Windows is priced by region and purchasing power, not just “$ = ₹ = €”.

• One country: full-fat $120+ pricing.
• Another: equivalent of $30–40 for the same edition.

People then:

• Use VPNs to “appear” in cheaper regions.
• Add matching billing addresses so the payment doesn’t scream fraud.
• Sometimes even sync phone / GPS locations for app stores.

On top of that, Microsoft gives special geo-discounts to partners via Partner Center:

• Official price sheets: learn.microsoft.com/partner-center/pricing/pricing-and-offers
• Some SKUs get deeper discounts in places like India, UK, Australia, Canada.

Middlemen and bots sit in the middle of all this, scoop the cheap licenses, and resell them worldwide.

Big companies and schools buy Windows in bulk. That comes with side-effects.

Volume Licensing Spill

• Enterprises use MAK (Multiple Activation Keys) and KMS.
• One MAK can activate a bunch of machines.
• Over time: admins change, migrations happen, spreadsheets get messy.

Some admins even monitor MAK usage with tools like:

• check_mak.py from github.com/casdr/mak-tool plugged into Nagios/Zabbix to watch how many activations are left.

If one of those keys leaks:

• It might still have plenty of activations.
• Sellers treat each successful activation as a separate “product” and flip them as cheap keys.

Academic Fallout

Education programs spewed keys everywhere:

• DreamSpark / Imagine / Azure for Students.
• Academic MSDN / Visual Studio subscriptions.

Reality:

• Keys meant for lab PCs ended up on personal laptops.
• Uni accounts got shared, then forgotten.
• Labs got wiped; licenses lived on.

Result: a sea of “orphan” keys that were once totally legit… now drifting across the internet as $3 bargains.

OEM Keys From Dead Machines

OEM = the license that ships preinstalled with your device.

• Laptops get scrapped, but OEM keys sit quietly in BIOS/UEFI or the registry.
• Refurbishers and e-waste buyers plug whole pallets into scripts and harvest keys.

Common tools:

• github.com/larevuegeek/windows-key-extractor
• github.com/mrpeardotnet/WinProdKeyFinder
• github.com/dblohm7/winoemkey

You also see:

• wmic path SoftwareLicensingService get OA3xOriginalProductKey
  mentioned in guides like technine.be/2022/06/21/retrieve-oem-bios-windows-license-key-uefi/

Microsoft has broken some of these tricks on newer builds (people complain in places like reddit.com/r/Windows10/comments/r3phjh/microsoft_finally_managed_to_break_nirsoft/), but the general idea stays: OEM keys can be yanked out at scale.

Downgrade Rights Shenanigans

Enterprise licensing can include downgrade rights (e.g., license covers new version, you run an older one).

Admins sometimes:

• Extract OEM keys from existing devices.
• Use PowerShell + slmgr.vbs scripts to downgrade machines (e.g., Enterprise to Pro) after refresh.
• That leaves extra, higher-level licenses floating around.

There are threads like:

• reddit.com/r/Intune/comments/1djs1go/downgrading_windows_enterprise_to_pro_on_multiple/

which show how automation + downgrade rights can create leftover license “confetti”.

Those leftovers are great food for the grey market.

Ruble & Store Currency Exploit

On places like reddit.com/r/explainlikeimfive/comments/3l5lmo/eli5_how_can_cdkey_sites_like_g2acom_and/, people explain how:

• Sellers buy games/software from Russian or heavily devalued currency regions, where prices are naturally lower.
• They resell the keys in richer regions for a profit — even while undercutting local prices by 50–60%.

Steam Wallet → Real Cash Trick

Same ELI5 threads mention:

• Some traders are “stuck” with Steam wallet credit.
• They buy keys with wallet funds.
• Then resell those keys on places like G2A at a slight discount, effectively converting wallet credits to cash.

Gift Card Arbitrage

Gift card flippers on threads like reddit.com/r/Flipping/comments/35m6hh/gift_card_resalefor_use_with_retail_arbitrage_add/ talk about:

• Sites like giftcardgranny.com where cards can be 10–20% cheaper (example: Ross, TJ Maxx, etc.).
• Extra ~3% discount for bulk wire transfers.
• Weird edge cases like Babies“R”Us cards working at Toys“R”Us but selling cheaper.

Stack all that:

• Buy software/gift cards cheap.
• Stack store coupons and payment perks.
• Resell keys for $3–$5… and still profit.

It looks like sorcery.
It’s just coupon abuse + gift card flipping + currency chaos.

Not all keys are equal:

• Retail

  • Usually can move between devices (within reason).
  • What normal users think they’re buying.

• OEM

  • Tied to one device. Ideally dies with the hardware.

• OEM:SLP

  • Special OEM flavor bound to manufacturer recovery images.
  • Basically useless for random clean installs; more detail in guides like majorgeeks.com/files/details/showkeyplus.html.

• Volume:MAK

  • One key, multiple activations.
  • Meant for organizations; leaks become key-farm material.

• Volume:GVLK

  • Public “client setup” keys published by Microsoft.
  • They do nothing alone; they expect a real KMS server to talk to.
  • Explained in articles like tenforums.com/tutorials/49586-determine-if-windows-license-type-oem-retail-volume.html and learn.microsoft.com/windows-server/get-started/kms-client-activation-keys.

When a random site says “GLOBAL LIFETIME KEY!!!” without telling you the type:

• You might be buying something that depends on some stranger’s KMS server.
• Or a volume key that has 1 activation left and dies after your next motherboard upgrade.

slmgr.vbs – The Hidden Switchboard

slmgr.vbs is Windows’ internal licensing script. Most people use it just to check status, but it goes deeper:

• /act-type – force what kind of activation is allowed (1 = AD, 2 = KMS only, 3 = token-based).
• /sai – change how often KMS clients retry (from 15 minutes up to 30 days).
• /lil – list installed token-based licenses.

All documented (in very dry form) at:

• learn.microsoft.com/windows-server/get-started/activation-slmgr-vbs-options
• learn.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn502540(v=ws.11)

Admins use this to stay sane.
Key farms and pirates use the exact same plumbing to twist things.

Real KMS vs Fake KMS

Legit KMS:

• A proper activation server inside a company.
• Requires a minimum number of devices pinging it.

Emulated KMS (what a lot of shady activation scripts use):

• vlmcsd – C-based KMS emulator:

  • github.com/Wind4/vlmcsd
  • Tutorials like woshub.com/install-kms-server-vlmcsd-linux/ explain how it runs even on Linux/Android.

• py-kms – Python KMS with GUI and Docker:

  • github.com/SystemRage/py-kms
  • Forks/wrappers like github.com/itsarts1/PyKMS

• Docker KMS images:

  • github.com/11notes/docker-kms

These tools:

• Pretend to be a legit KMS server.
• Tell Windows “hey, you’re activated, all good” even when there’s no actual corporate environment behind it.

Using them to bypass licensing is a clear “you know what you’re doing” situation.
But they exist, and they’re a big reason why weird “pre-activated” ISOs and mystery keys keep floating around.

This is where the RDP scanning / credential dumping / registry scraping part kicks in.

Step 1: Scan The Internet For Exposed Windows

They (and also defenders!) use tools like:

• Masscan – internet-wide port scanner:

  • github.com/zan8in/masscan (wrapper)
  • kali.org/tools/masscan/

• Nmap – with RDP scripts:

  • rdp-enum-encryption: nmap.org/nsedoc/scripts/rdp-enum-encryption.html
  • rdp-ntlm-info: nmap.org/nsedoc/scripts/rdp-ntlm-info.html
  • rdp-vuln-ms12-020: nmap.org/nsedoc/scripts/rdp-vuln-ms12-020.html
  • General docs: nmap.org/book/port-scanning-tutorial.html
  • Extra examples: recordedfuture.com/threat-intelligence-101/tools-and-techniques/nmap-commands
  • Online wrapper: pentest-tools.com/network-vulnerability-scanning/port-scanner-online-nmap

And search engines like Shodan and Censys:

• RDP discovery/how-to:

  • infosecinstitute.com/resources/vulnerabilities/how-to-discover-open-rdp-ports-with-shodan
  • github.com/jakejarvis/awesome-shodan-queries
  • stationx.net/how-to-use-shodan
  • firecompass.com/shodan-dorks-to-find-exposed-it-assets

• Censys + VNC exposure:

  • youtube.com/watch?v=chlZAJsSL7w

Reports from places like CyberArk and Sophos say:

• Shodan sees 4M+ exposed RDP servers, with a big spike during the remote work boom:

  • cyberark.com/resources/blog/attackers-on-the-hunt-for-exposed-rdp-servers
  • infosecinstitute.com and others echo the same scale.

Bonus: Changing the port does nothing.
Sophos explains that RDP is detected by protocol fingerprint, not just port 3389:

• news.sophos.com/en-us/2024/03/20/remote-desktop-protocol-exposed-rdp-is-dangerous

So “we moved RDP to a weird port” = putting a different house number on your door and hoping burglars forget how street maps work.

Step 2: Break In & Grab Admin

Once they find exposed machines:

• They test passwords at scale using tools like CrackMapExec:

  • stationx.net/crackmapexec-cheat-sheet
  • awjunaid.com/kali-linux/crackmapexec-post-exploitation-and-penetration-testing-tool

• They use frameworks like Metasploit to poke RDP/web stuff:

  • RDP exploit framework: docs.metasploit.com/api/Msf/Exploit/Remote/RDP.html
  • RD Web Access timing tricks: raxis.com/blog/rd-web-access-vulnerability

If they get admin, the box becomes a loot box.

Step 3: Dump Passwords & Product Keys

With admin rights, they can:

• Dump credential data and Windows license data.

Common research tools:

• Impacket / secretsdump.py – registry credential dumping:

  • praetorian.com/blog/how-to-detect-and-dump-credentials-from-the-windows-registry
  • extrahop.com/resources/detections/impacket-secretsdump-sam-and-lsa-activity

• BloodHound / SharpHound – mapping who has access to what in Active Directory:

  • netwrix.com/en/resources/blog/bloodhound-active-directory-html
  • bloodhound.specterops.io/collect-data/permissions

• Remote registry extraction / PowerShell:

  • stackoverflow.com/questions/48325213/remote-registry-key-extractor-powershell-script
  • reddit.com/r/sysadmin/comments/qc39i8/powershell_script_to_pull_an_exact_registry_key
  • adamtheautomator.com/powershell-to-get-a-registry-value
  • learn.microsoft.com/powershell/scripting/samples/working-with-registry-keys
  • ninjaone.com/script-hub/find-windows-registry-keys
  • forums.powershell.org/t/script-that-extracts-windows-registry-to-a-csv-file-s/13291

Using these, they can:

• Sweep a whole company network.
• Grab Windows DigitalProductId fields from many machines.
• Feed those dumps into tools like github.com/mrpeardotnet/WinProdKeyFinder to decode license keys.

Ransomware crews use the same path:

• Shodan scan → weak RDP → CrackMapExec → secretsdump → mass encryption.
• cyberark.com and news.sophos.com both warn about this exact pattern.

Step 4: Sort, Check, And Clean Keys

Once they have a pile of keys:

• They check whether each key is valid or blocked using sites like:

  • mskey.in/pid-key-checker-for-office-windows-license-key

• They check remaining activations on MAK keys with:

  • github.com/casdr/mak-tool

Then:

• Export everything to CSV.
• Tag keys by edition (Home/Pro/Enterprise), channel (OEM/Retail/Volume) and status (ok/partial/dead).

Dead keys are junk.
Healthy keys become stock.

Step 5: Sell To The Public

Final step:

• List keys on marketplaces (G2A-style), “lifetime license” shops, private chats.
• Rotate seller names and accounts to dodge bans and chargebacks.

Sellers also get hit by chargeback fraud:

• Buyers activate keys and then complain to banks “this was unauthorized”, forcing a refund.
• Explained in places like unit21.ai/fraud-aml-dictionary/chargeback-fraud and reddit.com/r/fo76/comments/a1h01w/if_you_are_planning_to_chargeback_please_read/

To cover the risk:

• Sellers source keys cheaper and cheaper… which often means shadier and shadier.

Digital License Loopholes

Windows digital licenses can be tied to a Microsoft account.

Some people:

• Create a throwaway Microsoft account.
• Activate Windows and bind the digital license.
• Later, delete/ignore the account but keep reusing that license via troubleshooting flows across multiple hardware changes.

Discussions about local vs Microsoft account shenanigans show up in stories like:

• forums.theregister.com/forum/all/2025/10/07/windows_11_local_account_loophole/

This is how some retail licenses end up stretched way beyond what was intended.

If you just want to understand your own system:

See What License You Already Have

• ShowKeyPlus

  • Windows Store + portable versions:

    • apps.microsoft.com/detail/9pkvzcprx9nv
    • majorgeeks.com/files/details/showkeyplus.html
    • github.com/superfly-inc/showkeyplus

  • Shows if your key is OEM, Retail, or Volume and what’s in your registry/BIOS.

• ProduKey (NirSoft)

  • nirsoft.net/utils/product_cd_key_viewer.html
  • Older tool, but still helps in many cases.

• Key checkers

  • mskey.in/pid-key-checker-for-office-windows-license-key
  • Tells you whether a key is valid, blocked, and what channel it belongs to.

Managing Legit Volume Activation

• VAMT (Volume Activation Management Tool)

  • Microsoft’s official tool to manage volume keys, proxy activations, and track which machine uses what.

• MAS (Microsoft Activation Scripts)

  • github.com/massgravel/Microsoft-Activation-Scripts
  • Extremely powerful automation. What people do with it is 100% on them; it can easily cross the line into “nope” territory.

Short, honest take:

• Okay use case:

  • Test PC
  • Lab machine
  • Random home VM
  • A “I won’t cry if this breaks” setup

  Here, a cheap key is like a roadside snack: you know it’s not health food, you just enjoy it and move on.

• Bad idea:

  • Work laptop
  • Business machine
  • Anything holding client data or your whole life

  In that case, depending on a $3 grey-market license is basically building your house on a rented rug.

Assume for ultra-cheap keys:

• They can stop working suddenly.
• They might be tied to someone else’s KMS server, dev subscription, or volume pool.
• Reactivation after hardware changes or big upgrades might fail.
• The original “source” could be anything from junkyard hardware to leaked corporate keys to an exploited RDP farm.