NT Gatekeeper: Discovering Whether Syskey Is Enabled

Last month, one of our key Windows NT administrators suddenly left the company. Much of the configuration fine-tuning he'd performed on our NT servers was left undocumented. On some systems, he'd enabled Syskey encryption of the password hashes in the NT account database. How can I identify those systems?

The easiest way to find out whether an NT machine has Syskey enabled is to type


at the command prompt. This command brings up the Securing the Windows NT Account Database dialog box that Figure 1 shows, which indicates whether Syskey encryption is enabled.

Alternatively, you can check for the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl-Set\Control\Lsa\Secureboot. If the Secureboot value (of type REG_DWORD) exists and is set to a value of 0x1, 0x2, or 0x3, Syskey is enabled on the system.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.