This guide covers how to fix the “This computer is configured to require a password in order to start up” error that has been popping up on many XP machines. The process takes only a few minutes for an expert user but may take some additional time for inexperienced users. Interestingly, the same process also works for other purposes, such as restoring the Windows registry after it has been corrupted by bad sectors on the drive.
From what we’ve seen, this appears to be related to a virus that enables SAM (registry file) encryption. Because of this, standard password-changing tools such as NT PWD Reset won’t fix the issue. What we need to do is restore the registry files to their pre-infection state. Even many experienced users aren’t aware that Windows XP keeps near-daily registry backups in a hidden folder at the root of the drive called “System Volume Information”.
Obviously you can’t boot this computer from the hard drive because of the password, so you’ll either need to boot from a live CD or remove the hard drive and attach it to another PC. Once you have access to the hard drive, go into the “System Volume Information” folder. If you get access-denied errors, you may need to take ownership of the folder first; you can google “take ownership” for plenty of guides on that step.
Once inside you will see a list of folders; these contain registry backups and System Restore data. Sort by date to see what date ranges are available for recovery. Typically I choose a date about a week before the incident happened, just to be safe.
Once you choose a date to restore from, enter that folder and open the snapshot folder inside it. Almost done: you will now see copies of the Windows registry files from the date you selected. The 5 registry files we are interested in are listed below, but they must be renamed before they can be restored to the Windows directory.
I created a custom batch file to do all of this work for me automatically, which is at the bottom of this article, but for simplicity you can rename the files below by right-clicking each one and renaming it:
Rename “_REGISTRY_USER_.DEFAULT” to “default”
Rename “_REGISTRY_MACHINE_SECURITY” to “security”
Rename “_REGISTRY_MACHINE_SOFTWARE” to “software”
Rename “_REGISTRY_MACHINE_SYSTEM” to “system”
Rename “_REGISTRY_MACHINE_SAM” to “sam”
Now select those 5 files you just created (default, security, software, system, sam), copy them into the “Windows\system32\config” folder, and overwrite the existing files.
You have now restored your Windows registry to the date you selected. As long as the date you selected was prior to the infection, Windows should boot normally. If you still see the password prompt and need to go back further, you can simply repeat this process and select an older date.
Here is a batch file to automate the process; simply run it from within the snapshot folder. It assumes the hard drive is plugged into a test bench as the “d” drive; you can modify the drive letter to whatever yours is.
@echo off
echo copy registry batch file
echo place this batch file into the snapshot folder of the System Volume Information restore point you want to use
rem change the drive letter below to match the attached XP drive
set CFG=d:\windows\system32\config
rem 1. make correctly named copies of the snapshot hives
copy _REGISTRY_USER_.DEFAULT default
copy _REGISTRY_MACHINE_SECURITY security
copy _REGISTRY_MACHINE_SOFTWARE software
copy _REGISTRY_MACHINE_SYSTEM system
copy _REGISTRY_MACHINE_SAM sam
rem 2. keep the current hives as .old so the change can be undone
ren %CFG%\system system.old
ren %CFG%\software software.old
ren %CFG%\sam sam.old
ren %CFG%\security security.old
ren %CFG%\default default.old
rem 3. put the restored hives in place
copy default %CFG%\default
copy security %CFG%\security
copy software %CFG%\software
copy system %CFG%\system
copy sam %CFG%\sam
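As an added example (not the article's batch file), the same recovery automated in Python for the live-CD route: it lists the restore point snapshots under System Volume Information by date, picks the newest one at least a week before the incident, keeps the current hives as .old, and copies the snapshot hives in. The mounted volume path, the WINDOWS directory name and the 7-day margin are assumptions; make_fake_volume builds a constructed sample volume so the code runs offline.

```python
# Added example, not the article's batch file. Assumes the XP volume is mounted
# read/write from a live CD and that "WINDOWS" is the system directory.
from datetime import datetime, timedelta
from pathlib import Path
import os, shutil, tempfile

# snapshot file name -> hive name under Windows\system32\config (from the article)
HIVE_MAP = {"_REGISTRY_USER_.DEFAULT": "default",
            "_REGISTRY_MACHINE_SECURITY": "security",
            "_REGISTRY_MACHINE_SOFTWARE": "software",
            "_REGISTRY_MACHINE_SYSTEM": "system",
            "_REGISTRY_MACHINE_SAM": "sam"}

def list_snapshots(volume):
    """(timestamp, dir) for every RP*/snapshot holding all 5 hives, newest first."""
    svi = Path(volume) / "System Volume Information"
    found = [(datetime.fromtimestamp(s.stat().st_mtime), s)
             for s in svi.glob("_restore*/RP*/snapshot")
             if all((s / n).is_file() for n in HIVE_MAP)]
    return sorted(found, reverse=True)

def pick_snapshot(snapshots, incident=None, margin_days=7):
    """Newest snapshot at least margin_days before the incident (default: now),
    the article's 'about a week before, to be safe' rule."""
    cutoff = (incident or datetime.now()) - timedelta(days=margin_days)
    return next((s for t, s in snapshots if t <= cutoff), None)

def restore_hives(snapshot, config):
    """Keep each live hive as <hive>.old (fallback), then copy the snapshot hive in."""
    config = Path(config)
    for src, hive in HIVE_MAP.items():
        if (config / hive).exists():
            (config / hive).replace(config / f"{hive}.old")
        shutil.copy2(Path(snapshot) / src, config / hive)
    return sorted(HIVE_MAP.values())

def make_fake_volume(ages_days=(1, 10, 20)):
    """Constructed sample volume in a temp dir: live hives plus one snapshot per age."""
    root = Path(tempfile.mkdtemp())
    config = root / "WINDOWS" / "system32" / "config"
    config.mkdir(parents=True)
    for hive in HIVE_MAP.values():
        (config / hive).write_bytes(b"live-" + hive.encode())
    for i, age in enumerate(ages_days):
        snap = root / "System Volume Information" / "_restore{GUID}" / f"RP{i}" / "snapshot"
        snap.mkdir(parents=True)
        for src in HIVE_MAP:
            (snap / src).write_bytes(b"snap%d-%s" % (age, src.encode()))
        ts = (datetime.now() - timedelta(days=age)).timestamp()
        os.utime(snap, (ts, ts))
    return root, config
```

On a real drive, point list_snapshots at the mount point and pass the snapshot it returns together with the real config directory to restore_hives; if the password prompt remains, rerun pick_snapshot with a larger margin_days to step back to an older restore point.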