Didier Stevens

Monday 26 June 2006

Restoring Safeboot

Filed under: Malware — Didier Stevens @ 19:44

I spent some time this weekend researching how to recover a deleted Safeboot key (in case you don’t have a backup). This how-to is for Windows XP; it shows how to recover the Safeboot key (possibly deleted by a virus like the newest Bagle, see my previous post), not how to remove the malware.

Case 1

If Windows hasn’t been rebooted since the infection and you haven’t made changes to your system configuration since the last boot, follow this procedure:

  1. Reboot Windows. Enter the “Windows Advanced Options Menu” by pressing F8 twice after the BIOS splash screen.
  2. Select “Last Known Good Configuration (your most recent settings that worked)”.
  3. You can now reboot a second time and select Safe Mode.

Case 2

If Windows has been rebooted since the infection, follow this procedure:

  1. Start System Restore (you can find it under Start / All Programs / Accessories / System Tools / System Restore).
  2. Select a restore point that predates the infection (i.e. the Safeboot key removal); this may require some trial and error if you don’t know exactly when the Safeboot key was deleted.
  3. Confirm the restore operation
  4. Windows will perform a System Restore and reboot
  5. Click OK
  6. You can now reboot a second time and select Safe Mode

Case 3

If you’ve made changes to your system configuration that you want to keep, follow this procedure:

  1. Follow the steps of case 2
  2. Start regedit once you’ve booted in Safe Mode
  3. Navigate to the “HKLM\System\CurrentControlSet\Control\Safeboot” key
  4. Export the key (right-click export)
  5. Start System Restore: Start / All Programs / Accessories / System Tools / System Restore
  6. Select “Undo my last restoration”
  7. Confirm the restore operation
  8. Windows will perform a System Restore and reboot
  9. Click OK
  10. Select the Safeboot registry file you exported and Merge it to the registry (double click the file)
  11. Confirm the merge
  12. You can now reboot again and select Safe Mode.

17 Comments »

  1. Good work. Your solution to case 3 is exactly what I was looking for. I’ve been keeping my eye on this blog since you commented on mine a while back. Timely solution to a real-world problem. Is it alright if I throw up a link to this blog on mine?

    Comment by Ryan — Thursday 6 July 2006 @ 17:35

  2. It’s good to read that my research was useful. I’d appreciate a link to my blog, thanks!

    Comment by Didier Stevens — Thursday 6 July 2006 @ 19:56

  3. I hit this problem working on a heavily-infected PC from Bart PE, and decided to follow a “Case 4” strategy when Google found your page. What I’ll try is…

    From Bart PE CDR boot, copy each C:\SVI\..\RP*\snapshot to a (say) C:\REGBACK\RP*

    Then the idea would be to bind one of these hives (is it SYSTEM? I haven’t looked yet) to HKLM, find the stuff I want, save it as a .REG, edit the .REG to go to CurrentControlSet etc. and then merge it back in.

    What I haven’t decided yet, is whether to do that via Bart PE CDR boot using RunScanner to treat the inactive HD registry as “live”, or do it from the only HD boot that works (normal Windows).

    The latter’s easier, but the former is cleaner in the context of suspected malware as allows Safe Cmd Only boot before daring to do a full (and most likely malware’d) Windows boot.

    What I like about Case 4 vs. Case 3 is that I avoid the possible collateral damage of System Restoring all the rest of the monitored files and their integrations (especially the malware one is trying to kill off).

    After all, why would Safeboot be destroyed? Either by malware, in which case you’d be restoring an infected state, or due to general chaos and corruption, in which case who knows what damaged mess you’d be restoring…

    Comment by Chris Quirke — Tuesday 11 July 2006 @ 2:28

  4. This is all great - and most of the AV websites list the bagle as “low” risk… It has totaled this pc.
    Yes it runs, but ONLY in normal mode (safe boot crashes) and it has also hosed system restore….
    No matter which AV/scanner/rootkit scan we do, it always comes back clean, but then reboot, and the hldrrr.exe and m_hook are back.
    We have been able to use alternating user accounts to get back in, deleting the files in the other account, so at reboot, we have enough time to kill the hldrrr process before it totally hangs.
    However it also prevents msconfig running - although I think this is more a deleted key, or file as it is not actively doing this.

    SO any advice on what to do about system restore AND safeboot not working?
    It seems to be a catch 22 at this point.

    I also wonder if it is possible to install windows on a new drive, clean the current drive, and then reboot with the old windows?

    Thanks for any help
    SEPP!

    Comment by sepp — Tuesday 2 January 2007 @ 17:05

  5. Actually - I forgot to add, that not only has the system prevented safeboot, it has also prevented a clean install of xp from CD?
    We tried to get to system restore by booting with the install CD, but it never gets past loading windows….

    Regards,
    SEPP

    Comment by sepp — Tuesday 2 January 2007 @ 17:10

  6. I’ve been playing with an idea, but have not yet had the time to test it: do a Windows XP install on the same hardware but with a new disk, then export the Safeboot key and import it in the crippled OS.

    Have you tried booting from a live CD like UBCD4Win and using a command line AV scanner that doesn’t require installation?

    Comment by Didier Stevens — Tuesday 2 January 2007 @ 18:08

  7. That is a good idea!
    I hope that the hard drive does not need to be the same as well?
    I will also try booting with a bootable windows cd - I have used BartPE in the past, but I will also look at the UBCD4Win

    Thanks - will let you know…

    Comment by Sepp — Thursday 4 January 2007 @ 17:33

  8. I don’t have a backup of my registry and I don’t understand this Bart PE stuff. Could somebody be kind enough to post an exported .reg for the entries in safeboot? After all, settings for safeboot won’t vary that much from one machine to another.

    Comment by Mirco — Sunday 18 February 2007 @ 16:07

  9. @Mirco

    Read my new post: http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

    Comment by Didier Stevens — Monday 19 February 2007 @ 13:59

  10. Recovering from Bagle, which blows out Safemode, among other things.
    This really isn’t that hard to recover from. Here’s how I did it:
    First, I discovered I had a problem because AVG wouldn’t work, wouldn’t uninstall and wouldn’t reinstall from a fresh install file. After a reboot (and a failed system restore and a safemode BSOD), I discovered my wireless stopped working and Wireless Zero config wouldn’t start because of unstarted dependency services (it turned out to be NDIS I/O). A Google search told me that it was probably Bagle and led me to get Blacklight. Blacklight found all the nasties and I chose to rename them. Reboot and voila, Bagle disabled! However, I still had three problems - 1) System restore failed every time 2) Still no wireless and 3) Could not boot into safemode.
    Solution
    Loaded System hive from C:\WINDOWS\system32\config. Exported HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot to a reg file. Opened regfile in notepad and did a replace for the name I chose when loading to “SYSTEM”. (for instance, when I loaded the hive, I called it “repair”. I then did a find and replace from “repair” to “SYSTEM” [note case sensitive!]). Imported regfile. Safemode fixed.
    Uninstalled and reinstalled Wireless NIC. This reloaded the NDIS protocol (which I had tried to reinstall alone, but no dice). Reset TCP/IP settings (I don’t use DHCP), reestablished connection with WAP (I don’t broadcast, so I had to do this by hand). Wireless fixed.
    Disabled System restore. This deleted all the restore points, many of which were hosed anyway. This bugger had been around for a few days before I noticed it. Re-enabled System restore and manually created a restore point immediately. System restore fixed.

    Comment by dimaug — Monday 19 February 2007 @ 22:44
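The hive-name rewrite described in the two comments above (load a SYSTEM hive from a restore point under a temporary name, export the Safeboot key, then point the exported paths at the live SYSTEM\CurrentControlSet before merging) done as a script instead of a Notepad find-and-replace. This is an added example, not code from the post or its commenters; the function names and the sample export are mine, and the temporary hive name "repair" is taken from the comment.

```python
# Rewrites key paths in a Regedit 5.00 export taken from a temporarily loaded
# SYSTEM hive so they target the live hive. A loaded hive has no
# CurrentControlSet link (the kernel creates that only for the running SYSTEM
# hive), so the export carries ControlSet001 (or whichever set is current).
# Only bracketed key lines are rewritten; value lines are copied unchanged, so a
# value that merely contains the temporary name is not corrupted, which a blind
# find-and-replace would do.

REG_HEADER = "Windows Registry Editor Version 5.00"

# Constructed sample export (hypothetical hive name "repair", trimmed content).
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Minimal]

[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Minimal\\Base]
@="Driver Group"
"""


def rewrite_reg_paths(reg_text, loaded_name, control_set="ControlSet001"):
    """Return (rewritten text, number of key lines rewritten)."""
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("not a Regedit 5.00 export")
    src = "[HKEY_LOCAL_MACHINE\\%s\\%s\\" % (loaded_name, control_set)
    dst = "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\"
    out, count = [], 0
    for line in lines:
        if line.startswith(src):
            line = dst + line[len(src):]
            count += 1
        elif line.startswith("[") and ("\\%s\\" % loaded_name) in line:
            # A key outside the chosen control set would merge into the wrong
            # place; stop rather than produce a half-converted file.
            raise ValueError("unexpected key path: " + line)
        out.append(line)
    return "\n".join(out) + "\n", count


def convert_file(src_path, dst_path, loaded_name):
    """Regedit on XP writes exports as UTF-16 with a BOM; keep that encoding."""
    with open(src_path, "r", encoding="utf-16") as f:
        text, count = rewrite_reg_paths(f.read(), loaded_name)
    with open(dst_path, "w", encoding="utf-16") as f:
        f.write(text)
    return count
```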

  11. Hi there,

    found this helpful page only after removing the fX#@$ing Bagle as per AV vendors instructions.

    As for many of you it took me 2-3 days after infection to realize I have been infected;
    happened like it did for Didier Stevens.
    I agree that AV vendors are rating this virus erroneously: this is a burdensome one to remove!

    Have to highlight that google searches did not hit right most of times; especially regarding the
    disabling of NDIS driver and the messing up of Safe Mode (originally searched for specific BSOD related info).
    After some “big time” (strange as I ONLY use web services in English language for obvious reasons);
    I used Gmer and HijackThis which made the situation pretty clear.

    One point that prevents a successful restore of the SafeBoot key is that removal procedures DO NOT
    mention about Safe Mode issues and they DO recommend to wipe out System Restore existent data.
    This dismisses cases 2 and 3.

    My thanks to Didier for providing a fresh&clean SP2 SafeBoot .reg file for that all the SYSTEM hives
    I could load did not provide a fix (system blind reboots after 5 minutes of disk activity).

    Bests to all,

    /Mario

    Comment by Mario Biassoni - MCT — Tuesday 27 February 2007 @ 17:42

  12. ok just to fix the wireless you can use these registry values
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
    "UuidSequenceNumber"=dword:0cdae01e

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ndisuio]
    "Start"=dword:00000003

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
    "Start"=dword:00000002

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
    "Start"=dword:00000002

    [HKEY_CURRENT_USER\SessionInformation]
    "ProgramCount"=dword:00000004

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio]
    "Start"=dword:00000003

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
    "Start"=dword:00000002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "Start"=dword:00000002

    Comment by Blue — Saturday 26 May 2007 @ 5:29

  13. Please don’t confuse safemode booting with safeboot. safeboot is a third party encryption system, which runs before the OS boots- that’s why they talk of using Barts PE and setting it up for safeboot. norton’s will only bugger the drive, as it won’t even be able to read it if it’s encrypted.

    BTW I’m stuck - I can’t find the Bart’s plugin on the Safeboot CDs. does anyone know where they are?

    Comment by Aus_e — Friday 6 July 2007 @ 5:10

  14. I know that Safeboot is a third party encryption system, but it is also the name of the registry key (Safeboot) that holds the Safe Mode data.

    Safe Mode is the name of the special boot process.
    Safeboot is the name of the registry key.

    Comment by Didier Stevens — Friday 6 July 2007 @ 13:30

  15. heck just go NOW and find a safeboot.reg key on the web, free download, and stash it in a new folder on the desktop.

    Click it and then safeboot will be there when you reboot right after.

    Comment by Jack — Sunday 30 March 2008 @ 21:29

  16. I know, I put that free safeboot.reg file on the web:
    http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

    Comment by Didier Stevens — Sunday 30 March 2008 @ 21:41

  17. [...] "Show hidden files and folders" from Windows Explorer. To restore safeboot, please visit: Restoring Safeboot Didier Stevens Bonne [...]

    Pingback by SPTD.sys - THE DAEMONS HOME — Saturday 16 August 2008 @ 0:23
