Windows XP Locked with "Windows XP Startup Password"

Posted on 2014-09-25
Last Modified: 2014-11-23
Today I encountered an XP computer which starts up presenting a login window titled:
"Windows XP Startup Password" with a blank space to enter a password.
There are numerous references to this around.  It comes as a result of nefarious "social engineering" which lets strangers into the computer.
My understanding is that they use a Windows "feature" / syskey to force the use of an additional logon password.
That's not much understanding!  :-)

Anyway, I want to know an effective way to FIX this situation.  I have all manner of live CDs but I haven't got the foggiest idea what to do.
What is the best recommended fix procedure?
My belief so far is that this is NOT a parasite that can be found and removed.  Rather, it's a Windows setting having been made.  Right?
Question by:Fred Marshall
8 Comments
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 40345284
There is only one way to fix this.  Wipe the contents of the drive, reformat and reinstall Windows.

Not a fix, but a workaround:   If you have a backup from before the intrusion occurred you could try restoring that as well so long as you have access to the backup from this compromised system.

Now the question becomes:  can you trust a backup from yesterday?  How about last week?  How about last month?  I would not trust any system that has been compromised because I don't know when the intrusion occurred.

Contact your bank and credit card companies and take action to secure your finances.
 
LVL 70

Expert Comment

by:KCTS
ID: 40345299
This is nothing to do with Windows. It's either a BIOS password that is being requested or it's a 3rd party utility.
 
LVL 24

Expert Comment

by:SunBow
ID: 40345361
Sounds like diagnostic and Recovery recommendation and usage.
Have you tried using blank password yet?
You may want to locate startup disc, and/or (always should) make one.

How to install and use the Recovery Console in Windows XP
http://support2.microsoft.com/kb/307654
4. When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER

How to get into Windows XP recovery console without a Windows XP CD
http://www.computerhope.com/issues/ch000635.htm
Microsoft has made a set of boot disks that can be downloaded and used to get into the recovery console
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40345444
This one?
SM Password
If so the computer is probably uninfected (although take Larry's point about if you can be foolish enough to get a problem like this through a social engineering scam what else might you have, but here the vulnerability is the user not the PC(!)).

As you've probably already discovered this is a security setting on XP that's been changed remotely; it normally has a hidden system-set value but has been changed to a separate code.

If you can get to a Safe Mode command prompt (from F8 at boot) you can try restoring Windows' built-in password by following the instructions here

Knowing what it is however is simpler than fixing it.  This can be undone if you have some restore points set on the PC, although the person (usually from "Microsoft") who set the new password will usually set the restore files to delete in reboot so you may be out of luck.

To check you'll need to be able to boot to an alternative system and then use that to examine the contents of the affected drive (either a boot CD or by slaving the drive to a working PC - again the risk of this drive having any other form of infection is remote but bear it in mind when connecting to another machine).

Open a file browser in the booted system and then navigate on the affected hard drive to the Windows folder.  Check for the presence of a folder at system32\config\RegBack; if it is there and has content (depending on the system you have booted to you may need to allow Hidden and System files to be visible) then they didn't complete removal of the files.  If it is empty you will need to use the Hive back-ups from the original XP installation (on OEM machines this may fail).

Fingers crossed you find registry backup files at system32\config\RegBack - if this is the case:

Reboot the PC and press F8 to reach the Advanced Startup Options menu & choose Repair your Computer.  When Windows offers to automatically repair, cancel this and select a System Restore date that is earlier than the date the password setting was hacked.

If your System Restore files were deleted by the hacker you will need to copy the backup registry hive from the Windows\Repair folder.  The process is outlined in this Microsoft KB article, although it describes using Recovery Console to do it and you may be doing this through whatever system you have booted to.

How to recover from a corrupted registry that prevents Windows XP from starting


In summary, this is a deceptively easy thing to set up maliciously on a user's computer and complex, sometimes impossible, to recover from. Although no data is lost and it can be recovered, ultimately you may need to reinstall the operating system if the registry hive back-ups have been intentionally deleted.

Good luck!
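The "check for the hive backups" step MASQ describes, scripted for a drive that has been slaved or mounted from a live CD. This is an added example and not part of the original thread; it assumes the affected drive is mounted at the path given as the first argument and that the hive names are the five the linked KB recovery article copies.

```shell
#!/bin/sh
# Added example, not from the thread: given the mount point of the affected XP drive
# (slaved, or mounted read-only from a live CD), report whether the registry hive
# backups that a System Restore or manual hive copy needs are present and non-empty.
# Assumption: $1 is that mount point; the hives are the five the KB article restores.
HIVES="system software sam security default"
# Case-insensitive lookup below $1 ($2 relative pattern, $3 depth), since a drive
# mounted from a live CD may show the folder as "WINDOWS" or "Windows".
find_ipath() {
    r=${1%/}
    find "$r" -mindepth "$3" -maxdepth "$3" -ipath "$r/$2" 2>/dev/null | head -n 1
}
# Prints "<label> <hive> ok|empty|missing" per hive; returns 0 only if all are usable.
check_hive_dir() {
    dir="$1"; label="$2"; status=0
    for hive in $HIVES; do
        f=$(find_ipath "$dir" "$hive" 1)
        if [ -z "$f" ]; then echo "$label $hive missing"; status=1
        elif [ ! -s "$f" ]; then echo "$label $hive empty"; status=1  # present, no content
        else echo "$label $hive ok"; fi
    done
    return $status
}
# Tries system32\config\RegBack first (the folder the thread inspects), then falls back
# to Windows\repair (the hives the KB article restores). The last line names the result.
hive_backup_status() {
    regback=$(find_ipath "$1" 'windows/system32/config/regback' 4)
    if [ -n "$regback" ] && check_hive_dir "$regback" RegBack; then
        echo "usable: RegBack"; return 0
    fi
    repair=$(find_ipath "$1" 'windows/repair' 2)
    if [ -n "$repair" ] && check_hive_dir "$repair" repair; then
        echo "usable: repair"; return 0
    fi
    echo "usable: none"; return 1   # both backup sets gone: expect to reinstall
}
# Constructed sample drive for a stand-alone run: RegBack hives emptied, repair intact.
make_sample_drive() {
    d=$(mktemp -d)
    mkdir -p "$d/WINDOWS/system32/config/RegBack" "$d/WINDOWS/repair"
    for h in $HIVES; do
        : > "$d/WINDOWS/system32/config/RegBack/$h"
        printf 'regf constructed %s hive' "$h" > "$d/WINDOWS/repair/$h"
    done
    echo "$d"
}
SAMPLE=$(make_sample_drive)
hive_backup_status "${1:-$SAMPLE}"
```

Run it with the mount point of the real drive as the argument; with no argument it walks the constructed sample, where RegBack is reported empty and the repair folder is the usable copy.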
 
LVL 92

Accepted Solution

by:
nobus earned 500 total points
ID: 40345466
I suppose you saw this already: http://blogs.msmvps.com/sp/2008/01/27/disabling-syskey-startup-password/
It confirms the scam password, and suggests a fresh install.
 
LVL 25

Author Closing Comment

by:Fred Marshall
ID: 40346417
This is obviously a Windows feature and not a parasite.  Bad actor not bad software!
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 40346523
Just for future reference - that link does miss that the Windows System Service password for Syskey can be recovered in some instances, so the actor can be prompted to perform correctly :)
 
LVL 25

Author Comment

by:Fred Marshall
ID: 40346919
I meant that this is often set up by a charlatan who is given access to the system.

But, I'm very curious, how to recover his nefarious password?
