  1. #1

    How to remove syskey

    First, a confession: I didn't fall for the phone call scam, but I may have done something even more embarrassing. I had a problem with a Mozilla Firefox update, so I did a search for Firefox help, and I found a post for Mozilla tech support. I called the number, and cooperated with the person who answered by installing logmein. I watched his every move, none of which was suspicious, but apparently he installed the syskey using a command file or application on his computer. Since he didn't appear to know anything about Firefox, I believe I orchestrated my own downfall by calling the scammer myself.

    After figuring out how to boot from a device other than my hard disk (see Can't boot from Windows install disk thread), I've unsuccessfully tried three main approaches to removing my syskey:

    (1) I used the Offline Windows Password & Registry Editor tool. Unfortunately, as noted in the very good forum posting User Account Password forgotten, by Duncan1892, the chntpw interactive menu's Option 2 - Syskey status & change doesn't work at all on Vista.

    (2) I downloaded and booted Ubuntu, then used it to edit my registry. First, I backed up the corrupted registry files. Simply setting SYSTEM\<various control sets>\Control\Lsa SecureBoot value to 0 doesn't work -- it causes an infinite reboot loop. Also setting SAM\SAM\Domains\Account F value to 0 still doesn't help -- still an infinite reboot loop. Note that in order to set the F value to 0 it was necessary to delete the value and re-create it as type 3.

    (3) Again using Ubuntu, I looked at my Windows\System32\config\RegBack folder. Although I found copies of the five registry files (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM), they were dated on the day that the scammer changed them. However, I also found copies directly in the Windows\System32\config folder, named default_previous, sam_previous, security_previous, software_previous, and system_previous, dated 9 days earlier. After backing up the corrupted registry files, I made copies of these and used them to replace the corrupted files. Note that this overwrote the registry files I had edited in approach #2. Using chntpw, I verified that the SYSTEM registry had a lot more control sets, and all the ones I checked had a SecureBoot value of 1, indicating that the syskey value is stored elsewhere in the registry. I assume this is what I would have seen if I had examined them before the hack.

    I then tried booting from the hard drive, both in Safe Mode and regular Windows. As I hoped, the syskey prompt did not appear. However, after the initial boot phase (listing all the .sys files in Safe Mode, or watching the Windows animation in the regular boot), the screen went black. After about a minute, a working arrow cursor appeared, but no other graphics. Except for the mouse cursor, all was black. And it stayed that way, even when I let it sit overnight.

    The good news is that the syskey is gone. The bad news is that my Windows Vista still won't boot completely.
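    As an added example (not part of the thread or any poster's work), the following PowerShell check reads the SecureBoot value under Control\Lsa that post #1 edited offline and reports, for every control set in the SYSTEM hive, which SysKey mode it records. The value meanings are the documented SysKey modes; the script assumes it runs in an elevated prompt on the Windows machine being examined.

```powershell
# Added example: report the SysKey (SecureBoot) mode recorded in each
# control set of the local SYSTEM hive. Documented SecureBoot values:
#   1 = boot key kept in the registry (the default)
#   2 = a startup password is required (the prompt a scammer leaves behind)
#   3 = boot key stored on removable media
# Run from an elevated PowerShell prompt; it only reads the registry.
$modeNames = @{
    1 = 'key stored in registry (default)'
    2 = 'startup password required (prompt at boot)'
    3 = 'key on removable media'
}

function Get-SysKeyMode {
    # Enumerate ControlSet001, ControlSet002, ... (CurrentControlSet is a link to one of them)
    $sets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

    foreach ($set in $sets) {
        $lsaPath = Join-Path $set.PSPath 'Control\Lsa'
        $value = (Get-ItemProperty -Path $lsaPath -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot

        if ($null -eq $value) {
            $meaning = 'value missing'
        } elseif ($modeNames.ContainsKey([int]$value)) {
            $meaning = $modeNames[[int]$value]
        } else {
            $meaning = 'unknown value'
        }

        [pscustomobject]@{
            ControlSet = $set.PSChildName
            SecureBoot = $value
            Meaning    = $meaning
            # Anything other than mode 1 deserves a look on a home machine
            Suspicious = ($null -ne $value -and [int]$value -ne 1)
        }
    }
}

Get-SysKeyMode | Format-Table -AutoSize
```

To inspect a hive copied from a machine that will not boot, load it first with `reg load HKLM\OfflineSystem <path-to-copied-SYSTEM-file>` (path is a placeholder) and change the `Get-ChildItem` root to `HKLM:\OfflineSystem`.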

  2. #2

    In the other thread I noted I ran out of ideas but I did not realize the offline registry editor could also clear the SAM key. Do this at your own risk. Do not do this if your drive was encrypted.

  3. #3

    That was my approach #1. If you read your first link (and my quote from another thread), it explicitly says it doesn't work with Vista. And it goes on to say that if you try it with Vista (as I did), it will cause endless reboots. That warning turned out to be incorrect -- it doesn't cause anything to happen, because the tool is smart enough not to do anything to a Vista registry.

    Which makes me wonder: if the tool is that smart, would the author consider making a version which DOES work with Vista?

  4. #4

    Sorry, I didn't fully read the post. The only other option I have seen is paid, and I am not sure it works for Vista. It is expensive. You probably already researched Reset Password by Passcape. The version that works for syskey is the standard version. It is supposed to see the Syskey password or reset it.

  5. #5

    No, I didn't know about Passcape's Reset Windows Password tool until I read your post. I tried it, and two things happened: it easily found my syskey password (which turned out to be 111), and it corrupted my system files in some way, so that I was no longer able to get as far as the syskey prompt. I kept getting blue screens and dumps, and I was back to an endless reboot loop.

    This forced me to finally figure out how to boot from my Windows Vista install disk. First, I had to set my BIOS boot priority correctly. Instead of setting CD-ROM as the first, I had to set it to my RW DVD drive. That's a peculiarity of my particular system. I don't actually have a conventional CD-ROM, but my BIOS evidently thinks I do, and that threw me off. Then I had to learn how to activate the boot. When the boot from the install disk begins, there is a period of 30 seconds or so where I have a black screen with a blinking underscore in the upper left. Then I get the "Press any key to boot from CD or USB" message, but it only lasts for about 3 seconds, and (I think) the key must be the return key.

    Having booted from my Windows install disk, I first had to do an unsuccessful system repair. This allowed me to get to the Advanced Recovery Options, which includes System Restore. I was able to restore to before the hack, and now after 11 days I'm back in business! A good side effect of the restore is that I no longer have logmein installed.

    In retrospect, I would have had a working computer 10 days earlier, if I had understood the names of the devices on the boot priority screen, and was attentive when prompted to Press any key. Aside from possibly causing some system file corruption (a small price to pay), I highly recommend Passcape as a way to find the syskey password. Nothing else works on Vista computers.

    To close this chapter, I'd like to post the phone number I called to get the scammer, who added my syskey. Unfortunately, I can't be certain about the phone number. But I tried to reproduce my earlier search, and came up with 855-848-1092. Actually, there are many phone numbers which came up in my search, but I suspect they are all scams. I suggest that for Mozilla Firefox support, one should only use their forum, never call.
