
Locked Out of System ~ Syskey Was Changed (By Scammer)


10 replies to this topic

#1 justlearning2010

justlearning2010

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 29 November 2017 - 08:02 PM

Dear All ...

I have read and studied about most everything on this SYSKEY and have tried everything to fix and get into a system that is owned by a friend who was scammed by I have no clue and could care less. All I know is at one point of the story (as my friend is older) it went from they got a text, then told me to get on PC, to I am sure click this or that link etc., to showing them data remotely etc. Fact is the syskey was changed about the time of this scam ... it was told to me that a bank called my friend and said oh you were compromised etc. etc. ... anyway forget all that ...

Fact is for me, a Systems Administrator, I thought no problem! I will fix in an hour or two and you will be back in your system kindly ... well, days later and I could never get my friend back onto their PC as to bypass the syskey (please to all who read this ... most of you know what this is ... but to those who don't - it is not getting me past the admin password etc. etc. ... I could only wish it was that easy) - heck, I tried to study the registry keys far too in-depth for this ... but any knowledge is good knowledge.

That said, the fact remains I have studied every solution and tried all ... yes I can get data ... yes I can get into the system via ultimate cd for win etc. ... but I could not fix the issue! I could not get past the window upon startup which states "This computer is configured to require a password in order to start up" ... it's a little GUI window ... OK, that said ... fine, never could fix it yet to date 11/2017 ... so my only question here is the one solution I have NOT tried and I cannot understand and/or FIND ANYWHERE but NOWHERE within the entire internet (and I know how to do research): nowhere does it show how to change this key, which I will state below:

Many documents say CHANGE this Key ... I say GREAT!!! but yet!!! NO ONE but NO ONE within the entire internet shows an example as to HOW!! I could not believe and still can't believe such findings show a fix that may work (and I don't care anymore about the PC if I break it as I will extract the data). The fact is I think this key change may work, but how in the world is it I cannot find ONE example as to exactly what to change within the key and how ... I have never but never been stumped on any one issue in my career in tech and more so I have never but never been able to not solve a problem till this one ... and I am not giving up! I want to try the key change.

So please please please does anyone know how and can show very concisely how to change the below F key! Others during my research have asked the same question ... but still people are kind enough to post and copy and paste and post ... however ... I really think no one really understands how to change this key :|

Here are the instructions that are widely posted:

--------------------------------------------------------

I have repaired the syskey issue when created by scam call from "Windows 7 Tech Support" in Windows 7. I repaired customers' computers (1 32-bit and 1 64-bit) successfully. To remove, follow the steps below:
1. Boot from Windows 7 install CD.
2. When the Install Windows page appears, click Repair your computer to access system recovery options.
3. Run System Restore to last point before syskey password blocked access. (This will fail, but must be done). Click run system restore again (this will take you back to the options list)
4. Open Command Prompt from the options list.
5. Open Regedit (Type regedit into the command prompt). Regedit will open.
6. Navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, and change 'SecureBoot' value to 0.
7. HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account Change F value to 0000
8. Reboot and Login
This has worked for me on two machines. After reboot I ran Super-anti Spyware, Ad-Aware and Hitman Pro to confirm, found 68 items on Super-Anti Spyware, 5 more on Ad-Aware and no further detections on Hitman Pro. The PC now runs fine with no lockouts or passwords.

--------------------------------------------------------

The above 1 ~ 8 steps were not from me but from the internet ... but again no one but no one shows how to change the values, as the values are in many ... many rows and columns within the GUI box of the Value Data of the F key.

So ... let's see who here is with utmost knowledge on this please ... as you will not find an image or video that shows how to change this Value Data properly ... oh you will find all over the place "just change the F value" ... love it ... just love it ... and the question remains for many I am sure "HOW". How do I change it? What to change? Change and delete all Value Data in the white GUI box of the Value Data ... there is a scroll bar in the Value Data as well ... this is a lot of data and not just one Value ... to those who do not understand this, please do not attempt to answer this as this is in the registry and only the advanced will understand what I speak of above.

Meanwhile I thank you very much in advance, and based upon my research not finding ONE example as to HOW and WHAT to change ... I am going to be very but very surprised here to see if anyone understands this within this site ... as this site is pretty strong users ... so let's see.

Again thank you in advance!





#2 RolandJS

RolandJS

  • Members
  • 4,533 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:08:38 PM

Posted 29 November 2017 - 08:42 PM

What registry editor are you using?  I missed it in your thorough opening.  I have been, but not always, successful using Resplendence's Registrar Registry Manager, beginning with the free version, presently have the pay-for version.

What I do not know:  exactly where within the registry, exactly which single line is that F key.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#3 cybercynic

cybercynic

  • Members
  • 560 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:09:38 PM

Posted 29 November 2017 - 08:48 PM

Have you tried this:

http://triplescomputers.com/blog/casestudies/solution-this-is-microsoft-support-telephone-scam-computer-ransom-lockout/


We are drowning in information - and starving for wisdom.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,771 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:38 PM

Posted 30 November 2017 - 06:31 AM

If the password box looks like this...

[Image: syskey.png]

See these other related topics for solution suggestions:

Windows 8/8.1 users can refer to the instructions (methods 4-6 or Shift+F8) in How To Access Advanced Startup Options in Windows 8 or 8.1

Windows 10 users can refer to the instructions from Security Colleague Demonslay335 in this topic.

You can either boot the system to an external OS, or connect the drive to another computer, and use the trick with restoring the registry SAM from the REGBAK folder. We've done it successfully a dozen times on customer's machines.


Some types of malware will modify the Master Boot Record (MBR) so that it displays a message indicating your computer has been encrypted and that you will be unable to access your data unless you pay a ransom to get a password. If the password box looks similar to those below, then refer to the Encrypted Boot Ransomware Support Topic.

[Images: example password boxes]
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
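
The RegBack restore mentioned in the post above, written out for the "connect the drive to another computer" case. This is an added example, not code from the thread or from BleepingComputer. The drive letter, the lockout date and the choice to restore the full hive set (the post names only SAM) are assumptions.

```powershell
# Added example. Run in an elevated PowerShell on a second machine with the
# locked disk attached. Without -Apply the script only reports.
param(
    [string]$WindowsRoot   = 'E:\Windows',   # assumption: where the attached disk is mounted
    [datetime]$LockoutDate = '2017-11-20',   # constructed: approximate date SYSKEY was set
    [switch]$Apply
)

$config  = Join-Path $WindowsRoot 'System32\config'
$regBack = Join-Path $config 'RegBack'
# Assumption: restore all five hives together so they stay consistent.
$hives   = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'

# 1. Every backup hive must exist, be non-empty and predate the lockout,
#    otherwise the restore would just copy the locked state back.
$problems = foreach ($h in $hives) {
    $f = Get-Item -LiteralPath (Join-Path $regBack $h) -ErrorAction SilentlyContinue
    if (-not $f)               { "$h : missing from RegBack" }
    elseif ($f.Length -eq 0)   { "$h : 0 bytes (Windows 10 1803+ no longer fills RegBack by default)" }
    elseif ($f.LastWriteTime -ge $LockoutDate) {
        "$h : written $($f.LastWriteTime), not older than the lockout"
    }
}
if ($problems) { $problems; throw 'RegBack is not usable; live hives left untouched.' }

# 2. Keep the current (locked) hives so the change can be undone.
$undo = Join-Path $config ('pre-restore-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
if ($Apply) { New-Item -ItemType Directory -Path $undo | Out-Null }

# 3. Replace each live hive with its RegBack copy.
foreach ($h in $hives) {
    $live = Join-Path $config $h
    $back = Join-Path $regBack $h
    if ($Apply) {
        Copy-Item -LiteralPath $live -Destination $undo
        Copy-Item -LiteralPath $back -Destination $live -Force
        "$h restored from RegBack (original saved in $undo)"
    } else {
        "$h would be replaced by RegBack copy dated $((Get-Item -LiteralPath $back).LastWriteTime)"
    }
}
```

Restoring the hives rolls back every registry change made since the backup was written, so software installed after that date may need to be reinstalled.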

#5 justlearning2010

justlearning2010
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 30 November 2017 - 04:52 PM

Dear RolandJS,

Thank you in response. And to answer your question.

You ask what registry editor I am using ...

Answer is:

I am just going in using regedit ... from there I navigate to the keys ... quite simple and did make one of the recommended changes ... however the F key is able to be edited in the little GUI box when pulled up ... you know this, correct?

You can edit on the fly in regedit.

What am I missing in your question ... as I am unclear ... you can do all and any edits in registry itself.

Thank you.

 

#6 justlearning2010

justlearning2010
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 30 November 2017 - 04:54 PM

Dear Cybercynic,

Yes I have tried all that ... I have that page saved as well ... trust me I have about every page / all research on this matter and understand the problem well ...

The only fix that may indeed work is the F Key registry ... that is the reason I posted this ...

I have never ever never been able to not fix something ...

cybercynic

#7 justlearning2010

justlearning2010
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 30 November 2017 - 04:55 PM

Dear Cybercynic,

Sorry, I copied your name to reply to post and forgot to take link out above ... discard your linked / name in the response.



#8 justlearning2010

justlearning2010
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 30 November 2017 - 05:02 PM

Dear Quietman7,

Thank you for response ...

However I have tried all that ... and no go ...

But! unless you understand to which if you do please explain ... the only other thing I have not tried is to take drive and do the backup etc. ...

My question is why I need to do this?

Why must I do this (or some say you don't need to and do what I did which is boot system etc. and do via command)

But why must drive come on and slave it to another system etc. and do the back up ... ???

I did it via using ultimate boot cd for win and I can do two things ... one, command line, or two, go into Windows and use the GUI itself ... as ultimate boot cd will bring up an XP overlay OS but you can access the folders ... but this way made me nervous as to if files were being used / and then locked etc. but using the overlay OS of XP from ultimate boot cd ... so I just used the command prompt.

Now there is mentioning on some tools that say you must say or press F key etc. to confirm change and all that but that depends on what tools you are using ... so fact of matter is yes I see some say take drive out and some don't and both work for others ... so again why must drive be taken out when it works for others via command line?

Thank you.



#9 justlearning2010

justlearning2010
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:38 PM

Posted 30 November 2017 - 05:06 PM

Again All ...

The issue I have is:

7. HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account Change F value to 0000

How in the world do you do this!?

No ONE knows within the entire internet!! I challenge you to find anyone or any one tutorial that shows you how ... you see even to date you all kindly chimed in with this or that but no one knows how to do this ...

So but so so so weird ... I have never been stumped on such a simple matter.

More so I have never not found a tutorial or research or some type of something that shows how to do a change or something ... especially when many clearly say ... here you just "7. HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account Change F value to 0000" ... and yet within the entire internet there is NOT one page that shows how ...

It's easy to copy and paste and say there ya go ... but to know the stuff is better ...

And this one change I do NOT know and it's more a wonder and challenge now for us all to say "ANYONE" out there know? :)



#10 xrobwx

xrobwx

  • Members
  • 197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Panama City Beach, FL USA
  • Local time:08:38 PM

Posted 01 December 2017 - 07:55 AM

 https://www.bleepingcomputer.com/forums/u/135621/jenae/ <--The force is strong with this one and maybe they can help.




#11 RolandJS

RolandJS

  • Members
  • 4,533 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:08:38 PM

Posted 01 December 2017 - 01:25 PM

...what am i missing in your question ... as i am unclear ... you can do all and any edits in registry itself. 

I was curious.  I did not know if my registry editor suggestion would be useful.  I see others are much more helpful; I'll listen in and learn from them and from your experience.


Edited by RolandJS, 01 December 2017 - 01:26 PM.




