
How to remove syskey on Windows 10 (first post)



#1 Ethan_PCG

Ethan_PCG

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:12:19 PM

Posted 13 July 2016 - 02:19 PM

Hello.

 

I've always wanted to know how to remove Syskey. I'm not sure how to remove Syskey on a computer, but I've seen people with Virtual Machines use a key logger, so that if someone tries to put a Syskey on the computer they can see the password they put.

 

If someone puts a Syskey on your real computer do you have to boot into Safemode with Networking? And then after that what would you do? 

 

 

 

I'm really confused, and no I don't have a Syskey on my computer.. 


Edited by hamluis, 13 July 2016 - 04:14 PM.
Moved from W10 Spt to Gen Security - Hamluis.

"I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone."
- Bjarne Stroustrup
 
 
 


 


#2 Ethan_PCG

Ethan_PCG
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:12:19 PM

Posted 13 July 2016 - 02:22 PM

I didn't really explain this forum post well. I'm talking about Technical Support scammers who pretend to be Microsoft and remotely control your PC/Computer. Most  Technical Support scammers normally put a Syskey on when they are told that the company they are working for is a scam. 


"I have always wished for my computer to be as easy to use as my telephone; my wish has come true because I can no longer figure out how to use my telephone."
- Bjarne Stroustrup
 
 
 

#3 CKing123

CKing123

  • Members
  • 1,463 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:British Columbia, Canada
  • Local time:04:19 AM

Posted 13 July 2016 - 02:29 PM

Unfortunately, because they encrypt the SAM database, you can't log in even in Safe Mode or in any other way!

 


I'm talking about Technical Support scammers who pretend to be Microsoft and remotely control your PC/Computer. Most  Technical Support scammers normally put a Syskey on when they are told that the company they are working for is a scam. 

 

Don't give them access to control your computer

 

That is the best way to prevent them from doing it

 

-CKing


If I am helping you and I don't respond within 2 days, feel free to send me a PM

Sysnative Windows Update Senior Analyst 

Github | Keybase


#4 FreeBooter

FreeBooter

  • Members
  • 3,137 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Turkey - Adana
  • Local time:02:19 PM

Posted 13 July 2016 - 10:28 PM

Are you asking for information about encrypting the SAM database?

 

 

 

Use SysKey Utility to lock Windows computer using USB stick



#5 usasma

usasma

    Still visually handicapped (avatar is memory developed by my Dad


  • BSOD Kernel Dump Expert
  • 25,091 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Southeastern CT, USA
  • Local time:07:19 AM

Posted 14 July 2016 - 05:12 AM

At work we do a manual registry replacement (5 hives, I can't recall which ones right now), using the backup registry keys to replace the ones that Syskey has taken over.

I suppose that there are more elegant ways, but this way works for us.
If you don't have backups, then it's going to be a wipe and reinstall.


My browser caused a flood of traffic, so my IP address was banned. Hope to fix it soon. Will get back to posting as soon as I'm able.

- John (my website: http://www.carrona.org/ ) **If you need a more detailed explanation, please ask for it. I have the Knack. ** If I haven't replied in 48 hours, please send me a message. My eye problems have recently increased and I'm having difficulty reading posts. (23 Nov 2017) FYI - I am completely blind in the right eye and ~30% blind in the left eye. If the eye problems get worse suddenly, I may not be able to respond. If that's the case and help is needed, please PM a staff member for assistance.

#6 technonymous

technonymous

  • Members
  • 2,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:19 AM

Posted 15 July 2016 - 03:48 AM

Boot from a cd and run the cli....

 

X:\windows\system32>copy c:\windows\system32\config\regback c:\windows\system32\config



#7 Mikesco3

Mikesco3

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:19 AM

Posted 06 February 2017 - 03:38 PM

Find a way to get to the registry files offline (startup repair, bootable disk, plug the hard drive somewhere else, etc)

 

1) navigate to 

c:\windows\system32\config

assuming your windows drive is C:, or replace with whatever drive letter your windows ended up getting in the bootable environment.

 

2) make a folder and backup the following files:

DEFAULT
SAM
SECURITY
SOFTWARE
SYSTEM

3) Navigate to a folder called:
        C:\Windows\System32\config\RegBack

 

and copy the same 5 files listed right above back into:

        C:\Windows\System32\config

 

reboot, then scan with something like Malwarebytes



#8 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:09:19 PM

Posted 06 February 2017 - 04:54 PM

Find a way to get to the registry files offline (startup repair, bootable disk, plug the hard drive somewhere else, etc)

 

1) navigate to 

c:\windows\system32\config

assuming your windows drive is C:, or replace with whatever drive letter your windows ended up getting in the bootable environment.

 

2) make a folder and backup the following files:

DEFAULT
SAM
SECURITY
SOFTWARE
SYSTEM

3) Navigate to a folder called:
        C:\Windows\System32\config\RegBack

 

and copy the same 5 files listed right above back into:

        C:\Windows\System32\config

 

reboot, then scan with something like Malwarebytes

This is what I was about to say but you saved me the time. I use Hirens to boot in and access the disk.

If you don't have Hirens then take the disk out and plug it in another PC.



#9 lenella

lenella

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:19 AM

Posted 14 April 2017 - 05:30 PM

I came up with the password but when I try to remove the syskey I don't get the update button or window. I get a SAM Lock tool that asks if I want to allow it to make changes to my device and if I click no it goes back to the open syskey window. I can't get past that! Is there another way I can remove the syskey for signing in? I am assuming the system is locked. I had tried a System restore when I first cracked the key and got in, but there was only one restore point to select and the person who this computer belongs to did get in on another password that she just tried and tried the system restore and it started and then just ran till she finally shut it down. Then that password she had would not work again. Would that have locked the computer up? I need some advice please. It's a Windows 10 (I think updated from 7 or 8). HP15 I think, that's what it says on the info tape on the front. She's not reachable right now.


Edited by lenella, 14 April 2017 - 05:33 PM.


#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,474 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:19 AM

Posted 14 April 2017 - 05:44 PM

Security Colleague Demonslay335 has said this here.

You can either boot the system to an external OS, or connect the drive to another computer, and use the trick with restoring the registry SAM from the REGBAK folder. We've done it successfully a dozen times on customer's machines.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#11 lenella

lenella

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:19 AM

Posted 14 April 2017 - 08:26 PM

Oh, I remember reading that too. But I had checked for the regback and there wasn't one.  So I'm going to have to get another friend to take the laptop apart for me (arthritis in the hands) and I've got the reader to hook it to my drive and do it.  So one more question, can I restore that part of the registry from my computer. Lenovo Desk Top Windows 10 upgrade. I also have an MSI gaming computer with Windows 10 factory installed. So I can use either?

And thank you very much!



#12 kirashi

kirashi

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Nanaimo, BC
  • Local time:04:19 AM

Posted 15 April 2017 - 08:48 PM

--SNIP--

So one more question, can I restore that part of the registry from my computer. Lenovo Desk Top Windows 10 upgrade. I also have an MSI gaming computer with Windows 10 factory installed. So I can use either?

 

Hopefully your friend will be able to read the drive in the drive reader and move the backup registry files from the Regback folder as @technonymous and @Mikesco3 suggested.

 

I DO NOT ADVISE restoring registry files from a different computer. In fact, it simply won't work - registry files are specific to your Windows installation, and moving them between computers will break things like logging into user accounts, program preferences and installations, and many other things.

 

Been a tech for 10+ years, and a frequent visitor of BleepingComputer, but I only just realized I've never created an account yet. D'oh! I literally JUST cleaned a client's syskey'd computer an hour ago via restoring registry files from the Regback folder, and this was the first post that came up in Google when I was trying to remember where the regback folder was stored.



#13 lexipad

lexipad

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:19 PM

Posted 17 April 2017 - 11:48 AM

Here's one that I watched in YouTube



#14 lenella

lenella

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:19 AM

Posted 17 April 2017 - 02:06 PM

Ok, I just realized that the post from Demonslay335, on 16 Mar 2017 was last month and I was trying to follow that! The problem is that I believe that the SAM Lock Tool was activated as I can't get in past the SAM Lock Tool after entering the SysKey. The window for the tool has yes or no options. If I use no it goes back to the previous window (SysKey). I have not pushed yes for fear that would activate it. But when I first got in using the Key I went to RegBack and there was nothing in it. This is a Windows 10 upgrade. HP15 Notebook PC 64bit based. I did take the HD drive out and put it in my External HD reader and checked for the RegBack and in there it shows SAM Modified 4/134/17, size 72.KB, create 4/13/17. But in the config folder it lists below it (not in the regback folder) among other things is 1 SAM modified 4/13//17 file and 2 SAM.gu.bak modified 9/23/16, Size 128KB, Created 7/15/16

Is there any way I can get that password/or setting that's locking it cleared? Right now I still have that HD in my external drive, but can reassemble it back in the laptop today?



#15 AnotherZero

AnotherZero

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:19 AM

Posted 01 May 2017 - 04:36 AM

I see about a dozen or so of these a day since I work with the general public and they usually outright delete the regback files or corrupt them to a point where it will look like everything's going to go smoothly but the restore doesn't help or outright blue screens the computer.
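
The RegBack restore described in posts #7 and #8, with the checks that posts #11 and #15 show are needed (an empty, deleted or corrupted RegBack), as an added Python example that is not from any poster in this thread. It assumes the locked drive is attached to a second machine that has Python and that `config_dir` is the path to that drive's `Windows\System32\config` folder; the function names and the `pre-restore-` backup folder name are made up for this example.

```python
import shutil
import time
from pathlib import Path

HIVES = ("DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM")  # the five files named in the thread
REGF_MAGIC = b"regf"  # signature at offset 0 of a registry hive file


def check_regback(config_dir):
    """Return {hive: problem} for every RegBack hive that is unusable."""
    regback = Path(config_dir) / "RegBack"
    problems = {}
    for name in HIVES:
        path = regback / name
        if not path.is_file():
            problems[name] = "missing"
        elif path.stat().st_size == 0:
            problems[name] = "empty (0 bytes)"
        else:
            with path.open("rb") as fh:
                if fh.read(4) != REGF_MAGIC:
                    problems[name] = "no regf header (corrupt or overwritten)"
    return problems


def restore_from_regback(config_dir, stamp=None):
    """Back up the live hives, then copy the RegBack copies over them.

    Changes nothing unless all five RegBack hives pass check_regback().
    Returns the path of the backup folder (hypothetical naming scheme).
    """
    config = Path(config_dir)
    problems = check_regback(config)
    if problems:
        raise RuntimeError(f"RegBack not usable, nothing changed: {problems}")
    backup = config / ("pre-restore-" + (stamp or time.strftime("%Y%m%d-%H%M%S")))
    backup.mkdir()
    for name in HIVES:  # step 2 of post #7: keep the current (locked) hives
        if (config / name).exists():
            shutil.copy2(config / name, backup / name)
    for name in HIVES:  # step 3 of post #7: put the RegBack copies in place
        shutil.copy2(config / "RegBack" / name, config / name)
    return backup


if __name__ == "__main__":
    import sys
    print("live hives backed up to", restore_from_regback(sys.argv[1]))
```

A passing header check does not prove a hive is intact, so keep the backup folder until the machine boots and logs in normally.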





