Patents by Inventor Hakki Tunc Bostanci

Hakki Tunc Bostanci has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11886868
    Abstract: A feature is updated on a computing device. One or more composite image files are accessed that correspond to updates to be implemented in the computing device. The composite image files are signed containers. A runtime in-memory merge of the composite image files is performed. The merged composite image files are exposed as a read-only volume. The features are made available to the computing device. A system boot using the read-only volume can be initiated.
    Type: Grant
    Filed: November 15, 2021
    Date of Patent: January 30, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Matthaus Alden Wesemann, Hakki Tunc Bostanci, Aaron Farmer
  • Patent number: 10977053
    Abstract: Remote administration of initial computer operating system setup options is facilitated by systems and mechanisms that provide such initial setup options to a computing device during an earlier stage of the operating system setup. An administrator defines, in a profile, how such initial setup options are to be set and when an operating system is being set up it communicates with licensing servers to validate the copy of the operating system. If authorized, and if set up by an administrator, initial setup options are provided to the computing device at such an early stage of the operating system setup. Processes executing on the computing device then utilize software licensing application program interfaces to not only validate the copy of the operating system, but also to set the initial setup options in the manner pre-specified by the administrator. A customized directory service login user interface is one such initial setup option.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: April 13, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Namrata Shankar Puri, Anna Barhudarian, Siddharth Mantri, Hakki Tunc Bostanci, Marc Shepard
  • Patent number: 10365931
    Abstract: Remote administration of initial computer operating system setup options is facilitated by systems and mechanisms that provide such initial setup options to a computing device during an earlier stage of the operating system setup. An administrator defines, in a profile, how such initial setup options are to be set and when an operating system is being set up it communicates with licensing servers to validate the copy of the operating system. If authorized, and if set up by an administrator, initial setup options are provided to the computing device at such an early stage of the operating system setup. Processes executing on the computing device then utilize software licensing application program interfaces to not only validate the copy of the operating system, but also to set the initial setup options in the manner pre-specified by the administrator. A customized directory service login user interface is one such initial setup option.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: July 30, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Namrata Shankar Puri, Anna Barhudarian, Siddharth Mantri, Hakki Tunc Bostanci, Marc Shepard
  • Patent number: 10311217
    Abstract: A compiler automatically modularizes identified functions or portions of source code, thereby enabling developers to merely identify portions of source code that represent functionality that is to be protected, including going back and identifying such portions after the programming of the software application program has been substantially completed. Such identification can be inline, within the source code itself, or specified in an external file.
    Type: Grant
    Filed: December 9, 2016
    Date of Patent: June 4, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Olaf Alexander Miller, Ling Tony Chen, Hakki Tunc Bostanci
  • Publication number: 20180246732
    Abstract: Remote administration of initial computer operating system setup options is facilitated by systems and mechanisms that provide such initial setup options to a computing device during an earlier stage of the operating system setup. An administrator defines, in a profile, how such initial setup options are to be set and when an operating system is being set up it communicates with licensing servers to validate the copy of the operating system. If authorized, and if set up by an administrator, initial setup options are provided to the computing device at such an early stage of the operating system setup. Processes executing on the computing device then utilize software licensing application program interfaces to not only validate the copy of the operating system, but also to set the initial setup options in the manner pre-specified by the administrator. A customized directory service login user interface is one such initial setup option.
    Type: Application
    Filed: February 27, 2017
    Publication date: August 30, 2018
    Inventors: Namrata Shankar Puri, Anna Barhudarian, Siddharth Mantri, Hakki Tunc Bostanci, Marc Shepard
  • Publication number: 20180165428
    Abstract: A compiler automatically modularizes identified functions or portions of source code, thereby enabling developers to merely identify portions of source code that represent functionality that is to be protected, including going back and identifying such portions after the programming of the software application program has been substantially completed. Such identification can be inline, within the source code itself, or specified in an external file.
    Type: Application
    Filed: December 9, 2016
    Publication date: June 14, 2018
    Inventors: Olaf Alexander Miller, Ling Tony Chen, Hakki Tunc Bostanci
  • Patent number: 9235827
    Abstract: A computing device may include at least one primary notification module and at least one secondary notification module. A notification controller module may trigger a primary notification module and a secondary notification module to generate notification messages or the controller module may trigger the primary notification module to generate a notification message. A graphics device may generate a composite notification message based at least in part on the notification messages from the primary and the secondary notification modules, where representations of the notification messages are stacked one on-top of the other in the composite notification message.
    Type: Grant
    Filed: November 5, 2012
    Date of Patent: January 12, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Chih-Pin Ben Kao, Hakki Tunc Bostanci, Asish George Varghese, Vinod Chavva, Robert Edgar Fanfant
  • Patent number: 8931056
    Abstract: A service accessible by a set of entities may be provided to each entity at a different service level (e.g., with a different set of privileges) based on the privilege level of the entity. However, many users may attempt to perform malicious activities through the service, and may do so with impunity if the penalties of detection are inconsequential. Instead, privilege levels of entities may be established based on the claims of assets having identifiable value. Such claims may be established by submitting an asset identifier to the service, such as proof of a software license identified by the submission of a license key purchased at a substantial cost. The penalties of malicious activities performed by such users may include the invalidation of such asset identifiers. Establishing the privilege levels of respective entities in this manner raises the penalties, and hence the deterrence, of attempted malicious use of the service.
    Type: Grant
    Filed: March 31, 2011
    Date of Patent: January 6, 2015
    Assignee: Microsoft Corporation
    Inventors: Eric Fleischman, Eliot Gillum, Matthew Robert Ayers, Robert Edgar Fanfant, Hakki Tunc Bostanci
  • Patent number: 8806192
    Abstract: One or more techniques and/or systems are provided for securely authorizing a client to consume data and/or services from a service provider server while mitigating burdensome requests made to a validation server. That is, validation data provided to a client from a validation server may be maintained on the client and at least some of that validation data can be used to subsequently authorize the client when the client attempts to consume data and/or services from the service provider server (e.g., download a song). However, the validation data is maintained on the client and/or provided to the service provider server in a manner that inhibits user tampering. In this manner, numerous requests for validation of the client need not be made from the service provider server to the validation server when a client requests content from the service provider server, while also inhibiting unauthorized consumptions of data by the client.
    Type: Grant
    Filed: May 4, 2011
    Date of Patent: August 12, 2014
    Assignee: Microsoft Corporation
    Inventors: Hakki Tunc Bostanci, Robert Edgar Fanfant, Chih-Pin Kao, Satish K. Shetty, Kalin G. Toshev, Yefei Gao
  • Publication number: 20140129977
    Abstract: A computing device may include at least one primary notification module and at least one secondary notification module. A notification controller module may trigger a primary notification module and a secondary notification module to generate notification messages or the controller module may trigger the primary notification module to generate a notification message. A graphics device may generate a composite notification message based at least in part on the notification messages from the primary and the secondary notification modules, where representations of the notification messages are stacked one on-top of the other in the composite notification message.
    Type: Application
    Filed: November 5, 2012
    Publication date: May 8, 2014
    Applicant: MICROSOFT CORPORATION
    Inventors: Chih-Pin Ben Kao, Hakki Tunc Bostanci, Asish George Varghese, Vinod Chavva, Robert Edgar Fanfant
  • Publication number: 20130117006
    Abstract: Techniques involving a simulated start-up or “boot” process to detect the introduction of unauthorized code or data into the boot process. In one embodiment, a boot process is performed to initiate a computing system. The boot process is then simulated using the initiated computing system to detect unauthorized modifications introduced into the computing system prior to the computing system's operating system being operational.
    Type: Application
    Filed: November 7, 2011
    Publication date: May 9, 2013
    Applicant: MICROSOFT CORPORATION
    Inventors: Asish George Varghese, Chih-Pin Kao, Robert Fanfant, Hakki Tunc Bostanci
  • Patent number: 8418259
    Abstract: A Trusted Activation License (TAL) can be comprised of a key unique to a Trusted Platform Module (TPM) and identifying information of the software applications bundled with the computing device having that TPM. To activate the software applications, the identifying information in the TAL can be compared against that of the software applications being activated, and the unique TPM key in the TAL can be compared against that of the TPM on the computing device on which the activation is taking place. Subsequent validations can be based on a protected association between the TAL and an Attestation Identity Key (AIK) that can be generated by the TPM as part of the activation step. Optionally, Platform Configuration Registers (PCRs) of the TPM can be periodically changed during validation to protect against usage of one TPM for validations on multiple computing devices.
    Type: Grant
    Filed: January 5, 2010
    Date of Patent: April 9, 2013
    Assignee: Microsoft Corporation
    Inventors: Mikael Horal, Hakki Tunc Bostanci, Vandana Gunupudi, Ning Zhang, Scott Daniel Anderson, Stefan Thom, Erik Holt
  • Publication number: 20120284507
    Abstract: One or more techniques and/or systems are provided for securely authorizing a client to consume data and/or services from a service provider server while mitigating burdensome requests made to a validation server. That is, validation data provided to a client from a validation server may be maintained on the client and at least some of that validation data can be used to subsequently authorize the client when the client attempts to consume data and/or services from the service provider server (e.g., download a song). However, the validation data is maintained on the client and/or provided to the service provider server in a manner that inhibits user tampering. In this manner, numerous requests for validation of the client need not be made from the service provider server to the validation server when a client requests content from the service provider server, while also inhibiting unauthorized consumptions of data by the client.
    Type: Application
    Filed: May 4, 2011
    Publication date: November 8, 2012
    Applicant: Microsoft Corporation
    Inventors: Hakki Tunc Bostanci, Robert Edgar Fanfant, Chih-Pin Kao, Satish K. Shetty, Kalin G. Toshev, Yefei Gao
  • Publication number: 20120254946
    Abstract: A service accessible by a set of entities may be provided to each entity at a different service level (e.g., with a different set of privileges) based on the privilege level of the entity. However, many users may attempt to perform malicious activities through the service, and may do so with impunity if the penalties of detection are inconsequential. Instead, privilege levels of entities may be established based on the claims of assets having identifiable value. Such claims may be established by submitting an asset identifier to the service, such as proof of a software license identified by the submission of a license key purchased at a substantial cost. The penalties of malicious activities performed by such users may include the invalidation of such asset identifiers. Establishing the privilege levels of respective entities in this manner raises the penalties, and hence the deterrence, of attempted malicious use of the service.
    Type: Application
    Filed: March 31, 2011
    Publication date: October 4, 2012
    Applicant: Microsoft Corporation
    Inventors: Eric Fleischman, Eliot Gillum, Matthew Robert Ayers, Robert Edgar Fanfant, Hakki Tunc Bostanci
  • Patent number: 8010773
    Abstract: Restricting execution by a computing device of instructions within an application program. The application program is modified such that execution of the selected instructions is dependent upon a corresponding expected state of one or more hardware components in the computing device. In an embodiment, the application program is modified to place the hardware components in the expected states prior to execution of the corresponding selected instructions. Creating the dependency on the hardware components prevents the unintended or malicious execution of the selected instructions.
    Type: Grant
    Filed: June 24, 2008
    Date of Patent: August 30, 2011
    Assignee: Microsoft Corporation
    Inventors: Hakki Tunc Bostanci, Nathan Jeffrey Ide, Matthias Hermann Wollnik, John Richard McDowell, Karan Singh Dhillon, Aaron Payne Goldsmid
  • Patent number: 8001596
    Abstract: A method to apply a protection mechanism to a binary object includes using operating system resources to load a binary object from a storage medium along with a manifest and a digital signature. Authentication of the binary object is performed using the digital signature and the manifest is read to determine a category of protection for the binary object. The operating system selects a protection mechanism corresponding to the protection category and injects protection mechanism code, along with the binary object into a binary image on computer RAM. When the binary image is accessed, the protection mechanism executes and either allows full access and functionality to the binary object or prevents proper access and operation of the binary object. The protection mechanisms may be updated independently from the information on the storage medium.
    Type: Grant
    Filed: May 3, 2007
    Date of Patent: August 16, 2011
    Assignee: Microsoft Corporation
    Inventors: Matthias Wollnik, Nir Ben Zvi, Hakki Tunc Bostanci, John Richard McDowell, Aaron Goldsmid
  • Publication number: 20110167503
    Abstract: A Trusted Activation License (TAL) can be comprised of a key unique to a Trusted Platform Module (TPM) and identifying information of the software applications bundled with the computing device having that TPM. To activate the software applications, the identifying information in the TAL can be compared against that of the software applications being activated, and the unique TPM key in the TAL can be compared against that of the TPM on the computing device on which the activation is taking place. Subsequent validations can be based on a protected association between the TAL and an Attestation Identity Key (AIK) that can be generated by the TPM as part of the activation step. Optionally, Platform Configuration Registers (PCRs) of the TPM can be periodically changed during validation to protect against usage of one TPM for validations on multiple computing devices.
    Type: Application
    Filed: January 5, 2010
    Publication date: July 7, 2011
    Applicant: MICROSOFT CORPORATION
    Inventors: Mikael Horal, Hakki Tunc Bostanci, Vandana Gunupudi, Ning Zhang, Scott Daniel Anderson, Stefan Thom, Erik Holt
  • Publication number: 20090319761
    Abstract: Restricting execution by a computing device of instructions within an application program. The application program is modified such that execution of the selected instructions is dependent upon a corresponding expected state of one or more hardware components in the computing device. In an embodiment, the application program is modified to place the hardware components in the expected states prior to execution of the corresponding selected instructions. Creating the dependency on the hardware components prevents the unintended or malicious execution of the selected instructions.
    Type: Application
    Filed: June 24, 2008
    Publication date: December 24, 2009
    Applicant: MICROSOFT CORPORATION
    Inventors: Hakki Tunc Bostanci, Nathan Jeffrey Ide, Matthias Hermann Wollnik, John Richard McDowell, Karan Singh Dhillon, Aaron Payne Goldsmid
  • Publication number: 20080276314
    Abstract: A method to apply a protection mechanism to a binary object includes using operating system resources to load a binary object from a storage medium along with a manifest and a digital signature. Authentication of the binary object is performed using the digital signature and the manifest is read to determine a category of protection for the binary object. The operating system selects a protection mechanism corresponding to the protection category and injects protection mechanism code, along with the binary object into a binary image on computer RAM. When the binary image is accessed, the protection mechanism executes and either allows full access and functionality to the binary object or prevents proper access and operation of the binary object. The protection mechanisms may be updated independently from the information on the storage medium.
    Type: Application
    Filed: May 3, 2007
    Publication date: November 6, 2008
    Applicant: Microsoft Corporation
    Inventors: MATTHIAS WOLLNIK, Nir Ben-Zvi, Hakki Tunc Bostanci, John Richard McDowell, Aaron Goldsmid
  • Publication number: 20080229115
    Abstract: In an example embodiment, executable files are individually encrypted utilizing a symmetric cryptographic key. For each user to be given access to the obfuscated file, the symmetric cryptographic key is encrypted utilizing a public key of a respective public/private key pair. A different public key/private key pair is utilized for each user. Obfuscated files are formed comprising the encrypted executable files and a respective encrypted symmetric cryptographic key. The private keys of the public/private key pairs are stored on respective smart cards. The smart cards are distributed to the users. When a user wants to invoke the functionality of an obfuscated file, the user provides the private key via his/her smart card. The private key is retrieved and is utilized to decrypt the appropriate portion of the obfuscated file. The symmetric cryptographic key obtained therefrom is utilized to decrypt the encrypted executable file.
    Type: Application
    Filed: March 16, 2007
    Publication date: September 18, 2008
    Applicant: Microsoft Corporation
    Inventors: Matthias Hermann Wollnik, Nir Ben-Zvi, Aaron Goldsmid, Hakki Tunc Bostanci, Karan Singh Dhillon, Nathan Jeffrey Ide, John Richard McDowell, David John Linsley