Syskey


The SAM Lock Tool, better known as Syskey is a discontinued component of Windows NT that encrypts the Security Account Manager database using a 128-bit RC4 encryption key.
First introduced in the Q143475 hotfix which was included in Windows NT 4.0 SP3, it was removed in Windows 10 1709, due to its use of cryptography considered insecure by modern standards, and its use as part of scams as a form of ransomware. Microsoft officially recommended use of BitLocker disk encryption as an alternative.

History

First introduced in the Q143475 hotfix included in Windows NT 4.0 SP3, Syskey was intended to protect against offline password cracking attacks by preventing the possessor of an unauthorized copy of the SAM file from extracting useful information from it.
Syskey can optionally be configured to require the user to enter the key during boot or load the key onto removable storage media.
In mid-2017, Microsoft removed syskey.exe from future versions of Windows. Microsoft recommends the use of "Bitlocker or similar technologies instead of the syskey.exe utility."

Security issues

The "Syskey Bug"

In December 1999, a security team from BindView found a security hole in Syskey that indicated that a certain form of offline cryptanalytic attack is possible, making a brute force attack appear to be possible. The problem is that SYSKEY has RC4 keystream reuse problems.
Microsoft later issued a fix for the problem. The bug affected both Windows NT 4.0 and pre-RC3 versions of Windows 2000.

Use as ransomware

Syskey is commonly abused by "tech support" scammers to lock victims out of their own computers, in order to coerce them into paying a ransom.