Have you been caught by the "I am Windows Support" scam?

(The last one to call me told me that he was "Windows" - and nothing to do with Microsoft at all!)

A lot of us have had that call, often in a thick Indian accent, claiming that "We have detected something wrong with your computer"

Do you really believe that Microsoft (or "Windows") is going to spend the resources involved in monitoring countless millions of computers - and then to employ what must be a huge cohort of technicians to telephone people?  And to do that, despite the fact that snooping on other people's computers would be a serious breach of just about every privacy law ever written?

What happens:

The aim of these folk is to get access to your computer.  They will talk to you - and, maybe, show you a screen on your computer that shows loads of error messages.  (These error messages are there on every computer and are all perfectly normal).  Having convinced you that something is amiss, they will then get your permission to take control of your computer.  That is the moment that things just went pear-shaped.

The bogus engineer will then keep you busy while, probably, a second thief (that's what they are, really) has a good look around your system without you seeing.  You will have no idea what he has seen and taken.

Finally, something will go wrong with your conversation.  Generally at the point when the first thief demands payment.  (Whoopee! If you actually pay, he'll get your credit card details which, with luck, will match up with your password that his mate has already downloaded.)  He'll then hang up and you'll find that he has applied a "SysKey" Password.

When you next try to start the computer, you will see the following dialog box:

SysKey Dialog

Your computer hasn't even started up yet - so there is little that you can do immediately.  First thing (as always when you have bother like this) is to turn the machine off!

If you keep fiddling around, trying this and that, there is a very good chance that you will make matters worse - and you may even do something that will prevent a professional from helping you.

To repair

First, see if the computer will repair itself

As software is installed, the computer saves a whole lot of information about how it was working.  You can sometimes "wind back" the clock to this previous state.  That's called a "System Restore".

  1. Reboot the PC and repeatedly press F8 to reach the Advanced Startup Options menu.
  2. Choose Repair your Computer from the menu.
  3. Cancel the automatic repair attempt and instead instruct the system to perform a System Restore to a date prior to the incident occurring.

That's great if it works.  But in my experience, it seldom does.  You are probably going to need to gain access to the hard disk.  And, as the computer won't start, that's a problem.

You have two options

The first is easy.  At least in theory.  Take a screwdriver and open your computer.  Unplug the wires going to the hard disk and unscrew the unit.  Take it to a working machine and plug it in, using a caddy and a USB wire.

The second is less invasive.  Get hold of a suitable Operating System disk.  A Linux disk is the usual choice.  You should be able to make your computer boot from this CD/DVD.  DO NOT allow it to install itself onto your hard disk!  That way you'll lose everything!  Most Linux distributions will run happily, direct from the CD/DVD/Memory stick from which you booted the machine.

Now that you have access, you get on your Knobbly Knees and pray!  The offending password is stored in a chunk of information called the "Registry".  If you don't know what you are doing, you shouldn't be messing with the Registry - it controls pretty much everything the computer does.  Fortunately, the computer normally keeps a backup of this vital file.  This backup is part of the System Restore you tried earlier.  Let's hope it exists...

The shorthand %SYSTEMROOT% means the place where the operating system is stored.  This is normally C:\Windows.

Check to ensure that the folder %SYSTEMROOT%\system32\config\RegBack exists.  If so, continue.  If not, stop and immediately contact a technician.

If no Restore Points exist, your scammer intentionally removed them to prevent this from occurring.  If this happens to you, follow these additional steps to resolve the problem:

  1. POWER OFF your PC immediately.
  2. Boot to external media of some sort (NOT your Windows installation) and navigate to the %SYSTEMROOT%\system32\config folder.
  3. Back up the registry hives in this folder to a temporary location. The files are:
     - SYSTEM
     - SAM
     - DEFAULT
  4. Navigate to %SYSTEMROOT%\system32\config\RegBack as mentioned earlier.
  5. Copy all registry hives from this folder (the same files as listed above) into the %SYSTEMROOT%\system32\config folder.
  6. Reboot the PC.

This solution only works if you have not already tried to reboot the PC subsequently.  If you have, it may still work, but that is entirely dependent upon whether or not Windows created a new RegBack copy following a successful boot.
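The RegBack check and the hive copy described above, as a small script added here (it is not part of the original post) for someone doing the job from a Linux live CD with the Windows partition mounted. It assumes the Windows folder is passed as the first argument (for example /mnt/win/Windows) and uses the three hive names the post lists; it also refuses to proceed when a RegBack hive is present but empty, which goes slightly beyond the post's "does the folder exist" check.

```shell
#!/bin/sh
# Added example, not from the original post. Run from a Linux live session
# with the Windows partition mounted; $1 is the Windows system root
# (the %SYSTEMROOT% folder), e.g. /mnt/win/Windows.
# Folder names use the on-disk capitalisation, which matters on Linux.
HIVES="SYSTEM SAM DEFAULT"

# Returns 0 if RegBack exists and every hive in it is non-empty.
# A 0-byte RegBack copy is useless, so it is treated like a missing one.
regback_ok() {
    rb="$1/System32/config/RegBack"
    [ -d "$rb" ] || { echo "no RegBack folder at $rb - stop and call a technician"; return 1; }
    for h in $HIVES; do
        [ -s "$rb/$h" ] || { echo "RegBack hive $h is missing or empty - stop"; return 1; }
    done
    return 0
}

# Saves the current (locked) hives to $2, then overwrites them with the
# RegBack copies. Nothing is touched unless regback_ok passes first.
restore_hives() {
    root="$1"; backup="$2"
    cfg="$root/System32/config"
    regback_ok "$root" || return 1
    mkdir -p "$backup" || return 1
    for h in $HIVES; do
        # keep the locked hives: they show what the scammer changed
        cp -p "$cfg/$h" "$backup/$h" || return 1
    done
    for h in $HIVES; do
        cp -p "$cfg/RegBack/$h" "$cfg/$h" || return 1
    done
    echo "restored $HIVES from RegBack; originals saved in $backup"
}

# Usage: sh restore_hives.sh /mnt/win/Windows /tmp/hive-backup
[ "$#" -eq 2 ] && restore_hives "$1" "$2"
```

After the copy, unmount the drive cleanly before rebooting into Windows, otherwise the hives you just wrote may not be flushed to disk.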