The system key utility

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Password information for user accounts is stored in the Security Accounts Manager (SAM) database of the registry on workstations and member servers. On domain controllers, password information is stored in directory services. It is not unusual for password-cracking software to target the SAM database or directory services to access passwords for user accounts. The system key utility (Syskey) provides an extra line of defense against password-cracking software. It uses strong encryption techniques to secure account password information that is stored in the SAM database or in directory services. Cracking encrypted account passwords is more difficult and time-consuming than cracking nonencrypted account passwords. For more information on encryption, see Encryption.

There are three system key options in the Startup Key dialog box that are designed to meet the needs of different environments, as described in the following table.

| System key option | Relative security level | Description |
| --- | --- | --- |
| System Generated Password, Store Startup Key Locally | Secure | Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. This option provides strong encryption of password information in the registry, and it enables the user to restart the computer without the need for an administrator to enter a password or insert a disk. |
| Administrator generated password, Password Startup | More secure | Uses a computer-generated random key as the system key and stores an encrypted version of the key on the local computer. The key is also protected by an administrator-chosen password. Users are prompted for the system key password when the computer is in the initial startup sequence. The system key password is not stored anywhere on the computer. |
| System Generated Password, Store Startup Key on Floppy Disk | Most secure | Uses a computer-generated random key and stores the key on a floppy disk. The floppy disk that contains the system key is required for the system to start, and it must be inserted at a prompt during the startup sequence. The system key is not stored anywhere on the computer. |

For information on how to implement the system key utility on a computer, see Create or update a system key.

Use of the system key utility is optional. If the disk that contains the system key is lost, or if the password is forgotten, you cannot start the computer without restoring the registry to the state it was in before the system key was used. For information on restoring the registry, see Restore the registry.