Syskey on USB drive


DONE-IT

Hi, I have used Syskey on floppy for years on customer laptops. In
January this year a customer wanted to use Syskey (on XP) without a
floppy. I have used USBDLM for mounting the USB devices to the drive
letter A.
USBDLM: http://www.uwe-sieber.de/usbdlm_e.html
I configured that a USB drive with a specific name should always be
mounted to A, all others from G to J.
So you can make a backup to another USB stick, change the name to force
the mount to A and use it in case of a broken or lost device.
My concern is:
if a USB device is attached before a user is logged on to the machine
and this specific device was not plugged in before on this machine,
would it mount properly?
This problem occurred a few days ago:
We used Pretec iDisk Diamond sticks. They are very small and handy. We
also used the type with 128MB, mainly to prevent the device from being
used for purposes other than the logon process.
Now we had the following issues:
The customer told me that he cannot log on to his laptop. The displayed
message says "syskey not found on drive A. Please insert disk"
(translation from German XP). I told him to use his backup stick (which
was created on the same machine a few weeks ago) and he was able to
log on. For investigation purposes I told him to plug in the "primary
stick". When he plugged it in, Windows reacted like it was a
"new-and-never-before-plugged-in-device".
Messages with installing drivers and "device can now be used" appeared.
The next reboot, the "primary stick" worked again without problems...so far.
Any ideas what happened here?
 

Uwe Sieber

DONE-IT said:
> Hi, I have used Syskey on floppy for years on customer laptops. In
> January this year a customer wanted to use Syskey (on XP) without a
> floppy. I have used USBDLM for mounting the USB devices to the drive
> letter A.
> USBDLM: http://www.uwe-sieber.de/usbdlm_e.html
> I configured that a USB drive with a specific name should always be
> mounted to A, all others from G to J.
> So you can make a backup to another USB stick, change the name to force
> the mount to A and use it in case of a broken or lost device.
> My concern is:
> if a USB device is attached before a user is logged on to the machine
> and this specific device was not plugged in before on this machine,
> would it mount properly?

Yes, if USB drives are installed without any user interaction,
then this would work. If the USBDLM service isn't started at this
time, XP would assign the first available drive letter. When USBDLM
starts then (current version V4.1) it would check all drive
letters and assign the drive letters as configured. But this may
happen some seconds after the logon screen appears.

> This problem occurred a few days ago:
> We used Pretec iDisk Diamond sticks. They are very small and handy. We
> also used the type with 128MB, mainly to prevent the device from being
> used for purposes other than the logon process.
> Now we had the following issues:
> The customer told me that he cannot log on to his laptop. The displayed
> message says "syskey not found on drive A. Please insert disk"
> (translation from German XP). I told him to use his backup stick (which
> was created on the same machine a few weeks ago) and he was able to
> log on. For investigation purposes I told him to plug in the "primary
> stick". When he plugged it in, Windows reacted like it was a
> "new-and-never-before-plugged-in-device".
> Messages with installing drivers and "device can now be used" appeared.
> The next reboot, the "primary stick" worked again without problems...so
> far.
> Any ideas what happened here?

Maybe this XP asks for confirmation when a new USB drive is attached
and your customer didn't mention this. This can happen if there
is a problem with the 'Cryptographic Services' ("Kryptografiedienste"
in German). XP cannot validate the driver's signature and asks the
user.
http://www.uwe-sieber.de/usbtrouble_e.html#xp_asks_for_drivers


Uwe
 

DONE-IT

Uwe said:
> Yes, if USB drives are installed without any user interaction,
> then this would work. If the USBDLM service isn't started at this
> time, XP would assign the first available drive letter. When USBDLM
> starts then (current version V4.1) it would check all drive
> letters and assign the drive letters as configured. But this may
> happen some seconds after the logon screen appears.

OK, so it depends on the specific USB device I use.
Every user has a backup stick only for the syskey and additionally a stick
for "normal" purposes. So there are at least two sticks, which were
plugged in and have drivers installed, in case of an "emergency".

> Maybe this XP asks for confirmation when a new USB drive is attached
> and your customer didn't mention this. This can happen if there
> is a problem with the 'Cryptographic Services' ("Kryptografiedienste"
> in German). XP cannot validate the driver's signature and asks the
> user.
> http://www.uwe-sieber.de/usbtrouble_e.html#xp_asks_for_drivers

The "primary stick" had been used at every logon for weeks until this
happened. So this stick was not "new" to the XP.
We also tried a reboot before we used the backup stick.
After the user logged on with the backup stick, I also checked all
services and event log messages. There was nothing about not started
services in there. What I find interesting is the fact that the
"primary" stick (the one which refused to work for the logon, but worked
for weeks before) got recognized as a "new" device. After that it worked
again without problems.

The problem is that when this problem occurs, you have no chance to
check something. You get the message to insert the "syskey-disk" into
drive A before the logon screen appears. If the file cannot be found on
A: it will refuse to work. There is also no way to remotely connect via
the MMC to this machine because of the firewall in first place and the
decrypted SAM in second.

I will investigate further and try different constellations and USB devices.
I don't want to end up with bricked operating systems because of a
corrupted USB device driver.

Thanks a lot for your response Uwe!

Dominik
 
