Determine whether Syskey has been applied to a system

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Syskey strongly encrypts the password hashes in the Windows NT SAM. Syskey will help to protect the passwords stored in ERDs and backup tapes. The system will not boot without the encryption key. For background: Encrypt hashes in SAM with 128-bit encryption using SYSKEY.

How can you determine whether Syskey has or has not been applied to enhance NT's security? You can sit down at the console of each NT system and issue the Syskey command. The Syskey command will tell you whether it is in place and, if it is, which mode is in use: the startup key is stored locally on the hard drive; the startup key must be entered at the console at boot; or the startup key is stored on a floppy disk, which must be inserted in the floppy drive when the system prompts for the diskette. This is not a realistic solution if you have hundreds of systems spread around the country.

How does NT know that Syskey has been applied to a system? The presence of the SecureBoot value means Syskey has been applied. Its value reveals how the Startup Key must be accessed:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: SecureBoot
Type: REG_DWORD
Value: 0x1 Startup Key stored on local hard drive
Value: 0x2 password Startup Key
Value: 0x3 Startup Key stored on floppy disk
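
Because the answer lives in a registry value, the check can be run remotely instead of at each console. The following is an added example, not part of the original article: it reads SecureBoot over the remote registry for a list of hosts. The function name Get-SyskeyMode and the file hosts.txt are hypothetical, and it assumes the Remote Registry service is reachable and the caller may read HKLM on each target.

```powershell
# Added example: survey the SecureBoot value on many hosts via remote registry.
# hosts.txt (hypothetical) holds one computer name per line.

# Meanings of SecureBoot as listed in the article.
$modes = @{
    1 = 'Startup Key stored on local hard drive'
    2 = 'Password Startup Key'
    3 = 'Startup Key stored on floppy disk'
}

function Get-SyskeyMode {
    param([Parameter(Mandatory)][string]$ComputerName)

    $base = $null; $lsa = $null; $value = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $lsa = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($lsa) { $value = $lsa.GetValue('SecureBoot') }   # $null when absent

        if ($null -eq $value) {
            $status = 'SecureBoot absent: Syskey not applied'
        } elseif ($modes.ContainsKey([int]$value)) {
            $status = $modes[[int]$value]
        } else {
            # Values outside 1-3 are not described in the article; flag for review.
            $status = "Unexpected SecureBoot value: $value"
        }
    }
    catch {
        # Unreachable host, service stopped, or access denied: report, do not guess.
        $status = "Query failed: $($_.Exception.Message)"
    }
    finally {
        if ($lsa)  { $lsa.Close() }
        if ($base) { $base.Close() }
    }
    [pscustomobject]@{ Computer = $ComputerName; SecureBoot = $value; Status = $status }
}

Get-Content .\hosts.txt |
    ForEach-Object { Get-SyskeyMode -ComputerName $_ } |
    Format-Table -AutoSize
```

Hosts reported as "Query failed" are unknown rather than unprotected and need a follow-up check.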
