Phone scam startup password/syskey


Postby xide » Fri Aug 15, 2014 2:52 pm

Just wanted to give some information that may help some people in the future. Recently I had a client that was the victim of one of the popular phone scams, and they had put a "Start up password" aka syskey on the machine. I read on Bleeping Computer that some people have tried 123, 1234, or 12345 and were able to get in... none of these worked for me, so my guessing game began... finally I figured it out: it's "boot". Now this may not work for everyone obviously, but it's worth a try.
For easier reading...

Possible passwords:
    123
    1234
    12345
    123456
    boot
After you get in, you will probably want to remove it, I assume. Here is how to do so for those of you who may be unfamiliar.

  • Open the Run command (I like to use Windows key + R)
  • Type syskey and press Enter
  • Encryption should be enabled, so just hit OK
  • For the startup key screen, select "System generated password"
  • Make sure "Store startup key locally" is selected
  • Hit OK, it will prompt for the old password, type it in and hit OK

Now you're all set! I hope this information helps.

Re: Phone scam startup password/syskey

Postby Nick » Fri Sep 26, 2014 10:48 am

nice!!!

FYI, worth repeating, but CryptoPrevent can and will disable syskey.exe by default, preventing this issue.
Author of d7x and other PC technician's tools. http://www.d7xTech.com

Re: Phone scam startup password/syskey

Postby Psychlone » Tue Sep 30, 2014 11:55 pm

I just had a new syskey locked computer come in and tried all the usual passwords - 123, 1234, 123456, everything from 1 to 0. I also tried some basic words like boot, start, etc. but to no avail.
Thinking about it, these scam companies need to keep their password fairly simple so it's easy for them to remember if someone actually pays them to unlock their machine, but I couldn't figure out what they had used.

So, I started thinking about the entire process of using syskey and had an epiphany. Syskey relies on the SAM registry hive to lock the current user(s) down with encryption and a password, so why not just replace the affected registry hive with a recent backup?
It works. Like any other time you have to replace a registry hive, you need to replace ALL of the registry hives with their replacements from the same date, but it's easy enough to do.

Boot into your PE (or if you're comfortable you can do this via command prompt from a recovery console)
Once inside your PE, the only requirement is that you DO NOT mount the offline registry of the affected drive.

Open a Windows Explorer (or other preferred explorer if using a Linux-based PE) and navigate to:
C:\Windows\System32\config

Inside there, right-click and rename each of the following files:

default to default.bak
SAM to SAM.bak
SECURITY to SECURITY.bak
SOFTWARE to SOFTWARE.bak
SYSTEM to SYSTEM.bak

Alternately, you can create a new folder (I usually call it REGISTRY ORIG, but you can call it whatever you like) and then simply copy all of the above registry hives into that folder.

Delete each of the original registry hives only after you're sure you've backed them up.


After you've backed up the registry hives and then deleted the originals, look for the folder called RegBack (C:\Windows\System32\Config\RegBack) inside the Config folder. Inside here are the most current settings that are likely PRE-syskey.
Copy each of those registry hives over into the Config folder.

After copying the registry hives from RegBack into the Config folder, reboot and you're good to go.

If for some reason that doesn't work, you might have recent restore points you can work with from inside the System Volume Information at the root of the affected drive. Open that folder from inside your PE and find the most recent restore point, copy the registry hives from there into the System32\Config folder and you're done.


Here are the command line instructions for those of you that don't have a PE, or are just comfortable with command line in an RC: (this creates a folder called REGISTRY ORIG and copies all the affected registry hives into it, removes the originals and then copies the good registry hives from RegBack)

Code:
rem Assumes the locked Windows install is on C: (check with dir c:\ first; in a
rem recovery console it is sometimes a different drive letter).
rem The folder name contains a space, so it must be quoted everywhere.
md "c:\windows\REGISTRY ORIG"

rem Back up the current (syskey'd) hives before touching anything
copy c:\windows\system32\config\system "c:\windows\REGISTRY ORIG\system.bak"
copy c:\windows\system32\config\software "c:\windows\REGISTRY ORIG\software.bak"
copy c:\windows\system32\config\sam "c:\windows\REGISTRY ORIG\sam.bak"
copy c:\windows\system32\config\security "c:\windows\REGISTRY ORIG\security.bak"
copy c:\windows\system32\config\default "c:\windows\REGISTRY ORIG\default.bak"

rem Remove the originals (the command is del, not delete)
del c:\windows\system32\config\system
del c:\windows\system32\config\software
del c:\windows\system32\config\sam
del c:\windows\system32\config\security
del c:\windows\system32\config\default

rem Put the RegBack copies in place; all five must come from the same backup
copy c:\windows\system32\config\RegBack\system c:\windows\system32\config\system
copy c:\windows\system32\config\RegBack\software c:\windows\system32\config\software
copy c:\windows\system32\config\RegBack\sam c:\windows\system32\config\sam
copy c:\windows\system32\config\RegBack\security c:\windows\system32\config\security
copy c:\windows\system32\config\RegBack\default c:\windows\system32\config\default


FWIW, I've done this all 3 ways on different syskey locked machines in the past, and this always has worked for me when I can't guess the password.
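The following PowerShell script is an added example, not code from xide or Psychlone, that ties the two posts together: it reads the syskey mode straight out of the offline SYSTEM hive (so you know whether the box is really in "startup password" mode before you start guessing), checks that the RegBack copies are actually usable, and only then performs the hive swap Psychlone describes. It assumes the victim's Windows is mounted at D:\Windows inside a WinPE that has PowerShell (change $WinDir to match), and it relies on the Lsa\SecureBoot value in the SYSTEM hive: 1 = key stored locally (normal), 2 = startup password required, 3 = key on removable media.

```powershell
# Added example (not from the thread). Offline syskey triage + hive restore,
# run from a WinPE / recovery PowerShell prompt, NOT from the locked Windows.
# ASSUMPTIONS: victim's Windows is at D:\Windows (override with -WinDir) and
# the PE has reg.exe and PowerShell. Without -Restore nothing is modified.
param(
    [string]$WinDir = "D:\Windows",
    [switch]$Restore
)

$Config  = Join-Path $WinDir "System32\config"
$RegBack = Join-Path $Config "RegBack"
$Backup  = Join-Path $WinDir ("REGISTRY ORIG " + (Get-Date -Format "yyyyMMdd-HHmmss"))
$Hives   = "SYSTEM", "SOFTWARE", "SAM", "SECURITY", "DEFAULT"

# Mount an offline SYSTEM hive and return its syskey mode.
# ControlSet00N\Control\Lsa\SecureBoot: 1 = key stored locally (what the
# "System generated password / Store startup key locally" dialog sets),
# 2 = startup password (what the scammers set), 3 = key on floppy/USB.
function Get-OfflineSyskeyMode([string]$HivePath) {
    $mount = "HKLM\OfflineSYS"
    & reg.exe load $mount $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }
    try {
        # Offline hives have no CurrentControlSet link; resolve it via Select\Current
        $cur = (Get-ItemProperty "HKLM:\OfflineSYS\Select" -Name Current).Current
        $lsa = "HKLM:\OfflineSYS\ControlSet{0:D3}\Control\Lsa" -f $cur
        (Get-ItemProperty $lsa -Name SecureBoot).SecureBoot
    } finally {
        [gc]::Collect()                       # release handles so unload succeeds
        & reg.exe unload $mount | Out-Null
    }
}

# Report phase: compare the live hive with the RegBack copy and sanity-check RegBack.
"Live    SYSTEM SecureBoot = {0}" -f (Get-OfflineSyskeyMode (Join-Path $Config  "SYSTEM"))
"RegBack SYSTEM SecureBoot = {0}" -f (Get-OfflineSyskeyMode (Join-Path $RegBack "SYSTEM"))
foreach ($h in $Hives) {
    $f = Get-Item (Join-Path $RegBack $h) -ErrorAction Stop
    # Windows 10 1803 and later no longer populate RegBack: the files exist but
    # are 0 bytes. Copying those in would leave the machine unbootable.
    if ($f.Length -eq 0) { throw "RegBack\$h is 0 bytes; use a restore point instead" }
    "RegBack\{0,-8} {1,12:N0} bytes  modified {2}" -f $h, $f.Length, $f.LastWriteTime
}

if (-not $Restore) { "Report only. Re-run with -Restore to swap the hives."; return }

# Restore phase: keep the originals, then overwrite all five hives as a set.
New-Item -ItemType Directory -Path $Backup -Force | Out-Null
foreach ($h in $Hives) {
    Copy-Item (Join-Path $Config $h) (Join-Path $Backup "$h.bak") -Force
    Copy-Item (Join-Path $RegBack $h) (Join-Path $Config $h) -Force
}
"Originals saved to '$Backup'; hives replaced from RegBack. Reboot the machine."
```

Run it once without -Restore first: if the live hive reports 2 and the RegBack hive reports 1 with a modification date before the scam call, the swap is the right fix; if RegBack also reports 2, the backup was taken after the scammers got on and you need the restore-point hives instead. The script always copies all five hives as a set for the reason Psychlone gives: the SAM's password hashes are encrypted with a key that depends on the SYSTEM hive, so a SYSTEM from one date and a SAM from another will not boot cleanly.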