Use the SysKey utility to secure the Windows Security Accounts Manager database

The Security Accounts Management Database (SAM) stores hashed copies of user passwords. This database is encrypted with a locally stored system key. To keep the SAM database secure, Windows requires that the password hashes are encrypted. Windows prevents the use of stored, unencrypted password hashes.

Syskey was introduced with Windows NT 4.0 SP3. It was meant to protect against offline password cracking attacks by preventing the possessor of an unauthorised copy of the SAM from extracting useful information from it. However, these days the feature is being misused by scammers to lock naïve victims out of their own computers and so coerce them into paying a ransom.

In what has been called the technical support scam, scammers claiming to represent Microsoft, Windows, Google, the FBI, or another group attempt to extort money from unsophisticated computer users, usually over the telephone. Using various social engineering techniques and pretexts (e.g., claiming that the victims' computers are infected with a virus, contain illicit content, or are about to fail due to "serious" errors that are in fact normal), scammers often try to fool victims into believing that their computers are in need of support or maintenance which the caller will provide on payment. If the direct approach fails, the scamming party will invoke the syskey command and configure a password known only to them, thereby locking the victim out of their own system after the computer is rebooted.

You can use the SysKey utility to additionally secure the SAM database by moving the SAM database encryption key off the Windows-based computer. The SysKey utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database. This article describes how to use the SysKey utility to secure the Windows SAM database.

 Configure Windows System Key Protection

1 From Start Menu search box or from Run dialog box type syskey, and then press ENTER key.

Securing the Windows Account Database.jpg

2 In the "Securing the Windows Account Database" dialog box, note that the Encryption Enabled option radio box is selected and is the only option available. When this option is selected, Windows will always encrypt the SAM database.
3 Click Update button.

4 Click Password Start-up if you want to require a password to start Windows. Use a complex password that contains a combination of upper case and lower case letters, numbers, and symbols. The startup password must be at least 12 characters long and can be up to 128 characters long.



5 Click System Generated Password radio box, if you do not want to require a startup password.

Select either of the following options:

  • Click Store Startup Key on Floppy Disk to store the system startup password on a floppy disk. This requires that someone insert the floppy disk to start the operating system.
  • Click Store Startup Key Locally to store the encryption key on the hard disk of the local computer. This is the default option.

Click OK two times to complete the procedure.

Remove the SAM encryption key from the local hard disk by using the Store Startup Key on Floppy Disk option for optimum security. This provides the highest level of protection for the SAM database.

Always create a back-up floppy disk if you use the Store Startup Key on Floppy Disk option. You can restart the system remotely if someone is available to insert the floppy disk into the computer when it restarts.

The Microsoft Windows NT 4.0 SAM database was not encrypted by default. You can encrypt the Windows NT 4.0 SAM database by using the SysKey utility.