Solved

Windows XP Startup Password

Posted on 2013-05-18
Last Modified: 2013-05-23
I have a computer that when it starts I get a small box with a message that says "this computer is configured to require a password. In order to start up please enter the startup password below." Then there is a text box to enter a password, with 2 buttons; one says okay and the other says restart.

I have tried to replace the LSASS.exe file from the original i386 directory and that has had no effect. This problem also shows up when I press F8 and boot into safe mode with command prompt. I have also tried to remove the passwords using a password removal tool with a Linux based system.

This problem started after an unsuspecting person took a call from people who said they were from "Windows" and indicated that this computer was sending out information over the Internet. That person allowed the caller to log onto the computer and once she realized that it was a scam she unplugged the computer from the Internet and shut it down.

This system is running Windows XP home premium with service pack 3.

Does anyone know how to bypass this problem?
Question by:Pat Clancy
6 Comments
 
LVL 23

Expert Comment

by:tailoreddigital
ID: 39177689
This tool will remove the password.
http://pogostick.net/~pnh/ntpasswd/

Burn it to CD, then boot off the CD and follow the steps carefully. I've used this for about 8 years and it has never failed. I've used it on XP, Vista and 7, haven't tried it on 8 yet.

If I was working on a computer with that history, I'd pull the drive, extract any important data and format.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39177729
This is a fairly well known 'repair' scam.  The people say they are calling from Microsoft or AOL or some other well known computer organization and ask for remote access.  Then all they really do is create a password to block access to the computer.  They usually ask for money to unlock it.  But they often don't unlock it even if you send them money.

It might as well be a virus but in the other questions, the scammers have used 'legitimate' Windows tools and programs to block access to the computer.  That means that anti-virus programs usually don't find anything.
0
 
LVL 91

Accepted Solution

by:
nobus earned 500 total points
ID: 39178191
Maybe a "system restore" like this can get you going again:

http://support.microsoft.com/kb/307545
----------------------------------------------------------------------------------------------
An easier way is to boot from a Bart PE CD (or UBCD4Win CD) and use the file manager for manipulating files. Here is the procedure:
1. Rename c:\windows\system32\config\SYSTEM to c:\windows\system32\config\SYSTEM.bak
2. Navigate to the System Volume Information folder.
It contains some restore {GUID} folders such as "_restore{87BD3667-3246-476B-923F-F86E30B3E7F8}".
The restore points are in folders starting with "RPx" under this folder.
3. In such a folder, locate a Snapshot subfolder. This is an example of a folder path to the Snapshot folder: C:\System Volume Information\_restore{D86480E3-73EF-47BC-A0EB-A81BE6EE3ED8}\RP1\Snapshot
4. From the Snapshot folder, copy the following file to the c:\windows\system32\config folder:
 _REGISTRY_MACHINE_SYSTEM
5. Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
6. Exit Bart PE, reboot and test.

Use a fairly recent restore point from at least a day or two prior to the problem occurring.

** You can add the other hives also with this procedure.

http://www.nu2.nu/pebuilder/       BARTPE
http://www.ubcd4win.com/            UBCD4WIN
0
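The restore-point selection and hive swap from the accepted answer, as an added Python example (not nobus's code), for a drive that has been pulled and mounted offline on another machine. The function names are hypothetical, the snapshot file's modification time is assumed to stand in for the restore point's date, and `_REGISTRY_MACHINE_SECURITY` is the snapshot name of the SECURITY hive for anyone restoring the other hives as well.

```python
import re
import shutil
from pathlib import Path

# Live hive name -> file name inside a restore point's Snapshot folder.
HIVES = {"SYSTEM": "_REGISTRY_MACHINE_SYSTEM",
         "SECURITY": "_REGISTRY_MACHINE_SECURITY"}

def find_snapshots(volume):
    """List (mtime, RP number, snapshot dir) for each restore point, oldest first."""
    svi = Path(volume) / "System Volume Information"
    found = []
    for rp in svi.glob("_restore{*}/RP*"):
        num = re.fullmatch(r"RP(\d+)", rp.name)
        if not (num and rp.is_dir()):
            continue
        for sub in rp.iterdir():  # folder case varies ("Snapshot"/"snapshot")
            hive = sub / HIVES["SYSTEM"]
            if sub.name.lower() == "snapshot" and hive.is_file():
                found.append((hive.stat().st_mtime, int(num.group(1)), sub))
    return sorted(found)

def pick_snapshot(volume, incident_ts, margin_days=1):
    """Newest snapshot taken at least margin_days before the incident, else None."""
    cutoff = incident_ts - margin_days * 86400
    older = [s for s in find_snapshots(volume) if s[0] <= cutoff]
    return older[-1][2] if older else None

def restore_hives(volume, snapshot, hives=("SYSTEM",)):
    """Rename each live hive to <name>.bak, then copy the snapshot copy in."""
    # Path case follows the answer; adjust it on a case-sensitive mount.
    config = Path(volume) / "windows" / "system32" / "config"
    # Check everything first so a failure cannot leave a half-restored set.
    for name in hives:
        if not (Path(snapshot) / HIVES[name]).is_file():
            raise FileNotFoundError(f"{HIVES[name]} missing in {snapshot}")
        if (config / f"{name}.bak").exists():
            raise FileExistsError(f"{name}.bak already exists; not overwriting")
    for name in hives:
        (config / name).rename(config / f"{name}.bak")
        shutil.copy2(Path(snapshot) / HIVES[name], config / name)
    return [config / name for name in hives]
```

Pass the incident time as a Unix timestamp; hives that belong together, such as SYSTEM and SECURITY, should be taken from the same snapshot in a single call.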

 
LVL 88

Expert Comment

by:rindi
ID: 39178209
Most of those scams apply some encryption to your folders / files, and only after you pay them do they give you a password to disable the encryption. So my best advice here is to install the OS from scratch or do a factory restore from the recovery partition/media, and then restore the data from your customer's backup. Any new data that was created or changed between the last backup and the start of the scam you should regard as lost. Don't ever pay the criminals, or they will keep on blackmailing "customers".

As encryption can't be decrypted without knowing the decryption keys, that is the only working way to get the system back in working order.
0
 

Author Comment

by:Pat Clancy
ID: 39178524
Thank you all for your posts. I had tried the Pogostick password recovery CD before asking my question but that failed. I will try the system backup on my next go around. I am able to use Bart PE and can see that the files are all there and can access them so I can copy them onto an external drive of some kind so if I need to I can just format and start the system again. I don't think anything has been encrypted (that I can see anyway). My customer realized that this was a scam a little too late; she didn't give the crooks any money.

I will give the system restore a try and if that fails I will try an in place install. If that fails then we all know there is a final solution. Format!

Thanks for your help. I'll post my findings next week.
0
 

Author Closing Comment

by:Pat Clancy
ID: 39190909
The solution actually came when I did a "restore" of the system/security hive of the registry. Nobus got me started in the right direction.
0
