![[The Whole Internet for Windows 95]](http://www.ora.com/ads/twi-wiz.gif)
The "Online Registration" feature of Microsoft's Windows 95 (Win95), also known as the "Registration Wizard" (RegWiz), has been the subject of much rumor and more or less idle speculation.
Of special concern is RegWiz's ability to collect information on applications (both Microsoft and non-Microsoft) that a user has installed on their hard disk, and to send this information back to Microsoft via the Microsoft Network (MSN). As explained below, the name for this process is "Product Inventory": it is a feature of the PRODINV.DLL module included with Win95.
![[Image: Win95 Registration Wizard]](regwiz.gif)
That Win95 can apparently tell what applications you have installed has generated numerous angry reactions online. A posting in the comp.risks newsgroup claims that Win95 "transmits your entire directory structure in [the] background" to MSN. Similar claims have appeared on Microsoft's forums on CompuServe, under headings such as "WIN95: Bye, Bye Privacy" and "Computer espionage by M$". RegWiz has prompted the Netsurfer Focus on Cryptography and Privacy to ask the worrisome question, "It's eleven o'clock at night. Do you know what your software is doing?"
Ralph Nader's Consumer Project on Technology has even urged President Clinton "to prevent federal agencies from buying Windows 95 until the information gathering features of the 'Registration Wizard' are disabled or modified" ( Ralph Nader on Windows 95 Problems).
Microsoft has responded with a white-paper clarification ( Microsoft on Windows 95 Online Registration Wizard) which acknowledges that the Win95 Registration Wizard (RegWiz) collects the names of applications, but which also points out that the user must explicitly consent before this information is sent via modem to MSN, and that the information can be viewed in the file REGINFO.TXT.
But while the Microsoft clarification states that RegWiz "is simply an electronic version of the paper-based registration card," this appears not to be true. RegWiz's apparent ability to sniff out what applications you have is not matched by the printed registration card, which merely asks for general information on the sorts of software you use with your computer ("Reference & Education", "Games & Entertainment", "Personal Finance/Organizer", etc.).
To see exactly what happens during Windows 95 "Online Registration," I used a utility called FILEMON (File Monitor), by Stan Mitchell, "Monitoring Windows 95 File Activity in Ring 0," Windows/DOS Developer's Journal, July 1995, pp. 6-24. Mitchell is writing a book on the Windows 95 file system, to be published by O'Reilly & Associates in 1996.
(Click here to download filemon.zip, which includes filemon.exe, dynamically-loadable filemon.vxd, all source code, plus a regwiz.log file created while running the Registration Wizard under FILEMON. This is a NEW version of FILEMON, updated October 12, 1995.)
FILEMON lets you completely monitor all file-system activity under Windows 95. This makes it perfect for getting to the bottom of the the rumors that have been circulating about RegWiz.
What FILEMON reveals is that RegWiz, far from conducting an indiscriminate search of a user's hard disk, instead searches for about 100 specific applications, both from Microsoft and its competitors.
RegWiz is launched by clicking the "Online Registration" button in
WELCOME.EXE, which is a small program that provides the initial
"Welcome to Windows 95" tips and options. Clicking "Online Registration"
launches a program named \WINDOWS\SYSTEM\REGWIZ.EXE (the full
command line is "regwiz -i Software\Microsoft\Windows\CurrentVersion"). Neither WELCOME nor REGWIZ are necessary for running Win95.
REGWIZ.EXE in turn loads a dynamic-link library, \WINDOWS\SYSTEM\PRODINV.DLL. This is the "Product Inventory DLL," normally used for compliance checking of upgrades to Microsoft Office programs such as WinWord. (In fact, PRODINV.DLL's internal module name is "COMPLINC," for "compliance checking.") Of course, when you buy the upgrade edition of something like WinWord, there needs to be a mechanism to check that in fact you really are upgrading from some previous word processor -- be it a previous version of WinWord, or a competitor's word processor, such as AmiPro or WordPerfect. So there's an encrypted database (the reasons for this encryption are discussed below) inside PRODINV of about 100 products, indicating that if a given EXE of a given size range is found within a given subdirectory, then you've got a given product, and are entitled to the reduced-price upgrade.
The Microsoft Office 95 Registration Wizard is described in detail in Appendix A of the online Office 95 Resource Kit; see the "Launch Registration Wizard" section.
Examining the file PRODINV.DLL turns up some intriguing-sounding strings, such as "Registry Search", "INI File Search", "Big Search", and "Hard Disk Search". The DLL exports a function called "RegProductSearch," which is called by REGWIZ.EXE.
Examining the file REGWIZ.EXE turns up the names of the people who worked on it:
- Software development: Tracy Ferrier - Program management: David Gonzalez, Peggy Angevine - Quality assurance: Sharmilli Ghosh - Special thanks to: Evelyn and LaurenRegWiz will list up to twelve applications that a user owns; these are stored in the text file REGINFO.TXT and in the registry ("HKEY_CURRENT_USER\Software\Microsoft\User information"). Once REGWIZ has written this information, it runs the SIGNUP program (C:\Program Files\The Microsoft Network\SIGNUP.EXE), which is normally used to sign-up new users for the Microsoft Network (MSN). The command line is:
signup.exe Software\Microsoft\User informationSIGNUP uses standard (although apparently undocumented) MSN functions to send data over the modem. Data sent by SIGNUP eventually appears at the WriteMosSlot function in MOSCL.DLL (MOS stands for "Microsoft Online Service," an internal name for MSN).
The product inventory section of one REGINFO.TXT might look like this:
Product Inventory 1 = Microsoft Word for Windows Product Inventory 2 = Personal Oracle 7 Product Inventory 3 = Borland C++ for Windows Product Inventory 4 = Microsoft Visual C++ Product Inventory 5 = Putt Putt Product Inventory 6 = Treehouse Product Inventory 7 = Lotus Notes Product Inventory 8 = CompuServe Product Inventory 9 = Product Inventory 10 = Product Inventory 11 = Product Inventory 12 =It's worth noting that the sample "Product Inventory" screen in Microsoft's white-paper clarification shows only Microsoft programs. But the upset generated by RegWiz has been due, of course, to its collection of information regarding non-Microsoft programs.
The applications in which RegWiz takes an interest are as follows (the names come directly from the PRODINV product inventory):
3-D Dinosaur Adventure Aldus Pagemaker for Windows Aldus Persuasion America On-line AmiPro for Windows Approach for Windows Bookshelf 94 for Windows Borland C++ for Windows Borland Dbase Borland Delphi Borland Paradox for DOS Borland Paradox for Windows CA - Visual Objects Charisma Charisma for Windows Clipper Complete Baseball for Windows Comptons Multimedia Encyclopedia CompuServe Corel Draw for Windows Crayola Art Studio Creative Writer Creative Writer - Ghost Mysteries DataEase DataEase for Windows dBase for Windows Director's Lab DOS Encarta Fine Artist Flight Simulator FoxPro for DOS FoxPro for Windows - Standard Freddi Fish Gupta SQL Windows Harvard Graphics Haunted House Internet In A Box Kid Pix DOS Kid Pix WIN Lion King Print Studio Lion King Story Book Lotus 123 for Windows Lotus Notes Lotus123 for DOS Mathblaster Episode 1 Mathblaster Episode 2 Microsoft Access Developers Toolkit Microsoft Access for Windows Microsoft Access Upsizing Tool Microsoft Encarta '95 Microsoft Excel for Windows Microsoft Money Microsoft Office for Windows Microsoft Powerpoint for Windows Microsoft Project for Windows Microsoft Publisher Microsoft Visual Basic Professional Microsoft Visual C++ Microsoft Visual FoxPro for Windows Microsoft Word for DOS Microsoft Word for Windows Microsoft Works for Windows Mind Your Money Money MSB - Human Body MSB - Solar My First Encyclopedia NCSA Mosaic for Windows Oregon Trail Oregon Trail 2 Personal Oracle 7 PGA Tour 486 Playroom PowerBuilder Enterprise 4 for NT PowerBuilder Enterprise 4 for Windows PowerPlus Print Shop Deluxe for Windows Prodigy Putt Putt Quattro Pro for DOS Quattro Pro for Windows Quick C for Windows Quicken for Windows Rabbit Ears - Leopard Reader Rabbit 1 Reader Rabbit 2 Relentless Scenes Spider Man Cartoon Maker SuperBase Treehouse Turbo Pascal for Windows Where in Space is Carmen San Diego Where in the USA is Carmen Where in the World is Carmen San Diego Wine Guide WordPerfect for DOS WordPerfect for DOS WordPerfect for Windows
Given that RegWiz ships this information over the Microsoft Network (MSN), it's interesting to note that RegWiz checks for the major online services that compete with MSN, such as America On-line, CompuServe, and Prodigy. Two Internet-related products, NCSA Mosaic for Windows and Internet in a Box, appear on the list, but Netscape does not.
It is a somewhat random collection of applications in which RegWiz takes an interest. It's worth noting, for example, that the list of applications known to WINBUG.DAT (part of the Win95 bug-reporting program) is quite different.
Most striking, of course, is the presence of many non-Microsoft productivity applications, such as AmiPro for Windows, Borland Dbase, Borland Paradox, Gupta SQL Windows, Lotus Notes, Lotus 123, Personal Oracle 7, Quattro Pro, and WordPerfect.
Is all this a cause for concern? After all, as Microsoft points out, the user must explicitly allow RegWiz to upload this information to Microsoft. The user can choose not to run Online Registration at all. They can, without any harm to Win95, delete REGWIZ.EXE and even WELCOME.EXE.
But what is a Microsoft Office upgrade mechanism doing as part of the operating system's online registration? Why is the operating system being used to collect customer lists and/or statistical information on applications that compete with those from Microsoft? The Registration Wizard appears to be yet another case in which Microsoft has blurred the distinction (whatever distinction remains) between its applications and operating-system divisions. Were I a Microsoft competitor whose product appeared in the encrypted PRODINV database, I wouldn't be happy with Microsoft acquiring (for free) a good chunk of my customer list, via online registration for Windows 95, which is supposed to be a platform supporting my product.
So, it's not really an invasion of privacy issue, but is very possibly an anti-competitive problem: Microsoft is using its control over the operating system to gain information about applications that compete with its own applications.
How does PRODINV determine that you have one or more of the products in its encrypted database? Running the FILEMON utility alongside RegWiz revealed that a large number of directory names were being checked. The output from FILEMON looks like this (... indicates lines removed for brevity):
031 Open C:\WINDOWS\WELCOME.EXE ... 058 Open C:\WINDOWS\SYSTEM\REGWIZ.EXE ... 080 Open C:\WINDOWS\SYSTEM\PRODINV.DLL ... 136 e GetAttrib K:\MSOFFICE\ACCESS 137 e GetAttrib K:\ACCESS 138 e GetAttrib K:\MSOFFICE\ACCESS 139 e GetAttrib K:\WORLDMPC 140 e GetAttrib K:\SPACE 141 e GetAttrib K:\CAVO 142 e GetAttrib K:\DBASEWIN\BIN 143 e GetAttrib K:\DELPHI 144 e GetAttrib K:\DELPHI\BIN 145 e GetAttrib K:\DISNEY\LKASB 146 e GetAttrib K:\LKSTUDIO 147 e GetAttrib K:\MYMWIN2 148 e GetAttrib K:\ORAWIN\BIN 149 e GetAttrib K:\PB4 150 e GetAttrib K:\PB4NT 151 e GetAttrib K:\TLC\RR1 ... 180 e GetAttrib C:\AOL20 181 e GetAttrib C:\WAOL 182 e GetAttrib C:\BC4 183 e GetAttrib C:\CSERVE 184 e GetAttrib C:\AMIPRO 185 e GetAttrib C:\PRODIGY 186 e GetAttrib C:\ALDUS 187 e GetAttrib C:\IBOX 188 e GetAttrib C:\DBASE 189 e GetAttrib C:\DBASE 190 e GetAttrib C:\PDOXWIN ... 032 e GetAttrib C:\KA\TREE 033 e GetAttrib C:\TREEHSE ...
\123R4D \123R4W \ACCESS \ALDUS \AMIPRO \AOL20 \APPROACH \BASEBALL \BC4 \BS \CAVO \CHARISMA \CIE \CLIPPER5\BIN \CLIPPER5\LIB \CRAYOLA \CSERVE \DBASE \DBASEWIN\BIN \DEASE \DELPHI \DELPHI\BIN \DEWIN \DINO3D \DISNEY\LKASB \ENCARTA \EXCEL \FLTSIM5 \FOXPRO2 \FOXPROW \FPW26 \GUPTA \HG \HG3 \HGW \IBOX \KA\SPIDERCM \KA\TREE \KIDPIX \LKSTUDIO \LOSTCITY \MBWINCD \MECC\OTII \MOSAIC \MSKIDS \MSKIDS\LEAOPARD \MSMONEY \MSOFFICE \MSOFFICE\ACCESS \MSOFFICE\SETUP \MSPUB \MSTOOLS \MSTOOLS\C\DLAB \MSVC20\BIN \MSWINE \MSWORKS \MYMWIN2 \NOTES \OFFICE\WPWIN \ORAWIN\BIN \OTWIN \PB4 \PB4NT \PDOX45 \PDOXWIN \PERSUASI \PGA486 \PLAYWRLD \POWERPNT \PRODIGY \PROJ \PSDWIN \PUTTPUTT \PWPLUS \QCWIN \QPRO \QPW \QUICKENW \RELENT \SB4W \SCENES \SPACE \TLCWIN\RR2WIN \TLC\RR1 \TPW \TREEHSE \VB \VFP \WAOL \WINDOWS \WINDOWS\CHARISMA \WINDOWS\CORELDRW \WINPROJ \WINWORD \WINWORD\C\DLAB \WORD \WORKS \WORLDMPC \WP \WP50 \WP51 \WP60 \WPWIN \WPWIN60
085 e FndOpen E:\AOL20\WAOL.EXE 086 GetAttrib E:\WAOL 087 e FndOpen E:\WAOL\WAOL.EXE 088 GetAttrib E:\BC4 089 e FndOpen E:\BC4\BCW.EXE 090 GetAttrib E:\CSERVE 091 e FndOpen E:\CSERVE\WINCIM.EXE 092 GetAttrib E:\AMIPRO 093 e FndOpen E:\AMIPRO\AMIPRO.EXE 094 GetAttrib E:\PRODIGY 095 e FndOpen E:\PRODIGY\PRODIGY.EXE 096 GetAttrib E:\ALDUS 097 e FndOpen E:\ALDUS\ALDSETUP.EXE 098 GetAttrib E:\IBOX 099 e FndOpen E:\IBOX\AIRMOS.EXE 100 GetAttrib E:\DBASE 101 e FndOpen E:\DBASE\DBASE.EXE ...
\123R4D\123.EXE \123R4W\123W.EXE \ACCESS\SCWIZ.DLL \ACCESS\SETUPWIZ.MDB \ACCESS\SWU2016.DLL \ACCESS\WZCS.MDA \ALDUS\ALDSETUP.EXE \ALDUS\PR2.EXE \AMIPRO\AMIPRO.EXE \AOL20\WAOL.EXE \APPROACH\APPROACH.EXE \BASEBALL\BASEBALL.EXE \BC4\BCW.EXE \BS\BS94.EXE \CAVO\CAVO.EXE \CHARISMA\CHARISMA.BIN \CHARISMA\CHARISMA.EXE \CIE\CIE.EXE \CLIPPER5\BIN\CLIPPER.EXE \CLIPPER5\LIB\CLIPPER.LIB \CRAYOLA\STUDIO.EXE \CSERVE\WINCIM.EXE \DBASEWIN\BIN\DBASEWIN.EXE \DBASE\DBASE.EXE \DBASE\DBASEIV.ICO \DEASE\DE16M.EXE \DEASE\DEASE.EXE \DELPHI\BIN\DELPHI.EXE \DELPHI\DELPHI.EXE \DEWIN\DEWIN.EXE \DINO3D\KAWIN.EXE \DISNEY\LKASB\LIONKING.EXE \ENCARTA\ENCART95 \EXCEL\EXCEL.EXE \FLTSIM5\FS5.COM \FOXPRO2\FOXPRO.EXE \FOXPRO2\FOXPROX.EXE \FOXPROW\FOXPROW.EXE \FPW26\FOXPROW.EXE \GUPTA\C\DLAB \GUPTA\SQLWIN50.EXE \HG3\HG3.EXE \HGW\HG20.EXE \HGW\HGW.EXE \HGW\HGW1.DLL \HGW\HGW2.DLL \HGW\HGW20.EXE \HGW\HGW2EXP.DLL \HGW\HGW3.DLL \HGW\HGW4.DLL \HGW\HGWPLAY.EXE \HG\HG.EXE \IBOX\AIRMOS.EXE \KA\SPIDERCM\SPIDERCM.EXE \KA\TREE\TREE.EXE \KIDPIX\KIDPIX.EXE \KIDPIX\KPWIN.EXE \LKSTUDIO\LIONKING.EXE \LOSTCITY\LOSTCITY.EXE \MAIN123W.EXE \MBWINCD\MB4.INI \MECC\OTII\OTIILB.EXE \MOSAIC\MOSAIC.EXE \MSKIDS\ARTIST.EXE \MSKIDS\GWICON.IC \MSKIDS\HHOUSE.ICO \MSKIDS\LEAOPARD\LEOPARD.EXE \MSKIDS\MSBHUMAN.EXE \MSKIDS\MSBSOLAR.EXE \MSKIDS\WRITER.EXE \MSMONEY\MSMONEY.EXE \MSOFFICE\ACCESS\SCWIZ.DLL \MSOFFICE\ACCESS\SETUPWIZ.MDB \MSOFFICE\ACCESS\SWU2016.DLL \MSOFFICE\ACCESS\WZCS.MDA \MSOFFICE\MSOFFICE.EXE \MSOFFICE\SETUP\OFF40_BB.DL_ \MSOFFICE\SETUP\OFF42_BB.DL_ \MSOFFICE\WINWORD\WINWORD.EXE \MSPUB\MSPUB.EXE \MSTOOLS\WORD.COM \MSVC20\BIN\MSVC.EXE \MSWINE\WINEGDE.EXE \MSWORKS\MSWORKS.EXE \MYMWIN2\MYMWIN.EXE \OFFICE\WPWIN\WPWIN.EXE \OFFICE\WPWIN\WPWIN61.EXE \ORAWIN\BIN\ORAINST.EXE \OTWIN\OREGON.EXE \PB4NT\PB040.EXE \PB4\PB040.EXE \PDOX45\PARADOX.AUX \PDOXWIN\PDOXWIN.EXE \PERSUASI\(C)ALDUS.'92 \PERSUASI\PR2.EXE \PGA486\PGA486.COM \PLAYWRLD\PLAYROOM.EXE \POWERPNT\POWERPNT.DLL \POWERPNT\POWERPNT.EXE \PRODIGY\PRODIGY.EXE \PSDWIN\PSDWIN.EXE \PUTTPUTT\PUTTPUTT.INI \PWPLUS\PWPLUS.EXE \QCWIN\QCWIN.EXE \QPRO\Q.EXE \RELENT\RELENT.EXE \SB4W\SB4W.EXE \SCENES\SCENES.EXE \SPACE\CARMEN.EXE \TLCWIN\RR2WIN\RR2WIN.EXE \TLC\RR1\RR1.EXE \TPW\TPW.EXE \TREEHSE\TREEHSE.EXE \VB\VB.EXE \VFP\VFP.EXE \WAOL\WAOL.EXE \WIN95\LOTUS.INI \WINDOWS\CHARISMA\CHARISMA.EXE \WINDOWS\CORELDRW\CORELDRW.EXE \WINDOWS\HEGAMES.INI \WINWORD\WORD.COM \WORD.EXE \WORD\WORD.EXE \WORKS\WORKS.EXE \WORLDMPC\CARMEN.EXE \WP50\WP.EXE \WP51\WP.EXE \WP60\WP.EXE \WPWIN60\WPWIN.EXE \WPWIN\WPWIN.EXE \WP\WP.EXE
The next obvious step was to try to create some of these files, and see if RegWiz decided that I now had a given product. However, creating dummy (0-byte) files with the correct names, or files with arbitrarily-chosen contents but with the correct names, did not induce RegWiz to believe the corresponding product was installed. Evidently, RegWiz needed something other than directory and file names: perhaps a file checksum, size, date, or a particular pattern of bytes within the file.
To find how RegWiz (ProdInv, actually) was deciding that a user had a product, I needed to find where it kept information associating directory/file names with product names. However, a full search of my hard disk turned up no occurrences of strings such as "TREEHSE" or "TREEHSE.EXE" or "CARMEN.EXE", aside from the ones that showed up in the FILEMON logs.
Evidently, then, the actual "product inventory" is kept on disk in compressed and/or encrypted form, and is de-encrypted in memory only when PRODINV is loaded.
The next step was to run RegWiz under the Soft-ICE Windows debugger (Nu-Mega Technologies), and stop the program when it is calling the operating-system functions that search for directories and files. The key such function is FindFirstFileA, provided by KERNEL32.DLL. I set a debugger "breakpoint" on this function, ran RegWiz, and clicked "Online Registration."
Sure enough, I could see passing in the names of the directories and files that showed up in the FILEMON output. I was then able to "walk back" to the place from where FindFirstFileA was being called: it turned out, not surprisingly, to be inside PRODINV.DLL. From there, I had to step back again to see from where these names were coming. I finally located a buffer in memory that looked like this:
Break Due to BPMB #013F:009AFA0C W DR3 C=01 :d eax 013F:004436C5 77 6F 72 64 2E 63 6F 6D-2C 5C 77 69 6E 77 6F 72 word.com,\winwor 013F:004436D5 64 2C 31 35 30 30 2C 39-30 30 30 30 2C 33 30 3A d,1500,90000,30: 013F:004436E5 4D 69 63 72 6F 73 6F 66-74 20 57 6F 72 64 20 66 Microsoft Word f 013F:004436F5 6F 72 20 44 4F 53 09 0A-77 6F 72 64 2E 63 6F 6D or DOS..word.com 013F:00443705 2C 5C 77 69 6E 77 6F 72-64 2C 31 35 30 30 2C 39 ,\winword,1500,9 013F:00443715 30 30 30 30 2C 33 30 3A-4D 69 63 72 6F 73 6F 66 0000,30:Microsof 013F:00443725 74 20 57 6F 72 64 20 66-6F 72 20 44 4F 53 09 0A t Word for DOS..
winword6.ini,Microsoft Word,programdir,1,winword.exe,3000000,4000000,2:Microsoft Word for Windows win.ini,embedding,Word.Document.6,3,,3000000,4000000,2:Microsoft Word for Windows win.ini,Microsoft Word 2.0,programdir,1,winword.exe,1000000,2000000,2:Microsoft Word for Windows win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for Windows lotus.ini,Lotus Applications,amipro,1,amipro.exe,1000000,1500000,20:AmiPro for Windows win.ini,AmiPro,dictionary,1,amipro.exe,1000000,1200000,20:AmiPro for Windows win.ini,extensions,nsf,1,notes.exe,,,43:Lotus Notes ... waol.exe,\aol20,12000,15000,54:America On-line waol.exe,\waol,12000,15000,54:America On-line bcw.exe,\bc4,850000,920000,45:Borland C++ for Windows wincim.exe,\cserve,850000,890000,56:CompuServe amipro.exe,\amipro,700000,2000000,20:AmiPro for Windows prodigy.exe,\prodigy,550000,560000,57:Prodigy aldsetup.exe,\aldus,280000,290000,46:Aldus Pagemaker for Windows airmos.exe,\ibox,600000,650000,75:Internet In A Box dbase.exe,\dbase,0,500000,21:Borland Dbase dbaseiv.ico,\dbase,0,2000,21:Borland Dbase ...
"win.ini,embedding,WPWin6.0,3,,10000,25000,3:WordPerfect for
Windows" means to look
for a WPWin6.0= entry in the [embedding] section of WIN.INI, and to treat the
third comma-delimited field as a full directory/filename. If that file is
between 10,000 and 25,000 bytes, RegWiz decides you have WordPerfect for
Windows. Thus, the following WIN.INI entry:
[embedding] WPWin6.0=foo,foo,C:\FOO\FOOBISH.EXE,fooalong with a file named C:\FOO\FOOBISH.EXE, whose size is between 10-25,000 bytes, will trigger RegWiz to display "WordPerfect for Windows" as one of the products on the user's machine. The use of .INI files allows RegWiz to detect some applications installed in non-standard directories.
However, the bulk of the product inventory directly references directory and file names, without an intermediary .INI file. For example, the last two entry shown above indicate that, if a user has \DBASE\DBASE.EXE (size anywhere from 0 to 500,000 bytes) or if they have \DBASE\DBASEIV.ICO (size anywhere from 0 to 2,000 bytes), then they have product #21, "Borland Dbase."
So why is the PRODINV "product inventory" encrypted? I suspect because it was originally written for Microsoft Office. A nearly-identical module named OFF95INV.DLL comes with Office 95; WRD95INV.DLL comes with WinWord. (It's worth noting that the actual encrypted "product inventory" for these modules is quite different from the one in Win95. For example, OFF95INV.DLL will look for Lotus Freelance for Windows. A list of the products for which OFF95INV.DLL will search can be found on the side of the Office 95 box.) The database is encrypted because otherwise it would be trivial to fool this "wizard" (hmm...; examination of RegWiz/ProdInv shows it to be anything but wizardly) simply by creating an appropriately-sized file with the appropriate name in the appropriate subdirectory.
This makes perfect sense for application upgrades. But does it make sense for the operating system's online registration?
Microsoft's white-paper clarifications says: "Registration enables Microsoft to send information about Microsoft programs that are tailored for users needs and interests." While there is nothing wrong in Microsoft seeking to interest WordPerfect or AmiPro users in Microsoft Word, surely they could find a more appropriate venue in which to do so than the online registration of Windows itself, which is supposed to support all applications, not just those from Microsoft.