Comments on: Restoring Safeboot

By: SPTD.sys - THE DAEMONS HOME

SPTD.sys - THE DAEMONS HOME — Sat, 16 Aug 2008 00:23:50 +0000

[...] "Show hidden files and folders" from Windows Explorer. To restore safeboot, please visit: Restoring Safeboot Didier Stevens Bonne [...]

By: Didier Stevens

Didier Stevens — Sun, 30 Mar 2008 21:41:17 +0000

I know, I put that free safeboot.reg file on the web:
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

By: Jack

Jack — Sun, 30 Mar 2008 21:29:55 +0000

heck just go NOW and find a safeboot.reg key on the web, free download, and stash it in a new folder on the desktop.

Click it and then safeboot will be there when you reboot right after.

By: Didier Stevens

Didier Stevens — Fri, 06 Jul 2007 13:30:19 +0000

I know that Safeboot is a third party encryption system, but it is also the name of the registry key (Safeboot) that holds the Safe Mode data.

Safe Mode is the name of the special boot process.
Safeboot is the name of the registry key.

By: Aus_e

Aus_e — Fri, 06 Jul 2007 05:10:32 +0000

Please don’t confuse safemode booting with safeboot. safeboot is a third party encryption system, which runs before the OS boots- that’s why they talk of using Barts PE and setting it up for safeboot. norton’s will only bugger the drive, as it won’t even be able to read it if it’s encrypted.

BTW I’m stuck - I can’t find the Bart’s plugin on the Safeboot CDs. does anyone know where they are?

By: Blue

Blue — Sat, 26 May 2007 05:29:10 +0000

ok just to fix the wireless you can use this registry values
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
“UuidSequenceNumber”=dword:0cdae01e

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Ndisuio]
“Start”=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
“Start”=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv]
“Start”=dword:00000002

[HKEY_CURRENT_USER\SessionInformation]
“ProgramCount”=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ndisuio]
“Start”=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
“Start”=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
“Start”=dword:00000002

By: Mario Biassoni - MCT

Mario Biassoni - MCT — Tue, 27 Feb 2007 17:42:12 +0000

Hi there,

found this helpful page only after removing the fX#@$ing Bagle as per AV vendors instructions.

As for many of you it took me 2-3 days after infection to realize I have been infected;
happened like it did for Didier Stevens.
I agree that AV vendors are rating this virus erroneously: this is a burdensome one to removal!

Have to higlight that google searches did not hit right most of times; especially regarding the
disbaling of NDIS driver and the messing up of Safe Mode (originally searched for specific BSOD related info).
After some “big time” (strange as I ONLY use web services in English language for obvious reasons);
I used Gmer and HijackThis which made the situation pretty clear.

One point that prevents a successful restore of the SafeBoot key is that removal procedures DO NOT
mention about Safe Mode issues and they DO recommend to wipe out System Restore existent data.
This dismisses cases 2 and 3.

My thanks to Didier for providing a fresh&clean SP2 SafeBoot .reg file for that all the SYSTEM hives
I could load did not provide a fix (system blind reboots after 5 minutes of disk activity).

Bests to all,

/Mario

By: dimaug

dimaug — Mon, 19 Feb 2007 22:44:50 +0000

Recovering from Bagle, which blows out Safemode, among other things.
This really isn’t that hard to recover from. Here’s how I did it:
First, I discovered I had a problem because AVG wouldn’t work, wouldn’t uninstall and wouldn’t reinstall from a fresh install file. After a reboot (and a failed system restore and a safemode BSOD), I discovered my wireless stopped working and Wireless Zero config wouldn’t start because of unstarted dependecy services (it turned our to be NDIS I/O). A Google search told me that it was probably Bagle and led me to get Blacklight. Blacklight found all the nasties and I chose to rename them. Reboot and voila, Bagle disabled! However, I still had three problems - 1) System restore failed every time 2) Still no wireless and 3) Could not boot into safemode.
Solution
Loaded System hive from C:\WINDOWS\system32\config. Exported HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot to a reg file. Opened regfile in notepad and did a replace for the name I chose when loading to “SYSTEM”. (for instance, when I loaded the hive, I called it “repair”. I then did a find and replace from “repair” to “SYSTEM” [note case sensitive!]). Imported regfile. Safemode fixed.
Uninstalled and reinstalled Wireless NIC. This reloaded the NDIS protocol (which I had tried to reinstall alone, but no dice). Reset TCP/IP settings (I don’t use DHCP), reestablished connection with WAP (I don’t broadcast, so I had to do this by hand). Wireless fixed.
Disabled System restore. This deleted all the restore points, many of which were hosed anyway. This bugger had been around for a few days before I noticed it. Re-enabled System restore and manually created a restore point immediately. System restore fixed.

By: Didier Stevens

Didier Stevens — Mon, 19 Feb 2007 13:59:32 +0000

@Mirco

Read me new post: http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

By: Mirco

Mirco — Sun, 18 Feb 2007 16:07:04 +0000

I don’t have a backup of my registy and I don’t understand this Bart PE stuff. Could somebody be kind enough to post the and exported .reg for the entires in safeboot? After all settings for safeboot won’t vary that much from one machine to another.