Use SysKey Utility to lock Windows computer using USB stick

SysKey is an in-built Windows utility that can help you secure the Security Accounts Management or SAM database. In case you do not know, the SAM Database stores hashed copies of our user passwords, which is encrypted with a locally stored system key.

The Windows operating system prevents the use of stored, unencrypted password hashes and requires that the password hashes and user information be encrypted. These crypted versions of the passwords are usually stored in a file called sam, found in system32\config folder. This file is a part of the registry, in a binary format, and not easily accessible.

If you wish to provide additional security to the SAM Database, you can use SysKey to move the SAM database encryption key off your computer. Moreover, using SysKey, you can also configure a start-up password to be entered in order to decrypt the system key, so that the SAM database can be accessed.

In this article, I will tell you how you can use SysKey or the SAM Lock Tool to further secure the Windows Security Accounts Management database.

UPDATE: Syskey.exe utility is no longer supported in Windows 10 v1709 and later. If you want to use boot-time OS security, you may use BitLocker.

Syskey Utility

To open the SAM Lock Tool, type syskey in start search and hit Enter.

Click on Update, for the default option of Encryption enabled.

Select the Password Startup option, if you want to require a password to start Windows. Make sure you use a strong password – you can use one here which is 12 to 128 characters long! If you do not want to exercise this option, keep it unselected.

If you choose to Store Startup Key Locally, it will store a key as a part of the operating system, and no interaction is required from the user during system startup. If you chose this option, i.e. Store Startup Key Locally, and click OK, you will get a message saying that the Account database start-up key was changed.

Click OK again, and the utility will exit. Now every time your computer boots, if you had opted for the Password Startup option, you will be asked to enter a Startup Password, before you can proceed to log in using your login credentials.

If you select Store Startup Key on Floppy Disk, to store the system startup password on a floppy disk and clicked OK, you will be asked to insert your floppy, or in our case, the USB stick – no one uses a floppy these days – so you may use a USB stick.

It is important to note that the media has to be mounted on Drive A. Using Disk Management, you can of course always first assign this drive letter to your USB thumb drive, before running SysKey.

Once you have inserted your USB stick, click OK. The Startup key will now be saved on your USB stick!

Now to login into your computer, you will need to insert the USB stick first, when you boot your computer. If you do not insert the USB stick, you will not be able to log in. When you insert the USB stick, Windows loads the encryption key from drive ‘A’ – which is where you will have inserted your USB. If you have set a password, you will be asked to enter it, before you can proceed to enter your login credentials.

Syskey Removal

To reverse this action and disable SysKey, run SysKey again and this time choose to Store Startup Key Locally.

Incidentally, way back in 1999, a security hole was found in SysKey which allowed it to be hacked with the help of some brute force attacking tools. But a fix for this SysKey Bug was later released and the hole patched up.

The SAM Lock Tool may not provide fool-proof security – at least not from professional hackers – but at least it is one additional layer of security – apart from using BitLocker – you can give to your Windows 7 computer.

Some of you may want to check out this list of free software that helps you lock Windows using USB Pen Drive.

Posted by on , in Category Windows with Tags
Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.


  1. Phrozencrew2020

    Thanks. I already use this built in security features.

  2. bogidu

    So, here’s a question. When a user loses the usbkey, what do you do? Logic would dictate having a backup of the usbkey, however when you insert a different key it is assigned a different drive letter rendering the backup useless.


    Also with the microsoft support scan being so prevalent how can you reset the syskey once they’ve used it to lock you out? particulalrly hard to do on the uefi systems.

  4. Dave Earle

    How come when I type in ‘syskey’, I get a message from Windows that it can’t find ‘syskey’? I on Windows 10; is that not necessary, or built into Windows 10? I was just curious, because I know that Microsoft tech support scams use syskey, to lock users out of their own computers, so I was researching ways around that; of course, the BEST way around that, is to just hang up on them! lol

  5. Syskey.exe utility is no longer supported in Windows 10 v1709 and later.

Leave a Reply

Your email address will not be published. Required fields are marked *

6 + 1 =