
This tutorial explains how to enable, use and remove the Syskey startup password in Windows (10, 8.1, 7 and XP), including how to deal with the Syskey scam.

Basic concepts of Syskey

In Windows, local user accounts and their password hashes are stored in the SAM (Security Account Manager) database, which lives in the SAM registry hive. The hashes in it are encrypted with a key that is itself protected by the System Key, also called the boot key. Syskey is the name of that System Key and of the utility (syskey.exe) that controls how it is protected.

syskey explained

In plain terms, think of two lockers. The second locker holds the user database; the first holds the key that opens the second. To open the second locker you must first open the first, and Syskey is the key to the first locker.

Windows syskey explained

Every local logon depends on this key, because without it the SAM cannot be decrypted. Syskey can be kept in one of three ways: -

On a floppy disk

In this option, the Syskey is stored on a floppy disk, which has to be inserted every time Windows boots.

On the local hard disk with a startup password

In this option, the Syskey is not stored at all: it is derived from a startup password, so the correct password has to be typed every time Windows boots. This is the mode scammers switch on.

On the local hard disk without any password

In this option, the Syskey is stored on the local hard disk inside the SYSTEM registry hive. Windows reads it back on its own, so no user interaction is required at boot. This is the default.

Windows syskey default option

Syskey is a double-edged sword. On the positive side it adds a layer of protection to the password database; on the negative side the same mechanism can lock the owner out of the system completely. Sadly it is abused more often than it is used, most commonly by scammers who turn it against Windows users.

Syskey scam

Usually the scammer phones the victim pretending to be a Microsoft support person and convinces them that their computer needs to be repaired immediately. Once the victim is convinced, the scammer offers to fix the problem online. Believing that the help comes from Microsoft, the victim allows the scammer to access the computer remotely.

During the remote session the scammer opens the Syskey utility, switches it from the default Without Password mode to Password Startup and sets a password that only they know. From then on Windows will not boot until the correct startup password is supplied.

The scammer then demands a ransom. Because the startup password cannot be changed or removed from the Syskey utility itself without knowing the current one, victims usually pay to get their Windows back. The rest of this tutorial shows that paying is not the only way out.

The good news is that Microsoft removed syskey.exe in Windows 10 version 1709 (Fall Creators Update) and Windows Server, version 1709, so on these and later versions the scam cannot be set up in the first place: keep Windows updated and forget about it. If you are on an older version, cannot update right now, or are already stuck at a Syskey startup password prompt, use this tutorial to deal with the Syskey scam in the best possible way.

Dealing with Syskey scam

For demonstration purposes I will use the four major versions of Windows (XP, 7, 8.1 and 10) that are heavily affected by the Syskey scam.

To simulate the lockdown, let's first enable the startup password on each of them.

Enabling Syskey in Windows

Open Run or the Search box, type syskey and press Enter. In XP this opens the Syskey utility directly; in the later versions it shows a Syskey shortcut, which you click to launch the utility.

run syskey

Since Vista, Windows has had UAC (User Account Control), which lets an application make system-wide changes only after the user has approved it. Click Yes to allow Syskey to start.

Windows UAC

Once Syskey is running, the remaining steps are identical on all versions. Click Update.

syskey main screen

By default, Store Startup Key Locally is selected.

syskey default option

Change it to Password Startup and set a password.

set syskey password

Click OK to confirm and close the Syskey utility.

syskey enabled

Now restart Windows. Because a startup password is now configured, Windows will not start until the correct password is supplied.

syskey applied

As the figure shows, there are only two options on this screen: provide the correct startup password, or restart, which brings you straight back to the same screen.

Removing Syskey startup password in Windows

There are four ways to remove the Syskey startup password: -

  • Using Windows default backup to restore the original Syskey configuration
  • Using third party Syskey removal tools to clear the Syskey startup password
  • Using registry key to disable Syskey startup password
  • Reinstalling Windows without losing any data

Using Windows default backup to remove the Syskey password

Depending on triggers and settings, Windows periodically copies its critical registry hives. The scheduled task RegIdleBackup copies DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM, the hives that control the boot process and authenticate logons, from Windows\System32\config to Windows\System32\config\RegBack. Two caveats: Windows XP has no RegBack folder (its only hive copies, in Windows\repair, date from installation), and Windows 10 version 1803 and later leave RegBack empty (0 KB files) unless periodic backup has been explicitly enabled.

The following figure shows a RegBack folder without a backup

regback folder with 0kb files

The following figure shows a RegBack folder with a backup

regback folder with backup

Have you noticed the difference between the two figures?

In the first figure, the RegBack folder without a backup, the files are empty; in the second, the folder with a backup, they are not.

So the file sizes tell us whether a backup has been taken. If the files are empty (0 KB) or missing, there is no backup. If there is one, Syskey can be removed without third-party tools and without touching any other Windows file. One caveat: the restored hives are as old as the backup, so every password change, new account, installed program or driver setting made after that date is rolled back with them.

Before we learn how to restore original Syskey configuration back from this folder, let’s quickly understand how Windows default backup is triggered and which settings control it.

For the following topic I used a separate system on which no Syskey startup password is set.

Understanding Windows default backup

Two Windows mechanisms keep copies of the registry hives, and it helps not to confuse them. The first is the scheduled task RegIdleBackup, which copies the hives into RegBack on a timer (every ten days by default); this is the backup the RegBack methods below rely on. The second is System Restore, which takes a Volume Shadow Copy snapshot of the system drive (a restore point) on a schedule and before changes such as driver or program installations. A restore point also contains the registry hives, but they are kept inside the snapshot, not in RegBack, and are put back through System Restore rather than by copying files. Neither of these is the Last Known Good Configuration, which is only a pointer in the SYSTEM hive to the control set that last booted successfully, not a copy of the hives.

Settings which control the scheduled backup

The scheduled backup is run by Task Scheduler, which is available at

Control Panel => System and Security => Administrative Tools

To check it, open Task Scheduler and in the left pane navigate to Task Scheduler Library => Microsoft => Windows => Registry.

Once the Registry folder is selected, its task RegIdleBackup and all its control and information options are shown in the right pane.

Check Last Run Time in the right pane; it should be recent. If needed, adjust the trigger from the Triggers and Settings tabs, and use Run in the right pane to take a backup immediately. If Last Run Time is empty or the task is disabled, RegBack holds only 0 KB files and the RegBack methods cannot be used.

windows task scheduler

Settings which control Restore Point Backup

Restore point settings are in System Properties. To access System Properties: -

  • In XP and Windows 7, right-click My Computer (XP) or Computer (7) in the Start menu and click Properties.
  • In Windows 8, right-click This PC on the Start screen and click Properties.
  • In Windows 10, search for Create a restore point and open it.

In System Properties, switch to the System Protection tab. Under Protection Settings, check that Protection for the Windows partition is On. If it is Off, turn it on with Configure.

create restore point settings

Once protection is on, a restore point is created automatically whenever Windows or an installer asks for one. You can also create one manually from here: click Create, give the restore point a name and click Create again.

create restore point in windows

Key points

  • By default, Syskey is enabled and the key is stored, without a startup password, in the SYSTEM registry hive in Windows\System32\config; the SAM hive in the same folder holds the account data encrypted under it.
  • When Windows takes its default backup, these hives are copied, together with the other hives, into Windows\System32\config\RegBack.
  • When a scammer sets a startup password, only the live hives in Windows\System32\config change (SYSTEM records the new mode and SAM is re-keyed to match).
  • The copies in Windows\System32\config\RegBack are untouched and still describe Syskey without a startup password.
  • Copying the files from RegBack back into config replaces the modified hives with the originals.
  • Once the originals are back, the startup password is gone, because it existed only in the modified hives. Always copy SYSTEM and SAM together from the same backup; a SYSTEM hive from one time and a SAM hive from another do not work together.

Restoring original Syskey configuration back from RegBack folder

We have three options to restore the original files from the RegBack folder to the config folder.

  • Through Advanced Recovery options
  • Through Windows installation disk
  • Through Ubuntu installation disk

Through Advanced Recovery options

Since Windows 8, the Windows Recovery Environment with its Advanced options has replaced the Vista/7 System Recovery Options (and the XP Recovery Console). It provides several maintenance tools, including a command prompt, from which we can easily copy the original files back into the config folder. Because this recovery environment belongs to the installed Windows, the command prompt is opened only after authenticating as a local administrator.

To remove Syskey through the Advanced Recovery options, use the following steps: -

When Windows asks for the Syskey startup password, do not choose either option; just power off the system. Start it again, and if the startup password screen returns, repeat until Windows shows the following screen.

windows self diagnosing

Once self diagnosing is finished, Windows will start Automatic Repair wizard for further troubleshooting. Click Advanced options

Windows automatic repair

Click Troubleshoot option

windows advance recovery

Click Advanced options

windows recovery advanced options

Click Command Prompt

windows recovery wizard command prompt

At this point, if no administrator account is enabled, the wizard shows the following error.

no administrator account message

Clicking the Forgot your password or don't see your account? link explains why the command prompt cannot be opened.

no administrator account message detail

Since Windows Vista the built-in Administrator account is disabled by default. It can be enabled, while the system is still usable, with the following command from an elevated prompt (net user administrator /active:yes); it cannot be enabled from this screen once the system is locked.

enable administrator account

To follow this option, let's assume that either the built-in Administrator account was enabled or an additional account with administrator privileges existed before Windows was locked.

If the wizard finds an enabled administrator account, it checks whether that account has a password. If it does, you must enter it before the command prompt opens; if not, clicking Command Prompt opens the prompt directly.

If you cannot open the command prompt this way, this method will not work for you. Use the next method, which does not require administrative authentication.

If you can open the command prompt, note that it starts on the recovery environment's own X: drive, so first switch to the drive that holds the locked Windows (often D: here rather than C:; check with dir). Then run the following commands to restore the backup files from the RegBack folder

Command Description
cd Windows\System32\config\RegBack Move into the RegBack folder
dir Check the file sizes; if DEFAULT, SAM, SECURITY, SOFTWARE and SYSTEM are 0 bytes there is no backup and this method cannot be used
copy * ..\* Copy all files from this folder over the live hives in the config folder (answer Yes when asked to overwrite)

remove syskey from regback folder

Now close the command prompt and restart. If Windows boots normally and the logon screen appears, the Syskey password has been removed.

Through Windows installation disk

Boot system with Windows installation disk and click Next on Language and preferences screen.

boot system with windows cd

On next screen click Repair your computer instead of Install Now.

repair your computer option

On the next screen choose Troubleshoot, then Advanced options, then Command Prompt.

advanced options

Because this command prompt comes from the installation disk rather than from the installed Windows, no administrative authentication is required. On the other hand, we have to find the partition on which Windows is installed, since the drive letters seen here differ from those of the running system. If you know the drive letter, switch to it; otherwise check each partition.

To see the drive letters in use, run wmic logicaldisk get caption, which lists every drive letter currently assigned. The rest can be done with dir.

Run dir on each listed drive (starting from C:) to find the one that contains a Windows folder.

finding used drive letter in windows

Once the Windows partition is located, copy the files from RegBack to config with the same commands we used in the first option.

remove syskey from windows installation disk

Now remove the installation disk and restart the system. If Windows boots normally and login screen appears, syskey password has been removed successfully.

Removing Syskey startup password from Ubuntu

Boot the system from an Ubuntu installation disk and select Try Ubuntu. This runs Ubuntu from the disk without installing anything on the hard disk.

try ubuntu option

Once Ubuntu is loaded, click Files icon

ubuntu desktop

In the left pane click the Windows partition. If Windows was shut down properly, Ubuntu mounts the partition and shows it in the right pane.

If Windows was not shut down properly, or was hibernated (which Fast Startup on Windows 8 and later does on an ordinary shutdown), Ubuntu cannot mount the partition read-write. If mounting fails, a few extra commands are needed at the terminal, explained in the next section. For now let's assume that Windows was shut down properly and the partition mounts.

In the right pane, navigate to Windows, then System32, then config. In config, right-click the RegBack folder and click Open in New Tab.

mounting windows partition

Besides the five hive files (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM) you may find additional log files in RegBack. They are not part of the backup; remove them so that only the hives are copied.

removing additional files

Once additional files are removed, copy the original backup files.

copy files from regback folder

Paste copied files in config folder

paste copied files

Confirm the replacement

confirm replace

Once all files are replaced, remove the installation disk and restart the system.

If system was powered off without shutting down the Windows, above process will not work with following error.

ubuntu mount error

Mounting a hibernated Windows partition

A hibernated, crashed or corrupted Windows partition must be cleaned before it can be mounted. To clean and mount it, use the following steps: -

Access Terminal

access terminal

And run the following commands

sudo /bin/bash Administrative privilege is required for this task; this command opens a root shell.
mkdir /media/disk Creates the directory on which we will mount the Windows partition.
fdisk -l Lists all partitions on all attached disks. Note the device path of the Windows partition (the large NTFS partition, not the small System Reserved one) for the next commands.

mounting hibernated partition

Once the device path of the Windows partition is known (here /dev/sda1 is assumed; use your own), use the following commands to clean and mount it.

ntfsfix /dev/sda1 Clears the hibernation state and marks the partition clean.
mount -t ntfs-3g /dev/sda1 /media/disk -o force Mounts the Windows partition on /media/disk.
cd /media/disk Changes directory to /media/disk
ls Lists the contents of the partition.

mounting windows partition

Now use the following commands to copy the backup files from RegBack to config. Note that ntfs-3g treats names as case-sensitive, so type Windows and System32 exactly as they appear in the ls output.

cd Windows/System32/config/RegBack Changes directory to the RegBack folder
ls Lists the RegBack folder; check that the five hives are present and not empty
rm *.* Removes any additional log files (the hive files have no dot in their names, so this leaves them alone)
cp * /media/disk/Windows/System32/config Copies all files from RegBack over the live hives in config
exit Closes the root shell

copy files from regback folder
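The RegBack restore that the command-prompt steps earlier and the Ubuntu commands in this section perform by hand, as an added example that is not part of the original tutorial: a small bash script for the live-Ubuntu route that finds the config folder with the right letter case, refuses to proceed when RegBack holds only 0 KB files, keeps a copy of the live hives, and restores the five hives as a set. The mount_windows helper wraps the ntfsfix and mount commands from this section; the function names, the backup directory name and the /dev/sda1 example device are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example for this tutorial, not part of the original page: the RegBack
# restore that the cmd and Ubuntu sections perform by hand, with the checks a
# practitioner would want before overwriting live registry hives.
# Assumptions: the Windows partition is (or can be) mounted read-write from a
# Linux live system, and the five hive names below are the ones in RegBack.

HIVES="DEFAULT SAM SECURITY SOFTWARE SYSTEM"

# mount_windows DEVICE MOUNTPOINT
# Clears a hibernation or dirty flag with ntfsfix, then mounts the partition
# with ntfs-3g as the tutorial does. Needs root and ntfs-3g; not run by the test.
mount_windows() {
  mkdir -p "$2" || return 1
  ntfsfix "$1" || return 1
  mount -t ntfs-3g -o force "$1" "$2"
}

# find_config_dir MOUNTPOINT
# Prints the real path of Windows/System32/config under the mount point.
# ntfs-3g is case-sensitive, so "system32" and "System32" are different names;
# match case-insensitively and use the spelling that is actually on disk.
find_config_dir() {
  local mnt="${1%/}" d
  d=$(find "$mnt" -maxdepth 3 -type d -ipath "$mnt/windows/system32/config" | head -n 1)
  if [ -z "$d" ]; then
    echo "no Windows/System32/config under $mnt" >&2
    return 1
  fi
  printf '%s\n' "$d"
}

# check_regback CONFIG_DIR
# Succeeds only if every hive exists in CONFIG_DIR/RegBack with a size above 0.
# Zero-byte files mean no backup was taken (the default on Windows 10 1803 and
# later), so there is nothing to restore and another method is needed.
check_regback() {
  local cfg="$1" h
  for h in $HIVES; do
    if [ ! -s "$cfg/RegBack/$h" ]; then
      echo "no usable backup of $h in $cfg/RegBack" >&2
      return 1
    fi
  done
  return 0
}

# restore_hives CONFIG_DIR
# Saves the live hives into a timestamped directory, then overwrites them with
# the RegBack copies. Only the five hive names are copied, so stray .LOG files
# in RegBack are ignored. SYSTEM and SAM are always restored together from the
# same backup: the SAM hive is encrypted under the syskey and the SYSTEM hive
# says where that key comes from, so a mismatched pair does not work.
restore_hives() {
  local cfg="$1" bak h
  check_regback "$cfg" || return 1
  bak="$cfg/before-restore-$(date +%Y%m%d%H%M%S)"
  mkdir -p "$bak" || return 1
  for h in $HIVES; do
    if [ -e "$cfg/$h" ]; then
      cp -p "$cfg/$h" "$bak/$h" || return 1
    fi
    cp -p "$cfg/RegBack/$h" "$cfg/$h" || return 1
  done
  echo "restored $HIVES from RegBack; previous hives saved in $bak"
}

# Usage from the live Ubuntu root shell after mounting, e.g.:
#   mount_windows /dev/sda1 /media/disk
#   restore_hives "$(find_config_dir /media/disk)"
# Running the script with the mount point as its only argument does the second step.
if [ "$#" -eq 1 ]; then
  restore_hives "$(find_config_dir "$1")"
fi
```

The script can also be sourced in the root shell so that the three functions are called one at a time, which is convenient when you want to look at the dir listing yourself between the check and the restore.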

Once all files are restored, shut down Ubuntu.

shutdown ubuntu

Now remove the Ubuntu installation disk and restart the system to confirm that Syskey has been removed.

Syskey can be removed from the RegBack folder only if a Windows default backup exists. If none is available, or the scammer has deleted the files in RegBack, the methods above will not work. In that case only three options remain: use a third-party Syskey recovery tool, change the registry keys, or reinstall Windows. Unless you have the technical knowledge, do not use these options; they are for advanced users only.

Using third party Syskey removal tools to clear the Syskey

Several third-party Syskey removal tools are available. Some are version-specific, others universal. Which one to use depends on the situation and your preference. Whichever tool you pick, use it with care and only after reading its documentation, because Microsoft neither recommends nor supports any third-party tool and will not help with damage one causes. Microsoft's policy is described at the following URL

https://support.microsoft.com/en-us/help/189126/microsoft-policy-about-lost-or-forgotten-passwords

To see how such a tool is used, let's take an example. This tool is an open-source Linux boot disk with a script that can remove Syskey from Windows XP.

Do not use this script on anything newer than XP, such as Windows 7, 8.1 or 10. It supports only Windows XP and earlier, and since it rewrites the registry hives directly, take a copy of the config folder first if you can.

Download following script and extract it

Linux script to remove syskey

downloaded zipped file

It contains a bootable ISO image file.

extracted iso file

To boot the system from this image, burn the ISO to a disk. Any free ISO burner will do, such as

http://infrarecorder.org/?page_id=5

Or

http://www.freeisoburner.com/

Once bootable disk is prepared, boot the system with this disk.

boot from disk

The script scans the hard disk and lists the Windows partitions it finds. Unless the machine dual-boots, there should be only one.

Type the number of the Windows partition (most likely 1; check the list) and press Enter

select windows partition

Next the script needs the path of the registry files. Usually it picks the correct one automatically; if not, set it to Windows/System32/config.

select registry path

Type 1 and press Enter key

type 1

Type 2 and press Enter

type 2

Type y and press Enter. This will disable the Syskey.

type y

Type q and press Enter to return in previous menu

type q

So far nothing has been written to disk. The script asks for a final confirmation before writing the changes. Type y and press Enter to confirm.

save change

Finally type n and press Enter key to close the script.

exit from script

Now remove the disk and reboot the system. Syskey has been removed.

Changing registry keys to remove the Syskey

During boot, Windows reads the following registry values to determine the Syskey state.

Key Value name Value this method sets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa SecureBoot 0
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account F 0000

SecureBoot records where the key comes from: 1 means it is stored locally (the default), 2 means password startup and 3 means floppy; a scammer's change sets it to 2. Resetting both values removes the Syskey startup password. Because F is a binary value that also carries other account-domain data, keep a copy of the SYSTEM and SAM hives before editing it.

To change the registry keys we have to reach a command prompt. I have already shown how in Windows 8.1 and 10, so let's use Windows 7 this time.

Boot system with Windows 7 installation disk and click Next on language preference screen. On next screen click Repair your computer instead of Install now

boot with windows disk

This scans all attached hard disks for a Windows partition. Any Windows installation found is listed in the System Recovery Options wizard on the next screen.

Select Restore your computer using a system image that you created earlier and click Next.

restore option

Since we did not provide any system image, the wizard fails to find one. Click Cancel twice to close it.

cancel restore

This brings the System Recovery Options wizard back, this time with more ways to recover Windows. Click Command Prompt.

command prompt

Now locate the Windows partition and switch to it (I have already explained how wmic logicaldisk get caption helps with this). Run regedit.exe to open the Registry Editor; the copy in the Windows folder of the Windows partition works, as does the one in the recovery environment's own X:\Windows\System32.

Note that the HKEY_LOCAL_MACHINE shown by this Registry Editor belongs to the recovery environment running from RAM, not to the locked Windows, so editing it directly changes nothing on disk. To reach the installed Windows, load its hives: select HKEY_LOCAL_MACHINE, click File => Load Hive, open <drive>:\Windows\System32\config\SYSTEM and give it a name such as OfflineSystem; then do the same for <drive>:\Windows\System32\config\SAM with a name such as OfflineSam. A loaded SYSTEM hive has no CurrentControlSet; use ControlSet001, or whichever one the Current value under Select names.

regedit.exe command

In the Registry Editor, navigate to the following key in the left pane (OfflineSystem being the name chosen when loading the hive)

Computer\HKEY_LOCAL_MACHINE\OfflineSystem\ControlSet001\Control\Lsa

In the right pane, double-click SecureBoot to open it.

regedit lsa key

Change value data to 0 and click OK

lsa key updated

Now navigate to the following key in the left pane. The SAM hive of the locked Windows has to be loaded the same way as SYSTEM (File => Load Hive on <drive>:\Windows\System32\config\SAM); here it was loaded under the name OfflineSam.

Computer\HKEY_LOCAL_MACHINE\OfflineSam\SAM\Domains\Account

In the right pane, double-click the F value to open it.

registery f key

Change value data to 0000 and click OK.

domain keyupdated

Now select each hive you loaded and click File => Unload Hive so that the changes are written back to the files on disk, close the Registry Editor, remove the installation disk and click Restart

restart option

Since Syskey has been removed, Windows will boot normally and present login screen.

window login screen

I have explained every method I know of for removing Syskey without reinstalling Windows. If nothing works for you, consider reinstalling. Instead of paying ransom to a scammer, it is always better to spend that money on a local technician, who will reinstall and reactivate Windows for a modest charge.

That's all for this tutorial. In the next tutorial I will explain another topic in detail with examples.