client had syskey installed on computer


  1. Posts : 3
    10
       #1


    Hey, new guy here. Tom is my name.

    I have a client whose computer was hacked by a scammer, she allowed them access and then set a syskey on the computer. After she paid them they told her the password. They came back several times and extorted money from her. I've removed everything so they can't access the computer, but the syskey is still there.
    Questions:
    1) The data....is it encrypted through syskey? Or can it be copied to use on another computer or after a re-install of the OS (win10)?
    2) Can I remove the syskey, beings we know the password and un-encrypt things? (I'm thinking NOT)
    3) Being we have access and I have disabled all outside access, are we good to go as is? (again I'm thinking not as Win10 won't let me install the latest updates)

    Thank you in advance for the help.


  2. Posts : 12,801
    Windows 11 Pro
       #2

    What little I know, or think I know, about Syskey is, it is a registry feature of Windows for many years. It was originally designed for enterprise companies to restrict users from certain areas. If you have a system image of before someone installs the syskey, you can defeat it. If you have a registry backup from before syskey was set, it can be restored. Windows keeps a backup of the registry. If you have not booted into Windows / tried to boot into Windows once it is realized that a syskey has been set, the backup registry can be restored. Once it is booted into, the syskey is usually a part of the backup registry.

    I would make sure we are dealing with a syskey and not something else. Even with a syskey installed, you should be able to boot into a rescue CD/USB and still have access to user files. Unless they have installed something else which gives them access to the machine, I wouldn't worry about them resetting it. I would recommend a good clean install to make certain. I know if it was my machine that would be the first thing I would do.

    The Registry Backup is located at C:\Windows\System32\config\RegBack and contains folders Default, SAM, Security, Software and System.

    Another option, while not foolproof, would be for you to set a syskey password. While a big pain, it would prevent others from setting one, in most cases.


  3. Posts : 68,862
    64-bit Windows 11 Pro for Workstations
       #3

    Hello teebee, and welcome to Ten Forums. :)

    In addition, here's some more information about the Syskey feature if this is what is being used. It includes how to remove it using the password.

    SysKey - Set Startup Password to Lock or Unlock Windows - Windows 7 Help Forums

    SysKey - Create USB Key to Lock or Unlock Windows - Windows 7 Help Forums


  4. Posts : 15,480
    Windows10
       #4

    The real issue is what else has been compromised. Advise your client, as an urgent priority, to change all online passwords (bank, amazon, paypal, ebay etc), and examine accounts for suspicious behavior.

    Your client may think that is overkill, but ask her if she can afford to take the risk.

    I also strongly advise clean installing from scratch, for same reasons.

    No amount of use of tools like malware removal can give you 100% certainty all is right.

    As you are undoubtedly a man of integrity, do you believe doing anything other than a complete reinstall is in your client's interests?

    You will (imo) provide a much better service if you help her backup valuable data, clean install and assist in reinstalling stuff if necessary. Do that and clients will always come back.


  5. Posts : 3
    10
    Thread Starter
       #5

    cereberus said:
    The real issue is what else has been compromised. Advise your client, as an urgent priority, to change all online passwords (bank, amazon, paypal, ebay etc), and examine accounts for suspicious behavior.

    She has done all those things. The banks, paypal are all working with her already.

    cereberus said:
    Your client may think that is overkill, but ask her if she can afford to take the risk.
    I also strongly advise clean installing from scratch, for same reasons.

    That's exactly what I was thinking too.

    cereberus said:
    No amount of use of tools like malware removal can give you 100% certainty all is right.

    You are hitting that nail directly on the head.

    cereberus said:
    As you are undoubtedly a man of integrity, do you believe doing anything other than a complete reinstall is in your client's interests?

    NO, I just wanted to hear this from someone else.

    cereberus said:
    You will (imo) provide a much better service if you help her backup valuable data, clean install and assist in reinstalling stuff if necessary. Do that and clients will always come back.

    That is going to be my plan as of right now. My concern is, will the data be clean? I've run scans (malware, viruses were detected and removed/quarantined). I would hate to do a clean install and then re-introduce something from backed up data.
    Thank you so much for verifying what, I guess, I already knew.


  6. Posts : 15,480
    Windows10
       #6

    teebee said:
    Thank you so much for verifying what, I guess, I already knew.

    Data is usually ok. It is exe files etc that get infected. Infections of videos, photos etc is rare, word docs and excel etc less so.

    For most, it is photos that are the primary concern. You can scan data with a high degree of confidence.


  7. Posts : 3
    10
    Thread Starter
       #7

    While copying her 'documents' file, I got a "Your infected" warning, while moving through the docs. A file with no real name ("file") or extension set it off. I shredded that file then proceeded to fine-tooth-comb all the copied files. Anything that looked suspect was shredded. I then did a clean install of Win10. I then installed Malwarebytes, CCleaner and AVG, ran thorough scans before I copied her data back to the clean install. Then again once the data had been copied. I believe that we are clean and nearly back again to where she was before this all happened.

    Thank you all once again, for proving to me that my gut was telling me the right things to do.
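Added example, not part of any post in this thread: a Python script for the concern raised in posts #5 to #7, triaging a backed-up data folder by file content before it is copied back onto a clean install. The extension list, function names and sample files are assumptions constructed for illustration, and the result is a list of files to hold back for scanning or deletion, alongside the antivirus scans the thread describes.

```python
import os
import tempfile
import zipfile

# Assumed list of extensions that run code when opened; a data-only backup needs none.
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs",
             ".js", ".wsf", ".hta", ".lnk", ".msi", ".jar"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container

def classify(path):
    """Return the reasons to hold a file back; an empty list means no flag."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(8)
    checks = [(head[:2] == b"MZ", "Windows executable content"),
              (ext in RISKY_EXT, "executable or script extension"),
              (not ext, "no extension"),
              (head == OLE2_MAGIC, "legacy Office container, may carry macros")]
    reasons = [why for hit, why in checks if hit]
    # Modern Office files are ZIP archives; macros live in vbaProject.bin.
    if head[:4] == b"PK\x03\x04" and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            if any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
                reasons.append("Office document with VBA macros")
    return reasons

def triage(root):
    """Walk a backup folder; map relative path -> reasons for flagged files."""
    flagged = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            if (reasons := classify(full)):
                flagged[os.path.relpath(full, root)] = reasons
    return flagged

def demo():
    """Build a constructed sample backup in a temp folder and triage it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
                   "notes.txt": b"shopping list\n",
                   "file": b"MZ" + bytes(62)}  # constructed: no extension, PE header
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        with zipfile.ZipFile(os.path.join(root, "invoice.docx"), "w") as zf:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

Run `triage()` against the folder holding the copied data from a clean machine or rescue environment; anything it returns is reviewed before the restore rather than after.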


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
