16 Jan
So a customer calls me and is a little hesitant to explain what's wrong with her computer. Almost without fail, when they dance around what happened, you know it's likely the Microsoft Tech Support Scam (see Snopes). Not a big deal: we scan the computer, make sure nothing is lurking in scheduled tasks or the startup entries, and point them to information on reversing any charges if it got that far.
Well this time was different. “They changed my password on my computer and now I can’t log back in. Can you reset it?” That was new for me and pretty clever. I told her absolutely – we reset passwords often. A quick boot into System Rescue CD, mount the drive, and run chntpw. Voila!
So I get the computer (running Windows 8.1), boot it up, and see this:
"This computer is configured to require a password in order to startup". This looked vaguely familiar, and not in a good way, especially on Windows 8, since that popup has a very Windows NT vibe. A quick trip to Google and it all came back: Syskey encrypts the password hashes stored in the SAM hive, and in this mode the key is derived from a password that Windows demands at startup, before anyone can log on. So even if chntpw could blank the account password offline, the machine would still stop at that prompt. This was going to be harder than I thought, so I called the customer to get a little more info…
So now what? Maybe a registry restore? I've used that technique a number of times. Sure enough, some searching turned up another IT shop that had done that very thing:
The ONLY solution is to find a clean copy of the registry hives from before this occurred. This scammer knew this, however, and as such, he took an extra step to block any repair or recovery attempts: he deleted all System Restore points on the machine, which normally house backup copies of the registry hives.
- Boot to external media of some sort (NOT your Windows installation) and navigate to the %SYSTEMROOT%\system32\config folder.
- Backup the registry hives in this folder to a temporary location.
- Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
- Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder.
- Reboot the PC.
Easy enough, right? So I whip out System Rescue CD, boot into the recovery prompt, and try to mount the main partition:
The mount was refused. Windows 8 has Fast Startup enabled by default, so a normal shutdown is really a partial hibernate that leaves the NTFS volume marked as in use, and ntfs-3g will not mount a hibernated volume read-write (though I've mounted Windows 8 partitions in SysResCD plenty of times). Whatever the scammers had done was also causing an odd shutdown, leaving the file system in a sketchy state. I clicked Restart on the Syskey prompt and booted into SysResCD a few times. No luck.
The Windows 8 recovery console on the disk was no help, because its options require you to log in to a user account, which can't be done while the SAM is encrypted, so I could not get a Command Prompt to come up. Before forcing the mount in SysResCD, I tried my USB Windows 8.1 Recovery Stick. Interestingly, this gave me a Command Prompt without a login AND the C: drive was mounted. *SCORE*
So I went into the RegBack directory, copied out the backup that the scammer overlooked (it was from a few days before the scam), and the system booted normally. Sadly, I suspect the scammers will start wiping out RegBack pretty soon, and then you're in trouble.
No RegBack directory? Here are some sites I stumbled across in my research that may help, though I didn't need to try any of these, so YMMV.
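The restore procedure quoted above and the mount trouble described just after it, put together as a script you can run from the live CD. This is an added example, not code from the original post or from the IT shop quoted above. It assumes you are root on a Linux live environment (SystemRescueCd or similar) with ntfs-3g installed, that the Windows volume is the device you pass to mount_windows, and that the Windows directory path you pass to restore_regback uses the case it has on disk (ntfs-3g is case-sensitive). It also guards against a caveat the page does not mention: on Windows 10 1803 and later, RegBack is no longer populated by default and holds zero-byte files, which must never be copied over the live hives.

```sh
#!/bin/sh
# Added example (not from the original post): put the registry hives that
# Windows keeps in System32\config\RegBack back over the Syskey-locked ones,
# from a Linux live environment. Assumes root, ntfs-3g, and a Windows volume
# on the device you pass to mount_windows.

HIVES="SAM SECURITY SYSTEM SOFTWARE DEFAULT"

# Mount the Windows volume read-write. With Fast Startup enabled, a normal
# Windows 8 shutdown leaves the volume hibernated and ntfs-3g refuses to
# mount it writable; "remove_hiberfile" discards the hibernation image so
# the mount can proceed (any unsaved Windows session state is lost, which
# is acceptable here since nobody can log in anyway).
mount_windows() {
    dev=$1
    mnt=$2
    mkdir -p "$mnt" || return 1
    ntfs-3g "$dev" "$mnt" 2>/dev/null && return 0
    echo "plain mount failed (volume probably hibernated); retrying with remove_hiberfile" >&2
    ntfs-3g -o remove_hiberfile "$dev" "$mnt"
}

# Copy the RegBack hives over the live ones. $1 is the Windows directory on
# the mounted volume (e.g. /mnt/win/Windows). The locked hives are moved into
# a timestamped folder beside them so the change can be undone and the
# Syskey'd SAM kept as evidence. Prints the path of that folder on success;
# returns 1 (touching nothing) if RegBack is absent or holds no usable hive.
restore_regback() {
    cfg="$1/System32/config"
    back="$cfg/RegBack"
    if [ ! -d "$back" ]; then
        echo "no RegBack directory under $cfg; nothing to restore" >&2
        return 1
    fi
    keep="$cfg/locked-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$keep" || return 1
    restored=0
    for h in $HIVES; do
        # A missing or zero-byte hive means the backup was never taken
        # (Windows 10 1803+ no longer fills RegBack by default). Copying an
        # empty file over SYSTEM or SAM would make the install unbootable,
        # so that hive is left alone and the operator is told.
        if [ ! -s "$back/$h" ]; then
            echo "warning: $back/$h missing or empty; $h left untouched" >&2
            continue
        fi
        [ -f "$cfg/$h" ] && cp -p "$cfg/$h" "$keep/$h"
        cp -p "$back/$h" "$cfg/$h" || return 1
        restored=$((restored + 1))
    done
    [ "$restored" -gt 0 ] || return 1
    # Show RegBack's timestamps so you can confirm the copy predates the
    # scam call rather than already containing the Syskey'd hives.
    ls -l "$back" >&2
    echo "$keep"
}

# Usage from the live CD, for example:
#   mount_windows /dev/sda2 /mnt/win && restore_regback /mnt/win/Windows
```

The timestamp check matters: RegBack is refreshed by a scheduled task, so if the machine ran for a while after the scammer set the Syskey password, the backup may itself hold the locked hives. The kept copy of the original hives lets you roll back in that case and also preserves what the scammer left behind if you need to hand it to someone later.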
30 Responses for "Unlocking After the Microsoft Support Phone Scam"
Hey,
thanks for all these very helpful tips and hints! I had a customer who was trapped by exactly this. But thanks to your site I was able to help her.
Keep up the good work!
— Jesper
I placed the infected HD in another machine, copied over the RegBack files to the Config dir, restarted, and the password popup was gone. I updated the machine to Win10. Then a popup looking like a blue screen saying the machine was infected appeared. I ran Task Manager and it showed "DV.EXE" running. I stopped it and the popup disappeared. I deleted DV.exe, restarted, and the machine has been clean since with no problems.
How can I decrypt files that are locked by the Syskey scam password?
@Robert, thanks. I managed to bypass the Syskey password by inserting the laptop drive in an external caddy and then connecting it to my PC. I then copied the contents of c:/windows/system32/config/RegBack into c:/windows/system32/config. I replaced the drive back into the laptop and it booted into Windows as normal.
Once in, I completed a system restore dated 2 weeks back and then made sure there was no left overs of installed programs in the program folders that the scammers had used to access the system. So far all good.
Found RegBack, did as posted; took a while, but back in business!
Nice.
Cheers from Australia!
Worked like a charm
Thanks for the great advice on this
Sometimes you spend hours searching for which solution may work.
I need help in this matter from a scam. I do not have another PC to use to help me. Do I need a disk/DVD, or can I plug my PC into my phone? I really need help. PLEASE. I am not a computer wiz at all….
I need help with being locked out of my PC.
Thank you so much Jake!!!! Worked like a charm.
When I try to access the locked drive (attached to a second computer) I cannot access it (Access denied). (I am connecting to my main computer via USB.) So I can see the drive… mounted as drive I.
Try this before any other solution: put a Windows disc in the DVD drive, boot from that, and select 'repair'.
Just worked like a charm for me! It over-writes vital Windows files.
Download ISO of Windows on another machine if you need to.
Or you can delete the syskey program and let them try and tinker around. At that point, after they have found you don't have it anymore, you can use the program they are using to connect to your computer, use the file transfer system in it, and try to copy his files without him knowing, and then cut the connection and remove the internet plug. Then call the police and give them the files, or the FBI. Your choice in the matter, since they might have to go through Interpol.
Here's how to get rid of the syskey program and no, it won't damage your computer even if it says it will. It's just getting rid of the program and nothing else.
1.) Go to your system32 folder and search for syskey by typing it in the search box.
2.) Right click and go to Properties.
3.) Go to the Security tab and click on Advanced.
4.) At the top, click on Change and type administrator, then click on Check Names; if it shows your user name/administrator underlined, click on OK and then OK on the next window.
5.) Next, under Group or User Names, click on Administrators, and then click on Edit.
6.) Check the Full Control box, then Apply and OK.
7.) Go to Advanced again and now look for Administrators and click on Change Permissions; click on Administrators, Edit, check Full Control, Apply, and then OK.
8.) At that point, you can delete it as normal.
9.) Watch them suffer trying to use the program.
10.) Laugh like an evil Overlord.
11.) Calm down and call the FBI or Police, let them track your call and connections.
I had a customer bring in a computer with this problem.
I had no idea that the security aspect of it went so deep.
What happens if/when the scammers start erasing not only the system restore files, but the RegBack files as well?
I was lucky though: I actually guessed the password that the hacker put on the computer, and apparently bypassed a lot of work. It still has the password dialogue box, but since I know the password I can bypass the problem. I want to get rid of it anyway, though, now that I can boot into Windows.
AWESOME thanks people. I did the same as most but I just booted Ubuntu live USB, opened the Windows disk and copied the contents of
c:/windows/system32/config/RegBack/
into
c:/windows/system32/config/
Then rebooted and it went to Automatic Repair (HP UEFI), clicked Advanced and Continue to Windows, and straight to the login and Desktop! YAYY! Stupid scammers targeting my friends, SHAME ON THEM!
I followed the same; with Windows 10 I had to remove the HD and access it with another machine. Unfortunately, when I copied the reg backups and then reinstalled the HD and rebooted, there was no change: it still asked for the Syskey password.
Thank you so much for this. Worked like a charm on a clients laptop!!
Thanks for the post, helped with our similar issue. Much appreciated.
How can I fix my computer without a CD? I've been scammed, my Windows XP edition has a password now and I can't log in. Please help.
My daughter fell victim and allowed a remote login on a fairly high end HP Win 8.1 PC; it now shows the Startup Password prompt you display above. Entering the original admin password the 3rd time gets you to a Windows recovery panel of options, but none work since it says there is no administrator assigned and it won't run any options. I tried to install a brand new WIN10 HOME OEM CD but the BIOS now seems corrupt as well, since it doesn't display the typical options and, though it detected the DVD, it gives an "ERROR: can't boot from boot device or BAD DVD" error… we're going to basically give up and buy a new PC because I see no easy way to resolve this without a BIOS we can trust.
OMG! I knew better than this, but the caller knew my name and my caller ID said Microsoft. I'm locked out of my PC and I'm not a computer guy. Does anyone know a password? I read on another site that someone had the same issue and one of the members of the forum sent them a password and it worked. Please help!!!
Worked. So cool. Thanks for this post. Appreciate it
They've changed their name to Windows Support. To see their new game in action, check rainierland.is and select John Wick 2; they'll tell you about how your computer has 3 viruses. Oh, and yes, they still call.
Fell for the scam, I need help, locked out completely.
So this isn't a new thing, but it's just happened to me on my HP ENVY 23 desktop all-in-one. I have that exact need-a-password screen. We didn't have Internet for a while, so now that it's back on, after a week or so I just thought it was all due to it needing missing updates and such… I have Windows 10 but it came with 8.1, I think, when I bought it around Dec of 2015… no problems till this… NOW WHAT DO I DO?? All that stuff you mention is Greek to me…
Thank you for this. One of my clients had a call, and looking at the Win+R history it shows the person who remoted on used SYSKEY. The steps you placed above worked a charm!
Soooo.. since my client hasn’t had the machine for long, I’m guessing you can just run the recovery CD, format the drive and reload?
Thank you! I was able to recover the \Regback files from the Win10 repair console (no external boot media required).
Jake, you're the man. Thanks, your fix worked like a charm.
I have this problem now; yes, I was a dumbass and called the number that popped up on my screen. And now I don't know how to fix it. I don't know much about computers; is there anyone that can walk me through the process?
Thank you very much! This worked for me as well.. 🙂