Microsoft Phone Scam

I worked with a gentleman today who had received a phone call from someone posing as a Microsoft rep. This was interesting because it was something I had not seen in a LONG time. The gentleman figured out he was being scammed and tried to get the scammer off the phone, but did not get them out of his PC. It was a Windows XP PC, and the scammer set the Windows XP startup password (the syskey password), not a user account password. It looked like the following:

[Image: the syskey startup password prompt]

I had to research how to get around this, so I thought I would post it in case any other searchers need help with it. You may get lucky & crack the password, but I did not have that luxury, as I was on the customer’s dime. Here are the steps I took, and some links to reference items.

1) Boot the PC into a standalone environment that gives you a command line. You won’t be able to boot into the Windows XP Recovery Console, because it needs the administrator password & this startup password (and if you guessed the password, well then you don’t need to be at this step, right?)

2) Once at the cmd prompt, you need to remove the “corrupt” (locked) registry hive files and restore a backup set. This can be done with the following steps:

  • Navigate to C:\Windows\System32\config (you must be in this directory for the following cmds to work properly)
  • Back up the following files to another location in case this does not work – software, system, sam, default, security – using the following cmds:
    • md backup
    • copy software .\backup
    • copy system .\backup
    • copy sam .\backup
    • copy default .\backup
    • copy security .\backup
  • Delete these same files now
    • del software
    • del system
    • del sam
    • del default
    • del security
  • Copy working files from repair directory
    • copy c:\windows\repair\software
    • copy c:\windows\repair\system
    • copy c:\windows\repair\sam
    • copy c:\windows\repair\default
    • copy c:\windows\repair\security
  • Reboot your computer. It may look odd, but don’t worry, the next steps will correct that.
  • Reference the following link, but start from Part 2: https://support.microsoft.com/en-us/kb/307545 (Skip Part 4, I’m not really sure why Microsoft included that)
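The hive swap above as a single batch script, added here as an example and not part of the original post or the Microsoft KB: it refuses to delete anything until every repair-directory hive exists and every backup copy has been verified, so a failed copy leaves the original hives in place. It assumes a Windows command-line recovery environment (WinPE or similar) where the XP system volume is visible as C:; the paths are the ones from the steps above.

```batch
@echo off
REM Added example (not from the original post): the hive-swap steps as one script
REM with safety checks. Assumes a Windows command-line recovery environment where
REM the XP system drive is C:. The directory paths are those used in the steps above.
setlocal
set CONFIG=C:\Windows\System32\config
set REPAIR=C:\Windows\repair
set HIVES=software system sam default security

if not exist "%CONFIG%" (echo Config directory %CONFIG% not found & exit /b 1)
if not exist "%REPAIR%" (echo Repair directory %REPAIR% not found & exit /b 1)

REM Refuse to run unless every replacement hive is present in the repair directory.
for %%H in (%HIVES%) do (
  if not exist "%REPAIR%\%%H" (echo Missing %REPAIR%\%%H, aborting & exit /b 1)
)

cd /d "%CONFIG%" || exit /b 1
if not exist backup md backup

REM Back up the current (locked) hives and verify each copy before deleting anything.
for %%H in (%HIVES%) do (
  copy /y "%%H" backup\ >nul
  if not exist "backup\%%H" (echo Backup of %%H failed, aborting & exit /b 1)
)

REM Only now replace the locked hives with the repair-directory set.
for %%H in (%HIVES%) do (
  del /f "%%H"
  copy /y "%REPAIR%\%%H" . >nul
  if not exist "%%H" (echo Restore of %%H failed, originals are in %CONFIG%\backup & exit /b 1)
)

echo Hives replaced. Reboot, then continue from Part 2 of KB 307545.
endlocal
```

Because the repair-directory hives date from the original installation, expect local accounts and settings to revert to that state until the later KB parts restore a newer copy.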

This should get you back up and working, at least to a point, without the startup password. It worked for me, and my customer was back in business.
