Remove a startup password before account screen


20 replies to this topic

#1 gmkj67

  • Members
  • 2 posts

Posted 04 October 2012 - 09:59 AM

I recently had an elderly friend who accepted one of the calls from "Windows Microsoft" and allowed them to access their computer. He gave them access to his computer, but when he refused to give them a credit card number they installed a startup password which begins prior to the Windows login screen. I can still get to the files on the computer by putting the hard drive in an external. I have tried a password reset tool, but that only resets the Windows passwords.

I don't want to have to move all of the data off of the disk and re-install Windows if I can avoid it. Does anyone have a solution? And warn everyone about the scam.


#2 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 30,709 posts
  • Gender: Female
  • Location: At home

Posted 04 October 2012 - 10:19 AM

Hi,

This password is actually a Windows feature: the caller has added the encryption of the SAM hive in the registry. What passwords have you tried to get past it? Often they will use the same password as the Windows login password.


What you could try is to use a system restore point to restore the settings, but it is somewhat risky. I would only attempt this once his data has been backed up.

regards myrti


If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM!
Please don't send help request via PM, unless I am already helping you. Use the forums!



#3 gmkj67 (Topic Starter)

  • Members
  • 2 posts

Posted 04 October 2012 - 10:37 AM

System restore would be a great idea if I could get in far enough to run it. I can't get to the actual account login screen. I tried the normal passwords but I didn't try the user password. I will give that a shot tonight but I doubt that it will work. If you have any idea how to disable it while it is in the drive box that would be wonderful.

#4 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 30,709 posts
  • Gender: Female
  • Location: At home

Posted 04 October 2012 - 11:08 AM

Hi,

You can restore a registry hive from a system restore snapshot from outside Windows; however, when you're doing this for the SAM hive and you choose the wrong date in time, user accounts may get deleted, which would lead to your friend's data being deleted along with his account. As this is a risk, I would recommend a backup of the C:\Documents and Settings folder before starting this. Let me know if the backup is an option, then we can go ahead with the restoring.

Do you have your Windows CD at hand? If so we could create a live CD to facilitate the replacements (and work on the disk while it is inside the PC).

regards myrti



#5 Allan

  • BC Advisor
  • 7,530 posts
  • Gender: Male
  • Location: New Jersey

Posted 04 October 2012 - 11:21 AM

Hi,

This password is actually a Windows feature: the caller has added the encryption of the SAM hive in the registry. What passwords have you tried to get past it? Often they will
regards myrti

Not in this case. This was a scammer trying to get money out of the user. The password was put on and they will want money to remove it.

You can try a repair installation:


Boot to the XP CD and choose the SECOND repair option, allowing XP to install on top of itself. After completion you'll need to go to Windows Update and download & install all updates (except for hardware & driver related updates, which should never be downloaded from Windows Update - only from the OEM websites). Here is a clear tutorial on how to perform a repair install: http://www.geekstogo.com/forum/topic/138-how-to-repair-windows-xp/

Admin, Tweaks.com Forums

#6 caperjac

  • Members
  • 1,619 posts
  • Gender: Male
  • Location: NS. CAN

Posted 04 October 2012 - 12:51 PM

Hi, try hitting F8 on boot-up and see if you can get to Safe Mode. If so, go to Control Panel / Users and remove the password. Hope you can get into Safe Mode; if not, try the repair install suggested by Allan.

And warn everyone about the scam.

It's been going on for a few years now; I thought everyone knew.

They call my home phone number at least once a week, sometimes more. We just tell them we have a phone virus, and now they have it, and they hang up.

Edited by caperjac, 04 October 2012 - 12:54 PM.


#7 myrti (Sillyberry)

  • Malware Study Hall Admin
  • 30,709 posts
  • Gender: Female
  • Location: At home

Posted 04 October 2012 - 01:10 PM

Not in this case. This was a scammer trying to get money out of the user. The password was put on and they will want money to remove it.

Actually it is, I've seen a number of those scams and they've all been adding the password by enabling the hive encryption, which will prompt for an additional password that you don't know.

The prompt should look like this:

[image: the SysKey startup password prompt]


If it DOES look like this I strongly recommend not to try a repair install, as this may easily break your install further as detailed here: Windows NT System Key Permits Strong Encryption of the SAM

After installing the System Key hotfix, and you have not enabled strong encryption, if you attempt to repair the system files using a repair disk created before installing the System Key hotfix (that is, using the "pre-hotfix" repair disk) you also MUST repair the SYSTEM and SAM registry. If you do not repair the registry, the system files and registry format will not match. You will get an error (error number C00000DF) when you attempt to log on. When the registry and system files are mismatched, the recovery procedure is to repair matching system and registry files. Either repair the registry hives from the same "pre-hotfix" repair disk, or use the "hotfix - Before Encryption" repair disk, which has a registry format that matches the System Key hotfix system files.


regards myrti

Edited by myrti, 04 October 2012 - 01:17 PM.


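As an added example (not from this thread, nor BleepingComputer's own material), the check below lets a technician confirm what myrti describes before deciding on a repair: whether an installation has SysKey set to demand a password at startup. Windows records the SysKey mode in the Lsa\SecureBoot registry value (1 = system key kept in the registry, the default; 2 = startup password; 3 = key on a floppy disk). The second part reads the same value from an offline SYSTEM hive on a disk attached to another PC, which is the situation the topic starter is in; the drive letter E: and the mount name OfflineSys are assumptions, and loading a hive needs an elevated prompt.

```powershell
# Added example: audit the SysKey mode of a Windows installation.
# Windows stores the mode in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot:
#   1 = system key stored in the registry (default, no prompt at startup)
#   2 = password required at startup (the mode the scammers in this thread enabled)
#   3 = system key stored on a floppy disk
function Get-SysKeyMode {
    param(
        # Lsa key to inspect; defaults to the live system's current control set.
        [string]$LsaKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $item = Get-ItemProperty -Path $LsaKeyPath -Name 'SecureBoot' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Mode = $null; Description = 'SecureBoot value not present' }
    }
    $description = switch ($item.SecureBoot) {
        1 { 'System key stored in the registry (default, no startup prompt)' }
        2 { 'Startup password required before logon' }
        3 { 'System key stored on a floppy disk' }
        default { "Unknown SysKey mode $($item.SecureBoot)" }
    }
    [pscustomobject]@{ Mode = $item.SecureBoot; Description = $description }
}

# 1. The machine this script runs on.
Get-SysKeyMode

# 2. An offline SYSTEM hive from a disk attached to this PC.
#    CurrentControlSet is a link that only exists while that Windows is booted,
#    so the real control set number is taken from the hive's Select key.
$hivePath  = 'E:\Windows\System32\config\SYSTEM'   # assumption: affected disk mounted as E:
$mountName = 'OfflineSys'                          # assumption: temporary mount point name
if (Test-Path $hivePath) {
    reg.exe load "HKLM\$mountName" $hivePath | Out-Null
    try {
        $current    = (Get-ItemProperty -Path "HKLM:\$mountName\Select" -Name 'Current').Current
        $controlSet = 'ControlSet{0:D3}' -f $current
        Get-SysKeyMode -LsaKeyPath "HKLM:\$mountName\$controlSet\Control\Lsa"
    } finally {
        # Always unload, otherwise the hive file stays locked.
        reg.exe unload "HKLM\$mountName" | Out-Null
    }
}
```

A result of Mode = 2 on a home machine that never had a startup password is the signature of this scam; a technician should record that finding, back up the user's profile as myrti advises, and only then move on to restoring the hives from a restore point. The script only reads the value and changes nothing on the disk.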

#8 Allan

  • BC Advisor
  • 7,530 posts
  • Gender: Male
  • Location: New Jersey

Posted 04 October 2012 - 01:21 PM


Not in this case. This was a scammer trying to get money out of the user. The password was put on and they will want money to remove it.

Actually it is, I've seen a number of those scams and they've all been adding the password by enabling the hive encryption, which will prompt for an additional password that you don't know.

Okay - my apologies :)

#9 Sarah_Anderson

  • Members
  • 37 posts

Posted 04 October 2012 - 04:49 PM

Wow, a SysKey password. What a sneaky trick!

I think I've only ever seen about half a dozen computers with SysKey passwords in my whole life. Outside of the computer tech community, very few people seem to know that the SysKey utility even exists.

I have a boot disk which can automatically remove SysKey passwords. But it's not a free program, so I don't think the rules of this forum would allow me to upload it for you to use. (Copyright regulations and whatnot.)

So I think your best bet is to follow myrti's advice and manually restore the SAM hive (and maybe also the other hives) from a recent restore point snapshot folder with a Linux or BartPE boot disk.

Good luck. :thumbup2:

#10 eric512

  • Members
  • 22 posts

Posted 08 December 2012 - 04:31 PM

Hey Sarah - what paid program is that to remove the Syskey password? I'm playing with a VMware image of a system that was hacked by a telephone scam and the Syskey password was enabled. I'd love to be able to uncover the password for my own education. I've tried some trialware Syskey password tools, but none of them work.

I ultimately had to do a complete fresh install of XP for this user to get their machine back up and running. Luckily the install did preserve the My Documents and other files for the user. The hacker did not turn on the file level encryption.

Edited by eric512, 08 December 2012 - 04:32 PM.


#11 ds_jon

  • Members
  • 3 posts

Posted 27 March 2013 - 05:52 AM

I know this thread is a little old, but mary_anderson, I was wondering if you could tell me the name of the purchased program you have to remove the SysKey password... in the same situation here with a customer that fell for this scam. I run a computer repair shop and most likely would be able to supply my customers with a better service if I were able to reset vs. reload.



#12 ds_jon

  • Members
  • 3 posts

Posted 27 March 2013 - 05:53 AM

Sorry, early morning... SARAH_Anderson, would you be willing to help me out? :orange:

 




#13 hamluis (Moderator)

  • Moderator
  • 40,853 posts
  • Gender: Male
  • Location: Killeen, TX

Posted 27 March 2013 - 07:49 AM

Member addressed was last active 12 Nov 2012.

 

Louis



#14 ds_jon

  • Members
  • 3 posts

Posted 28 March 2013 - 10:19 AM

Thanks Louis... unless anyone else knows the name of the software she referenced? I'll keep looking, I guess... or factory reload...



#15 mrob

  • Members
  • 41 posts
  • Location: Oceanside, CA

Posted 28 March 2013 - 02:50 PM


This web site may help:

 

http://msmvps.com/blogs/sp/archive/2008/01/27/disabling-syskey-startup-password.aspx





