
Windows Syskey: Any way around it?

Hi everyone. Long story short, my elderly aunt and uncle were victims of a phone scam in which their financial information and computer were compromised. Luckily, the bank froze their accounts and credit files just in time.

I am tasked with trying to fix the smoking wreckage of a computer they have. Apparently, the scammer had my uncle allow remote access to his desktop and the scammer went to town. My first hurdle is that the scammer set up a Windows syskey password. I have never seen this before, to be quite honest. I learned that basically the scammer encrypts the SAM database, which renders any password cracker useless (i.e. Hiren's Boot CD, my go-to in this situation). I was able to boot a live USB of Linux Mint and copy some of their data over to a flash drive. I'm not sure what the scammer did to their pictures, but none of them will open. They have the proper file extension (jpeg) but bark at me that "the registry value is invalid" or something along those lines.

My gut tells me to blow away the OS and re-install windows 10 on it, but my morbid curiosity wants to know what that scumbag scammer did to this installation.

So tl;dr, any way to get past a syskey password?


Also, lol, Microsoft will be getting rid of syskey because of ransomware and scammers in the Creators Update.
https://en.wikipedia.org/wiki/Syskey
 
Found this..... maybe?

1. Boot from the Windows install CD.

2. When the Install Windows page appears, click Repair your computer to access system recovery options.

3. Run System Restore to the last point before the syskey password blocked access. (This will fail, but it must be done.) Click Run System Restore again (this will take you back to the options list).

4. Open Command Prompt from the options list.

5. Open Regedit (type regedit into the command prompt). Regedit will open.

6. Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa and change the 'SecureBoot' value to 0.

7. Navigate to HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account and change the 'F' value to 0000.

8. Reboot and log in.
 
I realize I could google it, but I wanted to see if you guys had any experience with it. Thanks for the suggestions, I will try some of those when I get home.
 
> I realize I could google it, but I wanted to see if you guys had any experience with it.

That's what I gave; my experience, however, is (with no backup) you're SOL. So I tried to help despite that. Sorry it wasn't good news.
 
> That's what I gave; my experience, however, is (with no backup) you're SOL. So I tried to help despite that. Sorry it wasn't good news.
Hey man, I appreciate it! It's not a big deal so I may just go with my gut and blow it away.
 
Are you trying to open the jpegs on the encrypted PC, or another?

I am trying to open them on another. It is weird because other recovered files open on this other computer, but the pictures all seem to have this issue. It is hard to tell what's going on without being able to log into the OS on the affected PC, perhaps further damage occurred with these files. When I get home, I'll try some of the methods listed in this thread. If worst comes to worst, I have a new installation usb ready to go. Thanks for all the suggestions fellas.
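The symptom in the post above (the files keep their .jpeg extension but refuse to open on a second machine) is one where I would check the file contents before spending any time on the OS. The following is an added example, not code from this thread or from any tool named in it: it classifies recovered files by their leading "magic bytes" and the entropy of their first 4 KiB. The sample bytes in SAMPLES, the _keystream helper that imitates ciphertext, and the verdict names are constructed for this example. A .jpeg with no JPEG header and near-random bytes has been encrypted or overwritten and will not open anywhere; one with an intact header points at a viewer or registry problem on the machine used to open it instead.

```python
import hashlib
import math
from collections import Counter
from pathlib import Path

# File signatures ("magic bytes") for common formats. The extension says
# nothing about the content; the first bytes of the file do.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also docx/xlsx/pptx containers
}
# Extensions that are expected to carry each signature.
EXPECTED = {
    "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"},
    "pdf": {".pdf"}, "zip": {".zip", ".docx", ".xlsx", ".pptx"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_format(data: bytes):
    """Return the format name whose signature the data starts with, or None."""
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return None


def assess(filename: str, data: bytes) -> dict:
    """Classify one recovered file from its signature and the entropy of its head."""
    ext = Path(filename).suffix.lower()
    fmt = detect_format(data)
    ent = shannon_entropy(data[:4096])
    if fmt is not None:
        # Header is intact; the only question is whether the name matches it.
        verdict = "ok" if ext in EXPECTED.get(fmt, set()) else "extension-mismatch"
    elif ent > 7.5:
        # No known header and near-random bytes: encrypted or overwritten data.
        verdict = "likely-encrypted"
    else:
        # No known header but structured, low-entropy bytes (text, truncated file).
        verdict = "no-signature"
    return {"file": filename, "format": fmt, "entropy": round(ent, 2), "verdict": verdict}


def scan_directory(root: str) -> list:
    """Run assess() over every regular file under root, reading only the first 4 KiB."""
    results = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            with p.open("rb") as fh:
                results.append(assess(p.name, fh.read(4096)))
    return results


def _keystream(n: int) -> bytes:
    # Deterministic pseudo-random bytes standing in for ciphertext (constructed).
    blocks = (hashlib.sha256(b"sample" + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


# Constructed samples standing in for files copied off the affected drive.
SAMPLES = {
    "vacation.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64,  # real JPEG header
    "grandkids.jpeg": _keystream(4096),            # no header, near-random: encrypted/overwritten
    "notes.txt": b"Call the bank Monday.\n" * 20,  # plain text: no signature, low entropy
    "report.jpeg": b"%PDF-1.4\n" + b"x" * 100,     # a PDF wearing a .jpeg extension
}


def assess_samples() -> dict:
    """Verdict per constructed sample; the interesting case is the 'encrypted' jpeg."""
    return {name: assess(name, data)["verdict"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess(name, data))
```

Point scan_directory at the folder of files copied off the flash drive; anything reported as likely-encrypted is not going to open on a clean machine either, and a directory where every picture comes back that way is the signature of a ransomware-style overwrite rather than a broken viewer.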
 
> I am trying to open them on another. It is weird because other recovered files open on this other computer, but the pictures all seem to have this issue. It is hard to tell what's going on without being able to log into the OS on the affected PC, perhaps further damage occurred with these files. When I get home, I'll try some of the methods listed in this thread. If worst comes to worst, I have a new installation usb ready to go. Thanks for all the suggestions fellas.

Combination scam AND ransom encryption? I'm curious to see what you find.
 
I would rather back up and format the PC. You never know what else they have done to the PC. Keyloggers etc.
At least you know the PC is clean then and there are no comebacks.

The last syskey scam, I battled to remove the syskey, but afterwards thought a reload would be the best anyway.
 
> It's not a big deal so I may just go with my gut and blow it away.

Whether you try to unlock Windows or not: save the data, erase the drive, and restore a system image (if you have one) or reinstall from scratch. If a scammer has screwed around with the PC, no one in their right mind would try to continue using it.
 
Oh, I'm ultimately re-installing, I am just fascinated by what the scammer did. It is not connected to the network, so I can explore freely if I get past it. Just to be clear, no matter what, I'm wiping.
 
Definitely format and reinstall, without hesitation.

I think it's even possible to infect another Windows PC just browsing the files on the infected install in some cases, especially if not patched. Certainly opening any files can have a payload. Sounds like he didn't have a backup?

Sorry your aunt and uncle were scammed by those vile criminals. Hopefully the experience will make them more wary next time. A good idea is to instill in them that no one goes near their computer unless it's family or good friends that they know and who have decent computer knowledge. This should help to keep them safe.
 