SOLUTION: “This is Microsoft Support” telephone scam – Computer ransom lockout

A trend of the past couple of years has been for scammers to contact computer owners directly via telephone in the United States in an effort to convince them that there is a problem with their PC and they’ll need to pay to have it fixed.  In general, these people cannot fix anything, and instead they merely charge exorbitant fees for absolutely nothing. In other words, they scam you.

The call generally goes something like this:

  1. A foreigner with a thick Indian accent identifies himself as a member of Microsoft Support or similar.
  2. He informs you that you have a number of critical problems with your PC and that you will need to have it fixed.
  3. To convince you, he offers to connect remotely and pulls up your Event Log (eventvwr.msc).  He then filters for Warnings, Errors, and Critical events and uses that as evidence that your PC will soon fail to work correctly if you do not pay him to correct it.

The astute among you have probably already sensed that something here is seriously wrong, and it’s not your PC. It’s the fact that someone is calling you to tell you there is a problem with your computer. No one will ever do that. The only way they could possibly know there is a problem is by hacking or guessing.

In this case, it’s mere guesswork, and it’s not even correct most of the time. The Event Log is supposed to log warnings and errors, and even on the healthiest of PCs there are plenty of Error Events that can be safely ignored, as they often don’t amount to anything. The important thing to remember is to never trust someone who calls you about a problem with your PC, and never, EVER let them connect remotely to your PC.

If you do make the mistake of letting them connect, but then you happen to get cold feet and refuse to pay the $180+ they request via credit card, the next thing that happens isn’t pretty. This scammer proceeded to actually follow through on his promise of the PC “not working” if they don’t agree to have him fix it, and so in a few quick steps, behind the user’s back, he enacted what is known as SysKey encryption on the SAM registry hive.

SysKey encryption is a little-known feature of Windows which allows administrators to lock out access to the Security Accounts Manager (SAM) registry hive so that login specifics cannot be stolen and the PC cannot be accessed without knowing the proper credentials. The problem is, unlike other scams, there is no way around the problem; you can’t simply remove the password, as the actual SAM hive has been encrypted entirely by the process. If your Windows installation has had SysKey activated, you’ll see the following message:

Startup Password

This computer is configured to require a password in order to start up. Please enter the Startup Password below.

The window which appears looks like this:

This computer is configured to require a password in order to start up. Please enter the Startup Password below.

The ONLY solution is to find a clean copy of the registry hives from before this occurred. This scammer knew this, however, and as such, he took an extra step to block any repair or recovery attempts: he deleted all System Restore points on the machine, which normally house backup copies of the registry hives.

Unfortunately for him, I’m a much better technician. When the customer suspected foul play and decided to call me instead of proceeding, I immediately instructed them to power off the PC. Here’s how I fixed the problem without having to reinstall Windows.

FIRST, ensure you don’t have any Restore Points to work with:

  1. Check to ensure that the folder %SYSTEMROOT%\system32\config\RegBack exists.  This is the folder which contains the last known good backup of the hives following a boot.  If it exists, continue.  If not, stop and consider contacting a technician instead.
  2. Reboot the PC and repeatedly press F8 to reach the Advanced Startup Options menu.
  3. Choose Repair your Computer from the menu.
  4. Cancel the automatic repair attempt and instead instruct the system to perform a System Restore to a date prior to the incident occurring.

If no Restore Points exist, your scammer intentionally removed them to prevent this from occurring.  If this happens to you, follow these additional steps to resolve the problem:

  1. POWER OFF your PC immediately.
  2. Boot to external media of some sort (NOT your Windows installation) and navigate to the %SYSTEMROOT%\system32\config folder.
  3. Backup the registry hives in this folder to a temporary location. The files are:
    1. SOFTWARE
    2. SYSTEM
    3. SAM
    4. SECURITY
    5. DEFAULT
  4. Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
  5. Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder.
  6. Reboot the PC.

This solution only works if you have not already tried to reboot the PC subsequently.  If you have, it may still work, but that is entirely dependent upon whether or not Windows created a new RegBack copy following a successful boot.

In the case of my customer, it worked, and they were back in Windows, just like it never happened.  Nice try, scammer.  You’ll have to try harder to beat me though. 🙂

Addendum A (update 6/26/2015):

Thanks to FUScammers for pointing out this more involved, alternate method of actually removing the SAM encryption.

  1. Download this file and burn the .iso to a CD.
  2. Boot to the CD on the affected system.
  3. Follow the instructions to select the proper system drive and partition (NTFS is the partition type you are looking for).
  4. Type the path to the registry files (it’s most likely Windows/system32/config).
  5. Choose option 1 for Password reset (sam system security).
  6. Choose option 2 for Syskey status & change.
  7. Confirm that you wish to disable Syskey, then quit and confirm writing the new changes to the hive.
  8. Reboot the PC and check.

For more detailed instructions, check out this link (scroll down to “How to disable Syskey startup password”):

http://computernetworkingnotes.com/xp-tips-and-trick/remove-administrator-password.html

In Windows 8, the GPT partition type makes the use of this utility impossible.  However, you can still manually copy the hives to a supported filesystem (NTFS or FAT32), mount that filesystem instead, and follow the steps from there, then copy the hives back over the originals.  I can confirm that this method does work and that even in Windows 8.1 recovery is possible using it.

Donate to say "Thanks" if this post has helped save you time and money! :-)

148 thoughts on “SOLUTION: “This is Microsoft Support” telephone scam – Computer ransom lockout

  1. Thank you for taking the time to discuss this scam. I have read several complaints posted at http://www.callercenter.com but I didn’t think it’s this complicated. One thing I know for sure, though, is that Microsoft never initiates a call.

  2. Thanks for this procedure! Fortunately, the RegBack files were intact and modified only a few days earlier. Booting into Linux, copying them back to the Config folder did the trick. After trying other measures, no other options were seemingly available. And YES, they trashed System restore.

    This scam occurred on a friends computer; however, he was not clear on just how they gained access to his system after walking him through various menus, etc., while on the phone. I still wonder if they have access to the system.

  3. No RegBack – I now assume a new Windows must be installed?
    Even Renamed the SysKey.exe to SysKey.org – no difference. Still asks for a Password.

  4. Hey Peter,

    No restore points either?

    Renaming will not work as the problem is encryption of the SAM registry hive itself, which is required to boot into Windows.

  5. Thanks for posting your solution. My friend was also a victim of this scam. Fortunately, she did have RegBack and I followed your example and got her computer backup and running. Saved us valuable time from reinstall.

    Thanks again.
    Del

  6. This scam just happened to a family member of mine. Should they be concerned about identity theft and such or is this just a scam to get a credit card number and mess up the computer?

  7. Lisa,

    Unfortunately, there is no way to know for certain. Such unscrupulous individuals are likely just after quick money, but who is to say that once they’ve gotten control of your system, they haven’t found a way to transfer data to themselves or otherwise steal information?

    The best course of action is to change all passwords just to be safe. You can also alert your bank or credit card company to let them know to be on watch.

    -Steve

  8. Thanks Steve, I wish I had answered the phone instead of my trusting father. Fortunately i started to listen in on his conversation when he was about to give his credit card info. When we shut down the call they locked up the computer. I’m sure it will cost more to unlock and fix the computer then what these sleaze balls wanted to charge him.

  9. Thanks so much. After much searching i found your solution and was able to get into the system. They did more damage but being able to get into the system was huge for me. I have transferred all my important items and did a full system restore to brand new and they just restored my files and all works great again. Only about 4 hours of my day wasted on this for a customer.

  10. This is the 2nd time I have seen this, first time was able to system restore. This time however they had teamviewered into computer and wiped out system restore points. This solution worked perfectly as I had found the files in regback which were 8 days old. Followed instructions and it worked. Thank-you and my friend thanks you. And the guy in Italy is kinda upset (John Mensah) who wanted money.

  11. I’m a tech. These f***wits call me at least once a week, following which I usually suggest they carry out some rewarding physical exercise.

    However, this time it was a customer who got scammed with the SysKey method, losing files in the process and being locked out of her computer. I’d never seen this level of attack before, and wasn’t sure how to handle it, so I first tried KonBoot, which usually takes you past the password entry point and into the system. (You can’t change the password but at least you can get into the system) However, this didn’t work with this attack.

    Next I tried ERD Commander, both their old versions and the newer DaRT versions. No joy.

    Finally got rid of the thing with Passware Windows Key Enterprise 9.3.815, which actually recognized the attack system. First I set a password for Admin and removed all others. After that I was able to enter the system (W7HP) and tidy up the User accounts. The customer had lost documents – apparently the sleazebags got pissy with her when she refused to pay and deleted a bunch of files. However, I’d backed them up a few weeks earlier so no prob there.

    Couple of points to pass on to your friends: No matter what we think of Microsoft’s foibles, failings and f***ups, phoning customers like this is something they’d NEVER do. Also, there’s no way of accessing a computer system without the owner’s cooperation. So there’s NO WAY the caller can know if there are any bugs, errors or faults in the computer system, UNLESS they get invited in. Personally, I always turn off Remote Control (on by default) whenever I service a computer. Finally, all someone has to do if they’re beginning to smell an Indian rodent, is press and hold the power button (desk or laptop) for about 10 seconds and the machine will power off.

    Good luck folks 🙂

  12. Hello. I have a customer’s PC in my shop which experienced this. I am currently to the state where Windows boots normally and by appearance all looks normal. Except….the following programs are either disabled or missing the appropriate registry/service to operate:

    1) Windows Update (it causes Dell’s update program to not work either)
    2) Windows Defender
    3) Windows Restore

    I am sure that there are others that I have not noticed yet. I have run scans from malewarebytes to microsoft fix-it to Kaspersky. I ran others that I’m too tired to mention. I’ve run into this before and just rebuilt the PC. I’m not against it since I already have an image loaded to a disc for this model, but I’d really like to learn how to repair this for future knowledge.

    Thanks in advance,
    Brian

  13. Hey Brian,

    My very first thought with those symptoms is the ZeroAccess rootkit. Check to be sure the relevant services exist (you can start with these commands at the Command Prompt):

    sc query MpsSvc
    sc query bits
    sc query wuauserv
    sc query WinDefend

    If any of the services are not installed, you will need to restore their functionality using the relevant registry keys for each service based on the OS version that’s installed. However, if MpsSvc and bits are missing, it’s probably the work of ZeroAccess.

    On the other hand, I would also check to see if any NTFS junctions have been placed overtop the Windows Defender files in the Program Files folder. If so, it’s a surefire dead giveaway that this machine is infected with one of the latest variants of the ZeroAccess rootkit, which uses those junctions to block access to those files and prevent reinstallation of the security. It is sophisticated stuff as far as malware goes, though I remove it at least once per week these days!

    Hope this helps!

    PS– System Restore can also be broken if either (or both) VSS and WMI are corrupt. You can repair the Volume Shadow Copy Service (VSS) using utilities such as Windows Repair All-in-One and WMI using similar utilities. They’re a bit risky, but in situations like this where such deep damage has been done it’s a great place to turn. I personally use FoolishIT’s D7 for such repairs now, but it’s nowhere close to free. 🙂

  14. Steve,

    Thank you so much for taking the time to respond to me specifically. I did operate the run command to learn that all four services are available and their status was set at running.

    I ran Windows Repair All-in-one (aware of the risks, that it okay because I cloned the original drive and I am working on the clone) to no avail. It appeared to be repairing quite a few services, but afterward (and after a restart) I am still at the same status as before.

    I suppose I’m going to try some other rootkit options now. If I don’t find a solution by tonight I’m going to have to rebuild. This is a business computer and needs to be back into service soon.

    Thanks for the help,
    Brian

  15. If you haven’t already, make sure to also run a chkdsk on the machine ( chkdsk /f %SYSTEMDRIVE% ) to ensure no filesystem corruption. Then, you can always try:

    net stop wuauserv
    net stop bits
    ren %SYSTEMROOT%\SoftwareDistribution %SYSTEMROOT%\SoftwareDistribution.old
    net start wuauserv
    net start bits

    And see if that corrects anything on the Windows Update side of things. However my guess is that you may still be looking at a WMI problem. There are various other ways to repair a corrupted WMI repository if it needs to be done… if you need help I can try!

  16. From the Command prompt, I ran:

    net stop wuauserv = this worked
    net stop bits = the background intelligent transfer (bit) service is not started
    ren %SYSTEMROOT%\SoftwareDistribution = The syntax of the command is incorrect.

  17. A friend of mine has been a victim of this scam and I’m attempting to recover her files as there is no way in heck I am able to bypass the Startup password. My operating system is WIN XP Home Edition SP3 – I can’t boot to command prompt in safe mode because it asks for the password, it won’t boot to anything at all. How do i boot to an external media to access the %SYSTEMROOT%\system32\config folder?

    Thanks,
    Sean

  18. Thank-you so much. I used this program and was able to access all the data which was thought to be lost. Great program… I may use it permanently 🙂

    Thanks again Steve,

    Sean

  19. Pingback: Increase In Hacking Attempts » Tech Guru Squared

  20. Pingback: Windows 8 Boot problems after using chntpw utility | Ubuntu InfoUbuntu Info

  21. Heyy Steve Schardein.. thanx for your suggestion, but I am unable to rectify this error on my windows 7 (Home edition) PC. i followed all of your steps, but it could not help me. i dont have any system restore point. please Help.

  22. Worked a treat (used hdd in another PC to copy in old reg files …. knew by date stamps that they were ok).
    Thanks a lot.

  23. Hello Steve,

    Thank you for this explanation. I’ve also helped a customer on XP with this scammer problem and stumbled upon this page for help. He had turned the computer back on with no backup to speak of so there was a big problem.

    I tried the Offline NT Password removal which removed the initial Startup Password screen but seem to damage the account passwords for all current users. I couldn’t even get in using the administrator account. I was able to finally add a new user for the customer to use via command line – using a command line backdoor. It was a lot of stuffing around.

    I also used EaseUS Data Recovery which did a fantastic job at recovering the deleted files this scammer started deleting.

    Microsoft should really disable Syskey for its Home editions of Windows – a very dangerous system program in the wrong hands. Still available in Windows 8 too.

  24. Hi everyone!

    First of all… I am by no means a tech. I like to think that I can get around a PC quite well for someone who doesn’t have any formal training. My uncle had this happen to his PC (Windows 8 – which I have only spent about 10 minutes on the system to-date). I haven’t read all of the comments yet but the first question that comes to mind is: how can I search for the registry folder if they can’t even get into windows (because of the ransomware asking for a password). Please note that I don’t have access to the PC as I live too far and I will be attempting to do this with them over the phone (they aren’t so tech-savvy). I’m hoping to avoid re-installing windows since I don’t think they received a recovery CD or anything with their laptop.

    Any help would be greatly appreciated! 🙂

  25. Steve,

    This just happened to my father (exactly the way you described it above). Although they threatened that he would “never use his computer again” after he made the error of letting them on his computer via TeamViewer, I was able to go in (it’s Windows 8), change the computer password and get past the Startup password window that came up because, obviously, they activated SysKey. I uninstalled the TeamViewer program and everything seems to be okay. However, I tried to complete a System Restore and a window came up following the attempt that said that it could not be completed because, possibly, one of the drives might be corrupted. It recommended running “chkdsk /R” but I’m not sure how to do that. Are we at the point now where I need to have someone like yourself look at it? Are there any other options I can try in order to complete a System Restore? Should I just reset everything to the default settings (my father has only had the laptop for a few months)? Any help or guidance would be GREATLY appreciated. Thanks.

  26. Hey Vanessa,

    Sorry–there is literally no way to do this without physical access to the PC! The best option in this case is certainly to reformat. If there is no CD with the Windows installation you might need to contact the manufacturer about this (I know it’s not what you want to hear :)).

    Jeremy,

    Same goes for you too… it sounds like you may have multiple issues on your hands, but it’s unclear. It may also be infected, or it could actually be a storage device failure. Either way, your safest bet, especially if everything is already backed up, is simply to start from scratch. Or, of course, bring it to a good tech!

  27. Pingback: ALERT: Fake "Microsoft Support" Telephone Scam - BCCS Computer Systems :: BCCS Computer Systems

  28. Thank you very much! Worked for me on a Windows 8 laptop which had been started and switched off dozens of times since the problem first occurred, which means that the backups of the registry hives must occur later in the startup than the point at which the system prompts for the syskey password. I used a copy of Microsoft’s DART utilities to run a command prompt on the affected machine and backed up the old files and copied the backups into their place. I was unable to run ANY local recovery tools as without access to the SAM, none of the tools could detect a local administrator account.

  29. Hey Guys,

    I had a call from a client tonight who’d been called by “Windows Best Help” Who gained access to the clients machine and installed rubbish “clean up tools” and charged them $200.

    If you’re like me – you want these filthy creatures to rot in hell.

    Fortunately my client called me and we were able to kick them out of the system before anything bad happen. Last week I had a client who had their registry SAM file encrypted and password protected by these scammers just like in this article.

    ANYWAY – I got their 1800 phone number and have been calling them non-stop all night in order to tie up their phone line. This is a simple way to help prevent others getting scammed and it’s frustrating the hell out of them!

    If you want to join me in this mission, then call them on 1800 427 765 and WASTE as much time of theirs as possible.

    Be careful not to call from your mobile (As you’ll get charged) and they’ll get your number.

    I call from Skype, which shows up as private for them and doesn’t cost a cent.

    I’ve spoken to them over 20 times and had all sorts of fun. They are no longer answering but know that this also stops legitimate victims from getting scammed.

    Also remember, as it’s a 1800 number, they pay every time they answer. It’s pure gold!

    I’ve also recorded all the calls and did a screen recording and have some really funny recordings – let me know if you want me to post them.

    Cheers
    Richard

  30. Hi – – My girlfriend fell for this scam. She has winxp pro on her computer.
    I haven’t used xp in a while, so I’m stuck.
    How can I get into system restore (her restore points are still there), if I can’t get into any safe mode, or recovery console (even that asks for a password)?
    Or if I put her hard disk into my computer, is there a way to do a system restore to that disk? Any help. or links would be appreciated… thanks!

  31. By the way, in xp there is no “Repair your Computer” option in advanced startup options, otherwise it’d be fixed by now… thanks!

  32. Hey baz,

    Well, for starters, I’m assuming you already are aware that her running XP is a HUGE security risk in and of itself. It is going to be a veritable hotbed for malware going forward now that Microsoft has finally officially revoked support for it. So it may not be a bad idea in this case to simply wash your hands of it all, boot to another OS/slave the drive to another machine, back up the user data, and reinstall 7 or 8.

    Having said that, to get her back in, it’s a little trickier on XP. Here is a post I made a while back on the subject:

    http://triplescomputers.com/blog/casestudies/when-last-known-good-configuration-fails/
    (see the XP paragraph)

    If the RP folders are missing, the attacker deleted the RPs. In that case, you can try C:\Windows\restore and see if the hives are there, but if they are, they are likely VERY early versions of them. So it’s not a good solution.

    By the way, LKGC won’t work here anyway. The SAM hive is not included as a part of that recovery operation; the system merely switches the CurrentControlSet to a different number in that case instead. This is all, of course, to avoid subversion by an attacker should an admin ever enact SysAdmin encryption. It is not *meant* to be subverted.

    Good luck–if those RPs don’t exist, you’re probably SOL on this one!

    Steve

  33. I’m just posting this as an additional solution for anyone who has this problem in the future and finds this topic:

    I recently encountered this problem and found that the password needed to get into Windows was 123. I’ve read others that had 1234 or 12345 as their passwords. So before going to great lengths booting into Ubuntu and trying to mess with Registry files from there, simply try those three passwords.

    If the password works, you will get back into Windows, but you will still have the password prompt popping up every time you re-start Windows. To disable the password prompt I followed the steps here: http://www.sevenforums.com/tutorials/243880-syskey-set-startup-password-lock-unlock-windows.html (Before doing this procedure, I tried a few different system restore points, and although they each finished the restore process, I got an error once booting back into Windows, saying the restore failed, and the password prompt kept popping up. There was also no Regback folder to be found.)

    Additionally, once getting back into Windows and disabling the password prompt, you should run scans with the following programs to clean up leftovers from the scammers:
    ADWCleaner download here: http://www.bleepingcomputer.com/download/adwcleaner/
    aswMBR download here: http://www.bleepingcomputer.com/download/aswmbr/
    TDSSKiller download here: http://www.bleepingcomputer.com/download/tdsskiller/
    Malware Bytes Anti Malware download here: https://www.malwarebytes.org/free/
    Avast Anti-Virus download here: http://www.avast.com/index

  34. Pingback: The Easiest Way To Tell If The Windows 8.1 Update Is Installed On Your Computer | What's On My PC

  35. Just recieved a clients notebook with Win 8.1, who also chatted with this Indian crooks… this installation is totally toast! Their normal password window pops-up and accept any password you type, i thaught this will be a quick-fix…… but after accepting the password it takes you straight to “Preparing automatic repair” screen, and stucks there. Connecting the hdd via usb drive bay to desktop pc shows that the registry and regback is corrupt. There is no system restore files, User folder has two “new user” profiles. I backed-up the guys data, hdd back in notebook and tried to fix –

    Access to the BIOS is available, but changes don’t “activate” anything… can’t boot from any other media than the Hdd. Onekey Recovery was the only option.

  36. Yes, in some weird way everything was blocked? Now that the Recovery is done it is possible to change boot media after disabling UEFI Secure Boot. I don’t know what the Indian guy did, and how long he had access to the notebook, the customer it seem went for a jog and left this guy “fixing” his pc – lol

  37. This worked like a charm, thought I was going to have to start repairing the OS and hope I overwrote enough files to get in and still have this functional. Thanks for the help.

  38. Thanks for the advice Steve. When I got the Access Denied message trying to get to System32 folder, I pulled the hard drive and connected to another computer via a USB Adapter. I was then able to navigate to the RegBack folder, and copied the five files to the config folder. After putting the dive back into the computer, Windows 7 booted normally, and everything seems to work just fine.

    Thanks again

  39. Thanks for the great info, first tried copying the on from the backup folders but didn’t work. Then copied the same ones with the .old extension and removed the .old and things worked great.

    Thanks for the info.

  40. Thank you so much. Read the review we posted. What a horrible feeling to fall for this scam and it helps to know you are not along. Our call came from
    “POTS Phone 246-624-9999” We will try to report it. Thanks again. It really is like getting robbed, and I hope those HACKERS PAY dearly for all the damage they do. Karma baby!!!

  41. Can you please tell me how to

    Boot to external media of some sort (NOT your Windows installation) and navigate to the %SYSTEMROOT%\system32\config folder.

    Where I can create a bootable media and how ?

  42. One More question, If I re install windows 8.1 on my acer aspire notebook, it will work right ? although I lose my data but the problem will go away right ?

  43. Not sure if it has been mentioned, but assuming the RegBack folder has not been tampered with this work just fine with windows 8. Great info.

  44. I was able to unlock and log into a scammed Windows 8 laptop by booting an Ubuntu live CD and copying the RegBack files into place. THANK YOU! Please spread this link around! We did tons of reboots and password login attempts but copying RegBack files into place still let us log right in like normal. We had tried all the common passwords others had posted with no luck.

    Be brave and go slow, you can fix it and spread awareness!!!

    Follow this guide if you don’t know how to create and boot an Ubuntu live CD:
    http://www.ubuntu.com/download/desktop/try-ubuntu-before-you-install

    Once it is booted, you can explore your local disk disk using their file manager, and copy the files into place.

    You could also yank the drive and manipulate the files on disk with another computer.

    The support number they left on this computer is 1-844-278-0197

  45. I had to work on a client’s computer today that had this scam perpetrated on it.

    I was prepared to manually copy back the files but I tried the system restore first. There was only a system restore button on the startup screen in Windows 8 and it didn’t give me a choice of dates to restore to. It churned for about 10 minutes but when it came back, it was back to normal.

    One thing I will add is it’s a good idea to make a full image backup of the computer. Programs like Acronis TrueImage and Macrium Reflect Free Edition can make a fully bootable image to an external drive. If your system is compromised, you can install a new drive or wipe your current drive, restore the image and boot up to exactly the way it was at the last backup time.

  46. I tried copying the files in SYSTEMROOT%\system32\config\regback to SYSTEMROOT%\system32\config and that didn’t work. It’s still asking for a password. I can try it again but I expect the same thing to happen. Any other ideas?

  47. Hey Michelle,

    It’s probably because the system was rebooted too many times and the Regback entries were already replaced with the compromised/encrypted entries. Unless there’s another copy of the hives someplace or System Restore is still active, you unfortunately are probably looking at a data backup/reinstall.

    -Steve

  48. Im lost i cant even get into the laptop as obviously that password is there, when you say about doing that regback thing and having system root etc can u elaborate please as i dont understand it

  49. Hey Rhys,

    You have to boot to some sort of external media / another operating system first, or slave the drive to another working system. If you aren’t familiar with this sort of process you are MUCH safer bringing this to a professional to have it resolved. You can print my instructions and bring them to the tech and they should be able to have it resolved relatively quickly.

    -Steve

  50. This has just happened to me. I have wiped my computer to start again. Do you know if they can still access my computer.

  51. @Joann:

    I can’t say for sure as I haven’t been involved in the repair, but wiping and reinstalling removes all conventional software, including remote access software from the machine. So you should be all right if that’s the case.

  52. Just wanted to say i ran into this here at my store and the regback was too new and had the encrypted SAM… i booted to hirens cd in XP mode… ran recuva on my c:\systemvolumeinformation and pulled out a good sam from the day before…

  53. Interesting Robert, that’s a method I haven’t tried yet, though it makes sense if the SVI folder stores uncompressed/unobscured copies of the registry files. Thanks for the helpful information!

    -Steve

  54. Just wanted to share that the process shared here was spot on and worked like a charm. Very simple solution I must say. Only took a few minutes to carry out. For people looking for “bootable external media” take a look at this site. http://windowsmatters.com/2013/04/30/windows-8-based-pe-boot-disk-with-explorer-shell-and-all-my-favorite-apps/ Just a download of an ISO and burn do DVD. Very slick Windows 8 based PE boot disk loaded with a ton of utilities.

  55. they called me from +919811308281.i just said its strange MS called me when im on Linux then they hang-up quickly

  56. I’m a tech,but I hadn’t seen the scamming pricks lock it like this before.They got remote access to my customer but he got suspicious they were scamming him so he hung up but didnt call me till the next day,duh! They had all night connected to have a play.
    Booted to a Live disc ,moved the reg hives around and bingo!
    Cheers for the fix ,Superb work!

  57. They used 12345m for the computer they stuffed for a friend and deleted all her files – was able to recover the files using free recovery software and simply reinstalled the OS – lesson learnt by young lady never believe random phone calls

  58. We had a client with this EXACT situation. We had to pull the drive, copy her data and just do a system reset back to factory specs because she had rebooted several times before bringing it to us, and the VERY helpful article you wrote didn’t work. I wish we could prosecute these jackasses and sue for damages.

  59. I had to respond and thank you for this solution! Fortunately the regback folder had not been cleared yet, and that fixed the problem completely! Fantastic.

  60. Some preventative workarounds before the fact. They may not help naïve users who may fall for this fraud, but technicians, computer suppliers, and tech-savvy friends can install them. They’re workable round by scammers, but they have to realise what’s happening:
    1. Remove c:\windows\system32\syskey.exe. It’s pretty useless if you don’t intend to use it; you can keep a copy if you want. You can also create, in the same folder, a text file syskey.cmd which could display a message. I suggest “SAM on this computer has been locked against encryption. Enter your master password to enable encryption. Please contact your friend John Smith who set this up for you for more details” The script could then go into an infinite loop prompting for a “password”, responding “not recognised”, and asking again (a little knowledge of scripts and maybe a simple program required). Alternatively, a very visible message (flashing red?) “SCAM! SWITCH OFF! NOW!” (very visible at a glance, the scammer will close it ASAP), followed by “contact your friend …”. This may alert the scammer to lock the computer another way (I won’t say how), so the first variant might be better.

    2. There’s a program called ERUNT which backs up the registry the first time the computer is started on any day, keeping by default the newest 30 backups. To restore, someone (the user or an expert consulted) boots with a Windows (not Ubuntu) boot disc (I use a BartPE) and follows a simple procedure explained in the ERUNT docs. (This is also useful to correct any sort of registry corruption, e.g., after a bad installation.) The ERUNT backups are of the registry only, not the huge System Restore backups. Obviously won’t repair other damage to files.

  61. Two of my clients were hit in the last two days. Copying back the hive files worked for me via a Live CD. Thanks for your good work.

  62. Just worked through this on my Gran’s laptop as she fell to the telephone malware scam a few weeks ago and it worked a bloody charm!
    I just briefly installed her HDD in to my desktop, found the Sys32/config/regback files, replaced the ones in Sys32/config with the ones from regback. Now she doesn’t get this BS login screen. Thank you. 🙂

  63. I just got this call! When the guy told me that iIn would need to pay $399 for a Lifetime Windows Installer ID and License ID for Windows Firewall, I got suspicious! I have deleted all of my temp internet files, cookies, history, etc. I re-booted my computer and disconnected it from my wireless internet. I turned the computer off. Now I am concerned that this guy will be able to get into my computer when I re-connect to the intrnet. Is there a way to know whether he has moved on to some other victim?

  64. Thank you for your guidance. I was able to get a coworkers laptop back with your help. I was successful by doing the following procedure: Pull the compromised hard drive and hook up to another pc via USB to SATA Drive Adapter. Copy the SOFTWARE, SYSTEM, SAM, SECURITY, DEFAULT registry files from %SYSTEMROOT%\system32\config\RegBack folder and overwrite the same files in the %SYSTEMROOT%\system32\config folder. Reinstall the compromised hard drive back into original pc and power it up. Allow windows to do a repair operation and voila! Back in business.

  65. Thank you!
    Your solution (copy back the data form RegBack) worked for me.

    Most virus-removal / support-forums (at least in my native language where those scam calls are a younger phenomenon than in the US) are still clueless about this one and suggest tons of useless malware-scans and system recoveries.
    I’m glad I found this.

  66. This SCAM happened to me yesterday and I fixed it today, luck for me I was able to reset my computer to default settings.

  67. I have a client who fell for the phone call scam not once, not twice, but 3 times! I hope he has learned his lesson. This time the used the syskey startup password thing. The client convinced the scammer to give him the password on the promise he would pay. The password was the client’s phone number, so try that (area code & number with no spaces or dashes). The restore points are all gone, so I was not able to re-copy the hives. The backup in the windows\system32\config\regback folder is 4 years old, so no help.

  68. Hi there. Great explanation of this issue, but I am assuming this PC was rebooted making the hive repair worthless. The good thing is that the computer is fine if you just press enter at the password screen, I can access everything. However, we would still like to remove the password request when windows 8.1 boots. Is this possible? Also, can you take hive files from another source (Win 8 media or otherwise)? Thanks in advance for the help.

  69. An idiot employee (19yo too!) at one of our stores fell for this scam after we left him alone for just 10 minutes! Scammer must’ve felt like he hit the jackpot when he discovered our computer wasn’t just an ordinary computer but one that contained valuable information. Anyways, after the comptuer was shipped to me to inspect it, I came upon this site then a few other sites. Ultimately, this method worked for me:

    http://computernetworkingnotes.com/xp-tips-and-trick/remove-administrator-password.html

    You create a boot CD and the website walks you through everything step by step (although I had to do the last part which was clear the admin password). Now I’m back into the system with all information intact. Whew!

  70. Thank you very much. Clear and helpful instructions that actually work.
    Appreciate that this support is offered freely. A donation will be pending 🙂
    Cheers

  71. Had one of my customers hit with this. Instructions apply to Windows 8 as well, fortunately she still had a good Regback.
    Note regarding trying system restore that I have found on Win8 – as the SAM is encrypted, it actually states you need to have an administrator to do the restore, and it couldn’t find any… (as the SAM is encrypted – DOH). Restore points had been wiped by them anyways…

  72. So I unfortunately fell for the scam but my dad luckily did not give them his credit card info. Stupidly, I gave them access to our desktop though and they configured the account which led me to the startup thing with the password. I was able to restore the system and everything seems to be working fine..should I be worried about them getting passwords and such or did I stop them?

  73. One of our customers had this prolem. Parents on holliday. Their son (alone at home) was so kindly to help Microsoft…… Anyway all data is now back. We performed the RegBack by connecting the harddisk via an externaldisk enlosure to the usb of a Laptop. It worked. THANKS!!!!

  74. Thanks for this as this happened to me today & I have been locked out & felt smarmy about not paying until this bug appeared & prevented me from getting in..

    AM currently in work & glad/optimistic I have found a solution & am not “the only victim”

    I would say am not racist or narrow-minded & yes the person on the phone was Indian & very sneaky. Also after I said after being told you need to pay £39.99 for 5 year protection I protested & offered me a 1year for £19.99 & the 2nd man also Indian was even smoother until I hung-up

  75. Nothing wrong with identifying a caller by their accent. “Racism” in that sense is part of compartmentalizing/categorizing the attacker, and there is absolutely nothing to be ashamed of in that.

    The men speak with a thick Indian accent every single time I have encountered this scam, thus it is a critical profiling aspect. No need to apologize; this world has everyone on pins and needles when referencing nationalities, but it ought to be no different than a notation of hair color or eye color.

  76. Hi. So, I got scammed and didn’t even know it. However, I can’t bypass the Startup Password. How do I begin there?

    THANK YOU

  77. Where are the Passwords stored so I can delete it. That should work. Because the alibaba deleted the back-up and the files in the %SYSTEMROOT%\system32\config
    The ones in the %SYSTEMROOT%\system32\config\RegBack folder are still there but they were altered that day.
    There has to be a way to just delete the password? I have the hard drive plugged into another computer and I can get into it now, so where are the passwords stored? Any help would be appreciated.

  78. Actually there is. Are you running Windows 7 or before? If so, you can follow the instructions at this link (scroll down to “How to disable Syskey startup password”):

    http://computernetworkingnotes.com/xp-tips-and-trick/remove-administrator-password.html

    If it’s Windows 8, write me back and I’ll see if I can walk you through the procedure. I successfully completed it on a Windows 8.1 machine just the other day.

    Also, credit to “FUScammers” on this find. It was my first attempt at actually removing the SAM password and I can confirm that it does in fact work with Windows 8.

  79. We are recent victims of that “Start up password required” scam, too.
    Windows 8.1
    Dell XPS 8500
    Tried to boot that download you recommended but unsuccessful at rebooting pooter.
    We may be tech-challenged on “how to” do this.
    Really would appreciate help!

  80. Can they gain access just by calling and talking with you, or do you physically have to let them into your computer by following the steps they ask? or if your computer is on can they auto take over simply by it being on during your conversation, and how long does it take for them to have access?

  81. Luckily for me the regback folder was there. I followed your instructions copying the files from the regback folder to the config folder and low and behold it worked!! Thank you so very much for sharing this info about how to do this. Nothing else i tried was working.

  82. My grandmother was trying to download games on her computer and the website she went to told her that she needed an administrative password. They gave her a number to call and said that they were from bestbuy. She let then into her computer and now she said that there is this safe mode message that pops up and won’t let her on her computer. There is no message asking for a password. I’m going to check it out tomorrow to see if she’s just in safe mode or if they did something else. However, the person she spoke to was indian but it was a woman. Has anyone encountered this type of problem before? Someone did try to scam me but when they found out I was tech savy, they hung up.

  83. I’m unclear of the instructions for Windows 8/8.1, can you help? I’d really appreciate it.

    Thanks!

  84. Hi, followed the steps to remove/disable syskey passwords on XP machine, it still prompts for admin and user passwords and setting them to blank does not help. Any advice?
    Thank you

  85. Another modus operandi also from a guy with thick Indian accent claiming to be calling from Windows support in the US, that the Windows license you’re currently using had been identified as being involved in cyber criminal activities and it will be deactivated. He’ll add that it may not be you as the same Windows license can some time be hijacked by other people, so he will offer you help to solve this problem and if you reject that then he’ll said it was indeed you who conducted the criminal activity and threatened to file charges against you. Don’t fall for it, no legit company will call up people about this kind of thing, just hang up and ignore the guy, don’t even entertain him with a conversation, unless if you want to play dumb and turn the scam on him!

  86. Since being scammed I have noticed that I have had 5 caller’s saying a similar script. For a laugh 1 time I played along and after the 1st lady (who could hardly speak English) I was passed too an smoother sounding man who’s english was really good he tried to gain remote access and seemed angry after 17 mins. I kept or tried my best too keep him talking but he clicked I was wasting his time and hung up on me. & yes Indian every-time calling my mobile

  87. I’d like to add my thanks to you for posting this valuable information. It allowed me to help a friend who had a foolish moment.

  88. They are at it again. Now they claim your Windows license is expired and they show you (if you give them remote access) what information in your computer can be compromised; and for $200 they can renew your license. They are very slick….

  89. Olá Pessoal estou agora com um cliente com o mesmo problema, em um Servidor com a configuração Windows Server 2012.
    Porém tentei seguir os passos mas sem sucesso ao reinciar volta a janela de senha como antes, alguem passou por isso com um servidor ou ainda não temos solução para 2012 Server.

  90. Hello everyone I’m going through this agora with a client with the same problem on a server with a configuration of Windows Server 2012 .
    However I tried the Next Steps but without success . Reinciar back to the Password window as before, someone went through it with a server or we have no solution for Windows Server 2012 .
    Thanks in advance!

    Leonardo Gimenez

  91. I picked up the phone asked who’s this and he answered my name is “Steve Smith” from microsoft support with an indian accent thats when i hung up and went to sleep hahaha but on another note try using these passwords before doing all these procedures they are very common : ari123
    123 1234 123450 12345 123456 N123

  92. Hello, I was unfortunately a victim of the indian scam and the only thing i could do was a complete system wipe since my keyboard and mouse didnt connect for some reason. The question itself is if it works to wipe the harddrive or if the syskey enacts upon every piece of hardware. Could buying a new harddrive solve it?

  93. Thanks for the comments everyone!

    Joel, no sweat; as syskey is merely an encryption of the SAM registry file specifically, even simply reinstalling Windows will solve the problem. No wife of the data is necessary, and no replacement of any hardware is required.

  94. In Windows 8.1 & Windows 10 there is a very good option of resetting your computer to default settingsby going to advanced boot options reset your computer.
    All the data will be lost however you will get your computer back.

  95. Worked perfectly thanks. Downloaded the ISO and burnt it to a CD. Popped that into the laptop of the 80+ year old who had fallen for the scam and the password was removed. We were then able to restore to the previous day’s restore point. Lucky the laptop had a CD !

  96. Unfortunately my mother-in-law fell for one of these scams. it was from a “tech” named Patrick Wilson with a thick Indian accent calling from 1-800-857-1898. He claimed he was affiliated with Microsoft and after charging her $99.95, actually sent her a receipt from Mea Solutions. I am trying to get her money back while spreading the word.

  97. First I want to say THANK YOU to everyone on this post for helping me past feeling like a complete dunce!!!! Now, I was scammed yesterday and I’m getting the infamous Startup Password screen….. I’ve read all the comments and I’ve tried the password 1234 once the screen boots and something happens……. Here’s where it gets interesting! My mother decided that since she gave me the laptop as a gift, I should be happy that it came on, even though I require an HDMI cord to use it because the screen is broken! Now anyone who is a tech knows immediately what my problem is……. All these solutions are great for someone who can see their screen, but I Sir Diddly Dumdum can’t, so I can’t do any of these things! I just want to know if there is a way to fix this or should I just chalk it up as a loss and buy a new computer?

  98. I’ve read every thread, tried all passwords listed, and am stuck with win 8.1 on an HP 110-406 that will not allow backup through the system recovery program via cyberlink to DVD or external drive but I booted to Hiren’s and went straight to Mini XP but it doesn’t see the main drive, nor is the drive visible when removed, placed in a chassis and connected to other OS’s. Any ideas from other tools on Hiren’s or other distros?

  99. I also am trying to recover from scam and syskey set on. However, I have Windows 10 and have tried an image file but the option to set the syskey did not come up.
    Really struggling even tried to resore to previous point which still exist on the machine but it can’t install that correctly either.

    If only there was an easy way, maybe the scammers are the people who sell the application that can sort it all out at a cost…

  100. Huh , me to , same problem . I had backup of whole windows installation ,from before 3 weeks . Mounted in empty folder , copied whole NTUSER files from doc.setings.user.+ whole config folder from system 32 ,overwriten existing files and it WORKS !! Thanks a lot , ,

  101. “I have Windows 10 and have tried an image file but the option to set the syskey did not come up.”

    Not sure what this means exactly, however there is no reason to believe that the method I mentioned earlier to correct this in Windows 8 would not also work in Windows 10.

  102. I can not thank you enough for the tutorial on how to pass through these crooks..yesterday I had one call me lock me out my laptop and keep calling asking for money..when I said I couldn’t pay they got rude and kept demanding money..when I hung up they kept calling back…well I came across this after a Google search and tried it and it worked..thank you..

  103. The startup password is ALWAYS “1234” I have yet to see a scammer set it to something different

  104. Had this SCAM hit yesterday, and learned the hard way.. However I out scammed the scammer. When I had the password screen appear and they wanted their payment for their services I told them I can’t process a credit card online with out using my system. Gave me the password “WINDOWS123” which I wrote down. Told them to “F” off and hung up. Was able to have system open and changed the SYSKEY back to BLANK.
    Everything fine now. Found out they want the funds to go to “Stanbic IBTC” a BANK in Nigeria!!

  105. Have a Dell Laptop belonging to a friend which was on 8.1 but been upgraded to 10, and she has unwittingly been struck by these plonkers.
    None of the above tricks have worked, and I’m looking for a way to get the machine to boot from the Recovery Partition, so I can cleanly reinstall windows 8.1 factory image.
    Any pointers? I’m figuring it can’t be too hard, but it is a UEFI system (which I have imaged).

  106. I really wish one of these jerks would call me. I’d troll them so hard. I’d make a virtual machine for them to mess with, with snapshots, and they’d hate me, I’d act dumb and then screw with them. I work in IT so i’ve seen this kind of scam.

  107. Dear Steve, thank you so much for your article. Nearly 3 years after you posted it, it still does the trick, even with Windows 10. For those interested, here is the sequence of the actions that allowed me to unlock my sister’s PC (an ASUS N61J): 1°) I powered it on while pressing the key, to obtain the menu allowing me to boot on the CD-drive, where I inserted a DVD+R containing a bootable Linux Mint 17.2 Operating System; 2°) Inside Linux, I was able to copy the (unharmed) 5 files in scope from …system32/config/RegBack to …system32/config; 3°) Shutdown; 4°) Start the PC normally… —> back on tracks.

  108. Just wanted to say thank you! My son’s teacher had this happen to them, I was all set to reinstall Windows but thought I’d check to see if I could find an easier workaround. Your regback trick did it, much less time consuming than having to reinstall everything!

  109. So I just managed to get out of this scam with being able to do a system restore since I shut down my computer before they did too much damage. My question is should I have to worry about them having anymore access to my pc or having any malicious software left over? I already changed all my passwords and cancelled my card just in case.

  110. Thanks for the reply Steve one other thing I forgot to ask should I be concerned about identity theft since they got my full name and card details? I am unsure what else I should do. I have already alerted the bank/cancelled my card and changed all my passwords as I mentioned before, would it also be worth advising the police of potential identity fraud? I already submitted a report to “https://www.scamwatch.gov.au/” which is a federal site in Australia but I don’t know if I should bother contacting the police as well?

  111. THANK YOU SO MUCH!! this actually worked fine for my friend’s pc.
    I did have to overwrite the other files. this is a great knowledge base man!

  112. @Daniel – You’ve done all you can. Cancelling the card and changing passwords should be plenty to keep them from trying anything more. (They are after the “low-hanging fruit” and likely won’t go to the trouble to do anything else with your info.) Don’t concern yourself with alerting the police. There is little to nothing they can do as these scammers cross international borders and no one will go after them since it’s so many little jobs… if you can even identify who they are.

  113. I also have the box saying startup pass ward needed, now I got into the troubleshoot part of my laptop. I tried refresh & reset. I went to advance option where do I go from here? I am confused with this stuff?

  114. Hey Patricia,

    If you are having trouble there is no safer advice than to have a professional solve this for you. I would recommend printing out my instructions here and handing them to the technician you choose. Explain to them that you would like for them to follow these directions to a T and they should have no issues if they are experienced.

    One piece of advice: look for an independent, well-rated tech. It is not worth saving 50% on someone who’s terrible… and there are plenty of them. Likewise with the big-box stores; their feedback speaks for itself 🙂

    Good luck,

    Steve

  115. I was just called in the same way. They make you focus on writing some numbers so you are not focused on the screen. Meanwhile they try to op syskey and change the password. I was able to stop him and disconnect the Remote Desktop program before he was able to do anything. I called my phone company to block them. I am not sure if anything is change so hopefully I can restart my pc without any problems.

  116. Thank you so much! This was so helpful! Unfortunately I’m a tech at Staples so I don’t make shit for money, but I am bookmarking this page so I can donate as soon as I get a better job.

  117. Can this be removed via internal factory reset? I cannot see my screen because of it being cracked but I can naviagte to the factory reset well. Im locked out and my usual access to my screen is an external desktop screen. However to sensitive information windows locks out my external screen so I cannot see what Im doing.

  118. Absolutely amazing find and post on this site!

    This totally saved one of my co-workers Windows 10 All-in-one computers. The method of booting with a Linux Live CD and then copying the backed up files in RegBack to the config folder is what worked.

    It was a little tricky because I had to disable SecureBoot first to get legacy boot devices and then I was enable to re-enable SB after and it booted up just fine. It’s too bad people fall for these scams though…

Leave a Reply

Your email address will not be published. Required fields are marked *


Time limit is exhausted. Please reload CAPTCHA.