How to bypass Windows Startup Password
While at Kimbley IT we focus on business IT support, I have held on to a handful of elderly clients from my days as a single technician helping residential customers. Elderly clients are generally not demanding, and the work helps me keep my hand in support while running the Kimbley IT business.
Recently, I had a call from one of these customers. They had fallen for a fake Talk Talk support call.
The criminal had conned them into giving him access to their computer "to fix their broadband". The criminal also got them to pay him a significant amount of money. Luckily, the bank in this case was very supportive and returned the stolen money to their account.
Bypass Windows Startup Password.
During the attack, the criminal set up a password protection feature built into Windows called SysKey, which requires an additional password to be entered before logging in to Windows. Of course, the victims did not know this password and were unable to access their computer after the attack had concluded.
Initially, it looked like the only way to get the computer working again would be to wipe the machine and reinstall Windows. Sadly, the customer was not sure all their data had been backed up. So I decided to research another way to gain access to the machine.
Searching Google, I found it difficult to find an exact solution to this problem: lots of advice, but none that would work. Then I stumbled upon a Bleeping Computer forums thread. Tucked deep in the thread was a bit of guidance on a manual registry restore that looked like it could work and was worth an attempt.
It worked! I was able to remove the Windows Startup Password and gain access to the computer again, without needing to wipe and reinstall Windows.
My solution was slightly different to Bleeping Computer's in that I used Ubuntu to gain access to the hard drive on the infected computer to replace the registry.
Here is what I did:
Downloaded Rufus. Ran Rufus to make a bootable version of Ubuntu on a USB stick.
On the infected computer booted to Ubuntu on the USB Stick and ran Ubuntu (without installing).
Navigated to \Windows\System32\Config\RegBack - and made a copy of the files within the folder.
Pasted the copied files into \Windows\System32\Config, overwriting any existing files, to restore the registry to an earlier state.
Rebooted the infected computer and gained access to Windows again.
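The steps above, written as a small shell script to run from the Ubuntu live session. This is an added example, not the post's own procedure or anything from Bleeping Computer; the function names `regback_usable` and `restore_regback` and the mount point are assumptions (it takes the mounted Windows volume as its one argument, and assumes the volume is mounted read-write, for example via ntfs-3g). It adds two things the bare copy step does not: it refuses to proceed when the RegBack hives are empty, which is the default on Windows 10 version 1803 and later unless periodic registry backup was re-enabled, and it sets the current hives aside in a timestamped folder so the overwrite can be undone.

```shell
#!/bin/sh
# Hypothetical RegBack restore helper (added example, not from the original post).
# Usage: restore_regback /media/ubuntu/OS    <- mount point of the Windows volume (assumed)

# The registry hives that Windows keeps a copy of in RegBack.
HIVES="SAM SECURITY SOFTWARE SYSTEM DEFAULT"

# Return 0 only if every hive in the given RegBack folder exists and is non-empty.
# Windows 10 1803+ ships zero-byte placeholder files here by default, and copying
# those over the live hives would make the installation unbootable.
regback_usable() {
    regback="$1"
    for h in $HIVES; do
        [ -s "$regback/$h" ] || return 1
    done
    return 0
}

# Save the live hives to a timestamped folder, then overwrite them from RegBack.
restore_regback() {
    win="$1"
    # Linux mounts are case-sensitive and the folder is spelled "config" on disk,
    # so locate it case-insensitively rather than hard-coding the case.
    config=$(find "$win/Windows/System32" -maxdepth 1 -type d -iname config | head -n 1)
    if [ -z "$config" ]; then
        echo "no System32 config folder under $win" >&2
        return 1
    fi
    regback="$config/RegBack"
    if ! regback_usable "$regback"; then
        echo "RegBack hives missing or empty in $regback; refusing to overwrite" >&2
        return 1
    fi
    backup="$config/Config.pre-restore.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup"
    for h in $HIVES; do
        # Keep a copy of the current hive so the restore is reversible.
        if [ -f "$config/$h" ]; then
            cp -p "$config/$h" "$backup/"
        fi
        cp -p "$regback/$h" "$config/$h"
    done
    echo "restored $HIVES from RegBack; previous hives saved in $backup"
}
```

Restoring from RegBack rolls the whole registry back to the date of that backup, so any software installed or settings changed since then will be missing after the reboot; the saved copy in the `Config.pre-restore.*` folder is what you copy back if the machine does not boot. Note also that syskey.exe was removed from Windows starting with Windows 10 version 1709, so this particular lockout only applies to older builds.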