Rafael Rivera

Generating valid tokens to access Limited Access Features in Windows 10

(revised )

Microsoft ships a number of Windows 10 features that require "specific approval to be used in an application". Windows Calculator, for example, taps into private math functionality tucked away in the RichEdit control. It isn't clear how one would request access to these APIs, but it is clear that part of the response is an app-specific token that must be provided at runtime.

More specifically, unlocking a Limited Access Feature via the LimitedAccessFeatures.TryUnlockFeature API requires several bits of information:

  1. It needs to know which feature you're trying to unlock (e.g. com.microsoft.windows.richeditmath) and an associated key data (e.g. RDZCQjY2M0YtQkFDMi00NkIwLUI3NzEtODg4NjMxMEVENkFF).

    A list of features can be found in the Windows Registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\LimitedAccessFeatures.

  2. It needs a very specific string containing some scarecrow legalese and your application's Publisher ID:

    [publisher id] has registered their use of [feature id] with Microsoft
    and agrees to the terms of use.
  3. It needs a special token, generated and provided by Microsoft.

After some quick sluething with friends @NTAuthority and @thebookisclosed, we all converged on the token validation routines in Windows.ApplicationModel.dll and reverse engineered the scheme:

Token = Base64(SHA256("FeatureId!FeatureKey!PackageFamilyName")[0..16])

Creating a token generator is an exercise left for the reader.

Windows Calculator example:

Base64(SHA256("com.microsoft.windows.richeditmath!RDZCQjY2M0YtQkFDMi00NkIwLUI3NzEtODg4NjMxMEVENkFF!Microsoft.WindowsCalculator_8wekyb3d8bbwe")
=> "pfanNuxnzo+mAkBQ3N/rGQ=="