
keysofanxiety
Original poster
Hi all,

I've had a fair few calls recently from people getting their computers locked down with SysKey. As expected, the passwords are normally 1234 or 12345; completely synonymous with scammers setting this up.

However my clients have assured me that nobody has had remote access to their computer, they haven't had any cold calls from people pretending to be Microsoft, and haven't let anybody have use of their computers.

Just to give them the benefit of the doubt -- I was wondering if anybody else who works in customer care has seen this sort of thing pop up frequently in the last month? Can you also think of any way that malware/elevated applications can set this up without the users' knowledge, or would it have to have been activated manually?

Thanks for any advice or thoughts; just want to keep on my toes with this sort of thing.

[Attachment: SysKey-Dialog.gif]
 
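For the situation described in the post above (a support tech wanting to know whether a machine has actually been put into SysKey password mode, and to check that from recovery media rather than trusting the caller's account), here is an added example. It is not code from any post in this thread. It reads the SysKey startup mode that Windows records in the SYSTEM hive, either on the live machine or from an offline hive of a locked box booted into WinPE. The registry location and the meaning of the values 1, 2 and 3 are the standard documented Windows behaviour, but confirm them on your own build; the mount name SysKeyAudit is an arbitrary choice for the example.

```powershell
# Added example, not code from any post in this thread.
# Reports the SysKey startup mode recorded in a Windows SYSTEM hive, either the
# running machine's or an offline hive from a locked machine booted into
# WinPE / recovery media.
#
# Assumption (standard Windows behaviour, but confirm on your build): the mode
# is the REG_DWORD value SecureBoot under
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa
#   1 = startup key kept in the registry (Windows default, no prompt at boot)
#   2 = startup password required (the state a scammer leaves behind)
#   3 = startup key on removable media ("floppy")
# An offline hive has no CurrentControlSet link, so the control set number is
# taken from the hive's Select\Current value instead.

function Get-SysKeyMode {
    [CmdletBinding()]
    param(
        # Offline SYSTEM hive, e.g. D:\Windows\System32\config\SYSTEM.
        # Omit to inspect the machine the script is running on.
        [string]$HivePath
    )

    $modeNames = @{
        1 = 'key in registry (normal, no boot prompt)'
        2 = 'startup password required (machine is locked at boot)'
        3 = 'key on removable media (prompts for it at boot)'
    }

    $mountName = $null
    if ($HivePath) {
        if (-not (Test-Path -LiteralPath $HivePath)) { throw "Hive not found: $HivePath" }
        # reg.exe load needs an elevated session and a hive that is not in use.
        $mountName = 'SysKeyAudit'   # hypothetical mount name; any unused key name works
        & reg.exe load "HKLM\$mountName" $HivePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }
        $root = "HKLM:\$mountName"
    } else {
        $root = 'HKLM:\SYSTEM'
    }

    try {
        # Select\Current holds the number of the control set that boots.
        $current = (Get-ItemProperty -LiteralPath "$root\Select" -Name Current).Current
        $lsaKey  = '{0}\ControlSet{1:D3}\Control\Lsa' -f $root, $current
        $item    = Get-ItemProperty -LiteralPath $lsaKey -Name SecureBoot -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $mode  = $null
            $label = "SecureBoot value not present under $lsaKey"
        } else {
            $mode  = [int]$item.SecureBoot
            $label = if ($modeNames.ContainsKey($mode)) { $modeNames[$mode] } else { "unknown mode $mode" }
        }
        [pscustomobject]@{
            Source        = if ($HivePath) { $HivePath } else { 'live HKLM\SYSTEM' }
            Mode          = $mode
            Meaning       = $label
            PromptsAtBoot = ($mode -eq 2 -or $mode -eq 3)
        }
    }
    finally {
        if ($mountName) {
            [gc]::Collect()   # drop provider handles so the unload is not refused
            & reg.exe unload "HKLM\$mountName" | Out-Null
        }
    }
}

# Usage: on the machine itself, or against the hive of a locked machine.
Get-SysKeyMode
# Get-SysKeyMode -HivePath 'D:\Windows\System32\config\SYSTEM'
```

A result of 2 confirms the machine really is in password mode and is not, say, a forgotten Windows account password; it says nothing about who set it or how. Reading the value is harmless, but loading and unloading a foreign hive requires an elevated session, and the script deliberately never writes to the hive.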
For malware: if its actions need user consent, then it is not malware at all.
Also, I have been watching a ton of scammer exposé videos these days, so I am fully aware of this SysKey thingy. Very annoying.
To remove it, you need tools to reset the SAM to remove the SysKey password. I forgot where to find these tools, though.
If your IT department has spare time, let them develop a fake SysKey and let those scammers enter whatever password they like. This is used to replace the real SysKey, so that next time those scammers would not be able to just lock users out.
 

Ah yeah, not to worry, as we're versed in how to remove it. Just wondering if it can be activated without anybody actively doing it remotely? As in, is the only way SysKey can be activated by opening SysKey and setting a password?

Or can it be scripted, then the user just blindly clicks "OK" on the UAC prompt, and it's locked down?

Just trying to figure if they're telling porkies about somebody remote accessing their computer, or if malware/PUPs are getting cleverer. :)
 
Hmm, the only way I know to set a SysKey is through the graphical interface, not any programmatic method.
And the worst case of setting a SysKey is losing all files encrypted using EFS without a certificate backup. So this could not cause much actual harm, I think.
 

Thank you for taking the time to respond to my queries. Just as I thought -- it's likely that somebody got access to their computer and they were a little confused about who it was (as we frequently use remote access as well). So no need to keep on my toes with a new type of nasty malware!

Best wishes and hope you have a great weekend. :)
 
Hope you have a great weekend too.
 