How to use Syskey to make it more difficult to break into your laptop(s) via offline password guessing

Windows XP (and Server 2003) rely upon a series of “Master Keys” to protect both user-specific secrets (including EFS and S/MIME keys) and computer secrets (such as IPsec keys and SSL keys). The Master Keys are themselves encrypted with a “computer startup key” – this is a symmetric key.

For those of you who may be unfamiliar with symmetric key cryptography (such as DES & AES) it’s worth pointing out that the same key is used to both encrypt and decrypt the secret information. This is the converse of asymmetric key cryptography (such as RSA) which uses a pair of keys, one of which is used to encrypt, the other is used to decrypt.

When the operating system starts up, the system will automatically decrypt the computer startup key to provide access to the Master Keys and unlock the Security Account Manager (SAM) database (for local accounts) and Local Security Authority (LSA) secrets.

Syskey is a utility that’s part of Windows that can be used to change the storage location of the computer’s startup key. By default the startup key is located within the machine’s registry – it’s actually broken up and scattered throughout many locations in the registry using an algorithm that uses different locations on each machine – this makes it very difficult for a malicious user to recover should they gain physical access to your machine.  

Syskey provides the means to store the computer startup key on removable media (such as a floppy disk – remember those?). Bear in mind that the media must be available to the machine at boot time, so using this method on a server that doesn’t have the luxury of 24*7 onsite operator support may not be a good idea. Nor, of course, is it a good idea to leave the media in the system.

Syskey also enables you to configure the machine to prompt for the computer startup key at boot time (this can be up to 128 characters long) – this is a great option for laptops as it simply takes the form of a password(phrase) that you enter before logging into Windows. The beauty of this approach is that neither the key nor any form of the key (such as a hash) is actually present on the machine, so there’s nothing to crack unless you count brute forcing the encryption of the Master Keys, which would take significant computational effort (read: a very long time, longer than the data’s likely to be of value).
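The difference between the three storage choices described above can be seen in a small model of what each medium holds. This is an added example, not code from the original post and not Windows' actual Syskey algorithm: the mode names ("local", "removable", "password"), the PBKDF2 derivation and the HMAC-based key wrap are all assumptions chosen so the sketch runs with the Python standard library.

```python
import hashlib
import hmac
import os

# Toy model only: an HMAC-SHA256 keystream and tag stand in for Windows' real algorithms.
def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    stream = b""
    for block in range((len(data) + 31) // 32):
        stream += _sub(key, nonce + block.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(startup_key, master_key):
    """Encrypt the master key under the startup key and append an integrity tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(startup_key, b"enc"), nonce, master_key)
    return nonce + ct + _sub(_sub(startup_key, b"mac"), nonce + ct)

def unwrap(startup_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _sub(_sub(startup_key, b"mac"), nonce + ct)):
        return None  # wrong startup key
    return _xor_stream(_sub(startup_key, b"enc"), nonce, ct)

def _from_passphrase(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def provision(mode, master_key, passphrase=None):
    """Return (disk, removable): what each medium holds for the chosen mode."""
    disk, removable = {"salt": os.urandom(16)}, {}
    if mode == "password":
        startup_key = _from_passphrase(passphrase, disk["salt"])  # never stored
    else:
        startup_key = os.urandom(32)
        (disk if mode == "local" else removable)["startup_key"] = startup_key
    disk["wrapped_master_key"] = wrap(startup_key, master_key)
    return disk, removable

def boot(disk, removable=None, passphrase=None):
    """Recover the master key from whatever is available at boot, else None."""
    key = disk.get("startup_key") or (removable or {}).get("startup_key")
    if key is None and passphrase is not None:
        key = _from_passphrase(passphrase, disk["salt"])
    return unwrap(key, disk["wrapped_master_key"]) if key else None
```

In "password" mode the disk still carries the wrapped blob, so a passphrase guess can be checked offline at the cost of one key derivation. The strength of the passphrase is therefore what sets the effort required.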

The following steps show you how to configure Syskey to require the person using the machine to enter the startup key each time the system boots.

I suggest playing in a Virtual Machine before using this for real – make sure you remember the password(phrase) as you’ll be looking at a system recovery otherwise!

Whilst logged in as an Administrator click on “Start, Run”, enter “syskey” and click on “OK” (or hit return) – alternatively type “syskey” from the command line. You’ll receive the following interface…

Click on “Update” to proceed to the following interface…

Click on “password startup” and enter your password(phrase) – make sure you write this down and store it somewhere safe unless you’re 100% sure you won’t forget it.

Click on “OK” 

Note of caution! The changes will have already been made to the system at this point – even if you “Turn off” a virtual machine they will still take effect at the next reboot.

When the system comes back up you’ll see the following dialog…

Once you enter the computer startup key the system will proceed to the GINA (Graphical Interface for Network Authentication) that you normally see – by default it’s the standard “Control-Alt-Delete” screen – now login as normal.

To reverse the change simply run “Syskey” again (whilst logged in with Administrative privilege) and select “System Generated Password” and take the default of “Store startup key locally” at which point you’ll be prompted to enter the startup key you chose previously.

One last observation: you can enter the startup key incorrectly as many times as you like at this stage, though at boot time you only get three attempts before the system reboots.

There’s an old vulnerability bulletin that explains more about Syskey and its use.

Comments (9)

  1. Blake Handler says:

    Sorry to ask a naive question – but does removable only mean "floppy", or can this be put on a USB device or CD? I’m just thinking about the reliability of floppies.

  2. Katherine Coombs says:

    It’s now officially Friday night…stop working!! 🙂 And before you call me a hypocrite, I’m not working; I’m e-baying 🙂

  3. Ned (PSS) says:

    I would add – once you have physical access, all bets are off except if it’s a DC and SYSKEY 3. Tools out there can defeat SYSKEY (with or without floppy) in a few seconds. NTPassWd is one of them, but there are plenty of black and white-hat versions. DCs are a little different, as password replacers can only bust into local SAM for DSRM, and attempts to change the domain admin account lead to an unmountable DIT (at least, I’ve never found otherwise). If you combine Encrypting File System with SYSKEY though, you can at least make sure your data is reasonably unrecoverable – since the SYSKEY defeating tools have to replace the password in the local SAM, the private keys become useless and your data is safe. In theory. 🙂 Excellent writeup though – not enough people use SYSKEY on mobile machines.

  4. Steve Lamb says:

    Blake> a USB token will do just fine 🙂

  5. Blake Handler says:

    I’m going to test the USB devices later this week, but I’m still unclear "how" it will read the USB devices before the USB drivers are loaded? KB310105 didn’t shed much more light on this, but I’m wondering if the Syskey process is "locked" to the floppy? It’s not that I don’t believe you, just want to see if it works on USB for myself. (Many portables do NOT have floppies anymore.)

  6. Steve Lamb says:

    Blake> I’ll post a new entry to properly answer your question – please comment to that one and let me know what you think