So it happened: Windows starts up and asks for a startup password, and you don't know what it is. Either you forgot it, or you never knew it. This is Syskey in action: the SAM password hashes and the LSA secrets are encrypted with a system key derived from that password, and without it Windows cannot finish booting. What to do?
You can try brute forcing the password. Syskey gives you unlimited tries, but after the first hundred you'll conclude that brute forcing is overrated, and there is no reliable tool that will brute force a Syskey startup password for you.
You can forcibly switch Syskey off. The best tool for this is the Offline NT Password & Registry Editor, commonly known as NTPasswd. The bootable Linux-based CD image is just over 3 MB, contains a large set of SCSI drivers as well as a read-write NTFS driver, and has an intuitive text menu-based UI. One of its menu options disables Syskey. But there are side effects:
All locally stored encryption keys become invalid, since they were protected under the old system key;
You will not be able to connect over Terminal Services, which uses those keys for session security;
IIS-based services (W3SVC, SMTP, and the Exchange services that depend on them) will not start: parts of the Metabase are encrypted, and the keys are no longer available;
Any service that runs as something other than LocalSystem will not start, because its stored logon credentials can no longer be decrypted. You'll need to re-enter them. The easiest way is to set the service to run as LocalSystem, then change it back to the service account;
The same applies to scheduled tasks;
All EFS-encrypted data, including data encrypted with the system key, is permanently lost.
So the system will be severely damaged when it comes back up. Only do this to recover the most recent data. If you need more than that, always back up the System State, and keep that backup offline, off the box. And don't forget to test restoration before an incident happens.
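The cleanup above (re-entering service and scheduled task credentials, then taking a System State backup) is tedious to do by hand. The following PowerShell script is an added example written for this page, not something shipped with NTPasswd or part of the original post. It assumes you run it elevated on the recovered machine, that the affected services and tasks all use the one placeholder account in `$ServiceAccount`, and that `sc.exe`, `schtasks.exe` and either `wbadmin.exe` or `ntbackup.exe` are available. Run it without `-Apply` first; in that mode it only reports the Syskey mode and lists what it would touch.

```powershell
# Added example, not from the original post or from the NTPasswd project.
# Assumptions (mine): run elevated on the recovered box; every affected service and task
# uses the single account in $ServiceAccount (extend as needed); sc.exe, schtasks.exe and
# wbadmin.exe or ntbackup.exe are present. Without -Apply nothing is changed.
param(
    [string]$ServiceAccount = '.\svc_app',   # placeholder service account name
    [string]$BackupTarget   = 'E:',          # placeholder backup volume (keep it off the box afterwards)
    [switch]$Apply
)

# 1. Check which Syskey mode the machine is in. Lsa\SecureBoot records it:
#    1 = key stored in the registry, 2 = startup password, 3 = key on floppy.
#    Anything else means the offline editor cleared or removed the value.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
switch ($lsa.SecureBoot) {
    1       { 'Syskey mode 1: key stored in the registry, no startup password' }
    2       { 'Syskey mode 2: startup password required' }
    3       { 'Syskey mode 3: key on floppy' }
    default { "SecureBoot = '$($lsa.SecureBoot)': Syskey disabled or value removed" }
}

# 2. Services that log on with a real account. LocalSystem, LocalService and NetworkService
#    have no stored password, so they are unaffected and are skipped.
$builtin  = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$services = Get-WmiObject -Class Win32_Service | Where-Object { $builtin -notcontains $_.StartName }
'Services with stored credentials:'
$services | Format-Table Name, StartName, State -AutoSize

# 3. Scheduled tasks, from schtasks' verbose CSV output ("Run As User" column).
#    The header row can repeat per task folder, hence the TaskName filter.
$tasks = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
         Where-Object { $_.TaskName -ne 'TaskName' -and
                        $_.'Run As User' -notmatch '^(N/A|SYSTEM|NT AUTHORITY\\)' }
'Scheduled tasks with stored credentials:'
$tasks | Format-Table TaskName, 'Run As User' -AutoSize

if (-not $Apply) { 'Re-run with -Apply to re-enter credentials and take a System State backup.'; return }

# Ask for the password once; sc.exe and schtasks.exe need it in clear text on the command line.
$secure = Read-Host -AsSecureString -Prompt "Password for $ServiceAccount"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 4. The trick from the list above: flip each service to LocalSystem, then back to its account,
#    which makes the SCM store a fresh copy of the credential. Use sc.exe explicitly;
#    bare 'sc' is PowerShell's Set-Content alias.
foreach ($s in $services) {
    sc.exe config $s.Name obj= LocalSystem | Out-Null
    sc.exe config $s.Name obj= $ServiceAccount password= $plain | Out-Null
    Start-Service -Name $s.Name -ErrorAction Continue
}

# 5. Same for scheduled tasks: re-setting /RU and /RP stores the credentials again.
foreach ($t in $tasks) {
    schtasks.exe /Change /TN $t.TaskName /RU $ServiceAccount /RP $plain | Out-Null
}
$plain = $null

# 6. Now that the box works again, take the System State backup the post recommends.
#    wbadmin on Vista/2008 and later, ntbackup on XP/2003.
if (Get-Command wbadmin.exe -ErrorAction SilentlyContinue) {
    wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet
} elseif (Get-Command ntbackup.exe -ErrorAction SilentlyContinue) {
    ntbackup.exe backup systemstate /J 'SystemState' /F "$BackupTarget\SystemState.bkf"
} else {
    'No System State backup tool found; back up manually before you forget.'
}
```

The script deliberately does not touch the IIS Metabase or EFS: the post is right that those keys are gone, and no amount of scripting brings them back. Once the backup exists, copy it off the machine and do a test restore somewhere else; a System State backup you have never restored is not a backup.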