The SysKey utility, also called the SAM lock tool, is a built-in Windows tool that allows you to secure the Security Accounts Management (SAM) Database. It can be helpful for preventing hackers from cracking Windows passwords, and it is also a way to stop some cleaning lady cracks.

I will first show you what you can do with the SysKey utility and then discuss how much extra security SysKey protection really brings.

The SAM database is part of the Windows Registry and stores information about user accounts such as user names and password hashes. The corresponding Registry file is located in c:\windows\system32\config. Since Windows NT 4 SP3, the SAM file is partly encrypted. The SysKey utility allows you to move the SAM encryption key off the computer and/or configure a startup password.

Using the SysKey utility

To launch the SysKey utility, type “syskey” at the Start Search prompt of Windows Vista or Windows 7, or use the "run" option of the Windows XP Start Menu.


To move the SAM encryption key off the computer, you have to click "Store Startup Key on Floppy Disk." The tool claims that you will need to insert a floppy disk on startup, which is not really true. Modern computers no longer have floppies, and this storage medium isn't reliable enough anyway. You can also store the SAM encryption key on a USB flash drive.


However, the USB stick has to be mounted on drive "A:". You can assign this drive letter to your thumb drive in Windows Disk Management. If the drive letter A is not available, you have to first disable the floppy disk in the computer BIOS.

The SysKey utility will then allow you to store a file with the name StartKey.Key on your USB drive. This file contains the SAM encryption key. Without it, you won't be able to log on in the future. Thus, whenever you boot up your computer, you have to insert this USB stick. Windows will always automatically load the encryption key from drive A:, and if you set a password with the SysKey utility, you will have to enter this password whenever you boot up the computer.


What extra security does the SysKey utility bring?

First of all, neither storing the SAM encryption key on an external drive nor protecting it with a password can prevent tools such as Kon-Boot or the Trinity Rescue Kit from manipulating the SAM database. These tools are still able to set an empty password on all accounts. However, after such a manipulation, it is not possible to boot up Windows without the encryption key on the USB drive or without the startup password.

Hence, this method will prevent the majority of wannabe hackers from logging on to the computer with administrator privileges. It won’t, however, stop real hackers. As long as an attacker has physical access to an unencrypted system drive, everything is doable because every system file can be replaced, as I demonstrated in my article about the Sticky Key trick. By the way, this trick will no longer work if you secure the SAM encryption key because an attacker wouldn't be able to reach the logon screen without access to the encryption key.

So does it make sense to protect all your PCs with the SysKey utility? I don't think so. The fact that the tool tries to store the encryption key on a floppy disk shows that this method is a bit outdated. It is too much hassle for your users to mess with a USB stick or to use an additional password compared to the extra protection the tool offers.

However, I think the SysKey utility is still useful in some environments. For instance, you can use the tool to protect laptops or servers where you don't want to disable booting from external drives or where many people would have the time to open the PC and access the system drive. It might also make sense to protect your own PC this way. Wouldn't it be embarrassing if your colleague’s eight-year-old daughter hacks your PC while you take a coffee break?

The point is that 99% of all kids out there who call themselves hackers know about Kon-Boot and the myriad of similar tools, but they don't know how to handle SysKey. SysKey was originally introduced to prevent hackers from cracking passwords in the SAM database with brute force attacks. And popular hacking tools such as SAMInside still can't handle a protected SAM encryption key.

Of course, SysKey can't stop the bad guys and gals disguised with vacuum cleaners from shoving some nasty rootkits on the system drives of your PCs. But BitLocker will do the job in 99.999% of all such attacks. Thus, I believe encrypting all hard drives in your organization is a must!
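
To check how a given machine is configured, the following added example (not part of the original article) reports the SysKey startup mode and whether the system drive is protected by BitLocker. It assumes the mode is stored in the `SecureBoot` DWORD under the `Lsa` registry key, which the article does not mention; the function name `Get-SysKeyAudit` is hypothetical.

```powershell
# Added example (not from the original article): report the SysKey startup
# mode and the BitLocker status of the system drive. Run from an elevated prompt.
# Assumption: the mode is the SecureBoot DWORD under the Lsa key
# (1 = key stored locally, 2 = startup password, 3 = key on drive A:).
function Get-SysKeyAudit {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $modes = @{
        1 = 'Key stored locally (default)'
        2 = 'Startup password required at boot'
        3 = 'Startup key loaded from drive A: (StartKey.Key)'
    }

    # The value may be absent; report that instead of failing.
    $raw = (Get-ItemProperty -Path $lsaPath -Name SecureBoot -ErrorAction SilentlyContinue).SecureBoot
    if ($null -eq $raw) {
        $mode = 'Unknown (value not present)'
    } elseif ($modes.ContainsKey([int]$raw)) {
        $mode = $modes[[int]$raw]
    } else {
        $mode = "Unrecognized value $raw"
    }

    # BitLocker cmdlets need elevation and are not installed on every edition.
    $bitlocker = 'Unknown'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        try {
            $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
            $bitlocker = [string]$vol.ProtectionStatus   # 'On' or 'Off'
        } catch { $bitlocker = 'Unknown (query failed)' }
    }

    $findings = @()
    if ($raw -in 2, 3) {
        $findings += 'Non-default SysKey mode: confirm an administrator set it and that the password or key file is escrowed.'
    }
    if ($bitlocker -ne 'On') {
        $findings += 'System drive not confirmed encrypted: offline changes to the SAM remain possible.'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SysKeyMode       = $mode
        SysKeyExePresent = Test-Path (Join-Path $env:SystemRoot 'System32\syskey.exe')
        BitLockerStatus  = $bitlocker
        Findings         = $findings
    }
}

Get-SysKeyAudit | Format-List
```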

6 Comments
  1. Monica 9 years ago

    This SAM Lock Tool was used by a scammer on me and locked me out of my computer.
    They claimed to be from Windows Help and Support (I was having issues with Microsoft Excel at the time they called). They called me from 323-522-5942.
    They said I have to pay them to unlock my computer! Reason they said was that my Windows Licence ID number was expired.
    So now I have to get a technician to unlock if they can. It shows you can't trust anyone.

  2. Graham 8 years ago

    This was posted by Monica = This SAM Lock Tool was used by a scammer on me and locked me out of my computer.
    They claimed to be from Windows Help and Support (I was having issues with Microsoft Excel at the time they called). They called me from 323-522-5942.
    They said I have to pay them to unlock my computer! Reason they said was that my Windows Licence ID number was expired.
    So now I have to get a technician to unlock if they can. It shows you can’t trust anyone.

    I had exactly the same today from phone number 009999100157. They gave a helpline number 0131 5100072 with the name MS business solutions.

    • donna 5 years ago

      So how did you fix the computer cuz it just happened to me also

  3. Syskey.exe utility will no longer be supported in Windows 10 Fall Creators Update. Microsoft recommends to use Bitlocker.

  4. jack 3 years ago

    for removing syskey you can use system restore point.


© 4sysops 2006 - 2022
