
So a customer calls me and is a little hesitant to explain what’s wrong with her computer. Almost without fail, when they dance around what happened you know it’s likely the Microsoft Tech Support Scam (see Snopes). Not a big deal: we scan their computer, ensure nothing is lurking in scheduled tasks or startup, and point them to information on reversing any charges if it got that far.

Well this time was different. “They changed my password on my computer and now I can’t log back in. Can you reset it?” That was new for me and pretty clever. I told her absolutely – we reset passwords often. A quick boot into System Rescue CD, mount the drive, and run chntpw. Voila!

So I get the computer (running Windows 8.1), boot it up, and see this:

[Screenshot: the syskey startup password prompt]

“This computer is configured to require a password in order to startup”. This looked vaguely familiar, and not in a good way, especially on Windows 8, since that popup has a very Windows NT vibe. A quick trip to Google and it all comes back. Syskey encrypts the SAM hive, where all the local password hashes are stored, with a key derived from that startup password. This was going to be harder than I thought… So I called the customer to get a little more info…
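As an added example (not code from the original post), here is the kind of triage we run once a machine boots again: it reports the syskey mode, dumps the autostart entries, and lists scheduled tasks outside the Microsoft folder. It assumes an elevated PowerShell 5.1+ session on Windows 8.1 or later; the SecureBoot value meanings are the ones Microsoft documents for syskey.

```powershell
# Added triage script (not from the original post). Run elevated on the live system.

function Get-SyskeyMode {
    # Syskey records its mode in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot:
    # 1 = key kept in the registry (the default), 2 = startup password required,
    # 3 = key kept on removable media. 2 or 3 on a home PC after a "support" call
    # is a red flag.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    switch ($lsa.SecureBoot) {
        1       { 'Key stored locally (normal)' }
        2       { 'STARTUP PASSWORD REQUIRED - check for tampering' }
        3       { 'Key on removable media - check for tampering' }
        default { 'Unknown / value absent' }
    }
}

function Get-StartupEntries {
    # Run/RunOnce keys and Startup folders where a scammer typically leaves something behind.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Get-ItemProperty adds PSPath/PSDrive/etc.; skip those provider properties.
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
    }
    $folders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    )
    foreach ($dir in $folders) {
        Get-ChildItem $dir -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
    }
}

function Get-NonMicrosoftTasks {
    # Everything outside \Microsoft\ with the command each task runs, so odd entries stand out.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        Select-Object TaskName, TaskPath, State,
            @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

"Syskey mode: $(Get-SyskeyMode)"
Get-StartupEntries   | Format-Table -AutoSize
Get-NonMicrosoftTasks | Format-Table -AutoSize
```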
