Topic: Syskey Recovery Tool - Simple CMD tool - Plugin Attached  (Read 465 times)

0 Members and 1 Guest are viewing this topic.

Syskey Recovery Tool - Simple CMD tool - Plugin Attached
« on: October 22, 2017, 04:40:53 AM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
THIS IS TO UNLOCK A MACHINE THAT WAS MALICOUSLY LOCKED WITH SYSKEY ONLY --- IT IS --> NOT <-- TO BE USED IF YOU USE SYSKEY ON PURPOSE AND FORGOT YOUR PASSWORD

This is so simple I really shouldn't be making this post -or- calling this a "Tool" BUT too many people do not know how to recover from syskey without 3rd party applications!  This process can only easily be done from bootable media, so this is actually the perfect place to provide a 1-click fix for general public.

This is really just a batch file.  It does the SUPER simple task of restoring the host machines registry to previous backup from the system32\config\RegBack folder.  Current 5 main registry hives get renamed to .OLD and the RegBack versions get copied into the system32\config\ folder.

This has proven useful countless times when scammers have used Syskey to lock unsuspecting users machines.

This is the first level of repair you should try for this type of attack.  If this doesn't work the scammer most likely was very clever and damaged\deleted your RegBack folder. 9 times out of 10 they do not.  If this is the case, you will need 3rd party tool like Passcape Reset Windows Password boot disc to make a more advanced attempt at recovery.

----> THE HOST MACHINE DRIVE LETTER MUST BE SET AS C: FOR THIS TO WORK <---- This is HARDCODED, If anyone wants to modify this using variables to make it universal or improve on it please do and post for all. (i.e. %systemdrive% type of variables etc etc) I originally compiled this into an EXE but it won't run correctly in the PE environment (probably choice issue but doesn't matter batch works fine) so at this time it is being left as a CMD file to ensure proper function. This was made for my build and works so I am finished with my modifications for now.

There is NO error checking - Use at your own risk - Make sure you have an idea of what the tool is doing and how it works, and how it can be reversed, before using..

Source, CMD, and Plugin Below----

Source:
Code: [Select]
@ECHO OFF
MODE CON COLS=44 LINES=30
IF EXIST C:\Windows\System32\Config\RegBack\ ( GOTO START ) ELSE ( GOTO ABORT2 )
:START
CLS
TITLE Syskey Recovery Tool v1.0
ECHO --------------------------------------------
ECHO                 ! WARNING !
ECHO --------------------------------------------
ECHO.
ECHO This tool will make changes to the registry
ECHO located on the current C:\
ECHO.
ECHO IF YOU DO NOT NEED THIS TOOL AND YOU USE IT
ECHO IT COULD CAUSE YOUR SYSTEM TO CRASH. NEVER
ECHO USE THIS TOOL UNLESS YOUR SYSTEM WAS LOCKED
ECHO WITH SYSKEY BY SOMEONE OTHER THAN YOU. THE
ECHO CHANGES MADE BY THIS TOOL ARE EASILY
ECHO REVERSIBLE, BUT THE TOOL SHOULD STILL BE
ECHO USED WITH CAUTION..
ECHO.
ECHO DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM
ECHO registry hives will be renamed to *.OLD
ECHO.
ECHO The registry state before Syskey lock will
ECHO then be restored.
ECHO.
ECHO Note: If there are any problems after using
ECHO this tool, simply delete the restored files,
ECHO and delete the *.OLD extension off of the
ECHO originals in C:\Windows\System32\Config
ECHO.
ECHO --------------------------------------------
ECHO.
CHOICE /M "Are you sure you want to continue?"
IF %ERRORLEVEL%==1 GOTO UNLOCKSYSKEY
IF %ERRORLEVEL%==2 GOTO ABORT
:ABORT
CLS
ECHO.
ECHO Operation cancelled. No Changes were made.
ECHO The tool will now exit.
ECHO.
ECHO.
PAUSE
EXIT
:ABORT2
CLS
ECHO.
ECHO HIVE backups are not present!! Either they
ECHO were removed or the system drive is not
ECHO mounted as C:\ with WinPE
ECHO
ECHO The tool cannot continue and will now close!
ECHO.
ECHO.
PAUSE
EXIT
:UNLOCKSYSKEY
CLS
ECHO.
C:
CD\Windows\system32\config
ECHO Moving Syskey Locked Registry...
REN DEFAULT DEFAULT.OLD
REN SAM SAM.OLD
REN SECURITY SECURITY.OLD
REN SOFTWARE SOFTWARE.OLD
REN SYSTEM SYSTEM.OLD
ECHO.
ECHO Restoring Previous Registry...
ECHO.
CD RegBack
COPY DEFAULT ..\DEFAULT
COPY SAM ..\SAM
COPY SECURITY ..\SECURITY
COPY SOFTWARE ..\SOFTWARE
COPY SYSTEM ..\SYSTEM
ECHO.
ECHO.
ECHO Syskey Recovery Complete! The program will
ECHO now exit.
ECHO.
PAUSE
EXIT

« Last Edit: October 26, 2017, 03:19:38 PM by bob.omb »

Re: Syskey Recovery Tool v1.0 - Simple CMD tool
« Reply #1 on: October 24, 2017, 10:36:22 AM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7374
Thanks for sharing.  :thumbsup:

Just an info, one can use small utility 'BL MountVol' to quickly get Windows drive C:

Downloads\ComponentsY\Tweaks\Remove Floppy ALL Mount Point 'BL MountVol'

--> Plugin as default only adds 'BL MountVol'

+
Edit:
There is also
Apps\System Tools\LetterSwap

that would probably mostly change windows drive to C: after PE boots.

****
Tip:
You can create plugin following:

*
Syskey Recovery Tool v1.0.cmd
Rename to -->
Syskey Recovery Tool.cmd

*
Utils\PC Packed
1) .......\Syskey Recovery Tool.cmd
2) Syskey Recovery Tool.cmd
3) Goooo

:turtle:
« Last Edit: October 24, 2017, 12:00:07 PM by Lancelot »

Re: Syskey Recovery Tool v1.0 - Simple CMD tool
« Reply #2 on: October 24, 2017, 10:42:13 AM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7374
*
If this doesn't work the scammer most likely was very clever and damaged\deleted your RegBack folder. 9 times out of 10 they do not.

Well it is also good to advice
 "be sure you made full shutdown" before starting PE
    ( to avoid faststartup and hibernation cause trouble !?!? )
+
 "be sure you do not have encrypted files on drives"





*
Thanks again for sharing this nice little cmd batch file. :thumbsup:

:turtle:

Re: Syskey Recovery Tool v1.0 - Simple CMD tool
« Reply #3 on: October 24, 2017, 05:24:04 PM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
"be sure you do not have encrypted files on drives"

Only for situations where user never could log in after scammed.  If user never logged because scammer locked them out, they could never log in and encrypt anything while sam was encrypted. If user was not scammed and syskey on purpose(forgot password), They would have to ignore new warnings for this.  It doesn't reset password just reverts hives to recent previous versions, so no risk at all for encryption unless advanced user tries to break and ignores all warning/usage notes.  :great:  Should work for scammer syskey locks safely almost all of the time, rarely will need to restore backup .OLD files, and proceed to actual password removal (Most likely with Passcape, RWP.EXE boot disk\ISO which very cleverly is corrupt when trying to run outside of their Win7PE provided WIM. :tongue:)

I will probably compile w/icon when I have time, until then I updated description post above and in codebox and attached 7z file... For hibernation, this can be deleted safely no? when system is in distress situation during repair? (hiberfile.sys?) Maybe remotely disable hibernation first (Registry? like powercfg options) Next update after I make sure this is safe enough I will most likely check if present, possibly rename/delete if present. If safe will fix soon.. Its so simple I almost feel stupid working on it and not making it look better but it does its job its 10 operations (5 renames and 5 copies - lol) so I don't want to go too crazy =) Will make me very happy if this helps someone

Pretty sure default options on Win10PESE provide letterswap and auto assign drive 0 as C:\

BTW:

Utils\PC Packed
1) .......\Syskey Recovery Tool.cmd
2) Syskey Recovery Tool.cmd
3) Goooo

I VERY much like the CMD add of PCPacked - Editing window on side of plugin screen in builder  :great: I only wish I could add an icon
« Last Edit: October 24, 2017, 06:41:46 PM by bob.omb »

Re: Syskey Recovery Tool v1.0 - Simple CMD tool
« Reply #4 on: October 24, 2017, 08:39:31 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7374
For hibernation, this can be deleted safely no?
I did in the past.  :wink:
I also FastStartup -> swapfile.sys should be deletable too.  :wink:
not tested for a long while now....

"be sure you do not have encrypted files on drives"
Only for situations where user never could log in after scammed.
I mean scammer encrypt files (My Documents)  :wink:
Probably 1 out of 100 ?

10 operations (5 renames and 5 copies - lol)
Yes simple and nice.  :great:

Still, Sometimes it requires time to create something for end user.
Junction plugin I made was initially 1 line (later 2 lines) junc to ramdrive folder.
To avoid end user mistakes, it became 168+ 68 line inside plugin batch file (later +97 lines on Macro Library)

Still, Idea stays same, 2 lines of junction.  :wink:

 :great:
:turtle:

Re: Syskey Recovery Tool - Simple CMD tool
« Reply #5 on: October 24, 2017, 08:41:15 PM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
Plugin attached to OP

Re: Syskey Recovery Tool - Simple CMD tool
« Reply #6 on: October 24, 2017, 08:58:33 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7374
I only wish I could add an icon

Click "Edit" button on plugin.

At top select "Description"

you can change "Logo" there.

**
Use 48x48 ico files to avoid big sized ico.

Utils\"PC Provide files" plugin (Plugin Creator Provide Files)
1)
Optional Exe Location --> select an .ico or .exe file
2)
At right of "Optional Exe Location" text you will see a green play button with a circle, click it.
3)
On your desktop you should notice a new 48 48 icon (Press F5 if you do not)

==>
Than on your plugin
"Edit" - "Description" "Logo" -- "Select an image to use as log" button......

 :thumbsup:





Tip:
Utils\"PC Provide files" plugin
At right of "Optional Exe Location" text there is "open folder" button to see other icons if required.

Tip:
Also check:
Downloads\UtilsY\PC Utilities (Plugin Create Utilities)
« Last Edit: October 24, 2017, 09:01:27 PM by Lancelot »

Re: Syskey Recovery Tool - Simple CMD tool - Plugin Attached
« Reply #7 on: October 25, 2017, 08:03:28 AM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
I meant on the CMD file, its not possible unless I compile, and then people cant see what it does by looking in source... I'm trying to figure out how to add an icon to the shortcut that gets placed into start menu with plugin above.  It does create a shortcut, but it uses default CMD icon as shortcut icon.

That way instead of seeing default system CMD icon it looks like an application.  Always the small things that stop me. :lol:

I used above method to add icon to plugin interface, when I figure out shortcut issue ill update in OP - Re-running build to see if that creates icon on shortcut.  I'm pretty sure I need to add the .ico file into "Attached" on plugin and add something into the script if it is possible...
« Last Edit: October 25, 2017, 08:10:42 AM by bob.omb »

Re: Syskey Recovery Tool - Simple CMD tool - Plugin Attached
« Reply #8 on: October 25, 2017, 08:53:48 AM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7374
Ho bob.omb

Attach icon inside plugin ( the one you want for shortcut )
and put new plugin to your topic.

I will try to add 1 line and 3 same ( shortcut lines) modification to your plugin when I have free time.

:turtle:


Re: Syskey Recovery Tool - Simple CMD tool - Plugin Attached
« Reply #9 on: October 25, 2017, 09:22:39 AM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
Plugin updated in OP

2 icons included in plugin "Attachments"

A 48x48 icon <---- we made for plugin interface (which is already added but wasn't sure if this is the size we need to use for shortcut)

-also-

A Mutli-Size Icon (256x256 - 128x128 etc etc -Bigger file size-) <----(I would prefer this multisize as the .ico used for shortcut if possible)

Whichever of the two you don't use can be deleted from the attachments

--

It figures :sad: just found this..From microsoft for 1709 :grin: better for everyone though, its about time! lol 

Syskey.exe
Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article:
4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3

Plugin can still be usefull.  Better to have and not need, than need and not have.(Or remember commands  :tongue:)
« Last Edit: October 25, 2017, 08:35:35 PM by bob.omb »

Re: Syskey Recovery Tool - Simple CMD tool - Plugin Attached
« Reply #10 on: October 26, 2017, 03:39:56 AM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7374
Hi bob.omb

+
rename your cmd file to Syskey_Recovery_Tool.cmd

+
download new
Utils\PC Packed plugin (v80 now)

1) ....\Syskey_Recovery_Tool.cmd
2) Syskey_Recovery_Tool.cmd
Goo

+
Add your Logo syskey_GzE_icon_0_048048.ico
+
Attach your icon (syskey_GzE_icon.ico) to plugin [Folder] as you did before.
+
inside plugin rename all (for now 4)
My_CMD_Icon.ico
-->
syskey_GzE_icon.ico
+
uncomment this line:
Code: [Select]
//ExtractFile,%ScriptFile%,Folder,syskey_GzE_icon.ico,%ProjectTemp%\TempExtractFolder\%ProgramFolder%\%ProgramFolder%
-->
Code: [Select]
ExtractFile,%ScriptFile%,Folder,syskey_GzE_icon.ico,%ProjectTemp%\TempExtractFolder\%ProgramFolder%\%ProgramFolder%
+
uncomment this line:
Code: [Select]
//FileCopy,%ProjectTemp%\TempExtractFolder\%ProgramFolder%\%ProgramFolder%\syskey_GzE_icon.ico,%Target_Sys%
-->
Code: [Select]
FileCopy,%ProjectTemp%\TempExtractFolder\%ProgramFolder%\%ProgramFolder%\syskey_GzE_icon.ico,%Target_Sys%
+
Replace these lines:
Code: [Select]
If,%pCheckBox1%,Equal,True,Add_Shortcut,Desktop
If,%pCheckBox2%,Equal,True,Add_Shortcut,StartMenu,%pTextBox1%
If,%pCheckBox3%,Equal,True,Add_Shortcut,QuickLaunch
If,%pCheckBox4%,Equal,True,Add_Shortcut,AutoRun
-->
Code: [Select]
If,%RunFromSys32_CheckBox%,Equal,False,Begin
If,%pCheckBox1%,Equal,True,Add_Shortcut,Desktop,,%PE_Programs%\%ProgramFolder%\%ProgramExe%,%ProgramTitle%,%PE_Programs%\%ProgramFolder%,,%PE_Programs%\%ProgramFolder%\syskey_GzE_icon.ico
If,%pCheckBox2%,Equal,True,Add_Shortcut,StartMenu,%pTextBox1%,%PE_Programs%\%ProgramFolder%\%ProgramExe%,%ProgramTitle%,%PE_Programs%\%ProgramFolder%,,%PE_Programs%\%ProgramFolder%\syskey_GzE_icon.ico
If,%pCheckBox3%,Equal,True,Add_Shortcut,QuickLaunch,,%PE_Programs%\%ProgramFolder%\%ProgramExe%,%ProgramTitle%,%PE_Programs%\%ProgramFolder%,,%PE_Programs%\%ProgramFolder%\syskey_GzE_icon.ico
If,%pCheckBox4%,Equal,True,Add_Shortcut,AutoRun,,%PE_Programs%\%ProgramFolder%\%ProgramExe%,%ProgramTitle%,%PE_Programs%\%ProgramFolder%,,%PE_Programs%\%ProgramFolder%\syskey_GzE_icon.ico
End
//-
If,%RunFromSys32_CheckBox%,Equal,True,Begin
If,%pCheckBox1%,Equal,True,Add_Shortcut,Desktop,,%PE_Programs%\%ProgramExe%,%ProgramTitle%,%PE_Programs%,,%PE_Programs%\syskey_GzE_icon.ico
If,%pCheckBox2%,Equal,True,Add_Shortcut,StartMenu,%pTextBox1%,%PE_Programs%\%ProgramFolder%\%ProgramExe%,%ProgramTitle%,%PE_Programs%\%ProgramFolder%,,%PE_Programs%\%ProgramFolder%\syskey_GzE_icon.ico
If,%pCheckBox3%,Equal,True,Add_Shortcut,QuickLaunch,,%PE_Programs%\%ProgramFolder%\%ProgramExe%,%ProgramTitle%,%PE_Programs%\%ProgramFolder%,,%PE_Programs%\%ProgramFolder%\syskey_GzE_icon.ico
If,%pCheckBox4%,Equal,True,Add_Shortcut,AutoRun,,%PE_Programs%\%ProgramFolder%\%ProgramExe%,%ProgramTitle%,%PE_Programs%\%ProgramFolder%,,%PE_Programs%\%ProgramFolder%\syskey_GzE_icon.ico
End




******
you need to improve your plugin skills.
 Plugins are batch files having similar syntax with cmd, so it would be easy for you.  :thumbsup:

:turtle:

Re: Syskey Recovery Tool - Simple CMD tool - Plugin Attached
« Reply #11 on: October 26, 2017, 03:21:19 PM »

bob.omb

  • Chef
  • ***
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 159
Updated plugin attached to OP.  Thank you for showing me how shortcuts / placing files from within attachments / making compatible works with syntax... :great:


Re: Syskey Recovery Tool - Simple CMD tool - Plugin Attached
« Reply #12 on: October 30, 2017, 01:15:27 PM »

Lancelot

  • Gena Baker
  • Grand Chef
  • *****
  • Date Registered: Sep 2010
  • Posts: 7374
Hi bob.omb

I put a bulletin plugin to server to help end usres find your plugin easier.

Downloads\AppYGS\Security\Syskey Recovery Tool - Bob.Omb - Bulletin

:turtle:

 

Powered by EzPortal