Windows 7 SYSKEY

Windows 7 Locked after scam call with a SYSKEY login window


I have had customers fall for the “This is So-and-So from Windows 7 tech support (or Telstra support, etc.); we have detected malicious software on your PC” call. The customers have then given the scammers remote access to the PC. This is not their fault; the scammers can be very convincing. If you do make the mistake of letting them connect, they will ask you to pay $$$ to fix your ‘problems’. If you refuse to pay, they will switch on the SysKey startup password, so the next boot stops at the SysKey login window (see the login window pictured above).

Big Hint: If you get one of these calls and they have already connected remotely to your computer, the best thing to do is to go along with them, stay calm while you are talking to them, and either…

1. Pull the Ethernet (RJ45) cable out of the back of the computer, which disconnects them from your computer (on a laptop using Wi-Fi, switch the Wi-Fi off instead), or

2. Hold the computer's power button down for at least 6 seconds to forcibly shut the computer down.

Option one is best, but it may be difficult to reach the back of the computer if it is in a desk cabinet.

What is syskey?

SysKey is a little-known but legitimate Windows feature (introduced in Windows NT 4.0 SP3) that encrypts the password hashes held in the Security Accounts Manager (SAM) registry hive with a 128-bit system key, so that log-in credentials cannot simply be copied out of the hive and cracked, and the PC cannot be accessed without the proper credentials. The system key can be kept in the registry (the default), derived from a password typed at start-up, or stored on a floppy disk.

So basically the criminals have used a legitimate Windows tool (syskey.exe) to lock you out of your own computer: they switch it to the start-up password mode. That password does not replace your Windows password; it is an extra one, asked for before the logon screen appears, and until it is entered Windows cannot derive the system key, cannot decrypt the SAM database where your password is kept, and so cannot even show the normal logon.

The problem is that, unlike other scams, you can't just blank or reset the password, because the account password hashes in the SAM are encrypted with a key derived from the start-up password, and that password is never stored on the disk. The scammer sets this up beforehand, ready to go, in case you get cold feet, refuse to pay or hang up on them. There are reports that the password is sometimes very simple, such as 123, 1234 or abcd. Try those first, and if they fail, follow these steps.

THIS IS FOR WINDOWS 7 ONLY; it may work on other operating systems, but that is untested here! [Update: Windows 8 users click here]

I have repaired the syskey issue in Windows 7, both 32-bit and 64-bit, successfully using this method.

To remove the SysKey lock, follow the steps below:

1. Boot from the Windows 7 installation DVD or a System Repair Disc.

2. When the Install Windows page appears, click Repair your computer to access system recovery options.

2A. Cancel the automatic Startup Repair scan that comes up, then from the menu select System Restore. In some cases the scammer has deleted the System Restore points. If that has happened, these steps cannot help you with SysKey, because the repair depends on restoring registry hives from a restore point taken before SysKey was enabled.

3. Run System Restore and select a restore point dated before the SysKey password blocked access. The system may suggest a restore point; if it is not suitable, click Show more restore points. (The restore may succeed or fail, but it must be attempted.)

If it fails, click Run System Restore again (this takes you back to the options list).

4. Open Command Prompt from the options list.

5. Type regedit at the command prompt and press Enter. Regedit opens. Make sure you navigate to the exact keys shown; editing the wrong key can cripple your computer completely.

Check: Regedit started from the recovery environment shows the recovery environment's own in-memory registry under HKEY_LOCAL_MACHINE, not the registry of the Windows installation on the hard disk, and anything changed there is discarded at reboot. To edit the installed copy, click HKEY_LOCAL_MACHINE, choose File > Load Hive, open \Windows\System32\config\SYSTEM (and, for step 7, \SAM) on the Windows drive (often D: rather than C: from the recovery prompt; use dir to check), give each a temporary name, make the edits below under that name, and choose File > Unload Hive before rebooting. In a loaded SYSTEM hive there is no CurrentControlSet link; use ControlSet001 (or whichever number the Select\Current value names).

6. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and change the SecureBoot value to 0. (This DWORD records the SysKey mode: 1 = key stored in the registry, 2 = start-up password, 3 = floppy disk.)

7. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account and change the F value to 0000.

8. Reboot and log in as normal; if the account has no password, the computer should boot straight to the desktop.
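As an added example (not code from the original post), the batch script below can be copied to a USB stick and run from the System Recovery Options Command Prompt, or on a running PC. It reads the same SecureBoot value that step 6 edits and reports which of the SysKey modes described under "What is syskey?" the installation is in. Given a drive letter, it first copies the SYSTEM and SAM hives to a backup folder, loads the offline SYSTEM hive under a temporary name (the same thing regedit's File > Load Hive does), and resolves the live control set through Select\Current, since CurrentControlSet does not exist in a loaded hive. The drive letter D:, the temporary hive name OfflineSys, the backup folder name syskey_backup and the fix argument are this example's own conventions, not anything from the original post.

```batch
@echo off
setlocal EnableExtensions

rem syskey_check.cmd - added example, not part of the original post.
rem Reads the SysKey mode from HKLM\SYSTEM\<control set>\Control\Lsa\SecureBoot,
rem either on the running system or in an offline Windows 7 installation
rem (run from the System Recovery Options Command Prompt).
rem   0x1 = system key kept in the registry (the Windows default)
rem   0x2 = start-up password required at boot (what the scammers set)
rem   0x3 = system key kept on a floppy disk
rem
rem Usage (the drive letter and the word "fix" are this script's own conventions):
rem   syskey_check.cmd             check the running system, read-only
rem   syskey_check.cmd D:          check the offline installation on D:
rem   syskey_check.cmd D: fix      also set SecureBoot to 0 (the post's step 6)
rem Assumptions: the offline Windows folder is <drive>\Windows and the hive is
rem loaded under the temporary name HKLM\OfflineSys.

set "MODE="
set "LOADED="
if "%~1"=="" (
    set "LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
    goto read
)

set "CONFIG=%~1\Windows\System32\config"
if not exist "%CONFIG%\SYSTEM" (
    echo No SYSTEM hive at %CONFIG% - from the recovery prompt the Windows drive is often D:
    exit /b 2
)

rem Copy SYSTEM and SAM before touching anything, so a mistake can be undone.
if not exist "%CONFIG%\syskey_backup" mkdir "%CONFIG%\syskey_backup"
copy /y "%CONFIG%\SYSTEM" "%CONFIG%\syskey_backup\SYSTEM" >nul
copy /y "%CONFIG%\SAM" "%CONFIG%\syskey_backup\SAM" >nul

rem Mount the offline hive. It appears as HKLM\OfflineSys, not HKLM\SYSTEM:
rem HKLM\SYSTEM in the recovery environment is WinRE's own in-memory registry.
reg load HKLM\OfflineSys "%CONFIG%\SYSTEM" >nul
if errorlevel 1 (
    echo Could not load %CONFIG%\SYSTEM
    exit /b 3
)
set "LOADED=1"

rem CurrentControlSet is a link that only exists on a running system.
rem In a loaded hive, Select\Current says which ControlSet00N is the live one.
set "CUR="
for /f "tokens=3" %%A in ('reg query HKLM\OfflineSys\Select /v Current ^| find /i "REG_DWORD"') do set /a CUR=%%A
if not defined CUR (
    echo Could not read Select\Current from the offline hive
    goto cleanup
)
set "LSA=HKLM\OfflineSys\ControlSet00%CUR%\Control\Lsa"

:read
rem The value line looks like:  SecureBoot    REG_DWORD    0x2
for /f "tokens=3" %%A in ('reg query "%LSA%" /v SecureBoot 2^>nul ^| find /i "REG_DWORD"') do set "MODE=%%A"

if not defined MODE (
    echo SecureBoot is not set under %LSA%
) else if /i "%MODE%"=="0x2" (
    echo SysKey mode %MODE%: a START-UP PASSWORD is required at boot.
) else if /i "%MODE%"=="0x3" (
    echo SysKey mode %MODE%: the system key is on a floppy disk.
) else (
    echo SysKey mode %MODE%: the system key is stored in the registry.
)

rem Only change anything when asked to, and only in the offline hive.
if defined LOADED if /i "%~2"=="fix" (
    reg add "%LSA%" /v SecureBoot /t REG_DWORD /d 0 /f >nul
    echo SecureBoot set to 0 in the offline hive; the backup is in %CONFIG%\syskey_backup
)

:cleanup
if defined LOADED reg unload HKLM\OfflineSys >nul
endlocal
```

The fix argument performs only the post's step 6; the F value edit in step 7 is still done in regedit on the loaded SAM hive, and the System Restore in step 3 is still required, since SecureBoot=0 on its own does not recover hashes that were encrypted under the scammer's password.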

After the reboot, uninstall whatever remote-access program the scammers had you install, then run AdwCleaner and Malwarebytes to clean up any infections.

You may also need to reset the user account password if they changed that as well: the steps above get you past the SysKey lock but not past the user logon. For help with that: http://pcsupport.about.com/od/windows7/ht/reset-password-windows-7.htm

Hope this helps everyone with this problem.

Be aware of ‘tech support’ scammers. Microsoft, Telstra or any Internet Service Provider will not ring you to tell you your computer is infected. Read about the scam here.

If you have had success or have questions, contact me here.
