How do I use the System Key functionality of Service Pack 3?

A. A. Service Pack 3 introduced a new feature in NT with the ability of increasing security on the SAM database. This is performed by introducing a new key in one of 3 modes

  1. A secure key generated by the system which is used to encrypt the SAM which is stored on the local hard disk
  2. A secure key generated by the system which is stored on a floppy disk which has to be placed in the computer at bootup
  3. A password given by the user is used to encrypt the SAM and has to be entered on bootup

To generate the system key you use the syskey.exe, however be warned, once you activate the encryption you cannot turn it off without performing a system recovery using an ERD produced before syskey was enabled. To enable encryption perform the following

  1. Make sure Service Pack 3 is installed
  2. Log on to the system as a member of the Administrators group (only administrators can run syskey.exe)
  3. Create a new ERD (rdisk /s) and store somewhere safe and label the disk "Pre System Key ERD"
  4. Run the System Key generation utility (Start - Run - syskey.exe)
  5. A dialog box will be displayed with encryption disabled. Select Encryption enabled and click OK
  6. Click OK to the warning dialog box
  7. Select which of the 3 encryption modes you require, if password enter a password and then enter again for verification. If you choose stored on floppy disk you will be prompted to insert a disk and then click OK.
  8. Click OK and a success message will be displayed, click OK
  9. You now need to reboot the machine
  10. Once rebooted you should create a new ERD (rdisk /s)

Once rebooted if you choose a password once the GUI phase of NT starts a dialog box will be displayed and you should enter the password you gave and click OK, after that you may log on as normal. If you choose floppy disk you will be prompted to insert the disk and then click OK

Although you cannot remove the system key, you can change the mode by running syskey.exe and click Update. You will be asked to either enter the existing password or insert the system key floppy if changing from one of these modes.

For more information see Q143475 at

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.