CCleaner Community Forums

SYSKEY awareness



  • Moderators

I came across a PC today that asked for a password even before the normal user account password.

The image below is the prompt in question.



The owner had just received one of those "Hello, I'm from Microsoft and your PC is full of errors. Let us log in and fix it for you" calls. They took control; she didn't give out her credit card details, but they obviously did something to her PC.


Fearing some sort of malware, I did some research and discovered they (the scammers) had turned on this Microsoft feature.


Here's the official description:



In a nutshell, Windows keeps your user password in the Security Accounts Management (SAM) database file.

This is all part of the registry hive system and I won't go into all that.

It's also the place that password-cracking software (like the tools found on Hiren's Boot CD) gets into to get past a forgotten password.


What the SYSKEY program does is password protect (encrypt, actually, but I'm keeping this as non-technical as possible) the SAM file, so even Hiren's and the like can't get around your account password.


So what this damn scammer had done, since no money was forthcoming, was to run SYSKEY and give it some password, effectively shutting her out of her own PC.


In the end the solution was easy enough. I used Hiren's Boot CD to boot into Mini XP, got into her Windows OS and restored the old SAM file from the RegBack folder.


Just thought I'd share my revelations in case it helps someone else.

Firstly, in case some scammer does the same thing to your PC, and secondly, as a means to bolster your own PC security.

  • Moderators

Slight warning.

I played with the syskey.exe program yesterday, put a password on the SAM file, rebooted, all good, it asked for the password and all.

Went back into SYSKEY to remove the password by giving it a new one of blank (field left empty).

Now, when I turn the PC on, the prompt still comes up and it expects a password of blanks.

So be aware...

  • Moderators

If you do this...


Run, type syskey and press Enter.
Click the Update button.
Tick "system generated password" and then "store startup key locally".
Click OK to confirm; you should get a confirmation message.


Is the password box gone now?

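Added example, not from any post in this thread: a PowerShell check, run from an elevated prompt, that reports which SYSKEY startup mode the machine is in (so you can tell the locally stored key from the password prompt the scammer set in the first post) and whether the RegBack copy of SAM that the recovery above relied on is actually usable. It assumes the documented registry location of the mode (the SecureBoot DWORD under the Lsa key) and that nothing else on the machine has altered that value.

```powershell
# Added example (not from the thread): report the SYSKEY startup-key mode and the
# state of the SAM hive backup that the RegBack recovery relies on.
# Assumption: the mode is the DWORD "SecureBoot" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#   1 = key stored locally (silent), 2 = password required at boot, 3 = key on removable disk.
# Run elevated; the SAM hive's metadata is readable while the file itself stays locked.

function Get-SyskeyStatus {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $mode = (Get-ItemProperty -Path $lsa -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot

    $description = switch ($mode) {
        1       { 'Startup key stored locally: the normal, silent configuration; no prompt at boot.' }
        2       { 'PASSWORD STARTUP: a boot-time password is required. If nobody set this deliberately, treat it as tampering.' }
        3       { 'Startup key on removable disk: the machine will not boot without it.' }
        default { "SecureBoot value not found or unexpected ($mode). Note that syskey.exe itself was removed in Windows 10 1709." }
    }

    # The live hive and the RegBack copy the first post restored from.
    $config = Join-Path $env:SystemRoot 'System32\config'
    $live   = Get-Item (Join-Path $config 'SAM')         -ErrorAction SilentlyContinue
    $backup = Get-Item (Join-Path $config 'RegBack\SAM') -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootMode    = $mode
        Description       = $description
        LiveSamModified   = if ($live)   { $live.LastWriteTime }   else { $null }
        BackupSamBytes    = if ($backup) { $backup.Length }        else { $null }
        BackupSamModified = if ($backup) { $backup.LastWriteTime } else { $null }
        # A 0-byte RegBack\SAM cannot be restored from.
        BackupUsable      = [bool]($backup -and $backup.Length -gt 0)
    }
}

Get-SyskeyStatus | Format-List
```

A SecureBootMode of 2 together with a LiveSamModified timestamp that matches an unsolicited remote-support session is the pattern described in this thread. On Windows 10 1803 and later, RegBack contains 0-byte placeholder files unless periodic registry backup has been enabled, so BackupUsable will be false there and the RegBack route in the first post is unavailable; a System Restore point or a separate backup of the hive is then the fallback.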
  • Moderators

Yeah, I did that while playing with it, and although it doesn't ask the user for the password, that is, as you know, because the password is now stored locally.


It seems once you go down the path of encrypting the SAM file, it's a one-way street.

This is forewarned on the initial screen, where it states "Once enabled, this encryption cannot be disabled."

I guess I never joined the dots; I figured if a password can be applied, the reverse should be true. Nope.

  • 3 months later...
  • Moderators

I was wrongly under the impression SYSKEY was introduced in Win7 onwards.

It's also in XP.


Had a PC today where the user was scammed into letting someone remote control it; they did the SYSKEY trick on them.


So heads up if you didn't know that.


Also, using the Hiren's Boot CD can get past SYSKEY encryption, which is both good and bad.

It's a hidden option under DOS Programs, Password & Reg Tools, Offline Password Changer, Password Reset. It lists:

1 - edit user data

9 - reg edit

q - quit


Pressing 2 does the SYSKEY workaround, which for me was good but a bit scary if you have used SYSKEY as part of your layered protection, only to have Hiren's get around it so easily.


We crack users' passwords at the shop all the time using Hiren's. Usually they've forgotten them (and haven't used the machine in long enough to be unable to remember them), but sometimes they're just too embarrassed to tell us their password :lol:
