A New Hampshire customer called for on-site technical support, explaining that her Windows 10 computer had suddenly started showing a password prompt unlike any she had ever seen before. The prompt says:
Startup Password: This computer is configured to require a password in order to start up. Please enter the Startup Password below.
Password: [OK button] [Restart button]
It appears that the system requires a password to start. The mouse cursor does not work on this screen and isn’t even visible. After the password is entered incorrectly three times, the computer automatically restarts and returns to the same screen. While Windows boots, the mouse cursor works on earlier screens, but on the password dialog box the mouse won’t move at all.
When we arrived, the customer told us that the scam had first appeared at the bottom right corner of the screen, in what’s known as the taskbar. This spyware scam, purporting to be from Microsoft Windows, gave a toll-free number for her to call. The number is +1-855-220-9416. When she dialed this number, a man with a heavy Middle Eastern accent told her that her computer had been hacked from Russia, and that he could diagnose and attempt to fix the problem online. He pointed her to a website and logged into her Windows installation, remotely controlling her computer over the internet from some unknown location. Once connected, the technician typed in a bunch of commands (to make the scam look good) and informed her that her computer was severely infected with viruses, spyware, adware and malware. She was told there were big problems with her computer and that she would need to purchase additional software to fix them. This so-called hack technician informed her that the problem could be resolved, but she would need to purchase a new Windows 10 Pro CD for $199.99 from his repair company and a backup system with a one-year warranty for $59.99. Apparently, something didn’t seem right to the customer, so she said, “I’ll think about it, and can I have your direct number?” The conman replied, “Sure, it’s +1-877-256-0833 extension x0400 and my name is James Morris (Morose)”.
After getting off the phone with the culprit, our customer booted her Windows computer, and almost immediately, before it finished loading, a login screen popped up that was unlike any she had ever seen before. There had been no password on the customer’s computer, as it was previously configured not to require one. Our customer was perplexed and tried entering every password she could think of, to no avail. She was completely locked out of the computer and stood to lose all of her personal files, such as pictures, spreadsheets and documents, as well as her favorites/bookmarks.
At Fowler Computer Repair we attempted to recover her computer using an old Windows system restore point, which would keep her existing files, settings, and program configurations, but all the restore points were gone from the computer. Someone had deleted every restore point on the hard drive and disabled System Restore altogether. We then tried reinstalling Windows using the recovery partition and chose to keep her data files and Documents library files.
After reinstalling for half an hour the computer rebooted and came up to the same log on screen prompting us to enter a password to use Windows.
We asked the customer how important her personal files were to her, to which she replied that all of the pictures of her grandchildren and her tax documents were probably still on the computer and she would really like them back if possible. We researched removing the syskey password and found that many technicians had run into this problem; however, we couldn’t find one person who had actually fixed it without completely reinstalling Windows from a fresh copy. There were a couple of computer technician experts who claimed to have the solution. One solution that we came across was to download a boot CD called Hiren’s boot CD that would help disable the system key password that had been set deep inside the registry hive. This program is very useful for the tech savvy. It can be downloaded at the official website http://www.hiren.info/pages/bootcd
We tried the Hiren’s boot CD solution but received errors when trying to run the program. It would appear to work, but the syskey password would still pop up when we restarted the system, with the message “This computer is configured to require a password in order to start up. Please enter the Startup Password below.” We continued trying to remove the syskey password using other methods without any luck, and after a few hours we made the decision to back up all of the user files on the hard drive to an external drive. We recovered all the pictures, documents, spreadsheets and favorites our customer had previously enjoyed.
This time we didn’t use the recovery partition of the hard drive to recover the Windows 10 operating system with the user files. Instead we elected for the factory reinstall method, which removes all files and settings and returns the computer to the original state in which it was bought.
One hour later Windows 10 was asking to be set up for the first time, and there was no syskey password screen popping up at all.
All of our customer’s critical pictures and documents remained intact on our backup hard drive, so we simply transferred them back over to the computer once it was done reinstalling. This time we set up a strong Windows password to protect against people logging on to the computer, and also installed the best of the best in antivirus and spyware programs to protect against future intrusions and ensure that this won’t happen again.
If you experience this issue or a similar issue of not being able to log in to Windows, please leave a comment below and let us know if this article has been helpful for you. For on-site computer repair in the Lakes Region and Seacoast New Hampshire, please feel free to give us a call.
Here is a list of links we’ve found to attempt to remove Windows syskey password (please be cautious).
If you have a friend or family member with another computer, you can try this first, as it doesn’t require much technical know-how. Take the hard drive out of the PC or laptop and connect it to another computer using a USB-to-SATA adapter. You can buy this adapter at any computer shop or electronics store in NH.
Once the drive is connected via the adapter to a second computer, open the C: drive on the infected hard drive, navigate to the RegBack folder at Windows\system32\config\RegBack, and copy the five files to the config folder.
The files are:
It will tell you that these files already exist, but allow the system to replace the current files with the files from the RegBack folder. Put the hard drive back into the computer/laptop and start up the computer as normal. It should now allow you to either log in or go directly to the desktop.
If no other computer is available continue as below:
FIRST check if you have any Restore Points to work with:
Restart the PC with a Windows 8.1 disk or a Recovery disk or any boot disk that will allow you to get to a command prompt.
- Type the following command in the Command Prompt window: rstrui.exe, and then hit the Enter key.
- The System Restore wizard will open immediately. Either select the ‘Recommended Restore’ date offered by Windows or click ‘Choose a different restore point’. You’re advised not to go back too far; usually a couple of days will do. Follow the instructions on the screen to complete the System Restore.
- If System Restore works, you’re back in business.
If no Restore Points exist, your scammer intentionally removed them to prevent this from occurring. If this has happened to you, follow these additional steps to resolve the problem:
Return to the command prompt window or start the PC with a Windows 8.1 disk or a Recovery disk or any disk that will allow you to get to a command prompt.
Do not just restart your computer as normal without a boot disk, because this can lessen the chances of success.
Check to see that the folder %SYSTEMROOT%\system32\config\RegBack exists.
If so, continue.
If not, stop and immediately contact a technician.
Navigate to the %SYSTEMROOT%\system32\config folder
Back up the registry hives in this folder to a temporary location.
The files are:
SOFTWARE, SYSTEM, SAM, SECURITY, DEFAULT
To back up these files you can use Robocopy, a program built into Windows.
Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder.
Reboot the PC.
You should now be able to either log in if you have a password or boot to the desktop as normal.
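The RegBack restore described above (both the second-computer method and the command-prompt steps), as an added Python example that is not part of the original article: it refuses to overwrite anything unless all five RegBack copies exist, are non-empty and start with the registry hive signature "regf", and it saves the current hives first. The function names, the E: mount point and the backup folder are assumptions for illustration.

```python
import shutil
from pathlib import Path

HIVES = ("SOFTWARE", "SYSTEM", "SAM", "SECURITY", "DEFAULT")  # the five files named above
REGF_MAGIC = b"regf"  # every registry hive file starts with these four bytes


def check_regback(config_dir):
    """Return {hive: problem} for every RegBack copy that is unsafe to restore."""
    problems = {}
    for name in HIVES:
        src = Path(config_dir) / "RegBack" / name
        if not src.is_file():
            problems[name] = "missing"
        elif src.stat().st_size == 0:
            problems[name] = "empty (0 bytes)"
        else:
            with src.open("rb") as fh:
                if fh.read(4) != REGF_MAGIC:
                    problems[name] = "not a registry hive"
    return problems


def restore_from_regback(config_dir, backup_dir):
    """Back up the live hives, then overwrite them with the RegBack copies.

    Nothing is written unless all five RegBack copies pass check_regback().
    """
    config_dir, backup_dir = Path(config_dir), Path(backup_dir)
    problems = check_regback(config_dir)
    if problems:
        raise RuntimeError(f"RegBack not usable, nothing changed: {problems}")
    backup_dir.mkdir(parents=True, exist_ok=True)
    for name in HIVES:  # step 1: keep the current hives in a temporary location
        shutil.copy2(config_dir / name, backup_dir / name)
    for name in HIVES:  # step 2: replace them with the older RegBack copies
        shutil.copy2(config_dir / "RegBack" / name, config_dir / name)
    return [str(backup_dir / name) for name in HIVES]


if __name__ == "__main__":
    # Assumed mount point: the locked PC's drive shows up as E: on the second computer.
    cfg = r"E:\Windows\System32\config"
    print(restore_from_regback(cfg, r"C:\syskey-hive-backup"))
```

The empty-file check matters on Windows 10 version 1803 and later, where Windows no longer populates RegBack by default and the five files are typically 0 bytes; copying those over the config folder would leave the machine unbootable.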
Scammers usually contact the computer owner while posing as a member of the Microsoft support team. They will inform you that your PC has a number of critical problems that need to be fixed immediately or your system will fail to work properly. They will convince you to allow them to connect to the system remotely and fix the issues. If you do make the mistake of letting them connect, they will ask you to pay $$$ for the fix. If you refuse to pay, they will enable SysKey encryption on the SAM registry hive.
Syskey appears to be a rather braindead idea under Windows 7. On the one hand it prevents the user from launching Windows unless he remembers the syskey password. On the other hand it does nothing whatsoever to protect the user’s data files. You can boot up a syskey-protected machine with any boot CD (e.g. the Windows 7 Repair CD) and immediately gain full access to all files stored on the disk.
There are two options to undo the activation of syskey:
- Boot the machine with a Repair CD, then use System Restore to set Windows back to a time before you activated syskey. Note that this method could cause Windows to report after the third boot that this is not a genuine version . . .
- Restore the System partition from an image that you took previously.
If you really need to protect your data then you must encrypt your files. Note that file encryption has its own set of traps for the novice, which can and does cause permanent loss of all encrypted files.
Step 1: Boot up your computer to Hiren’s boot cd and use ‘Offline NT/2000/XP/Vista/7 Password Change’
Step 2: Choose the partition on the disk where your Windows is installed. Here I chose ‘1’ because I have only one partition
Step 3: Press Enter at the ‘Select Path and registry files’ prompt
Step 4: Press ‘1’ to choose ‘Password reset’
Step 5: Press ‘2’ to choose ‘Syskey status & Change’
Step 6: Press ‘y’ & press Enter to confirm disabling SYSKEY
Step 7: You can press 2 to check SYSKEY status again. OK
I have had a couple of customers fall for the “This is So and So from Windows 7 Tech support, we have detected malicious software on your PC”. The customers have given the scammers access to the PC and it’s now locked with what looks like the XP Syskey lock screen. There are reports the passwords are 123 or 1234 or ABCD. But that all failed. If you have this problem:
THIS IS FOR WINDOWS 7 ONLY, MAY WORK ON OTHER OS!!!!
I have repaired the syskey issue when created by a scam call from “Windows 7 Tech Support” in Windows 7. I repaired customers’ computers (1 32-bit and 1 64-bit) successfully. To remove it, follow the steps below:
1. Boot from windows 7 install cd.
2. When the Install Windows page appears, click Repair your computer to access system recovery options.
3. Run System Restore to last point before syskey password blocked access. (This will fail, but must be done). Click run system restore again (this will take you back to the options list)
4. Open Command Prompt from the options list.
5. Open Regedit (Type regedit into the command prompt). Regedit will open.
6. Navigate to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, and change ‘SecureBoot’ value to 0.
7. Navigate to: HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account, and change ‘F’ value to 0000.
8. Reboot and Login
This has worked for me on two machines. After reboot I ran Super-anti Spyware, Ad-Aware and Hitman Pro to confirm, found 68 items on Super-Anti Spyware, 5 more on Ad-Aware and no further detections on Hitman Pro. The PC now runs fine with no lockouts or passwords.
You may also need to reset the user account password if they have changed that also, the above will get you past the Syskey lock but not past user login if they changed that. For help with that: http://pcsupport.about.com/od/windows7/ht/reset-password-windows-7.htm
Hope this helps everyone with this problem.
MICROSOFT / WINDOWS 7 SUPPORT WILL NEVER RING YOU UNLESS YOU HAVE REQUESTED THEM TO DO SO!!!!!!!!!!!!!!!!
There are a number of programs on the Net that proclaim they can reset SYSKEY. But none of them works correctly at the moment. The reason is that SYSKEY resetting requires a lot of additional operations to prevent your system from being broken. For example, you also need to zero out SAM domain session key(s), re-encrypt and reset local user hashes, LSA secrets, etc. Reset Windows Password has 2 algorithms for resetting SYSKEY. Once the primary one fails, another one runs. After SYSKEY is reset, all local user passwords will be set to blank automatically.