SYSKEY awareness

[mta]

I came across a PC today that asked for a password even before the normal user account password.

The image below is the prompt in question.
 

 

The owner had just received one of those "Hello, I'm from Microsoft and your PC is full of errors.  Let us login and fix it for you" calls.  They took control but she didn't give out her credit card details but they obviously did something to her PC.

 

Fearing some sort of malware, I did some research and discovered they (the scammers) had turned on this Microsoft feature.

 

Here's the official description;

http://support.microsoft.com/kb/310105

 

In a nutshell, Windows keeps your user password in the Security Accounts Management (SAM) database file.

This is all part of the registry hive system and I won't go into all that.

It's also the place that password crack software (like those found on Hirems Boot CD) get into to get past a forgotten password.

 

What the SYSKEY program does is password protect (encrypt actually but I'm keeping this non-technical as much as possible) the SAM file so even Hirem and such can't get around your account password.

 

So what this damn scammer had done since no money was forthcoming was to run SYSKEY and give it some password, effectively shutting her out of her own PC.

 

In the end the solution was easy enough.  Using Hirems Boot CD to boot to Mini XP and getting into her Windows OS and restoring the old SAM file from the RegBack folder.

 

Just thought I'd share my revelations in case it helps someone else.

Firstly in case some scammer does the same thing to your PC and secondly as a means to bolster your own PC security.

[hazelnut]

Good heads up mta.

 

Thanks for posting.

[mta]

slight warning.

I played with the syskey.exe program yesterday, put a password on the SAM file, rebooted, all good, asked for the password and all.

went back into SYSKEY to remove the password by giving it a new one of blank (field left empty).

now, when I turn the PC on, the prompt still comes up and it expects a password of blanks.

so be aware...

[hazelnut]

If you do this...

 

Run, type syskey and press enter.
Click the Update button.
Tick "system generated password" and then "store startup key locally".
Click OK to confirm, you should get a confirmation message.

 

Is the password box gone now?

[mta]

yeah, I did that while playing with it, and although it doesn't ask for the password from the user, that is, as you know, because the password is now stored locally.

 

it seems once you go down the path of encrypting the SAM file, it's a one way street.

this is fore-warned on the initial screen where it states Once enabled, this encryption cannot be disabled.

I guess I never joined the dots, I figured if a password can be applied, the reverse should be true - nope.

[mta]

I wrongly was under the impression SYSKEY was introduced in Win7 onwards.

It's also in XP.

 

Had a PC today where the user was scammed into having someone remote control it they did the SYSKEY trick on them.

 

So heads up if you didn't know that.

 

Also, using the Hirem Boot CD can get past SYSKEY encryption - which is both good and bad.

It's a hidden option under DOS Programs, Password & Reg Tools, Offline Password Changer, Password Reset.  It lists;

1 - edit user data

9 - reg edit

q - quit

 

pressing 2 does the SYSKEY work-around.  Which for me was good but a bit scary if you have used SYSKEY as part of your layered protection only to have Hirem get around it so easily.

[Winapp2.ini]

We crack users passwords at the shop all the time using Hirens. Usually they've forgotten them (and haven't used the machine in long enough to be unable to remember them) but sometimes they're just too embarrassed to tell us their password