you can specify a seperate HWID for
each <i>application-guid</i>. This is not possible when
entering a HWID from the command line.</p>
<p style="margin-left:22%; margin-top: 1em"><i>HwId</i>
must be specified as 16 hex digits that are interpreted as a
series of 8 bytes (big endian). Any character that is not a
hex digit will be ignored. This is for better readability.
The following commands are identical:</p>
<p style="margin-left:22%; margin-top: 1em">vlmcsd -H
0123456789ABCDEF <br>
vlmcsd -H 01:23:45:67:89:ab:cd:ef <br>
vlmcsd -H "01 23 45 67 89 AB CD EF"</p>
<p style="margin-left:11%;"><b>-i</b> <i>filename</i></p>
<p style="margin-left:22%;">Use configuration file (aka ini
file) <i>filename</i>. Most configuration parameters can be
set either via the command line or an ini file. The command
line always has precedence over configuration items in the
ini file. See <b>vlmcsd.ini</b>(5) for the format of the
configuration file.</p>
<p style="margin-left:22%; margin-top: 1em">If vlmcsd has
been compiled to use a default configuration file (often
/etc/vlmcsd.ini), you may use <b>-i-</b> to ignore the
default configuration file.</p>
<p style="margin-left:11%;"><b>-j</b> <i>filename</i></p>
<p style="margin-left:22%;">Use KMS data file
<i>filename</i>. By default vlmcsd only contains the minimum
product data that is required to perform all operations
correctly. You may use a more complete KMS data file that
contains all detailed product names. This is especially
useful if you are logging KMS requests. If you don’t
log, there is no need to load an external KMS data file.</p>
<p style="margin-left:22%; margin-top: 1em">If vlmcsd has
been compiled to use a default KMS data file, you may use
<b>-j-</b> to ignore the default configuration file.</p>
<p style="margin-left:11%;"><b>-r0</b>, <b>-r1</b>
(default) and <b>-r2</b></p>
<p style="margin-left:22%;">These options determine how
ePIDs are generated if</p>
<p style="margin-left:22%; margin-top: 1em">- you did not
sprecify an ePID in the command line and <br>
- you haven’t used <b>-i</b> or <br>
- the file specified by <b>-i</b> cannot be opened or <br>
- the file specified by <b>-i</b> does not contain an ePID
for the KMS request</p>
<p style="margin-left:22%; margin-top: 1em"><b>-r0</b>
means there are no random ePIDs. vlmcsd simply issues
default ePIDs that are built into the binary at compile
time. <b>Pro:</b> behaves like real KMS server that also
always issues the same ePID. <b>Con:</b> Microsoft may start
blacklisting again and the default ePID may not work any
longer.</p>
<p style="margin-left:22%; margin-top: 1em"><b>-r1</b>
instructs vlmcsd to generate random ePIDs when the program
starts or receives a SIGHUP signal and uses these ePIDs
until it is stopped or receives another SIGHUP. Most other
KMS emulators generate a new ePID on every KMS request. This
is easily detectable. Microsoft could just modify sppsvc.exe
in a way that it always sends two identical KMS requests in
two RPC requests but over the same TCP connection. If both
KMS responses contain the different ePIDs, the KMS server is
not genuine. <b>-r1</b> is the default mode. <b>-r1</b> also
ensures that all three ePIDs (Windows, Office 2010 and
Office 2013) use the same OS build number and LCID (language
id).</p>
<p style="margin-left:22%; margin-top: 1em">If vlmcsd has
been started by an internet superserver, <b>-r1</b> works
almost identically to <b>-r2</b>. The only exception occurs
if you send more than one activation request over the same
TCP connection. This is simply due to the fact that vlmcsd
is started upon a connection request and does not stay in
memory after servicing a KMS request. Consider using
<b>-r0</b> or <b>-w</b>, <b>-G</b>, <b>-0</b>, <b>-3</b> and
<b>-6</b> when starting vlmcsd by an internet
superserver.</p>
<p style="margin-left:22%; margin-top: 1em"><b>-r2</b>
behaves like most other KMS server emulators with random
support and generates a new random ePID on every request.
<b>-r2</b> should be treated as debugging option only
because it allows very easy emulator detection.</p>
<p style="margin-left:11%;"><b>-C</b> <i>LCID</i></p>
<p style="margin-left:22%;">Do not randomize the locale id
part of the ePID and use <i>LCID</i> instead. The
<i>LCID</i> must be specified as a decimal number, e.g. 1049
for "Russian - Russia". This option has no effect
if the ePID is not randomized at all, e.g. if it is selected
from the command line or an ini file.</p>
<p style="margin-left:22%; margin-top: 1em">By default
vlmcsd generates a valid locale id that is recognized by
.NET Framework 4.0. This may lead to a locale id which is
unlikely to occur in your country, for instance 2155 for
"Quecha - Ecuador". You may want to select the
locale id of your country instead. See
<a href="http://msdn.microsoft.com/en-us/goglobal/bb964664.aspx">MSDN</a>
for a list of valid <i>LCID</i>s. Please note that some of
them are not recognized by .NET Framework 4.0.</p>
<p style="margin-left:22%; margin-top: 1em">Most other KMS
emulators use a fixed <i>LCID</i> of 1033 (English - US). To
achive the same behavior in vlmcsd use <b>-C 1033</b>.</p>
<p style="margin-left:11%;"><b>-K0</b>, <b>-K1</b>,
<b>-K2</b> and <b>-K3</b></p>
<p style="margin-left:22%;">Sets the whitelisting level to
determine which products vlmcsd activates or refuses. The
default is <b>-K0</b>.</p>
<p style="margin-left:29%; margin-top: 1em"><b>-K0</b>:
activate all products with an unknown, retail or
beta/preview KMS ID. <b><br>
-K1</b>: activate products with a retail or beta/preview KMS
ID but refuse to activate products with an unknown KMS ID.
<b><br>
-K2</b>: activate products with an unknown KMS ID but refuse
products with a retail or beta/preview KMS ID. <b><br>
-K3</b>: activate only products with a known volume license
RTM KMS ID and refuse all others.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="22%"></td>
<td width="78%">
<p>The SKU ID is not checked. Like a genuine KMS server
vlmcsd activates a product that has a random or unknown SKU
ID. If you select <b>-K1</b> or <b>-K3</b>, vlmcsd also
checks the Application ID for correctness. If Microsoft
introduces a new KMS ID for a new product, you cannot
activate it if you used <b>-K1</b> or <b>-K3</b> until a new
version of vlmcsd is available.</p></td></tr>
</table>
<p style="margin-left:11%;"><b>-c0</b> and <b>-c1</b></p>
<p style="margin-left:22%;"><b>-c1</b> causes vlmcsd to
check if the client time differs no more than four hours
from the system time. <b>-c0</b> (the default) disables this
check. <b>-c1</b> is useful to prevent emulator detection. A
client that tries to detect an emulator could simply send
two subsequent request with two time stamps that differ more
than four hours from each other. If both requests succeed,
the server is an emulator. If you specify <b>-c1</b> on a
system with no reliable time source, activations will fail.
It is ok to set the correct system time after you started
vlmcsd.</p>
<p style="margin-left:11%;"><b>-M0</b> and <b>-M1</b></p>
<p style="margin-left:22%;">Disables (<b>-M0</b>) or
enables (<b>-M1</b>) maintaining a list of client machine
IDs (CMIDs). The default is <b>-M0</b>. <b>-M1</b> is useful
to prevent emulator detection. By maintaing a CMID list,
vlmcsd reports current active clients exactly like a genuine
KMS emulator. This includes bug compatibility to the extent
that you can permanently kill a genuine KMS emulator by
sending an "overcharge request" with a required
client count of 376 or more and then request activation for
671 clients. vlmcsd can be reset from this condition by
restarting it. If <b>-M0</b> is used, vlmcsd reports current
active clients as good as possible. If no client sends an
"overcharge request", it is not possible to detect
vlmcsd as an emulator with <b>-M0</b>. <b>-M1</b> requires
the allocation of a buffer that is about 50 kB in size. On
hardware with few memory resources use it only if you really
need it.</p>
<p style="margin-left:22%; margin-top: 1em">If you start
vlmcsd from an internet superserver, <b>-M1</b> cannot be
used. Since vlmcsd exits after each activation, it cannot
maintain any state in memory.</p>
<p style="margin-left:11%;"><b>-E0</b> and <b>-E1</b></p>
<p style="margin-left:22%;">These options are ignored if
you do not also specify <b>-M1</b>. If you use <b>-E0</b>
(the default), vlmcsd starts up as a fully
"charged" KMS server. Clients activate
immediately. <b>-E1</b> lets you start up vlmcsd with an
empty CMID list. Activation will start when the required
minimum clients (25 for Windows Client OSses, 5 for Windows
Server OSses and Office) have registered with the KMS
server. As long as the minimum client count has not been
reached, clients end up in HRESULT 0xC004F038 "The
count reported by your Key Management Service (KMS) is
insufficient. Please contact your system
administrator". You may use <b>vlmcs</b>(1) or another
KMS client emulator to "charge" vlmcsd. <b>-E1</b>
does not improve emulator detection prevention. It’s
primary purpose is to help developers of KMS clients to test
"charging" a KMS server.</p>
<p style="margin-left:11%;"><b>-R</b>
<i>renewal-interval</i></p>
<p style="margin-left:22%;">Instructs clients to renew
activation every <i>renewal-interval</i>. The
<i>renewal-interval</i> is a number optionally immediately
followed by a letter indicating the unit. Valid unit letters
are s (seconds), m (minutes), h (hours), d (days) and w
(weeks). If you do not specify a letter, minutes is
assumed.</p>
<p style="margin-left:22%; margin-top: 1em"><b>-R3d</b> for
instance instructs clients to renew activation every 3 days.
The default <i>renewal-interval</i> is 10080 (identical to
7d and 1w).</p>
<p style="margin-left:22%; margin-top: 1em">Due to poor
implementation of Microsofts KMS Client it cannot be
guaranteed that activation is renewed on time as specfied by
the -R option. Don’t care about that. Renewal will
happen well before your activation expires (usually 180
days).</p>
<p style="margin-left:22%; margin-top: 1em">Even though you
can specify seconds, the granularity of this option is 1
minute. Seconds are rounded down to the next multiple of
60.</p>
<p style="margin-left:11%;"><b>-A</b>
<i>activation-interval</i></p>
<p style="margin-left:22%;">Instructs clients to retry
activation every <i>activation-interval</i> if it was
unsuccessful, e.g. because it could not reach the server.
The default is 120 (identical to 2h).
<i>activation-interval</i> follows the same syntax as
<i>renewal-interval</i> in the <b>-R</b> option.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p><b>-s</b></p></td>
<td width="8%"></td>
<td width="78%">
<p>Installs vlmcsd as a Windows service. This option only
works with the native Windows version and Cygwin. Combine
<b>-s</b> with other command line options. These will be in
effect when you start the service. The service automatically
starts when you reboot your machine. To start it manually,
type "net start vlmcsd".</p></td></tr>
</table>
<p style="margin-left:22%; margin-top: 1em">If you use
Cygwin, you must include your Cygwin system DLL directory
(usually C:\Cygwin\bin or C:\Cygwin64\bin) into the PATH
environment variable or the service will not start.</p>
<p style="margin-left:22%; margin-top: 1em">You can
reinstall the service anytime using vlmcsd -s again, e.g.
with a different command line. If the service is running, it
will be restarted with the new command line.</p>
<p style="margin-left:22%; margin-top: 1em">When using
<b>-s</b> the command line is checked for basic syntax
errors only. For example "vlmcsd -s -L 1.2.3.4"
reports no error but the service will not start if 1.2.3.4
is not an IP address on your system.</p>
<table width="100%" border="0" rules="none" frame="void"
cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="11%"></td>
<td width="3%">
<p style="margin-top: 1em"><b>-S</b></p></td>
<td width="8%"></td>
<td width="78%">
<p style="margin-top: 1em">Uninstalls the vlmcsd service.
Works only with the native Windows version and Cygwin. All
other options will be ignored if you include -S in the
command line.</p></td></tr>
</table>
<p style="margin-left:11%;"><b>-U</b>
[<i>domain</i>\]<i>username</i></p>
<p style="margin-left:22%;">Can only be used together with
<b>-s</b>. Starts the service as a different user than the
local SYSTEM account. This is used to run the service under
an account with low privileges. If you omit the domain, an
account from the local computer will be used.</p>
<p style="margin-left:22%; margin-top: 1em">You may use
"NT AUTHORITY\NetworkService". This is a pseudo
user with low privileges. You may also use "NT
AUTHORITY\LocalService" which has more privileges but
these are of no use for running vlmcsd.</p>
<p style="margin-left:22%; margin-top: 1em">Make sure that
the user you specify has at least execute permission for
your executable. "NT AUTHORITY\NetworkService"
normally has no permission to run binaries from your home
directory.</p>
<p style="margin-left:22%; margin-top: 1em">For your
convenience you can use the special username "/l"
as a shortcut for "NT AUTHORITY\LocalService" and
"/n" for "NT AUTHORITY\NetworkService".
"vlmcsd -s -U /n" installs the
service to run as "NT
AUTHORITY\NetworkService".</p>
<p style="margin-left:11%;"><b>-W</b> <i>password</i></p>
<p style="margin-left:22%;">Can only be used together with
<b>-s</b>. Specifies a <i>password</i> for the corresponding
username you use with -U. SYSTEM, "NT
AUTHORITY\NetworkService", "NT
AUTHORITY\LocalService" do not require a password.</p>
<p style="margin-left:22%; margin-top: 1em">If you specify
a user with even lower privileges than "NT
AUTHORITY\NetworkService", you must specify its
password. You also have to grant the "Log on as a
service" right to that user.</p>
<h2>SIGNALS