Use Syskey on Windows 7 to encrypt the SAM to hardening system

To totally unlock this section you need to Log-in


Very few netbook computers support BitLocker, which means that they are vulnerable to utilities that allow you to boot from a USB device and reset the local administrator password. The way to ensure that this type of attack doesn’t work is to use SYSKEY to encrypt the SAM database.

Use Syskey on Windows 7 to encrypt the SAM to hardening system

Use Syskey on Windows 7 to encrypt the SAM to hardening system

Obviously this solution can be used even on laptops and desktop computers.


SYSKEY is a tool that has been around for some time on Windows client operating systems, but most administrators don’t bother using it because it makes recovering a computer difficult in the event that a user forgets their password. In some cases you want to do all that you can do to protect the data on a netbook computer. To do this, you should use SYSKEY to encrypt the SAM database and use EFS to encrypt any locally stored files and folders. To accomplish this, perform the following steps:

  • Log on to Windows 7 with an account that has local administrator access.
  • Type SYSKEY into the textbox on the start menu. Click OK at the UAC prompt.
  • Select the Encryption Enabled Option.
  • Select the Password Startup Option. Enter the Startup Password that must be entered each time.
  • Reboot the computer.
  • From now on the Startup Password must be entered to unlock the SAM database before local logon will be allowed.

    You can see these steps in the following video:

    [hana-flv-player video=" and Windows 7.flv" width="500" height="325" autoplay="false" loop="false" player="1" /]

    Check if SysKey is enabled

    The easiest way to find out whether an NT machine has Syskey enabled is to type...

 the command prompt (cmd.exe). This command brings up the Securing the Windows NT Account Database dialog box that Figure 1 shows, which indicates whether Syskey encryption is enabled.

    Alternatively, you can check for the registry value:


    If the Secureboot value (of type REG_DWORD) exists and is set to a value of 0x1, 0x2, or 0x3, Syskey is enabled on the system.