
SYSKEY awareness


mta


  • Moderators

I came across a PC today that asked for a password even before the normal user account password.

The image below is the prompt in question.

[Image: startup.password_thumb.png]

The owner had just received one of those "Hello, I'm from Microsoft and your PC is full of errors. Let us log in and fix it for you" calls. They took control, but she didn't give out her credit card details, though they obviously did something to her PC.

 

Fearing some sort of malware, I did some research and discovered they (the scammers) had turned on this Microsoft feature.

 

Here's the official description:

http://support.microsoft.com/kb/310105

 

In a nutshell, Windows keeps your user password in the Security Accounts Management (SAM) database file.

This is all part of the registry hive system and I won't go into all that.

It's also the place that password cracking software (like that found on Hiren's Boot CD) gets into to get past a forgotten password.

 

What the SYSKEY program does is password protect (encrypt, actually, but I'm keeping this as non-technical as possible) the SAM file so even Hiren's and such can't get around your account password.

 

So what this damn scammer had done, since no money was forthcoming, was to run SYSKEY and give it some password, effectively shutting her out of her own PC.

 

In the end the solution was easy enough: using Hiren's Boot CD to boot into Mini XP, getting into her Windows OS and restoring the old SAM file from the RegBack folder.

 

Just thought I'd share my revelations in case it helps someone else.

Firstly, in case some scammer does the same thing to your PC, and secondly as a means to bolster your own PC security.

Backup now & backup often.
It's your digital life - protect it with a backup.
Three things are certain; Birth, Death and loss of data. You control the last.


  • Moderators

Slight warning.

I played with the syskey.exe program yesterday, put a password on the SAM file, rebooted, all good, asked for the password and all.

I went back into SYSKEY to remove the password by giving it a new one of blank (field left empty).

Now, when I turn the PC on, the prompt still comes up and it expects a password of blanks.

So be aware...



  • Moderators

If you do this...

 

1. Run, type syskey and press Enter.
2. Click the Update button.
3. Tick "System Generated Password" and then "Store Startup Key Locally".
4. Click OK to confirm; you should get a confirmation message.

 

Is the password box gone now?

 

Support contact

https://support.piriform.com/hc/en-us/requests/new

support@ccleaner.com

 


  • Moderators

Yeah, I did that while playing with it, and although it doesn't ask for the password from the user, that is, as you know, because the password is now stored locally.

 

It seems once you go down the path of encrypting the SAM file, it's a one-way street.

This is forewarned on the initial screen, where it states "Once enabled, this encryption cannot be disabled."

I guess I never joined the dots; I figured if a password can be applied, the reverse should be true. Nope.



  • 3 months later...
  • Moderators

I was wrongly under the impression SYSKEY was introduced in Win7 onwards.

It's also in XP.

 

Had a PC today where the user was scammed into letting someone remote control it; they did the SYSKEY trick on them.

 

So heads up if you didn't know that.

 

Also, using Hiren's Boot CD can get past SYSKEY encryption, which is both good and bad.

It's a hidden option under DOS Programs, Password & Reg Tools, Offline Password Changer, Password Reset. It lists:

1 - edit user data
9 - reg edit
q - quit

 

Pressing 2 does the SYSKEY work-around. Which for me was good, but a bit scary if you have used SYSKEY as part of your layered protection only to have Hiren's get around it so easily.


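For anyone triaging a machine like the ones described in this thread, here is an added PowerShell check; it is not from any of the posts above and is not a Piriform tool. It reports which SYSKEY mode the machine is in (the startup password prompt from the first post, or the "store startup key locally" state left behind by the removal steps) and whether a RegBack copy of the SAM hive exists to restore, as the first post did. It assumes the commonly documented meaning of the SecureBoot value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (1 = key stored locally, 2 = startup password, 3 = key on removable media); treat that mapping as an assumption and confirm it on your own build. Run it from an elevated PowerShell prompt, since the config folder is not readable by standard users.

```powershell
# Added example, not part of the original thread: report the SYSKEY startup-key
# mode and whether a RegBack backup of the SAM hive is available for recovery.
# The SecureBoot value mapping below is the commonly documented one and is an
# assumption here; verify it on the Windows build you are examining.

function Get-SyskeyMode {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $lsa -Name 'SecureBoot' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Unknown (SecureBoot value not present)' }
    switch ($item.SecureBoot) {
        1 { 'Mode 1: startup key stored locally (Windows default; no extra prompt at boot)' }
        2 { 'Mode 2: startup password required before logon (the prompt shown in this thread)' }
        3 { 'Mode 3: startup key expected on removable media' }
        default { "Unrecognised SecureBoot value: $($item.SecureBoot)" }
    }
}

function Get-SamBackupInfo {
    # Live hive and the RegBack copy that the first post restored from.
    $config = Join-Path $env:SystemRoot 'System32\config'
    $live   = Join-Path $config 'SAM'
    $backup = Join-Path $config 'RegBack\SAM'

    [pscustomobject]@{
        LiveSam         = $live
        LiveSamWritten  = (Get-Item $live -ErrorAction SilentlyContinue).LastWriteTime
        BackupSam       = $backup
        BackupExists    = Test-Path $backup
        BackupSizeBytes = if (Test-Path $backup) { (Get-Item $backup).Length } else { 0 }
    }
}

Write-Host "SYSKEY mode : $(Get-SyskeyMode)"
Get-SamBackupInfo | Format-List
```

Mode 2 on a home PC where nobody set a startup password is the scenario from the first post; Mode 1 is what the "Store Startup Key Locally" steps leave behind. A BackupExists of False or a BackupSizeBytes of 0 means the RegBack recovery route is not available: Windows 10 version 1803 and later no longer populate RegBack automatically, and syskey.exe itself was removed from Windows 10 starting with version 1709, so this check is mainly relevant to the XP and Windows 7 era machines the thread is about. Comparing LiveSamWritten against the date of the scam call is also a quick way to confirm the hive was touched during the remote session.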
