Friday 8 August 2014

Scammers using SysKey

We had a home user give us a call saying he had taken a call from scammers who convinced him to let them access his Windows 7 PC, and they had now 'irreversibly' locked the computer. He said he had called round a bunch of other companies in the area and none of them wanted to touch it. Being the helpful sort and unable to say no to a challenge, we took on the task.

When we booted it up it was not what we expected. We didn't think it would be a hard job, most likely some sort of ransomware we could easily remove; alas, it was SysKey. Reading up on it, there seemed to be a lot of people claiming it can be done, with various methods.

One method mentioned was using DaRT from Microsoft, a load more used the offline NT password resetter from pogostick.net, and another used chntpw. None of these worked for us.

Reading a bit more on what SysKey actually does gave me another idea on how to work around the issue: the startup password lives in the registry hives themselves, so the copies Windows keeps in RegBack from before the scammers' visit wouldn't have it. I loaded up an Ubuntu Live CD from our Zalman drive (which boots ISOs), went into the Windows\System32\config directory, renamed all the registry hives, copied the ones from the RegBack sub-directory into the config folder, and rebooted with fingers, toes, arms and legs crossed...

Thankfully that worked a charm!
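The RegBack swap described above, scripted so it can be checked and reversed. This is an added example, not the original post's own steps or any vendor's tool; it assumes the Windows volume is already mounted read-write from the live CD (e.g. with ntfs-3g), that the argument is the path to its Windows/System32/config directory, and that the hive file names are upper-case as on Windows 7.

```shell
#!/bin/sh
# Swap the live registry hives for the RegBack copies (added example).
# Assumes the Windows volume is mounted read-write and $1 is the path to
# Windows/System32/config. Hive names assumed upper-case as on Windows 7.
# Usage: . ./regback.sh && restore_regback /mnt/win/Windows/System32/config

HIVES="SAM SECURITY SOFTWARE SYSTEM DEFAULT"

# Every RegBack hive must exist and be non-empty: newer Windows builds leave
# zero-byte placeholders there, and copying those in would leave the
# install unbootable.
regback_ok() {
    for hive in $HIVES; do
        [ -s "$1/RegBack/$hive" ] || return 1
    done
    return 0
}

# Rename the current (SysKey-locked) hives aside and copy the RegBack set in.
# Nothing is deleted, so the change can be undone. Returns 1 if RegBack is
# unusable and then touches nothing.
restore_regback() {
    config_dir="$1"
    regback_ok "$config_dir" || return 1
    for hive in $HIVES; do
        [ -e "$config_dir/$hive" ] && mv "$config_dir/$hive" "$config_dir/$hive.syskey"
        cp -p "$config_dir/RegBack/$hive" "$config_dir/$hive"
    done
    return 0
}

# Put the renamed hives back (e.g. if the RegBack copies turn out to be stale).
undo_restore() {
    config_dir="$1"
    for hive in $HIVES; do
        [ -e "$config_dir/$hive.syskey" ] || continue
        mv "$config_dir/$hive.syskey" "$config_dir/$hive"
    done
    return 0
}
```

The RegBack copies are only as recent as the last registry backup, so any account or software changes made after that point are lost along with the scammers' SysKey password.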