If you have syskey enabled on your system
What is syskey?
SysKey is a built-in Windows utility that helps you secure the Security Accounts Management or SAM database. In case you do not know, the SAM database stores hashed copies of our user passwords, and those hashes are encrypted with a locally stored system key.
The Windows operating system does not use stored, unencrypted password hashes; it requires that the password hashes and user information be encrypted. These encrypted versions of the passwords are usually stored in a file called sam, found in the system32\config folder. This file is part of the registry, in a binary format, and not easily accessible.
So basically the criminals have used a legitimate Windows process to lock you out of your own computer: with the SysKey program they configure a start-up password which overrides your password and has to be entered in order to decrypt the system key. Only then can the SAM database where your password is held be accessed, and only then can you log in normally.
For syskey infections try this step first:
If you have a friend or family member with another computer you can try this first, as it doesn't require much technical know-how. Take the hard drive out of the PC or laptop and connect it to another computer using a USB-to-SATA adapter. You can buy this adapter at any good computer shop or electronics store.
Once the drive is connected via the adapter to a second computer, open the C: drive of the infected hard drive, navigate to the RegBack folder at Windows\system32\config\RegBack, and copy the five files there into the config folder.
The files are:
It will tell you that these files already exist; allow the system to replace the current files with the files from the RegBack folder. Put the hard drive back into the computer/laptop and start it up as normal. It should now let you either log in or go straight to the desktop.
If no other computer is available continue as below:
FIRST check if you have any Restore Points to work with:
Restart the PC with a Windows 8.1 disk or a Recovery disk or any boot disk that will allow you to get to a command prompt.
- Type the following command in the Command Prompt window: rstrui.exe, then press the Enter key.
- The System Restore wizard will open immediately. Either select the 'Recommended Restore' date offered by Windows or click 'Choose a different restore point'. You're advised not to go back too far; usually a couple of days will do. Follow the instructions on the screen to complete the System Restore.
- If System Restore works, you're back in business.
If no Restore Points exist, the scammer intentionally removed them to prevent exactly this recovery. If this has happened to you, follow these additional steps to resolve the problem:
Return to the command prompt window or start the PC with a Windows 8.1 disk or a Recovery disk or any disk that will allow you to get to a command prompt.
Do not just restart your computer as normal without a boot disk, because a normal boot can overwrite the RegBack copy you are about to rely on and so lessen the chances of success.
Check to see that the folder %SYSTEMROOT%\system32\config\RegBack exists.
If so, continue.
If not, stop and immediately contact a technician.
Navigate to the %SYSTEMROOT%\system32\config folder
Back up the registry hives in this folder to a temporary location.
The files are:
To back up these files you can use Robocopy, a program built into Windows.
From another computer, see this site for examples of which command to use and details on how to do it.
Of course, if this is beyond your technical ability, contact a computer technician for help and, if necessary, refer him to my site for the instructions on how to do this.
Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder, replacing the existing ones.
Reboot the PC.
You should now be able to either log in if you have a password or boot to the desktop as normal.
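The whole procedure above (check that RegBack exists, back up the current hives with Robocopy, copy the RegBack hives into config) as one script, added here as an example and not code from the original post. It is written for the Command Prompt of a Windows recovery or boot disk, where reg.exe and robocopy.exe are both available, and it takes the drive letter of the offline Windows installation as its argument because drive letters shift inside the recovery environment. The five hive file names (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM) are the standard contents of RegBack, the backup folder name HiveBackup-nnnn is an assumption of this script, and the SecureBoot value it reads (1 = key stored locally, 2 = start-up password, 3 = key on removable disk) is the documented SysKey mode switch in the SYSTEM hive. Before restoring, it compares that value in the live SYSTEM hive with the one in RegBack, which answers the question the last paragraph raises: if the RegBack copy was written after the scam it already carries the start-up password and restoring it cannot help. It also refuses to continue when the RegBack hives are zero-byte files, which is what newer Windows 10 builds leave there unless periodic registry backup has been enabled.

```batch
@echo off
REM Added example (not from the original post). Run this from a recovery-disk
REM Command Prompt, never from inside the locked-out Windows, whose hives are in use.
REM Usage: syskey-recover.cmd <drive of the offline Windows>   e.g. syskey-recover.cmd D:
setlocal EnableDelayedExpansion

if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter of the offline Windows, e.g. D:^>
    exit /b 1
)
set "CFG=%~1\Windows\System32\config"
set "BAK=%CFG%\RegBack"
REM Temporary backup location; the folder name is an assumption of this script.
set "TMP_BACKUP=%~1\HiveBackup-%RANDOM%"

REM The five hive files that RegBack holds (standard names).
set "HIVES=DEFAULT SAM SECURITY SOFTWARE SYSTEM"

if not exist "%BAK%\" (
    echo RegBack folder not found at "%BAK%". Stop here and contact a technician.
    exit /b 2
)

REM Newer Windows 10 builds keep RegBack but leave 0-byte hives in it unless
REM periodic backup was enabled, so an empty copy is as useless as a missing one.
for %%H in (%HIVES%) do (
    if not exist "%BAK%\%%H" (
        echo RegBack is missing %%H. Stop here.
        exit /b 2
    )
    for %%S in ("%BAK%\%%H") do if %%~zS EQU 0 (
        echo RegBack hive %%H is empty ^(0 bytes^). Nothing to restore from.
        exit /b 2
    )
)

REM Compare the SysKey mode recorded in the live SYSTEM hive and in the RegBack copy.
REM Control\Lsa\SecureBoot: 1 = key stored locally ^(normal^), 2 = start-up password
REM ^(what the scammer set^), 3 = key on removable disk.
call :syskeymode "%CFG%\SYSTEM" LIVE
call :syskeymode "%BAK%\SYSTEM" BACKUP
echo Live SYSTEM hive SecureBoot = !LIVE!   RegBack SYSTEM hive SecureBoot = !BACKUP!
if "!BACKUP!"=="2" (
    echo The RegBack copy already carries the start-up password, so it was written
    echo after the lock-out. Restoring it will not remove the password. Stop here.
    exit /b 3
)

REM Back up the current hives before touching anything.
mkdir "%TMP_BACKUP%" || exit /b 4
robocopy "%CFG%" "%TMP_BACKUP%" %HIVES% /R:1 /W:1 >nul
REM Robocopy exit codes below 8 mean success.
if errorlevel 8 (
    echo Backup of the current hives failed. Stop here.
    exit /b 4
)
echo Current hives saved to "%TMP_BACKUP%".

REM Copy the RegBack hives over the live ones.
robocopy "%BAK%" "%CFG%" %HIVES% /R:1 /W:1 >nul
if errorlevel 8 (
    echo Restoring hives from RegBack failed. Copy them back from "%TMP_BACKUP%".
    exit /b 5
)
echo Hives restored from RegBack. Remove the boot disk and reboot the PC.
endlocal
exit /b 0

:syskeymode
REM Arguments: hive file, name of the variable to receive the SecureBoot value.
REM Loads the hive under a temporary key, reads Select\Current to find the active
REM control set, then reads Control\Lsa\SecureBoot from that control set.
set "%~2=unknown"
reg load HKLM\OfflineSys "%~1" >nul 2>&1 || exit /b 1
set "CS=1"
for /f "tokens=3" %%V in ('reg query HKLM\OfflineSys\Select /v Current 2^>nul ^| find /i "Current"') do set /a CS=%%V
for /f "tokens=3" %%V in ('reg query HKLM\OfflineSys\ControlSet00!CS!\Control\Lsa /v SecureBoot 2^>nul ^| find /i "SecureBoot"') do set /a "%~2=%%V"
reg unload HKLM\OfflineSys >nul 2>&1
exit /b 0
```

The same script serves the "second computer" method described earlier in the post: with the infected drive attached through a USB-to-SATA adapter, run it on the helper computer with that drive's letter as the argument; the hives on the attached drive are not in use there, so Robocopy can replace them.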
As mentioned, this solution only works reliably if you have not already rebooted the PC since being locked out. If you have, it may still work, but that depends entirely on whether Windows created a new RegBack copy following a successful boot.
If this method has been successful for you or you have any questions please contact me here.