If this is a shady thing I'm asking for, admins are welcome to delete my post.

I have a new client who unfortunately fell for "the Microsoft call" enough to let the caller onto her computer. She didn't give them any personal information, but now her computer is locked at the syskey level

Is there any way around this? All my searching has led me to some sites that don't engender much trust.

I have used this bootable CD in the past (Windows 2000 & XP era). It worked to reset the password.

Thanks for the recommendation! Unfortunately I can't get it to work. I downloaded and burned the disc, but when I boot to it I get halted at some point where it says it can't find "TRK." I thought this disc was TRK. I don't know where else it would find it...

What kind of PC is this? Some Linux distros won't boot unless you're using legacy boot mode (not UEFI) in your BIOS. If the PC is running Windows 8 from the factory, it's probably UEFI. Look around the bios to see if you can temporarily change it to legacy boot mode.

No UEFI. It's an Inspiron 620 with Windows 7. From what I've been able to find online, TRK has problems with some optical drives' chipsets or something along those lines. I don't think there's a fix.

I'm currently walking through these instructions, but I got to the point where I'm supposed to select "syskey status & change" but it's not there! Dang. Seemed like that one would work...

Take the hard drive out and put it in something that will properly boot from the CD?

Skip the optical drives' chipsets and boot from a USB drive?
http://trinityhome.org/Home/index.php?co...n&locale=en

Thanks guys, I ended up with a combination of the two. The USB stick wouldn't boot (most likely the PC's fault), but when I booted to the TRK CD, this time it was able to find what it needed from the USB stick. Neat. I'll report what happens.

Rob, did you use TRK to reset a syskey password or just a regular user account password? I don't see an option to do anything to the syskey password...

I have used this to reset the Admin password when it's been forgotten by the users. It's my understanding there is some function in this utility to disable syskey. This operation may come with consequences.

This looks like a fairly complete solution.
http://computernetworkingnotes.com/xp-tips-and-trick/remove-administrator-password.html

Havent heard of this one before but have reset the odd local password in my time.

Indeed. I found the syskey option after my last post, but by that point I'd already tried the operation with Hirens Boot CD. It did not go well. To be fair to Hirens, it warned that the computer may end up in an endless boot loop, and that's exactly what happened. I'm going to check if the system has a registry backup from before the scam, but I'm not optimistic. I tried using a Windows 7 disc to do a system restore, which I assume would have put the system back to a point before the syskey was set up, but every time I tried the restore it ended up giving me some sort of error.

Oh well. Time to grab the data and reformat!

Huzzah!

I tried one last thing (I might have mentioned it earlier). Using a Windows 7 install disc, I went into repair mode and the command prompt. I then navigated to the config folder and found that the regback folder had files in it from a few days before the incident! I backed up the files, put the regback files in the main config folder, and rebooted. Hooray! The system booted and all is good. I'll be running my full suite of scans on this thing to make sure it's clean.

Thanks for the help. I'm going to hold onto this TRK disc for future use. It's certainly a much easier to use password cracking disc than others I've used like OPHCrack. Most of the time I get users who simply forgot their user account password.

You're good now. Save the data, wipe the drive. It's just not worth something lingering that scans don't find.

-jk

For posterity, I've been using this bootdisk for many years with great success:

http://pogostick.net/~pnh/ntpasswd/

Thanks! Though I don't see any mention of the syskey, which is different from the admin password.


Sometimes this is true, but in this case I can be fairly certain that all they did was create a syskey password as a lame ransom attempt. If the solution was always to back up the data, wipe the computer, and start over, I'd be out of business because nobody would pay for the time it would take to do that.

Question for those of you who have done password recoveries/resets.

I'm working on a computer that needs to be unlocked (users are always forgetting their passwords). I've tried several password recovery/clearing tools, from Rob's TRK to UBCD to a copy of OPHCrack. I've been able to use all of these in the past to reset a password, but this time I'm having a weird problem.

When I boot up the computer normally, I get to a login prompt with a username of "Shelly." When I load up any of these password recovery applications, that account isn't even listed. I can reset the administrator account's password, but I can't seem to be able to access the administrator account...

Any ideas why the account isn't showing up?

*Edit*
Nevermind! I totally missed the option in TRK to enable the Administrator account. Thanks again, Rob, for mentioning such a great resource. I've used it several times since you linked me to it in this thread.