I just had a new syskey-locked computer come in and tried all the usual passwords - 123, 1234, 123456, everything from 1 to 0. I also tried some basic words like boot, start, etc. but to no avail.
Thinking about it, these scam companies need to keep their password fairly simple so it's easy for them to remember if someone actually pays them to unlock their machine, but I couldn't figure out what they had used.
So, I started thinking about the entire process of using syskey and had an epiphany. Syskey relies on the SAM registry hive to lock the current user(s) down with encryption and a password, so why not just replace the affected registry hive with a recent backup?
It works. Like any other time you have to replace a registry hive, you need to replace ALL of the registry hives with copies from the same date (they must be a matching set), but it's easy enough to do.
Boot into your PE (or, if you're comfortable, you can do this via command prompt from a recovery console).
Once inside your PE, the only requirement is that you DO NOT mount the offline registry of the affected drive.
Open Windows Explorer (or another preferred file manager if using a Linux-based PE) and navigate to the Config folder on the affected drive, C:\Windows\System32\Config:
Inside there, right-click and rename each of the following files:
default to default.bak
SAM to SAM.bak
SECURITY to SECURITY.bak
SOFTWARE to SOFTWARE.bak
SYSTEM to SYSTEM.bak
Alternately, you can create a new folder (I usually call it REGISTRY ORIG, but you can call it whatever you like) and then simply copy all of the above registry hives into that folder.
Delete each of the original registry hives only after you're sure you've backed them up.
After you've backed up the registry hives and then deleted the originals, look for the folder called RegBack (C:\Windows\System32\Config\RegBack) inside the Config folder. Inside here are the most current settings that are likely PRE-syskey.
Copy each of those registry hives over into the Config folder.
After copying the registry hives from RegBack into the Config folder, reboot and you're good to go.
If for some reason that doesn't work, you might have recent restore points you can work with from inside the System Volume Information at the root of the affected drive. Open that folder from inside your PE and find the most recent restore point, copy the registry hives from there into the System32\Config folder and you're done.
Here are the command line instructions for those of you who don't have a PE, or are just comfortable with the command line in an RC. This creates a folder called REGISTRY ORIG, copies all the affected registry hives into it, and then overwrites the originals with the good registry hives from RegBack:
```bat
REM Paths containing a space must be quoted, otherwise "md REGISTRY ORIG"
REM creates two folders and the copies fail.
md "c:\windows\REGISTRY ORIG"
REM Back up the current (syskey-locked) hives first.
copy c:\windows\system32\config\system "c:\windows\REGISTRY ORIG\system.bak"
copy c:\windows\system32\config\software "c:\windows\REGISTRY ORIG\software.bak"
copy c:\windows\system32\config\sam "c:\windows\REGISTRY ORIG\sam.bak"
copy c:\windows\system32\config\security "c:\windows\REGISTRY ORIG\security.bak"
copy c:\windows\system32\config\default "c:\windows\REGISTRY ORIG\default.bak"
REM Overwrite the live hives with the RegBack copies; /Y suppresses the overwrite prompt.
copy /Y c:\windows\system32\config\RegBack\system c:\windows\system32\config\system
copy /Y c:\windows\system32\config\RegBack\software c:\windows\system32\config\software
copy /Y c:\windows\system32\config\RegBack\sam c:\windows\system32\config\sam
copy /Y c:\windows\system32\config\RegBack\security c:\windows\system32\config\security
copy /Y c:\windows\system32\config\RegBack\default c:\windows\system32\config\default
```
FWIW, I've done this all 3 ways on different syskey-locked machines in the past, and this has always worked for me when I can't guess the password.
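The same hive swap as a script with the safety checks a technician would want before overwriting anything; this is an added example, not the poster's own commands. It assumes it is run from a WinPE or recovery console prompt with the offline registry not loaded, and takes the offline Windows drive letter as its first argument (hypothetical script name restore_hives.cmd), since in WinRE the affected install is frequently not C:.

```bat
@echo off
REM Added example: swap syskey-locked hives for the RegBack copies, with checks.
REM Usage: restore_hives.cmd D:   (D: = the OFFLINE Windows drive, an assumption)
setlocal enabledelayedexpansion
if "%~1"=="" (
    echo usage: %~nx0 ^<drive:^>   e.g. %~nx0 D:
    exit /b 1
)
set "CFG=%~1\Windows\System32\Config"
set "BAK=%~1\Windows\REGISTRY ORIG"
set "HIVES=DEFAULT SAM SECURITY SOFTWARE SYSTEM"

REM 1. Refuse to proceed if any RegBack hive is missing or zero bytes.
REM    Windows 10 1803 and later no longer populate RegBack by default and
REM    leave 0-byte placeholders there; copying those over the live hives
REM    would leave the machine unbootable. Fall back to a restore point.
for %%H in (%HIVES%) do (
    if not exist "%CFG%\RegBack\%%H" (
        echo RegBack\%%H is missing - use a restore point instead
        exit /b 2
    )
    for %%S in ("%CFG%\RegBack\%%H") do if %%~zS EQU 0 (
        echo RegBack\%%H is empty - use a restore point instead
        exit /b 2
    )
)

REM 2. Back up the current (syskey-locked) hives as a matching set first.
if not exist "%BAK%" md "%BAK%" || exit /b 3
for %%H in (%HIVES%) do copy /Y "%CFG%\%%H" "%BAK%\%%H.bak" >nul || exit /b 3

REM 3. Only now overwrite the live hives with the pre-syskey copies.
for %%H in (%HIVES%) do copy /Y "%CFG%\RegBack\%%H" "%CFG%\%%H" >nul || exit /b 4
echo Hives replaced; originals saved in "%BAK%". Reboot the machine.
exit /b 0
```

If the script exits with code 2, use the System Volume Information restore-point copies described above instead of RegBack.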