
Thread: Enabling the Startup Key

  1. #1
    Super Moderator Big Booger
    Join Date
    Apr 2002

    Enabling the Startup Key

    The Syskey wizard enables startup key protection. If enabled, the startup key protects the following sensitive information:

    * Master keys that are used to protect private keys.
    * Protection keys for user account passwords stored in Active Directory.
    * Protection keys for passwords stored in the registry in the local Security Accounts Manager (SAM) registry key.
    * Protection keys for LSA secrets.
    * The protection key for the administrator account password that is used for system recovery startup in safe mode.

    You must be a member of the local Administrators group to use the syskey command. Using this utility, an administrator can configure the system to do one of the following:

    1. Use a computer-generated random key as the startup key, and store it on the local system by using a complex obfuscation algorithm that scatters the startup key throughout the registry. This option enables computer restarts without the need to enter the startup key.
    2. Use a computer-generated random key, but store it on a floppy disk. The floppy disk must be inserted into a drive during system startup for the startup sequence to complete. This option is more secure than the first, but effectively rules out restarting the computer remotely.

    * If the startup key password is forgotten or the floppy disk that contains the startup key is lost, it might not be possible to start the system. If this occurs, the only way to recover the system is to use a repair disk to restore the registry to a state prior to when startup key protection was enabled. Any changes that were made after that time would be lost. Therefore it is important to store the startup key safely. If it is on a floppy disk, make backup copies and store them in different locations.

    3. Use a password chosen by the administrator to derive the startup key. The administrator is prompted for the password during the initial startup sequence.


    * After startup key protection is enabled, it cannot be disabled, but it can be configured to operate at different security levels.

    To enable startup key protection

    1. At the command line, type:


    2. Click Encryption Enabled, and then click OK.


    Click Update, if encryption was previously enabled.
    3. Select an option for the key.

    The default option is a system-generated password that is stored locally. If you use the password-derived startup key option, syskey does not enforce a minimum password length. However, passwords longer than 12 characters are recommended. The maximum length is 128 characters.
    4. Click OK to restart the computer.

    When the system restarts, you might be prompted to enter the startup key, depending on the key option you selected. The first use of the startup key is detected and a new random password encryption key is generated. The password encryption key is protected by using the startup key, and then all account password information is strongly encrypted.

    After the startup key has been enabled, the following process occurs at system startups:

    * The startup key is retrieved from the locally stored key, the password entry, or insertion of a floppy disk, depending on the option you selected.
    * The startup key is used to decrypt the master protection key.
    * The master protection key is used to derive the per-user account password encryption key, which is then used to decrypt the password information in Active Directory or the local SAM registry key.

    The syskey command can be used again later to change the startup key storage option or to change the password. Changing the startup key requires knowledge of, or possession of, the current startup key.

    To change the startup key option or password

    1. At the command line, type:


    2. In the first dialog box, click Update.
    3. In the next dialog box, select a key option or change the password, and then click OK.
    4. Restart the computer.

    Just some more security-based tweaking if you want to keep out prowlers and others from your data.
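
The key hierarchy described in the post above (the startup key unlocks the master protection key, which derives the per-account keys), as an added Python model that is not part of the original post and is not the Windows implementation. PBKDF2, HMAC-SHA256 and all function names are assumptions chosen for illustration.

```python
import hashlib, hmac, os

def kdf(key: bytes, label: bytes) -> bytes:
    """Derive a single-purpose subkey from `key` (HMAC-SHA256, model only)."""
    return hmac.new(key, label, hashlib.sha256).digest()

def startup_key_from_password(password: str, salt: bytes) -> bytes:
    # Key option 3: startup key derived from an administrator-chosen password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Keystream built from HMAC blocks; stands in for a real cipher in this model.
    stream = b"".join(kdf(key, nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key: bytes, secret: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _xor_stream(kdf(key, b"enc"), nonce, secret)
    return nonce + ct + kdf(kdf(key, b"mac"), nonce + ct)   # encrypt-then-MAC

def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, kdf(kdf(key, b"mac"), nonce + ct)):
        raise ValueError("startup key does not unlock this blob")
    return _xor_stream(kdf(key, b"enc"), nonce, ct)

def enable_protection(startup_key: bytes) -> dict:
    # First use: generate a random master protection key, keep it only wrapped.
    return {"master": wrap(startup_key, os.urandom(32)), "accounts": {}}

def _user_key(store: dict, startup_key: bytes, rid: int) -> bytes:
    master = unwrap(startup_key, store["master"])         # decrypt the master key
    return kdf(master, b"user" + rid.to_bytes(4, "big"))  # derive per-account key

def store_hash(store: dict, startup_key: bytes, rid: int, pw_hash: bytes) -> None:
    store["accounts"][rid] = wrap(_user_key(store, startup_key, rid), pw_hash)

def read_hash(store: dict, startup_key: bytes, rid: int) -> bytes:
    return unwrap(_user_key(store, startup_key, rid), store["accounts"][rid])

def change_startup_key(store: dict, current_key: bytes, new_key: bytes) -> None:
    # Requires the current key; only the wrapped master key blob is rewritten.
    store["master"] = wrap(new_key, unwrap(current_key, store["master"]))
```

In this model, changing the startup key leaves every account blob untouched, and a lost startup key leaves no way to recover the master key from the store.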

  2. #2
    Friendly Neighborhood Super Moderator phishhead
    Join Date
    Apr 2002
    San Diego, Ca.
    Too dangerous for me; I would forget my password.
