Windows NT System Key Permits Strong Encryption of the SAM

This article was previously published under Q143475
This article has been archived. It is offered "as is" and will no longer be updated.
For a Microsoft Windows 2000, Windows XP, and Windows Server 2003 version of this article, see 310105.
The Windows NT Server 4.0 System Key (Syskey.exe) provides the capability to usestrong encryption techniques to increase protection of account passwordinformation stored in the registry by the Security Account Manager (SAM).Windows NT Server stores user account information, including a derivativeof the user account password, in a secure portion of the Registryprotected by access control and an obfuscation function. The accountinformation in the Registry is only accessible to members of theAdministrators group. Windows NT Server, like other operating systems,allows privileged users who are administrators access to all resources inthe system. For installations that want enhanced security, strongencryption of account password derivative information provides anadditional level of security to prevent Administrators from intentionallyor unintentionally accessing password derivatives using Registryprogramming interfaces.

Syskey.exe is included with Service Pack 3 (SP3) and later for Windows NT 4.0.

NOTE: If you want to change where the SYSKEY key is stored, use the SYSKEY tool do not modify the registry directly. If you modify the registry, SYSKEY will work correctly but give the impression that it is not.

IMPORTANT: For important information about a security issue with the Syskey tool, see the following article in the Microsoft Knowledge Base:
248183 Syskey Tool Reuses Keystream
The strong encryption capability with the Windows NT 4.0 System Key hotfixis an optional feature. Administrators may choose to implement strongencryption by defining a System Key for Windows NT. Strong encryptionprotects private account information by encrypting the password data usinga 128-bit cryptographically random key, known as a password encryption key.

Only the private password information is strongly encrypted in thedatabase, not the entire account database. Every system using the strongencryption option will have a unique password encryption key. The passwordencryption key is itself encrypted with a System Key. Strong passwordencryption may be used on both Windows NT Server and Workstation whereaccount information is stored. Using strong encryption of accountpasswords adds additional protection for the contents of the SAM portionof the registry and subsequent backup copies of the registry informationin the %systemroot%\repair directory created using the RDISK command andon system backup tapes.

The System Key is defined using the command Syskey.exe. Only members ofthe Administrators group can run the Syskey.exe command. The utility isused to initialize or change the System Key. The System Key is the "masterkey" used to protect the password encryption key and therefore protectionof the System Key is a critical system security operation.

There are three options for managing the System Key designed to meet theneeds of different Windows NT environments. The System Key options are thefollowing:
  • Use a machine-generated random key as the System Key and store the key on the local system using a complex obfuscation algorithm. This option provides strong encryption of password information in the registry and allows for unattended system restart.
  • Use a machine-generated random key and store the key on a floppy disk. The floppy disk with the System Key is required for the system to start and must be inserted when prompted after Windows NT begins the startup sequence, but before the system is available for users to logon. The System Key is not stored anywhere on the local system.
  • Use a password chosen by the Administrator to derive the System Key. Windows NT will prompt for the System Key password when the system is in the initial startup sequence, but before the system is available for users to logon. The System Key password is not stored anywhere on the system. An MD5 digest of the password is used as the master key to protect the password encryption key.
The System Key options using either a password or requiring a floppy diskintroduce a new prompt during the initialization of the Windows NToperating system. They offer the strongest protection option availablebecause master key material is not stored on the system and control of thekey can be restricted to a few individuals. On the other hand, knowledgeof the System Key password, or possession of the System Key disk isrequired to boot the system. (If the System Key is saved to a floppy disk,backup copies of the System Key disk are recommended.) Unattended systemrestart may require that System Key material be available to the systemwithout Administrator response. Storing the System Key on the local systemusing a complex obfuscation algorithm makes the key available only to coreoperating system security components. In the future, it will be possibleto configure the System Key to obtain the key material from tamper proofhardware components for maximum security.

WARNING: If the System Key password is forgotten or the System Key floppydisk is lost, it may not be possible to start the system. Protect andstore the System Key information safely with backup copies in the eventof emergency. The only way to recover the system if the System Key islost is using a repair disk to restore the registry to a state prior toenabling strong encryption. See the Repair Issues section below.

Strong encryption may be configured independently on the Primary and eachBackup Domain Controllers (DCs). Each domain controller will have a uniquepassword encryption key and a unique System Key. For example, the PrimaryDC may be configured to use a machine generated System Key stored on adisk, and Backup DCs may each use a different machine generated System Keystored on the local system. A machine generated System Key stored locallyon a Primary domain controller is not replicated.

Before enabling strong encryption for Primary domain controllers, you maywant to ensure a complete updated Backup domain controller is availableto use as a backup system until changes to the Primary domain are completeand verified. Before enabling strong encryption on any system, Microsoftrecommends making a fresh copy of the Emergency Repair Disk, including thesecurity information in the registry, using the command, RDISK /S. Pleasesee the following article in the Microsoft Knowledge Base prior to usingRDISK /S:
ARTICLE-ID: 122857
TITLE : RDISK /S and RDISK /S- Options in Windows NT

The SYSKEY command is used to select the System Key option and generatethe initial key value. The key value may be either a machine generated keyor a password derived key. The SYSKEY command first displays a dialogshowing whether strong encryption is enabled or disabled. After the strongencryption capability is enabled, it cannot be disabled. To enable strongauthentication of the account database, select the option "EncryptionEnabled", and click OK. A confirm dialog appears reminding theadministrator to make an updated emergency repair disk. A new dialogappears presenting options for the Account Database Key. Use the optionsavailable on Account Database Key dialog to select the System Key.

After selecting the System Key option, Windows NT must be restarted forthe System Key option to take effect. When the system restarts, theadministrator may be prompted to enter the System Key, depending on thekey option chosen. Windows NT detects the first use of the System Key andgenerates a new random password encryption key. The password encryptionkey is protected with the System Key, and then all account passwordinformation is strongly encrypted.

The SYSKEY command needs to be run on each system where strong encryptionof the account password information is required. SYSKEY supports a "-l"command option to generate the master key and store the key locally on thesystem. This option enables strong password encryption in the registry andallows the command to run without an interactive dialog. The SYSKEYcommand can be used at a later time to change the System Key options fromone method to another, or to change the System Key to a new key. Changingthe System Key requires knowledge of, or possession of, the current SystemKey. If the password derived System Key option is used, SYSKEY does notenforce a minimum password length, however long passwords (greater than 12characters) are recommended. The maximum System Key password length is 128characters.

SYSKEY should be applied to all domain controllers. If this is not done, the SAM on the backup domain controllers (BDCs) will not be as secure as that on the primary domain controller (PDC). Thus, the point of installing SYSKEY would be defeated.


Introduction of strong encryption of account password information changesthe SYSTEM and SAM portions of the registry in ways that affect the repairoptions available for recovery of a Windows NT system. Always use theRDISK command with the /S option to create a new Emergency Repair Diskincluding a backup copy of the SYSTEM and SAM portion of the registry inthe \Repair folder.

For complete recovery options, the following Emergency Repair Disks shouldbe available:
  • Prior to installing the System Key hotfix, create a fresh repair disk. This disk is a "pre-hotfix" repair disk that contains a copy of the system configuration and account information prior to installation of the hotfix. The "pre-hotfix" repair disk may be used to recover the registry and system files using the Windows NT distribution CDROM.
  • After installation of the System Key hotfix, but before enabling strong encryption using the SYSKEY command, create a repair disk. This repair disk is "hotfix - Before Encryption". This repair disk can be used to repair the Registry to the state before strong encryption is enabled, for example it may be used to recover a system if the Windows NT System Key is lost or forgotten.
  • After running SYSKEY to enable strong encryption, create a repair disk. This repair disk is "hotfix - After Encryption". This repair disk, and subsequent updates to this repair disk, can be used to recover the registry with strong encryption intact using the System Key in effect at the time the repair disk was last updated.
The System Key hotfix support for strong encryption affects the followingsystem components:
  • SYSTEM and SAM registry hives
  • Three system security component files: Winlogon.exe, Samsrv.dll, Samlib.dll
In general, the repair process needs to use matching versions of thesecomponents. Whatever repair option you choose, the repair process willcoordinate repair of the registry hives with the matching system files.

The following table lists the recovery options available.

Desired System        Repair disk to        Repaired SystemConfiguration         applyafter Repair--------------------------------------------------------------------------Windows NT 4.0,       Use the "Pre-hotfix"  Registry matches system beforeprior to hotfix       repair disk           hotfix installed; the threeinstallation                                system security component                                            files need to be repaired from                                            the Windows NT 4.0 compact                                            disc to match the pre-hotfix                                            registry format.Windows NT 4.0 with   Use the "hotfix -     Registry matches the systemhotfix installed,     Before Encryption"    before strong encryption.but strong            repair disk           System Key is not in effect;encryption is not                           strong encryption not enabled.enabled                                     System security files do not                                            need to be repaired from the                                            Windows NT 4.0 compact disc.Windows NT 4.0 with   Use the "hotfix -     Registry matches the systemhotfix installed,     After Encryption"     with strong encryptionand strong            repair disk           enabled; the System Key inencryption is                               effect is the System Key usedenabled                                     at the time the repair disk                                            was made.				

In the event that an Administrator needs to repair the system after theSystem Key hotfix is installed, both the SYSTEM and SAM portions of theregistry need to be repaired at the same time. The System Key option inthe SYSTEM portion of the registry must match the strong encryption keyused for the SAM portion of the registry. If one registry hive is repairedwithout the other, it may be possible for the system to try to use adifferent System Key option (password derived or machine generated) thatdoes not match the strong encryption key used for the account passwordinformation.

Installation of the System Key hotfix will update the checksums for thesystem security component (Winlogon.exe, Samsrv.dll, Samlib.dll) in theSystem.log file. The System.log file is saved on the Emergency RepairDisk. The System.log file is used during recovery to determine if thefiles need to be updated from the Windows NT Server 4.0 CD-ROM to matchthe pre-hotfix registry configuration. If the desired recovery systemconfiguration is Windows NT Server 4.0 with the System Key hotfix, youwill not be asked to repair these system security files.

After installing the System Key hotfix, and you have not enabled strongencryption, if you attempt to repair the system files using a repair diskcreated before installing the System Key hotfix (that is, using the "pre-hotfix" repair disk) you also MUST repair the SYSTEM and SAM registry. Ifyou do not repair the registry, the system files and registry format willnot match. You will get an error (error number C00000DF) when you attemptto log on. When the registry and system files are mismatched, the recoveryprocedure is to repair matching system and registry files. Either repairthe registry hives from the same "pre-hotfix" repair disk, or use the"hotfix - Before Encryption" repair disk, which has a registry format thatmatches the System Key hotfix system files.

Finally, if you have a situation where the system security files(Winlogon, Samsrv.dll, Samlib.dll) are corrupted, then you must recoverthe system using a "Pre-hotfix" repair disk and repair the corrupted filesfrom a Windows NT Server 4.0 CD-ROM. You must also repair the SYSTEM andSAM registry hives to match the system files from the "Pre-hotfix" repairdisk.

Current United States export regulations allow the use of 128-bit encryption keys to be used to protect authentication data, such as passwords. The encryption keys used for Syskey are specific to the protection of passwords stored in SAM and the Security portion of the registry. There are no application APIs available for using 128-bit Syskey encryption for general-purpose data protection.

Article ID: 143475 - Last Review: 12/04/2015 13:11:44 - Revision: 2.1

Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT Server 4.0 Standard Edition

  • kbnosurvey kbarchive kbenv kbinfo kbnetwork KB143475