Syskey.exe is included with Service Pack 3 (SP3) and later for Windows NT 4.0.
NOTE: If you want to change where the SYSKEY key is stored, use the SYSKEY tool do not modify the registry directly. If you modify the registry, SYSKEY will work correctly but give the impression that it is not.
IMPORTANT: For important information about a security issue with the Syskey tool, see the following article in the Microsoft Knowledge Base:
Only the private password information is strongly encrypted in the database, not the entire account database. Every system using the strong encryption option will have a unique password encryption key. The password encryption key is itself encrypted with a System Key. Strong password encryption may be used on both Windows NT Server and Workstation where account information is stored. Using strong encryption of account passwords adds additional protection for the contents of the SAM portion of the registry and subsequent backup copies of the registry information in the %systemroot%\repair directory created using the RDISK command and on system backup tapes.
The System Key is defined using the command Syskey.exe. Only members of the Administrators group can run the Syskey.exe command. The utility is used to initialize or change the System Key. The System Key is the "master key" used to protect the password encryption key and therefore protection of the System Key is a critical system security operation.
There are three options for managing the System Key designed to meet the needs of different Windows NT environments. The System Key options are the following:
- Use a machine-generated random key as the System Key and store the key on the local system using a complex obfuscation algorithm. This option provides strong encryption of password information in the registry and allows for unattended system restart.
- Use a machine-generated random key and store the key on a floppy disk. The floppy disk with the System Key is required for the system to start and must be inserted when prompted after Windows NT begins the startup sequence, but before the system is available for users to logon. The System Key is not stored anywhere on the local system.
- Use a password chosen by the Administrator to derive the System Key. Windows NT will prompt for the System Key password when the system is in the initial startup sequence, but before the system is available for users to logon. The System Key password is not stored anywhere on the system. An MD5 digest of the password is used as the master key to protect the password encryption key.
WARNING: If the System Key password is forgotten or the System Key floppy disk is lost, it may not be possible to start the system. Protect and store the System Key information safely with backup copies in the event of emergency. The only way to recover the system if the System Key is lost is using a repair disk to restore the registry to a state prior to enabling strong encryption. See the Repair Issues section below.
Strong encryption may be configured independently on the Primary and each Backup Domain Controllers (DCs). Each domain controller will have a unique password encryption key and a unique System Key. For example, the Primary DC may be configured to use a machine generated System Key stored on a disk, and Backup DCs may each use a different machine generated System Key stored on the local system. A machine generated System Key stored locally on a Primary domain controller is not replicated.
Before enabling strong encryption for Primary domain controllers, you may want to ensure a complete updated Backup domain controller is available to use as a backup system until changes to the Primary domain are complete and verified. Before enabling strong encryption on any system, Microsoft recommends making a fresh copy of the Emergency Repair Disk, including the security information in the registry, using the command, RDISK /S. Please see the following article in the Microsoft Knowledge Base prior to using RDISK /S:
TITLE : RDISK /S and RDISK /S- Options in Windows NT
The SYSKEY command is used to select the System Key option and generate the initial key value. The key value may be either a machine generated key or a password derived key. The SYSKEY command first displays a dialog showing whether strong encryption is enabled or disabled. After the strong encryption capability is enabled, it cannot be disabled. To enable strong authentication of the account database, select the option "Encryption Enabled", and click OK. A confirm dialog appears reminding the administrator to make an updated emergency repair disk. A new dialog appears presenting options for the Account Database Key. Use the options available on Account Database Key dialog to select the System Key.
After selecting the System Key option, Windows NT must be restarted for the System Key option to take effect. When the system restarts, the administrator may be prompted to enter the System Key, depending on the key option chosen. Windows NT detects the first use of the System Key and generates a new random password encryption key. The password encryption key is protected with the System Key, and then all account password information is strongly encrypted.
The SYSKEY command needs to be run on each system where strong encryption of the account password information is required. SYSKEY supports a "-l" command option to generate the master key and store the key locally on the system. This option enables strong password encryption in the registry and allows the command to run without an interactive dialog. The SYSKEY command can be used at a later time to change the System Key options from one method to another, or to change the System Key to a new key. Changing the System Key requires knowledge of, or possession of, the current System Key. If the password derived System Key option is used, SYSKEY does not enforce a minimum password length, however long passwords (greater than 12 characters) are recommended. The maximum System Key password length is 128 characters.
SYSKEY should be applied to all domain controllers. If this is not done, the SAM on the backup domain controllers (BDCs) will not be as secure as that on the primary domain controller (PDC). Thus, the point of installing SYSKEY would be defeated.
REPAIR ISSUESIntroduction of strong encryption of account password information changes the SYSTEM and SAM portions of the registry in ways that affect the repair options available for recovery of a Windows NT system. Always use the RDISK command with the /S option to create a new Emergency Repair Disk including a backup copy of the SYSTEM and SAM portion of the registry in the \Repair folder.
For complete recovery options, the following Emergency Repair Disks should be available:
- Prior to installing the System Key hotfix, create a fresh repair disk. This disk is a "pre-hotfix" repair disk that contains a copy of the system configuration and account information prior to installation of the hotfix. The "pre-hotfix" repair disk may be used to recover the registry and system files using the Windows NT distribution CDROM.
- After installation of the System Key hotfix, but before enabling strong encryption using the SYSKEY command, create a repair disk. This repair disk is "hotfix - Before Encryption". This repair disk can be used to repair the Registry to the state before strong encryption is enabled, for example it may be used to recover a system if the Windows NT System Key is lost or forgotten.
- After running SYSKEY to enable strong encryption, create a repair disk. This repair disk is "hotfix - After Encryption". This repair disk, and subsequent updates to this repair disk, can be used to recover the registry with strong encryption intact using the System Key in effect at the time the repair disk was last updated.
- SYSTEM and SAM registry hives
- Three system security component files: Winlogon.exe, Samsrv.dll, Samlib.dll
The following table lists the recovery options available.
Desired System Repair disk to Repaired System
Windows NT 4.0, Use the "Pre-hotfix" Registry matches system before
prior to hotfix repair disk hotfix installed; the three
installation system security component
files need to be repaired from
the Windows NT 4.0 compact
disc to match the pre-hotfix
Windows NT 4.0 with Use the "hotfix - Registry matches the system
hotfix installed, Before Encryption" before strong encryption.
but strong repair disk System Key is not in effect;
encryption is not strong encryption not enabled.
enabled System security files do not
need to be repaired from the
Windows NT 4.0 compact disc.
Windows NT 4.0 with Use the "hotfix - Registry matches the system
hotfix installed, After Encryption" with strong encryption
and strong repair disk enabled; the System Key in
encryption is effect is the System Key used
enabled at the time the repair disk
In the event that an Administrator needs to repair the system after the System Key hotfix is installed, both the SYSTEM and SAM portions of the registry need to be repaired at the same time. The System Key option in the SYSTEM portion of the registry must match the strong encryption key used for the SAM portion of the registry. If one registry hive is repaired without the other, it may be possible for the system to try to use a different System Key option (password derived or machine generated) that does not match the strong encryption key used for the account password information.
Installation of the System Key hotfix will update the checksums for the system security component (Winlogon.exe, Samsrv.dll, Samlib.dll) in the System.log file. The System.log file is saved on the Emergency Repair Disk. The System.log file is used during recovery to determine if the files need to be updated from the Windows NT Server 4.0 CD-ROM to match the pre-hotfix registry configuration. If the desired recovery system configuration is Windows NT Server 4.0 with the System Key hotfix, you will not be asked to repair these system security files.
After installing the System Key hotfix, and you have not enabled strong encryption, if you attempt to repair the system files using a repair disk created before installing the System Key hotfix (that is, using the "pre- hotfix" repair disk) you also MUST repair the SYSTEM and SAM registry. If you do not repair the registry, the system files and registry format will not match. You will get an error (error number C00000DF) when you attempt to log on. When the registry and system files are mismatched, the recovery procedure is to repair matching system and registry files. Either repair the registry hives from the same "pre-hotfix" repair disk, or use the "hotfix - Before Encryption" repair disk, which has a registry format that matches the System Key hotfix system files.
Finally, if you have a situation where the system security files (Winlogon, Samsrv.dll, Samlib.dll) are corrupted, then you must recover the system using a "Pre-hotfix" repair disk and repair the corrupted files from a Windows NT Server 4.0 CD-ROM. You must also repair the SYSTEM and SAM registry hives to match the system files from the "Pre-hotfix" repair disk.
Current United States export regulations allow the use of 128-bit encryption keys to be used to protect authentication data, such as passwords. The encryption keys used for Syskey are specific to the protection of passwords stored in SAM and the Security portion of the registry. There are no application APIs available for using 128-bit Syskey encryption for general-purpose data protection.
Article ID: 143475 - Last Review: Oct 31, 2006 - Revision: 1