SysKey is an in-built Windows utility that can help you secure the Security Accounts Management or SAM database. In case you do not know, the SAM Database stores hashed copies of our user passwords, which is encrypted with a locally stored system key.
The Windows operating system prevents the use of stored, unencrypted password hashes and requires that the password hashes and user information be encrypted. These crypted versions of the passwords are usually stored in a file called sam, found in system32\config folder. This file is a part of the registry, in a binary format, and not easily accessible.
If you wish to provide additional security to the SAM Database, you can use SysKey to move the SAM database encryption key off your computer. Moreover, using SysKey, you can also configure a start-up password to be entered in order to decrypt the system key, so that the SAM database can be accessed.
In this article, I will tell you how you can use SysKey or the SAM Lock Tool to further secure the Windows Security Accounts Management database.
UPDATE: Syskey.exe utility is no longer supported in Windows 10 v1709 and later. If you want to use boot-time OS security, you may use BitLocker.
To open the SAM Lock Tool, type syskey in start search and hit Enter.
Click on Update, for the default option of Encryption enabled.
Select the Password Startup option, if you want to require a password to start Windows. Make sure you use a strong password – you can use one here which is 12 to 128 characters long! If you do not want to exercise this option, keep it unselected.
If you choose to Store Startup Key Locally, it will store a key as a part of the operating system, and no interaction is required from the user during system startup. If you chose this option, i.e. Store Startup Key Locally, and click OK, you will get a message saying that the Account database start-up key was changed.
Click OK again, and the utility will exit. Now every time your computer boots, if you had opted for the Password Startup option, you will be asked to enter a Startup Password, before you can proceed to log in using your login credentials.
If you select Store Startup Key on Floppy Disk, to store the system startup password on a floppy disk and clicked OK, you will be asked to insert your floppy, or in our case, the USB stick – no one uses a floppy these days – so you may use a USB stick.
It is important to note that the media has to be mounted on Drive A. Using Disk Management, you can of course always first assign this drive letter to your USB thumb drive, before running SysKey.
Once you have inserted your USB stick, click OK. The Startup key will now be saved on your USB stick!
Now to login into your computer, you will need to insert the USB stick first, when you boot your computer. If you do not insert the USB stick, you will not be able to log in. When you insert the USB stick, Windows loads the encryption key from drive ‘A’ – which is where you will have inserted your USB. If you have set a password, you will be asked to enter it, before you can proceed to enter your login credentials.
To reverse this action and disable SysKey, run SysKey again and this time choose to Store Startup Key Locally.
Incidentally, way back in 1999, a security hole was found in SysKey which allowed it to be hacked with the help of some brute force attacking tools. But a fix for this SysKey Bug was later released and the hole patched up.
The SAM Lock Tool may not provide fool-proof security – at least not from professional hackers – but at least it is one additional layer of security – apart from using BitLocker – you can give to your Windows 7 computer.
Some of you may want to check out this list of free software that helps you lock Windows using USB Pen Drive.