
So a customer calls me and is a little hesitant to explain what’s wrong with her computer. Almost without fail when they dance around what happened – you know it’s likely the Microsoft Tech Support Scam. (See Snopes). Not a big deal – we scan their computer, ensure nothing is lurking in scheduled tasks or startup, and point them to information related to reversing any charges if it got that far.

Well this time was different. “They changed my password on my computer and now I can’t log back in. Can you reset it?” That was new for me and pretty clever. I told her absolutely – we reset passwords often. A quick boot into System Rescue CD, mount the drive, and run chntpw. Voila!

So I get the computer (running Windows 8.1), boot it up, and see this:

[Screenshot: the Syskey startup password prompt]

“This computer is configured to require a password in order to startup”. This looked vaguely familiar, and not in a good way, especially on Windows 8, since that popup has a very Windows NT vibe. A quick trip to Google and it all came back: Syskey encrypts the password hashes stored in the SAM hive, and in this mode the key is derived from a password that has to be typed at startup. This was going to be harder than I thought… So I called the customer to get a little more info…

The customer had a Dell support plan, so when she realized she’d been had, she had Dell log in and clean the computer, which they did (TDSS scans, CCleaner, Malwarebytes, ADWCleaner, and more were run). Then they restarted the computer and up popped the Syskey prompt. The scammers had encrypted the SAM hive and it was just waiting for a restart. Not long after, the scammer called back asking the client how their computer was and whether they needed help with it. Crafty.

So now what? Maybe a registry restore? I’ve used that technique a number of times. Sure enough – some searching and I found another IT shop that had done that very thing:

The ONLY solution is to find a clean copy of the registry hives from before this occurred. This scammer knew this, however, and as such, he took an extra step to block any repair or recovery attempts: he deleted all System Restore points on the machine, which normally house backup copies of the registry hives.

  1. Boot to external media of some sort (NOT your Windows installation) and navigate to the %SYSTEMROOT%\system32\config folder.
  2. Back up the registry hives in this folder to a temporary location.
  3. Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
  4. Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder.
  5. Reboot the PC.

Easy enough right? So I whip out System Rescue CD, boot into the recovery prompt, and try to mount the main partition:

[Screenshot: System Rescue CD output from the mount attempt]

I tried rebooting a few times, but you can’t properly shut down Windows 8 because Fastboot is enabled by default (though I’ve mounted Windows 8 partitions in SysResCD plenty of times), so whatever they had done was causing an odd shutdown that left the file system in a sketchy state. I would click Restart on the Syskey prompt and then boot into SysResCD. No luck.

The Windows 8 recovery console was no help because it requires you to log in to a user account, which can’t be done while the SAM is encrypted, so I could not get a Command Prompt to pop up. Before trying to force-mount the partition in SysResCD, I tried my USB Windows 8.1 Recovery Stick. Interestingly, this gave me a Command Prompt without a login AND the C: drive was mounted. *SCORE*

So I went into the RegBack directory, copied out the backup that the scammer overlooked (it was from a few days before the scam), and the system booted normally. Sadly – I suspect the scammers will start wiping out RegBack pretty soon, and then you’re in trouble.
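Here is that RegBack restore written out as a script for the Windows Recovery Environment command prompt. This is an added example, not the post’s own procedure or anyone’s tool; it assumes the offline Windows volume’s drive letter is passed as the first argument (WinRE often maps it to D: rather than C:), that the five standard hives (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM) are the ones to restore, and that ControlSet001 is the active control set in the backup SYSTEM hive. It adds two checks the bare copy lacks: it refuses zero-byte RegBack hives, and it reads the SecureBoot value from the backup SYSTEM hive so you notice a backup that was taken after the scammer already set the startup password.

```batch
@echo off
setlocal EnableExtensions
rem Added example, not from the original post: restore the registry hives from
rem RegBack while booted into the Windows Recovery Environment command prompt.
rem ASSUMPTION: the offline Windows volume's drive letter is passed as %1. WinRE
rem often maps it to D: or E: rather than C:; check with:  wmic logicaldisk get caption
rem Usage:  restore-regback.cmd D:

if "%~1"=="" (
    echo Usage: %~nx0 ^<drive letter of the offline Windows volume, e.g. D:^>
    exit /b 1
)
set "WINVOL=%~1"
set "CONFIG=%WINVOL%\Windows\System32\config"
set "REGBACK=%CONFIG%\RegBack"
set "BACKUP=%WINVOL%\hive-backup-%RANDOM%"
set "HIVES=DEFAULT SAM SECURITY SOFTWARE SYSTEM"

rem 1. Refuse to continue if any RegBack hive is missing or zero bytes. (Zero-byte
rem    RegBack hives are the default since Windows 10 1803 and are not a usable backup.)
for %%H in (%HIVES%) do (
    if not exist "%REGBACK%\%%H" (
        echo Missing "%REGBACK%\%%H" - no RegBack copy to restore.
        exit /b 2
    )
    for %%F in ("%REGBACK%\%%H") do if %%~zF EQU 0 (
        echo "%REGBACK%\%%H" is empty - not a usable backup.
        exit /b 2
    )
)

rem 2. Show timestamps so you can confirm the backup predates the scam call.
echo Current SYSTEM hive:
dir "%CONFIG%\SYSTEM"
echo RegBack hives:
dir "%REGBACK%"

rem 3. Check that the backup SYSTEM hive is not itself set to a Syskey startup
rem    password. Control\Lsa\SecureBoot: 1 = key kept in the registry (normal),
rem    2 = startup password, 3 = key on floppy. If the backup already says 2, it
rem    was taken after the scammer's change and will not help.
rem    ASSUMPTION: ControlSet001 is the active control set (see Select\Current).
reg load HKLM\rb_system "%REGBACK%\SYSTEM" >nul 2>&1
if errorlevel 1 (
    echo Could not load the backup SYSTEM hive for inspection; check the timestamps carefully.
) else (
    reg query HKLM\rb_system\ControlSet001\Control\Lsa /v SecureBoot 2>nul | find "0x2" >nul
    if not errorlevel 1 echo WARNING: backup SYSTEM hive also has SecureBoot=2; it postdates the change.
    reg unload HKLM\rb_system >nul 2>&1
)

set /p CONFIRM=Copy the RegBack hives over the current ones? [y/N]
if /i not "%CONFIRM%"=="y" exit /b 0

rem 4. Save the current (encrypted) hives first, then copy the RegBack set in.
mkdir "%BACKUP%" || exit /b 3
for %%H in (%HIVES%) do (copy /y "%CONFIG%\%%H" "%BACKUP%\" >nul || exit /b 3)
for %%H in (%HIVES%) do (copy /y "%REGBACK%\%%H" "%CONFIG%\" >nul || exit /b 4)

echo Done. Original hives saved in "%BACKUP%". Reboot with:  wpeutil reboot
endlocal
```

The script never deletes anything: the hives it overwrites are copied to a fresh folder on the same volume first, so if the machine still won’t boot you can put them back from WinRE with the same `copy /y` in the other direction. The SecureBoot check is read-only (the hive is loaded under a temporary key and unloaded again), and it is the quickest way to tell whether a RegBack set is from before or after the scammer’s visit when file timestamps alone are ambiguous.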

No RegBack directory? Here are some sites I stumbled across in my research that may help, though I didn’t need to try any of them, so YMMV.

  • http://computernetworkingnotes.com/xp-tips-and-trick/remove-administrator-password.html
  • http://www.passcape.com/reset_syskey
  • http://www.oxid.it/ca_um/topics/syskey_decoder.htm