Syskey
   HOME

TheInfoList



OR:

The SAM Lock Tool, better known as Syskey (the name of its
executable file In computing, executable code, an executable file, or an executable program, sometimes simply referred to as an executable or binary, causes a computer "to perform indicated tasks according to encoded instructions", as opposed to a data file ...
), is a discontinued component of
Windows NT Windows NT is a proprietary graphical operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems sc ...
that
encrypts In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can deci ...
the
Security Account Manager The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It can be used to authenticate local and remote users. Beginning with Windows 2000 SP4, Active Directory a ...
(SAM)
database In computing, a database is an organized collection of data stored and accessed electronically. Small databases can be stored on a file system, while large databases are hosted on computer clusters or cloud storage. The design of databases sp ...
using a 128-bit
RC4 In cryptography, RC4 (Rivest Cipher 4, also known as ARC4 or ARCFOUR, meaning Alleged RC4, see below) is a stream cipher. While it is remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, ren ...
encryption key A key in cryptography is a piece of information, usually a string of numbers or letters that are stored in a file, which, when processed through a cryptographic algorithm, can encode or decode cryptographic data. Based on the used method, the key c ...
. First introduced in the Q143475 hotfix which was included in
Windows NT 4.0 Windows NT 4.0 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It is the direct successor to Windows NT 3.51, which was released to manufacturing on July 31, 1996, and then to retail ...
SP3, it was removed in
Windows 10 Windows 10 is a major release of Microsoft's Windows NT operating system. It is the direct successor to Windows 8.1, which was released nearly two years earlier. It was released to manufacturing on July 15, 2015, and later to retail on J ...
's Fall Creators Update in 2017 due to its use of cryptography considered unsecure by modern standards, and its use as part of scams as a form of
ransomware Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, ...
. Microsoft officially recommended use of
BitLocker BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in ...
disk encryption Disk encryption is a technology which protects information by converting it into unreadable code that cannot be deciphered easily by unauthorized people. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that g ...
as an alternative.


History

First introduced in the Q143475 hotfix included in
Windows NT 4.0 Windows NT 4.0 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It is the direct successor to Windows NT 3.51, which was released to manufacturing on July 31, 1996, and then to retail ...
SP3, Syskey was intended to protect against
offline In computer technology and telecommunications, online indicates a state of connectivity and offline indicates a disconnected state. In modern terminology, this usually refers to an Internet connection, but (especially when expressed "on line" or ...
password cracking In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system in scrambled form. A common approach (brute-force attack) is to repeatedly try ...
attacks by preventing the possessor of an unauthorized copy of the SAM file from extracting useful information from it. Syskey can optionally be configured to require the user to enter the key during
boot A boot is a type of footwear. Most boots mainly cover the foot and the ankle, while some also cover some part of the lower calf. Some boots extend up the leg, sometimes as far as the knee or even the hip. Most boots have a heel that is cle ...
(as a startup password) or load the key onto removable storage media (e.g., a
floppy disk A floppy disk or floppy diskette (casually referred to as a floppy, or a diskette) is an obsolescent type of disk storage composed of a thin and flexible disk of a magnetic storage medium in a square or nearly square plastic enclosure lined w ...
or
USB flash drive A USB flash drive (also called a thumb drive) is a data storage device that includes flash memory with an integrated USB interface. It is typically removable, rewritable and much smaller than an optical disc. Most weigh less than . Since firs ...
). In mid-2017, Microsoft removed syskey.exe from future versions of Windows. Microsoft recommends using "
BitLocker BitLocker is a full volume encryption feature included with Microsoft Windows versions starting with Windows Vista. It is designed to protect data by providing encryption for entire volumes. By default, it uses the AES encryption algorithm in ...
or similar technologies instead of the syskey.exe utility."


Security issues


The "Syskey Bug"

In December 1999, a security team from BindView found a security hole in Syskey that indicated that a certain form of offline
cryptanalytic Cryptanalysis (from the Greek ''kryptós'', "hidden", and ''analýein'', "to analyze") refers to the process of analyzing information systems in order to understand hidden aspects of the systems. Cryptanalysis is used to breach cryptographic s ...
attack is possible, making a
brute force attack In cryptography, a brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct ...
appear to be possible. The problem is that SYSKEY has RC4 keystream reuse problems. Microsoft later issued a fix for the problem (dubbed the "Syskey Bug"). The bug affected both Windows NT 4.0 and pre-RC3 versions of
Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RTM), releas ...
.


Use as ransomware

Syskey is commonly abused by "tech support" scammers to lock victims out of their own computers, in order to coerce them into paying a ransom.


See also

*
LM hash LAN Manager is a discontinued network operating system (NOS) available from multiple vendors and developed by Microsoft in cooperation with 3Com Corporation. It was designed to succeed 3Com's 3+Share network server software which ran atop a heav ...
*
pwdump pwdump is the name of various Windows programs that outputs the LM and NTLM password hashes of local user accounts from the Security Account Manager The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, ...


References

{{Windows Components Cryptographic software Microsoft Windows security technology Windows administration