Didier Stevens

Monday 19 February 2007

Restoring Safe Mode with a .REG file

Filed under: Malware — Didier Stevens @ 13:57

I posted about a virus that disables Safe Mode by deleting the SafeBoot registry keys, and later I talked about tricks to restore the SafeBoot keys. Now I’m posting another way to restore the SafeBoot keys: merging a .reg file with the missing SafeBoot entries.

A comment by Mirco made me take a closer look at the SafeBoot registry key. I thought that they would contain settings and drivers that
are hardware dependent, but this turned out to be false. In fact, it just contains a list of references to devices, drivers and services that have to be started when booting into Safe Mode.

The registry keys to boot into Safe Mode are under the SafeBoot key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

safebootreg-1.PNG

You can boot into Safe Mode without or with networking, there is a subkey for each mode: Minimal (no networking) and Network (with networking).

Each device, driver or service that has to be started has a subkey under the Minimal or Network key.
In this screenshot, you see the Cryptographic Services service:

safebootreg-2.PNG

BTW, if you want to disable a device, driver or service in Safe Mode, just delete the corresponding subkey (make a backup first).
I tested this with key {4D36E965-E325-11CE-BFC1-08002BE10318} (resulted in a disabled CD-ROM drive) and PlugPlay (resulted in a disabled Plug and Play service).

I compared several SafeBoot registry keys for Windows XP SP2 on different hardware platforms, and they were all identical. However, there were some small differences when comparing different operatings systems (Windows XP SP1, SP2 and Windows 2003 SP1). Remember that Safe Mode was introduced with Windows 2000.
These are minor differences, just listing devices, drivers or services that are only present on one version of Windows. For example, I found Volume shadow copy on a Windows 2003 and not on Windows XP. And Windows 2003 also had less network services than Windows XP, this is probably a result of the default hardening of Windows 2003: more services and applications are disabled by default on Windows 2003 than on Windows XP.

I’m now publishing a registry export file (.reg) with the SafeBoot keys from a clean Windows XP SP2 install and a clean Windows 2000 SP4 Professional install. You can use it to repair your PC when the SafeBoot keys have been deleted and System Restore cannot help you. I would not be surprised if you can use this REG file with other versions of Windows as well.

Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg or SafeBoot-for-Windows-2000-SP4-Professional.reg file on the crippled PC and merge it into the registry by double-clicking it:

safebootmerge.PNG

Download:

SafeBoot.zip (https)

MD5: 5C1E3698877F79DD1C35F3107D4DC459

SHA256: 876D1C85E7556A334664C96F263781F5A9DBC9AB4DA26EDC6070AD947D09641D

287 Comments »

  1. I stumbled on your site yesterday, saw the post about a virus that disables Safe Mode by deleting the SafeBoot registry keys and did exactly what you did just now. I only tested on two PCs, but thought to myself, this should be good enough. Comparing your “version” using WinMerge with the one I had reassured me even further.

    Thanks so much for the confirmation, a great site and excellent utilities. I esp. like UserAssist. I wish it didn’t need .net 2.0 so it would find its place among all the truly portable apps on my USB key, but that would probably be pushing it.

    Keep up the great work!

    Comment by CypherBit — Monday 19 February 2007 @ 17:29

  2. This is great! I’m bookmarking this post for future reference. Thanks!

    Comment by Luke — Monday 19 February 2007 @ 19:06

  3. This was very helpful, thank you :)

    Comment by Mehmet N. — Wednesday 21 February 2007 @ 19:11

  4. that’s a great tool for the thumb drive : ) thank you.

    Comment by nabiy — Thursday 22 February 2007 @ 11:38

  5. I realy dneed to delete malware in my computer,now my computer infected with not-virus:Hoax.JS.Aqent.a

    Comment by delete Malware — Friday 23 March 2007 @ 9:08

  6. How did you detect this, doesn’t your AV clean it?

    Comment by Didier Stevens — Saturday 24 March 2007 @ 7:36

  7. I’d been looking for a fix for the safeboot problem and after reading here realize that another problem, my DVD drive not showing up, is also probably related. I look forward to applying this fix, many thanks for this!

    Comment by John Kellas — Monday 16 April 2007 @ 2:01

  8. Update: THe reg fix worked and I can now boot into safe mode. Unfortunately it did not fix the problem with finding the drive so it must relate to another cause. I took some creative Google searches for a couple of weeks on and off to find a fix for the safe boot problem, so just knowing about this site is invaluable.

    Comment by John Kellas — Monday 16 April 2007 @ 16:26

  9. absolutely great! Thanks for your donation!!!

    Comment by kerf — Sunday 22 April 2007 @ 15:20

  10. many thanks for this wounderful achievement to the rest.

    i personaaly hounor in high regards.

    Comment by MUBASS — Thursday 31 May 2007 @ 13:44

  11. I appreciate the time you spent researching this issue and the elegant fix. Well done.!

    Comment by M. Sebzda — Wednesday 6 June 2007 @ 0:34

  12. Thanks for that. I’m sure it’ll be useful. Didn’t work for me, unfortunately. I still can’t boot into safe mode. The system just reboots, after the drivers have started loading and then gives me the “last configuration that worked” option. I am not sure exactly when the safe mode stopped working but suspect that it may of been when I uninstalled Norton Antivirus, as I also had an issue then with Corel Draw not opening. Or it may have been after a Trojan hijacked my start page. I seem to have eliminated this now, although it took all day, but I would still like to be able to get back into safe-mode. Apart form your fix, I’ve tried System Recovery bootcfg /rebuild /fastdetect, and a program called AVZ – as well as searching for hours through the web but,so far, all to no avail.

    Any further suggestions would be much appreciated.

    Comment by R Armstrong — Sunday 15 July 2007 @ 21:20

  13. Thanks a million,
    Been struggeling with Bagle now for weeks in normal mode and decided to clear the system restore. Then I find this fix which seems to make it possibe to really wipe out Bagle.
    Thanks again.

    Comment by Emiel Koeman — Tuesday 14 August 2007 @ 12:59

  14. Thanks for this (and previous related) post.
    I experienced the same attack and was strugling since several weeks in order to restore safe mode function.

    I first compared my current Safeboot registry file with another PC and realized that only had 3-4 entries – the remaining were just deleted by the virus in order to prevent you from booting in SM.

    I didn’t try your .reg file though, but just took one from another PC running the same OS & SP & similar config. All worked just fine. Which confirms your saying that this .reg entry is not specially related to a given PC & config, but just to an OS with related SPs.

    It’s also a good idea, I think, to often backup the registry (just export the whole .reg file) and then restore the needed section. In this particular case, that would have been the best solution.

    Thanks.

    Comment by John Smith — Monday 3 September 2007 @ 11:59

  15. Excellent !!! You are the best ! Just What I Needed , SUUUUUUUUUUUUUUUUUUUUUUUUUUPERB Thanks!

    Comment by Will — Wednesday 26 September 2007 @ 4:40

  16. Thanks a lot !
    I will test this eveninig… but it seem’s that is the solution of my safe mode problems (crash). I had been infected with Bagle too.

    Comment by luigix — Wednesday 26 September 2007 @ 9:39

  17. I tried your SafeBoot.reg file to fix my Safe Mode problem, but sorry to say, it didn’t help. I’ve been putting up with this problem for a long, long time. Sure wish I could find a fix for it. After a friend directed me to your page, I really had my hopes up. Glad to hear it has worked for some people.

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 2:02

  18. Concerning my last entry, do you have any other ideas?

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 2:04

  19. Was your Safeboot registry data deleted? Which OS are you using?

    Comment by Didier Stevens — Tuesday 2 October 2007 @ 10:52

  20. No, as far as I could tell, nothing had been deleted. The SafeBoot entry was still there. Don’t know if anything under that key had been deleted though. I’m using XP SP2.

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 14:46

  21. I got a blue screen with INACCESSIBLE_BOOT_DEVICE STOP 0x0000007B when trying to boot into safemode (win2k), turns out this exact “safeboot” keys were missing in my registry, fixed it using a different PC, export/import, and now I can boot into safe mode.

    Comment by stormy — Monday 22 October 2007 @ 16:55

  22. I also had the 0×0000007B error, although I could not read exactly what it referred to, the reboot was so fast—and in my boot options “disable automatic reboot” was only applicable to normal mode. Well, I am very pleased to say that your SafeBoot.reg program solved the problem for me! My hat off to you for your excellent work. [My system is recovering from worms/trojans that infected more than 300 files and stopped updates from working, as well as crashing the machine every time I tried to download a file, or in most cases, execute one. Still trying to get updates to work again.]
    Best regards, Gernot

    Comment by Gernot Hassenpflug — Thursday 1 November 2007 @ 4:39

  23. Thank you ! Thank you ! You save me from format my PC !! I got the virus W32.Beagle.DZ (hidr.exe) and I was able to remove it but it leave the windows registry damaged. Like wireless and Safeboot don´t work anymore. One more time, thank you.

    Comment by SuperCelso — Wednesday 21 November 2007 @ 21:46

  24. Wow! Works great! I can’t thank you enough! I hope I’ll never need to use it again on my own pc.

    Comment by E. Falconer — Thursday 22 November 2007 @ 6:37

  25. It worked! It Worked! YES! Now I can get my friend’s computer off my desk and get back to playing Elder Scrolls!

    Comment by Patrick — Wednesday 28 November 2007 @ 4:38

  26. We were a Bagle victim and you made a difference here too! Fixed. Thanks a lot for providing this, Didier. Merci beaucoup!

    Comment by DBZ — Wednesday 28 November 2007 @ 16:57

  27. Worked for me. I’ve been trying to fix this for more than six months. Did everything short of a clean install. Thanks, sure appreciate it.

    Comment by BWO — Thursday 29 November 2007 @ 4:27

  28. Anyone have the same reg file for Windows 2000 SP4?
    Thanks

    Comment by Tony S — Thursday 6 December 2007 @ 3:16

  29. For which version of Windows 2000 SP4 do you need the safe mode entries, Professional or Server?

    Comment by Didier Stevens — Thursday 6 December 2007 @ 8:54

  30. Professional. (5.00.2195)
    Thanks.

    Comment by Tony S — Friday 7 December 2007 @ 23:12

  31. I added the SafeBoot reg keys for Windows 2000 SP4 Professional to the zip file.

    Comment by Didier Stevens — Sunday 9 December 2007 @ 10:56

  32. Thanks, Didier I was able to boot into SafeMode now using your reg-key for windows 2000sp4. I could already run in normal mode , but I was wondering why I never could run into safemode to find things out about my PC. But thanks to your reg-key I can now work in Safemode too. Under the old key there weren’t any sevices mentioned at all and I don’t know why, but finnaly -thanks to you- everything turned out to be fine.

    Comment by Joop — Sunday 16 December 2007 @ 19:35

  33. thank u very much for the information..
    just got stuck at fixing 1 comp.. this 1 is too helpful…
    thanx again

    Comment by piyush chandra — Friday 21 December 2007 @ 16:46

  34. hi piyush,

    i am still suffering from the problem i am not able to boot the system on safemode with promt it is getting restart… plz help me

    Comment by abdul — Saturday 5 January 2008 @ 8:26

  35. I believe you wanted to post this on the Piyush Labs site?

    Comment by Didier Stevens — Saturday 5 January 2008 @ 19:46

  36. [...] abgesicherten Modus kannst du reparieren, indem du die reg Datei aus diesem Link nutzt: http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/bei WD weiss ich es nicht genau, aber versuch es mit deinstallation und erneuter [...]

    Pingback by Windows defender wird nicht mehr angezeigt (in der Taskleiste) - Virus Hilfe — Tuesday 8 January 2008 @ 0:50

  37. I’ve cleaned all viruses I had.
    Tried to use the utility you provided in order to boot in safe mode (I’ve lost it due to a virus), but when I press F8, i’m getting regular boot
    What could be wrong
    In addition I’m not able to install Windows XP security updates. PC works fine , but security updates…..
    Any idea what to do?

    Comment by YP — Tuesday 8 January 2008 @ 19:33

  38. Thanks a bunch for the info. It worked great!

    Comment by KJ — Wednesday 9 January 2008 @ 1:05

  39. @YP
    If you mail me your exported Safeboot reg keys, I’ll have a look at them.

    Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:31

  40. Thank you very much for your very useful information.
    The net is becoming step by step time by time always more “degradated”: it’s always more difficult to find someone who uses his brains to solve problems.

    If I can add something to your post,I would advice people when they install an OS, to install another clean copy on a separate partition and forget it, so that they can use it when they need, as spare parts.
    Thank you again

    Comment by Ermanno — Saturday 9 February 2008 @ 16:24

  41. Stumbling on your page was a godsend. My w2k machine has been able to boot into Normal Mode but NOT Safe Mode for quite some time and I suspected a virus. I kept getting the Inaccessible Boot Device bluescreen and figured the mbr was infected but was reluctant to fiddle with this. I did a final google about the problem and found this site. I downloaded and installed your fix and can now finally boot into Safe Mode which will enable me to remove viruses and malware.

    Thanks 1000 times.

    Doug

    Comment by Doug — Tuesday 26 February 2008 @ 19:39

  42. Just to add another thank you to the list, I can now clean the bagle :)
    Will check more of the site, merci,
    Fab

    Comment by Fab — Thursday 6 March 2008 @ 18:35

  43. I don’t know if this is the right place to post but there seem to be a lot of satisfied commenters. My computer won’t boot in Safe Mode, but it also won’t boot in normal mode (even “last known good configuration”). More specifically, I can reach the login page, but the system logs out immediately after logging in. Possibly the reg keys would fix the problem, but I can’t figure out how to merge them without starting the OS. Any ideas?

    Comment by Chris — Wednesday 12 March 2008 @ 22:09

  44. I doubt that your problem is caused by a deleted Safeboot key. But if you want to try: boot from a Windows Live CD like UBCD4WIN, load the registry hive of the local machine, edit the reg file to point to the loaded hive and then merge it.

    Comment by Didier Stevens — Monday 17 March 2008 @ 22:34

  45. Dear didier,

    I would like to enable direct cable connection. Even I enabled com port, remote access and telephony, I can not enable direct cable connection. Can you help?
    I can give more detailed info, if you are interested.

    fatih

    Comment by fatih — Sunday 23 March 2008 @ 16:30

  46. I think you must enable networking.

    Comment by Didier Stevens — Monday 31 March 2008 @ 18:27

  47. Thank you for the safe boot fix for xp, it worked.

    Comment by Len — Tuesday 15 April 2008 @ 14:11

  48. Many kudos for you, Didier.
    I have spent “gazillion” hours searching for a solution to the “STOP:………” error message I get when trying to boot in Safe Mode, alas, without success.
    Your fix worked!
    Amen

    Comment by Wojtek Sangowicz — Sunday 4 May 2008 @ 23:22

  49. did not work, not way to make it work

    Comment by julie — Monday 5 May 2008 @ 8:28

  50. Did you check if the Safeboot registry entries were created (and if they were missing in the first place)?

    Comment by Didier Stevens — Monday 5 May 2008 @ 10:31

  51. Thanks i was affraid of reinstalling xp sp2 after being infected with bagle,srosa and mdelk.exe.
    your reg file made it possible to boot in safe mode again, and run antvirus and i got rid af it all….
    THANK YOU!

    Comment by geert — Saturday 17 May 2008 @ 22:04

  52. Thank you very much, Didier!!

    I have been infected by a Beagle variant, my safe boot entries were disappeared. I have tested your .reg file in my PC that has SP3 installed, anddddd IT WORKS!!!!!

    Comment by Ramón — Monday 26 May 2008 @ 0:21

  53. would your reg key fix also work on xp pro 64

    Comment by alan — Tuesday 3 June 2008 @ 16:37

  54. I don’t know. The format is probably the same, check it by exporting the SafeMode keys and compare them with my reg file.
    And for the entries: I don’t know if XP 64 has services & drivers that XP 32 hasn’t

    Comment by Didier Stevens — Tuesday 3 June 2008 @ 17:08

  55. Thank you, thank you, thank you. This works perfectly on xp 64 bit pro version too.

    My situation was this. I got infected with hldrrr.exe and srosa rootkits which removed many things including booting to safe mode. hldrrr.exe and srosa were removed with prevx csi and then my virus scanners were re installed, but i still didn’t have the use of safe mode even though the system was now clean because of the removal of registry entries to which i had no backups. Ran this reg key, tried booting in safe mode. Worked first time. you have saved me from a complete re-install.

    Comment by James — Saturday 21 June 2008 @ 13:15

  56. Thank you, thank you, and… thank you. I am very glad that I found your information I have been working in PC’s for years (thank you Microsoft for making your systems so unstable that they have kept me employed all these years!!!) an I can honestly say I have never encountered a PC that would not go into Safe mode. Your explanations make total sense, and your information has helped me to bring a computer back to life. I really appreciate your efforts. Do you take Paypal?? Roger(10-4)

    Comment by Roger(10-4) — Thursday 26 June 2008 @ 14:33

  57. @Roger(10-4)

    No problem. My stuff is free, no need for Paypal.

    And if you absolutely want to donate something, make a donation to your favorite charity in my name.

    Comment by Didier Stevens — Thursday 26 June 2008 @ 14:42

  58. it contains files for win2k & winxp, what about win2k3?

    Comment by Remo Harsono — Saturday 28 June 2008 @ 20:29

  59. Do you need to restore Safe Mode on a Windows 2003 server? If you have a backup, recover the system registry hive, load it in regedit and recover the safeboot keys. Let me know if you don’t have a backup.

    Comment by Didier Stevens — Monday 30 June 2008 @ 15:28

  60. Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks. Past saturday I was browsing on the internet. Within Emule, the server sugested to go to a website. I do not remember if I was browsing with IE or Firefox. My screen went black and my system rebooted. Then I got an error when trying to start AVG “this is not a valid win32 application”. I have received the Bagle/beagle worm. I have tried to start in Safe Mode, but my system reboots, I see … agpxxx.sys . When I chose to startup without rebooting, I receive an error in BSOD 0x0000007b 0xf7c46528. Telling me my boot partion or drive is “broken”. After 4 days trying to repair my system (I slept very bad) I see your posting. AND IT MADE MY SYSTEM BOOT IN SAFE MODE !!!!! Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, now I can continue to repair my computer !!!

    Comment by ushi jansen — Wednesday 9 July 2008 @ 17:36

  61. I am missing the hard disk reg key so it will not boot in safe mode only normal mode. When I add you reg keys it does not take. If I manually make key it is there but within a sec it say key is not accessable. Seems the trojan removes the key as fast as it can be added. Any suggestions?

    Comment by guy — Thursday 10 July 2008 @ 3:35

  62. Never mind found a wininternals pe boot disk with reg editor on it. Booted on the cd and added the key for the Diskdrive and it booted into safemode fine. Thanks for pointing in the right direction.

    Comment by guy — Thursday 10 July 2008 @ 4:15

  63. You could also have done it with BartPE or Universal Boot CD For Windows: boot from a the CD, load the registry hive of the local machine, and add the missing keys.
    If you want to merge the reg file, you’ll have to edit it to point to the loaded hive and then merge it.

    Comment by Didier Stevens — Thursday 10 July 2008 @ 8:28

  64. Wow thank you loads! Really helped alot since I had Mal/Emogen-E which blocked a number of antivirus programs, hijackthis and safemode! I was actually trying to repair my registry line by line until I found your site!

    Comment by James — Friday 11 July 2008 @ 3:03

  65. [...] Safeboot registry : saya gunakan supaya bisa masuk ke safe mode. Karena setiap kali ke safe mode pasti akan stuck waktu import driver (ini bagian dari strategi trojan/virus/spyware/malware dan keluarganya :p ). [...]

    Pingback by Me-remove spyware akibat Video ActiveX Object error « R420r’s Weblog — Wednesday 16 July 2008 @ 5:09

  66. Very smart solution. Thanks!!

    Comment by Jose — Sunday 20 July 2008 @ 21:32

  67. Nice. I’ve added this to my ‘toolbox’ should I ever need it. The file says it’s for XPSP2 but what about SP3?

    Comment by Xander — Tuesday 29 July 2008 @ 17:24

  68. It will work too for SP3, only 2 services were added in SP3: vds and Volume Shadow Copy. Anyways, I included a reg file for SP3.

    Comment by Didier Stevens — Wednesday 30 July 2008 @ 19:01

  69. Bless you! It put an end to hours of trying this and that. It worked for my XP PRO SP3.

    Thanks so much for taking the time to get your solution on to those of us frustrated with no Safe Mode.

    “grateful”

    Comment by Grateful — Monday 11 August 2008 @ 14:33

  70. Not sure what I’m doing wrong. I click your file but I don’t get any option to merge it. Nothing happens. I still can’t boot into safe mode. Am I suppose to place the file somewhere in particular before double-clicking it? Thank you!

    Comment by jonahpro — Monday 18 August 2008 @ 19:33

  71. Folowup to the earlier post – I’m running XP Pro SP2. DOes that matter that it’s not XP Home?

    Comment by jonahpro — Monday 18 August 2008 @ 19:34

  72. @jonahpro

    Your machine is probably infected and the malware is preventing regedit.exe from running. Can you run regedit (start / run / regedit)?
    If not, make a copy of the regedit.exe program and give it another name, and try running it.

    Comment by Didier Stevens — Monday 18 August 2008 @ 20:04

  73. Very odd – I can’t even find regedit.exe! Wouldn’t it be just one exe file I’m looking for? There are some strange virus events happening these days. Hate to take more of your time – but any ideas? Thank you!

    Comment by jonahpro — Monday 18 August 2008 @ 20:49

  74. The malware could have deleted it or is actively hiding it (rootkit).

    Try to make a copy of notepad.exe and call it regedit.exe. If this fails, the malware is actively hiding it or deleting it.

    In this case, you’re best to boot from a live CD and clean it. Try the F-secure rescue CD: http://www.linuxnewsblog.com/2008/06/f-secure-rescue-cd-300-released.html

    It’s best to download and burn this CD on a clean machine.

    Comment by Didier Stevens — Monday 18 August 2008 @ 20:57

  75. My bad. Found two instances of it. In C:\WINDOWS and in C:\WINDOWS\ServicePAckFiles\i386

    Changed them to regedit.old Then tried to run your file again. Same result. ??

    Comment by jonahpro — Monday 18 August 2008 @ 20:59

  76. No, don’t rename these files to .old, regedit.exe is a legitimate Windows program, you need it.
    Can you execute it? If so, import the reg file: file / import.

    Comment by Didier Stevens — Monday 18 August 2008 @ 21:02

  77. OK, when I run your file it keeps recreating a new regedit.exe, as it is suppose to do. But my safe boot still hangs at Mup.sys as it did before.

    Comment by jonahpro — Monday 18 August 2008 @ 21:08

  78. It looks like your Safeboot keys were never deleted, but that you have a problem with a driver. My reg file is not meant to solve this.

    Comment by Didier Stevens — Tuesday 19 August 2008 @ 7:59

  79. Didier – thank you for the time you spent on this. You’re doing a good service to everyone. Much appreciated.

    Comment by jonahpro — Tuesday 19 August 2008 @ 13:22

  80. Thanks for those .reg files, i spent some hours trying to fix mi Notebook because it did not boot into safe mode (normal boot was working), the .reg files you posted fixed safe boot on my PC. Thanks again.

    Ariel
    -Mexico

    Comment by Ariel — Wednesday 24 September 2008 @ 4:31

  81. thyis is powerful stuff people.
    birlliant but yet so simple

    thanks a mil

    Comment by KIo — Wednesday 1 October 2008 @ 9:03

  82. Thank you for the very helpful post. For the benefit of the less advanced pc users like me can you elaborate on how to “…load the registry hive of the local machine, edit the reg file to point to the loaded hive and then merge it”. I tried this using the remote registry editor in UBCD4W and registry files from a clean pc, but I couldn’t find CurrentControlSet in the registry files it loaded.

    Thanks

    Comment by Slyce — Thursday 9 October 2008 @ 14:51

  83. I’ve an upcoming blogpost about this.

    Comment by Didier Stevens — Thursday 9 October 2008 @ 20:30

  84. Thanks, worked as advertised and allowed me to get into safe mode and remove a particularly nasty trojan on a friends computer. Good job.

    Comment by Joe — Thursday 23 October 2008 @ 4:55

  85. Hello Didier Stevens, this really helped me immensely, I have been struggling for a week and I decided to format but just before that I was lucky to find this site it booted in safe mode thank you so much

    Comment by MANJUNATH — Sunday 26 October 2008 @ 14:47

  86. Ohh ..The god…Thank you very very much My PC infected w32.sality.AE it’s super diffucal to remove ; I’m fighting with it …

    Comment by supersus — Tuesday 4 November 2008 @ 10:13

  87. Thanks a lot for this explanation. It helped.

    Comment by Alex — Thursday 6 November 2008 @ 15:31

  88. I am anxiuosly awaiting the blog post you promised ‘Thursday 9 October 2008 @ 20:30′ concerning the details of how to merge a registry file.

    Comment by Slyce — Wednesday 12 November 2008 @ 12:21

  89. @Slyce: it’s on my todo list. Probably December.

    Comment by Didier Stevens — Thursday 13 November 2008 @ 18:20

  90. i’ve been searching the way to resolve the problem about entering safe mode b-coz im verrrry often encountr ths prblm. and now i’ll try yours.. thx a looot :-)

    Comment by dewa — Saturday 22 November 2008 @ 8:49

  91. I added your bit to WIN2000 reg and it worked.
    I was so pleased after 3 days , Didier you had the right fix.
    Excellent work. Thanks so much for your clever piece of work,
    Guy

    Comment by Guy — Monday 24 November 2008 @ 10:56

  92. Here is a procedure with a Live CD: http://blog.didierstevens.com/2008/11/26/update-restoring-safe-mode-with-a-reg-file-and-a-live-cd/

    Comment by Didier Stevens — Wednesday 26 November 2008 @ 19:47

  93. Thank you so much for your right fix…. I’m really appreciate it

    Comment by QSen — Sunday 30 November 2008 @ 17:14

  94. tested on winxp_sp2 worked perfect , love you , thanks so much .

    Comment by Qwity — Sunday 14 December 2008 @ 7:34

  95. Thanks a lot for this fix…..Are the safemode w/networking keys similar across different hardware? if not How does one go about making a file like the one You have for safemode w/o networking.

    Comment by yellowpudding — Tuesday 16 December 2008 @ 14:57

  96. The safeboot keys for Safe Mode without networking are a subset of the keys with networking. I made these reg files by exporting from a clean install of a virtual machine.

    Comment by Didier Stevens — Tuesday 16 December 2008 @ 18:45

  97. I’ve just downloaded SafeBoot.zip and the MD5 hash does not match the one you have published immediately after the download link.

    I see from comment #68 that you updated the original file and the file I’ve downloaded has “Last-Modified: Tue, 29 Jul 2008 22:14:09 GMT”, which matches your comment. Did you update the hashes then, or not?

    Comment by James_A — Thursday 18 December 2008 @ 20:36

  98. I checked: the hashes you saw were for the previous version, published in December 2007. I’ve updated the hashes for the last version, published in July 2008.

    Comment by Didier Stevens — Sunday 21 December 2008 @ 15:07

  99. It works for me too… Thank you very much!!!!

    Comment by Yves — Tuesday 23 December 2008 @ 16:26

  100. I got hit yesterday 23/12 by the 0xf9.exe which came out of nowhere, my ZoneAlarm warned me progam aaaaaa was trying to connect to the internet so I was able to stop the worst. In the time it took me to notice it, it had disabled the Task Mgr and removed Safeboot from registry. I found a site that told me how to restore the Task Mgr and then found your site which gave me back the Safeboot reg file. Long note, but sincere thanks for taking the trouble to help others. Merry Xmas.

    Comment by Norman — Wednesday 24 December 2008 @ 11:27

  101. Thanks a lot for the fix for safe mode. It works beautifully.

    Comment by Dave G — Saturday 10 January 2009 @ 18:09

  102. Thank you, I have same problem but now it’s fix.

    Comment by yands — Friday 16 January 2009 @ 14:04

  103. I merged safeboot.zip because I couldn’t boot in safe mode and now I can’t boot at all! My computer is now totally stuffed. Thanks.

    Comment by Daphne — Thursday 22 January 2009 @ 0:16

  104. This should never happen. The SafeBoot keys are not used for a normal boot. Used a Live Windows CD to inspect and recover your machine.

    Comment by Didier Stevens — Thursday 22 January 2009 @ 7:39

  105. Didier,

    You seem to be a very kowledgeable person in relation to safeboot in reading the blog.
    This weekend my laptop which has safeboot on it crashed and would “NOT” even boot up into safemode on the machine. I kept getting a termination erro and the machine just shutdown again.

    The machine has 2 partitions on it and the data i need to recover in on the “D” drive (partition 2).

    To get the machine started I tried to use the windows recovery option but to no avail. I ended up having to re-install windows on to the machine. This obviously formatted the “C” drive.

    The machine can see there is another partition there for “D” but when i click it it says do i want to format it now. I dont want to take this option as I want to save as much data if possible from this drive.

    Can you suggest anything for me in getting this data back ?

    Thanks in advance for your support.

    Regards
    Ivor Duggan

    Comment by Didier Stevens — Monday 26 January 2009 @ 12:51

  106. Didier, you’re an absolute star! Bagle.fc/@MM was doing my head in. Great work. Thanks.

    Comment by Gerry Mulvenna — Friday 30 January 2009 @ 18:42

  107. I have been very upset and fustrated to restore safe mode. I found out that a program that I purchased was deleting empty registry keys called Registry Easy. This culprit deleted this key hence was unable to boot safe mode. Thank you very much for isolating this registry key for safe mode. I will back up the entire safe mode key just in case. By the way, I had to reinstall windows xp to find out what program was causing this problem. Thanks again.

    Comment by Edgar Roman — Monday 23 February 2009 @ 17:17

  108. Do you have the one that can repair a 32bit windows vista home premium? I don’t know what the problem is but my safe mode won’t boot anymore. Please help!

    Comment by Earlouie — Wednesday 4 March 2009 @ 14:34

  109. Do you get an error message when you’re booting in safe mode?

    Have you checked if your safe mode keys have been deleted? If they are still present, my reg file won’t help you.

    Comment by Didier Stevens — Thursday 5 March 2009 @ 11:33

  110. Thank You very much for the REG file. I was looking for help several days. Finding this file was like heaven.

    Comment by Erik — Tuesday 10 March 2009 @ 8:04

  111. I have a problem. I have a virus that disabled safemode and I tried to re-enable it through msconfig (checked the safemode box under system.ini). Now the commputer always gives me a BSOD whenever I try to boot. I am not even sure if the safemode key is in the registry anymore. Is there a way to bypass this attempt to boot into safemode? Last known good configuration doesn’t work. Any help would be appreciated.

    Comment by Dave — Saturday 21 March 2009 @ 20:00

  112. Muchas gracias, porfin pude iniciar a modo de prueba de fallos, solamente de esta manera he podido borrar un registro de windows.
    Thank a lot.

    Comment by Manuel — Friday 27 March 2009 @ 15:25

  113. @Dave

    What are the parameters reported by the BSOD?

    Comment by Didier Stevens — Saturday 28 March 2009 @ 20:33

  114. Ti ringrazio per questo valido aiuto, anch’io probabilmente per un virus non riuscivo più a far artire XP in modalità provvisoria, ho provato a dare un’occhiata alle chiavi di registro ed erano voute, ho quindi aggiunte le tue e per magia adesso è tutto OK.
    Prima di questo avevo piantato il computer utilizzando BootSafe, praticamente il PC partiva solo con la modalità provvisoria che si piantava con la schermata blu, ho quindi avviato con la console di riprisino del CD di XP e ripristinato il file Boot.ini.
    Ciao Alvise Italy

    Comment by Alvise — Sunday 29 March 2009 @ 21:16

  115. yeah graet job man………….. much helpfully ,thank’s .safemode work again :)

    Comment by mambang — Saturday 4 April 2009 @ 5:20

  116. Your information was really helpful in bringing my computer back to normal. I got infected by a virus today and although I deleted the files it dropped on my C drive, I still couldn’t boot in safe mode.

    Thank you!

    Comment by ismiy — Sunday 12 April 2009 @ 12:58

  117. I was hit by the conficker worm and used AVAST to remove it (spent a good part of my Good Friday weekend doing this).
    However, i still was not able to boot in safe mode. Your .reg file worked like a dream. Thank you!

    Comment by Mohan — Sunday 12 April 2009 @ 17:51

  118. Thanks so much for the .reg file. Our servers are able to boot into safe mode now.

    Comment by Andrew — Wednesday 15 April 2009 @ 21:11

  119. Thanks, you are amazing

    Comment by Mario — Monday 25 May 2009 @ 14:11

  120. Hi Didier,

    Good deed indeed on you part, keep helping people in turn god helps you. You have been a great help, saved a lot of time for me.

    Comment by Pankaj Dhir — Sunday 31 May 2009 @ 10:16

  121. Excellent work, very thorough, and to the point. Helped me solve the issue in very little time. Thanks very much.
    I did not download the file, but simply exported the “SAFEBOOT” entry from a working XP-SP3 system to a pen-drive, which I used on the ailing system (in which all the “Minimal” and “Network” entries had been removed) to restore it. That did it.

    Comment by ERPP — Monday 8 June 2009 @ 19:47

  122. Thanks a lot. I couldn’t get into safe mode, my computer was just restarting when it reached mup.sys file. I was trying to get safe mode fixer SFM from moonvalley, but all I got was a trial version that didn’t do anything. I tried your way and now safe mode and OS are working properly. THANK YOU!

    Comment by JeS — Monday 22 June 2009 @ 11:20

  123. Hi,
    This is so close to what i need to accomplish, i was wondering if you might be able to help me. I have a laptop and the web browsing functions don’t work unless i boot into safemode. I can ping but i can’t browse unless i’m in safemode. Is there a way to audit the keys that windows is normally loading and see where the internet browsing is being cutoff?
    Thank you for any help,
    Preston

    Comment by Preston — Monday 22 June 2009 @ 20:26

  124. Try procmon from Microsoft/sysinternals

    Comment by Didier Stevens — Saturday 27 June 2009 @ 22:04

  125. I had the nastiest virus that displayed antivirus 2009 ads, changed my background, prevented anti-malware from running and disabled safe-mode. everytime I removed the virus it would come back after I rebooted.

    thank god for this website, safeboot.zip worked perfectly! I renamed my anti-malware program (malwarebytes), got the latest updates, ran it, ran your registry repair, rebooted in safe mode, ran the virus scan again, and everything was good.

    thank you so much for this site! we need more people like you

    Scott

    Comment by scottG — Saturday 4 July 2009 @ 15:35

  126. Respected Stevens,
    everytime i add registry value give above by you and when i restart pc the value under SAFEBOOT becomes disappear. the MINIMAL and NETWORK key disappears on every reboot. NERO is not being installed on my pc. it asks that CAN’T COPY NERO.EXE. No any virus signature is found on my machine. TASKMGR,CMD,REGEDIT, HIDDEN FOLDER,FILES and many other prg.runs smooth. But this is the onlly problem is there, kindly help Sir. Pc is not booting in safemode becoze above two Keys becoms disappear. Can I request you sir to mail me on KAVI_BHAI@REDIFFMAIL.COM about the problem…?
    Eagerly waiting for your answer.

    Comment by kavi — Saturday 11 July 2009 @ 21:35

  127. Thanks, i also got problem with safe mode so it look obviously bagle virus deletes safe mode registry keys so it keep bugging me over one year so i am glad to found your website so it is now resolve these problem

    Comment by gersrno1 — Sunday 23 August 2009 @ 13:19

  128. Thank you, three times over! My sister’s computer got the “Advanced Virus Remover” trojan which prompted her to buy a bogus virus checker software package. She called me first and thankfully didn’t buy it, but the damage was done. It changed a bunch of reg entries, for example hijacking the desktop image to show a false virus warning. It also apparently wiped out the safemode reg entries. I wanted to do a “Security Tango” waltz (securitytango.com) to clean the entire machine but couldn’t. Again, thanks VERY much for this fix!

    Comment by Gee — Thursday 27 August 2009 @ 17:50

  129. Thank you for publishing this, did the trick. Customer had numerous viruses, everything was disabled, and safemode was too. Ran the reg fix, bingo! Thanks again.

    Comment by Paul — Tuesday 1 September 2009 @ 7:06

  130. May be i’m a bit late to response. But your export of safeboot registry was very helpful. Thanks a lot for the details. Keep up the good work.

    Comment by Rabster — Thursday 10 September 2009 @ 20:08

  131. Just wanted to say thanks…your efforts worked great !

    Comment by david — Friday 11 September 2009 @ 23:15

  132. Worked better than a pay for version from another site. Worth 10 times more than you are changing.. Bad time for me now, your price was perfect. Thanks soooooooo much!

    Comment by Terry Smith — Sunday 13 September 2009 @ 7:48

  133. [...] final step was to use a registry replacement file from here: http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ and restore my ability to enter Safe Mode.  Then I re-installed my virus scanner…this time I [...]

    Pingback by Jenerally Speaking » Blog Archive » Burninated — Saturday 19 September 2009 @ 3:30

  134. Thank you so much. Had finally cleaned out a nasty Vundo infection but had left over problems, such as inability to boot into Safe Mode. Found this with Google, determined the SafeBoot keys were missing from the registry, and merged your XPSP2 reg file. It did the trick!!! Thanks again

    Comment by Sheila — Saturday 19 September 2009 @ 12:43

  135. [...] Restore Safe Mode [...]

    Pingback by All that is wrong with the world… — Thursday 8 October 2009 @ 20:37

  136. thx ever so much!
    The recent bezopi.E virus deleted the keys so I couldn’t go 2 safe mode. I am now trying to get my keyboard workin as thy have either disabled or deleted this function. any help woud be brill!

    Comment by jen — Wednesday 14 October 2009 @ 19:33

  137. Try this: disconnect your keyboard, open the device manager, uninstall the keyboard, reconnect it.

    Comment by Didier Stevens — Wednesday 14 October 2009 @ 19:58

  138. Hi,Thanx,it worked fine,saved my Desktop.Microsoft is helpless on this.People like U r great

    Comment by gpnema — Sunday 25 October 2009 @ 15:07

  139. Thanks for the post, very useful info, one of my users installed a bad worm that prevent me from booting to safe and also disabled sys restore, I wasnt looking at the whole pic and totally overlooked the registry.

    Thank again!

    Marco.

    Comment by Marco — Sunday 25 October 2009 @ 22:17

  140. I tried the Safeboot.zip, it does not work. It seems the Trojans are getting better written.

    Comment by Aalaf Alot — Monday 26 October 2009 @ 4:01

  141. You are my hero. I used this and was able to get into safe mode again. Ran the scan and got rid of the virus. Thank you SO much.

    Comment by Lisa — Friday 30 October 2009 @ 19:12

  142. [...] with Malware The nasty bagle worm can inhibit safemode by deleting the reg keys in XP. This link will provide reg files for XP SP 1-3 to restore the safeboot option. Norman 2009 seems to be a [...]

    Pingback by Frequently Asked Questions and Useful Information - PPRuNe Forums — Saturday 31 October 2009 @ 15:22

  143. Worked for me, thanks!

    Comment by Delroy — Friday 6 November 2009 @ 18:08

  144. tq so much for ur hard work….that reg file really does it job!tq so much

    Comment by amir from malaysia — Friday 13 November 2009 @ 14:46

  145. [...] Restore Safe Mode [...]

    Pingback by Guide to detecting and removing malware « All that is wrong with the world… — Tuesday 17 November 2009 @ 9:15

  146. I searched Google for days looking for solutions and came across a lot of useless balderdash written by illiterates in newsgroups along the way. Finally I came across this clearly-writeen solution and it’s the only thing that worked to let me boot into safe mode.

    Thank you very much.

    Danny Crossley.

    Comment by Danny Crossley — Thursday 19 November 2009 @ 7:47

  147. Simple and effective. I used this information to export the Safe Boot key for XP SP3 and it worked perfectly.

    Comment by Doug — Tuesday 24 November 2009 @ 18:05

  148. The Restore Safe Mode for the registry “Worked Like A Champ!”. Been trying for weeks to correct and happened upon you site after a Google search for windows XP SafeBoot Registry. Many Thanks.

    Comment by Tony from Texas USA — Thursday 3 December 2009 @ 4:32

  149. After about 2 hours of frustration that I might have needed to do a repair install on my system, I happened across your post. I got infected by a nasty virus that wiped out my safe mode. I ran Malwarebytes to clean the infection and Dr. Web to clean up any trace elements. As well as a full scan with Kaspersy. I give this post an A++ as after my pc was clean I still needed to fix my safe mode. So this ones for you buddy, (Raises beer stein High in the air and gives thanks)

    Much thanks again,
    Jeff

    Comment by Jeff — Tuesday 8 December 2009 @ 22:23

  150. I happened on this just a little bit ago. I’m having the same issue of booting into safe mode. Great idea, should help a lot of people unfortunately it didn’t work in my case. I had already checked the registry and everything appeared ok, but I was hoping and praying that maybe I missed something and this would work. Looks like it’s back to the drawign table.

    Comment by Jonathan — Wednesday 9 December 2009 @ 15:29

  151. Thank you so much! Spent hours trying to fix this problem.

    Comment by Derrick — Monday 14 December 2009 @ 3:44

  152. Thanks, Security Tool was my recent PC wrecking issue. After repairing everything else this was the finishing touch.
    Thanks Very Much! Very Very Kind and helpful!

    Comment by DC — Monday 14 December 2009 @ 5:16

  153. You really did a great public service making this utility available! I have spent hours researching why I could not boot into safe mode… even Microsoft didn’t have a good solution but this solved the problem.

    Now I can recover user files in a profile that kept giving “access denied” in Windows XP Home Edition. The only way to gain access to them is to boot into safe mode and claim ownership. You saved the day because now I can boot into safe mode and get these files back! Great work and bless you!!!!

    Comment by MTF — Wednesday 16 December 2009 @ 0:10

  154. Well….I seem to be in the same boat. I’ve been trying to remove a browser search redirect virus with various removal tools, and I’m unable to boot into safe mode (get the blue screen). I tried this method with no success. It’s almost as if even after I run the “restore safe mode”, the virus rewrites the registry entries. Any thoughts?
    thanks

    Comment by Mike Voss — Wednesday 16 December 2009 @ 21:05

  155. Thank you very much. After much searching I came across this after thinking it may be a registry issue. Came across a lot of suggestions to update the drivers. This worked for me, the registry string was completely removed from the computer and after your fix it worked great!

    Comment by MR — Thursday 17 December 2009 @ 16:55

  156. You are the super-crime fighting hero of the scourge hackers! Why is it that an obviously talented person like yourself is not represented by all the moronic, redundant, palaver of all the hijackthis/MS help sites??? I just don’t understand it. You are the KING bro. Hats off to you for your talent and ability to promote a point and working solution with minimal BS. Your solution worked perfectly for me, I wish you well, and hope that someone up the IT chain sees all these posts to give you your due. You are truly the man.

    Comment by LazGunX — Friday 18 December 2009 @ 0:59

  157. @Mike Voss
    Try with a live CD: http://blog.didierstevens.com/2008/11/26/update-restoring-safe-mode-with-a-reg-file-and-a-live-cd/

    Comment by Didier Stevens — Saturday 19 December 2009 @ 10:32

  158. You’re amazing, this is exactly what I was looking for but I couldn’t find it anywhere else. Unfortunately it doesn’t seem to be working. I downloaded it, unzipped it and I double click on the SP2 file. A window asks me if I want to add it to the registry and I click the yes button. Another window pops up saying it was successfully added. I open up RegEdit, but the SAFEBOOT folder is still missing and safe mode still doesn’t work. Am I missing something here? My computer still isn’t clean, is it possible the malware is deleting it as soon as I add it into the registry? I don’t have a cd and my AVG and MBAM aren’t detecting anything, I’m running out of ideas at this point…

    Comment by Eric — Tuesday 22 December 2009 @ 5:10

  159. @Eric: You mean you don’t have a CD-ROM reader in the PC, otherwise you can try this: http://blog.didierstevens.com/2008/11/26/update-restoring-safe-mode-with-a-reg-file-and-a-live-cd/
    And I’m also working on program to create the Safeboot key and to prevent it from getting deleted by malware.

    Comment by Didier Stevens — Wednesday 23 December 2009 @ 12:45

  160. I do have a CD-ROM drive on my computer, but it doesn’t always work. Even if it did, I don’t have any kind of boot disk for windows and I’ve never made a back up for my OS or anything like that. The computer didn’t come with a CD.

    By the way, did you send me an email about sending me a .exe file? I got an email from somebody claiming to be you but I wanted to verify before I opened it, I don’t want to make my infection any worse than it already is.

    Comment by Eric — Wednesday 23 December 2009 @ 16:46

  161. @Eric Yes, I’ve worked on a solution that involves an exe for when the .reg file is not enough, because the malware actively monitors the registry and deletes new Safeboot keys. If you want to try this, reply to my e-mail, and I’ll send you a link to the program on my website, this way you know it’s from me.

    Comment by Didier Stevens — Wednesday 23 December 2009 @ 16:58

  162. Hi Didier,

    I have been searching for a solution to restore safe mode following a virus attack which crippled my desktop computer. All the advice I read seemed unfounded and even Microsoft offered no solution. But when I read your explanation about the missing registry keys I could immediately see from my laptop that you had identified the problem. Your explanation was clear and concise and your download worked perfectly. Rebooted and accessed safe mode for the first time in a long while so many many thanks to you. Now running malware and virus scans in safe mode as I type. I concur with those that say you are a real internet hero!! All the best for Christmas and new Year. Bill

    Comment by Bill — Sunday 27 December 2009 @ 23:07

  163. Thanks a lot. This helped me to get into Safe mode. Thanks again.

    Comment by max — Wednesday 30 December 2009 @ 4:39

  164. Didn’t actually use the file but the information was very useful. I would like to add some more information for those are still having issues or come across this in the future. If you look in the registry there are anywhere from one to several control sets as well as the current control set. I was using a program called RunScanner from http://www.paraglidernc.com/plugins/plugins.htm . Although this was designed for BartPE it will also run on XP. I was able to extract the files indicated above but from a controlset00X instead of the current control set using regedit on a good machine. Then with the affected drive in a usb tray connected to the good machine I used RunScanner and regedit to mount the registry from the affected drive. Then import the .reg file. By editing and doing a replace I created .reg files for each of the control sets as needed. Just do a replace on Set00X with Set00Y and rename the file. While the drive is connected you can also scan it with one of several tools such as MalwareBytes and HiJack this. WARNING!!! Any tool that looks at the registry and compares it to the drive will report missing files. DO NOT DELETE THESE ENTRIES. Wait until the drive is back in the original machine to run these tools again and then address these issues. Use the tools to eliminate known infected entries.

    Comment by reghack — Wednesday 30 December 2009 @ 23:05

  165. Thanks also – struggled mightily to figure out how to get into safe mode after spending a day getting rid of a host of viruses. Should have looked here first. Thanks again.

    Comment by Dave — Thursday 31 December 2009 @ 0:08

  166. I stumbled upon your site just now and I must thank God for creating you. You are a Saint. Your willingness to help for free is a blessing for all of us, Thank you. Beside the safe mode error, my other problem is the system restore, which I turned off in order to delete the virus as instructed from a blog. After reboot, I can’t turn it back on. Any solution to this? Thanks in advance.

    Comment by Roger — Thursday 31 December 2009 @ 3:16

  167. Worked like a charm. This was great information. what a shame that Microsoft’s own website couldn’t give this type of information. I was searching for a solution to this. My actual error was coming up as STOP ERROR 0000007b when trying to access safe mode. This fixed it perfectly.

    The only thing that the MS site said was that it was a harddrive problem or a virus. They didn’t offer any real answers like you did.

    Thanks again

    Comment by Google Junky — Thursday 31 December 2009 @ 18:33

  168. [...] The Undeletable SafeBoot Key Filed under: Malware, My Software — Didier Stevens @ 12:53 I present you a new program to create the SafeBoot registry key with special permissions protecting it from deletion. After using this new program, you’ll be able to restore the SafeBoot registry keys with my .REG files. [...]

    Pingback by The Undeletable SafeBoot Key « Didier Stevens — Friday 1 January 2010 @ 12:53

  169. @@Roger No idea, do you get an error message? Have you looked in the Windows Event logs for an error message?

    Comment by Didier Stevens — Friday 1 January 2010 @ 13:17

  170. Thanks so much this realy helped me keep up the good work +100

    Comment by Bradley — Sunday 3 January 2010 @ 10:55

  171. I truly appreciate what you are helping user community with issues. I have lost my XP home edition cd and am stuck with the same issue of unable to boot in safe mode with page_ fault_in_nonpage_area while loading the drivers… Any suggestions sir? Thanks for your time and suggestions.

    Comment by VJP — Sunday 3 January 2010 @ 16:08

  172. Just one additional information where it stops selecting boot in safemode: 0×00000050, (0xEC6B738D, 0×00000000, 0x86ECE08C, 0×00000000).

    Comment by VJP — Sunday 3 January 2010 @ 16:24

  173. @VJP This is a driver problem, not a SafeBoot keys issue.

    You’ll have to find a PC support forum to help you troubleshoot this.

    Comment by Didier Stevens — Sunday 3 January 2010 @ 17:40

  174. Thanks man, worked a treat and saved me a lot of hassle !

    Comment by Trevor — Tuesday 5 January 2010 @ 5:22

  175. YES! thanks yous

    Comment by MAn — Thursday 7 January 2010 @ 18:25

  176. Can give me safeboot registry for Windows 2003 Server, my HP Proliant ML370 cannot boot using safe mode. Once i press Safe Mode the system load some file then restart…

    Comment by Peter — Friday 8 January 2010 @ 10:01

  177. @Peter From what you write I have the impression you don’t have a 0x0000007B STOP error. Can you confirm?
    My fix will only help with a 0x0000007B STOP error.
    http://didierstevens.files.wordpress.com/2006/06/stop0x0000007b.GIF

    Comment by Didier Stevens — Friday 8 January 2010 @ 11:44

  178. Hi Didier…

    On evening Dec 23 suddenly hang and came out with blue screen. I can’t remember the stop error but it’s related to dump memory.

    Then i start-up using last good configuration. After windows load, during apply security got error Cryptsvc cannot started. After i scan using Symantec AV, found my PDC Server attack by Trojan.Panddos. Since this 2 week i was pain to handle it. My 2nd last options is to scan it using all AV or spyware utilities under safe mode. To bad my server cannot run safe mode. This week is my last options..if cannot i need to format my windows 2003…fushhh..that trojan very bad and execute any folder inside system32, besides than that Cryptsvc Service totally cannot started and unable me to install the windows update.

    Really need you help as im the only one incharge IT system here….

    Comment by Peter — Friday 8 January 2010 @ 13:34

  179. I’m talking about the STOP message you get when you boot into Safe Mode. Do you get one?
    You can also try this program: http://blog.didierstevens.com/2010/01/01/the-undeletable-safeboot-key/
    If the SafeBoot registry key for Safe Mode hasnet been deleted, this program will tell you.

    Comment by Didier Stevens — Friday 8 January 2010 @ 13:46

  180. Hi Didier…

    Sorry to not get u point…yep it’s stop 0x0000007B…please advise

    Comment by Peter — Friday 8 January 2010 @ 14:06

  181. If you’ve access to another Windows 2003 server, export the SafeBoot registry keys from it and import them in the infected server. If you still get the same STOP error after booting into SafeMode, the malware is actively deleting the SafeBoot keys. In that case, run the program I pointed you to first, then import the Windows 2003 SafeBoot registry keys.

    If you don’t have access to a Windows 2003 server, I can try to install one in a VM over the weekend. Which Windows Server 2003 edition do you use, and which SP?

    Comment by Didier Stevens — Friday 8 January 2010 @ 14:16

  182. I hv only one win 2003 server here….can u provided for me? Our company runing Windows Server 2003 R2, Service Pack 2 Standard Edition

    Comment by Peter — Friday 8 January 2010 @ 14:24

  183. Didier…

    I have see under Safeboot registry and there are no Minimal forlder, Only networks…

    Comment by Peter — Friday 8 January 2010 @ 14:25

  184. >I have see under Safeboot registry and there are no Minimal forlder, Only networks…
    Then you should be able to boot in Safe Mode with networking!

    Comment by Didier Stevens — Friday 8 January 2010 @ 14:29

  185. No..i hv tried both plug and unplug the Network cable….but both not load windows..sys restart

    Comment by Peter — Friday 8 January 2010 @ 14:42

  186. @Peter: I don’t have an ISO for Windows Server 2003 R2 and I can’t download one from TechNet for the moment. Won’t be able to install it this weekend.

    Comment by Didier Stevens — Saturday 9 January 2010 @ 13:16

  187. THANK YOU!

    Comment by Jadot — Saturday 9 January 2010 @ 20:49

  188. Hi Didier…

    Thanks for that file. Now can run safe mode.

    I still got problem with my Cryptsvc. if anyone can help.

    I already rename my Catroot2, re-register .dll and troubleshooting from Microsoft…but my Cryptsvc cannot started…the error when i click start the service..

    Could not start the Cryptsvc service on local computer.
    Error 127: The specified procedure could nit be found

    Comment by Peter — Tuesday 12 January 2010 @ 2:22

  189. Great post. This helped me a while back when you click “safe mode” it just pops back to the advanced options menu. Today I have the same symptoms except it happens when I choose “start windows normally”. It just jumps right back to the menu. I can get into safe mode however. So it would be nice to have a reg file to restore “regular” windows keys. I’m going to see if I can figure out what individual keys to restore but for now I’m going to try this: http://support.microsoft.com/kb/307545/ “How to recover from a corrupted registry that prevents Windows XP from starting”.

    Comment by Tom — Wednesday 13 January 2010 @ 15:51

  190. Hi Didier, and thanks for your magnificent work,
    I upgraded vista to sp2 on a new laptop, got a couple of trojan and hopefully disinfected them(with many tools), but I discovered safe mode didn’t work.
    -I applied safeboot.reg but got error : “impossible to import safeboot.reg …Some keys are used by the system or other processes”.
    -Then I tried your app UndeletableSafebootKey, got report : Safeboot exists.Does it check their integrity too? -But I still can’t boot in Safe Mode. It loads drivers, stops , shows a black screen with cursor in the middle,and reboots.
    Could it still be a virus effect or more likely it’s a windows problem?

    Comment by Max — Wednesday 13 January 2010 @ 20:54

  191. @Max It’s more likely to be a driver issue. If I remember correctly, the last driver displayed in the list of drivers when booting in Safe Mode, is the last driver that started without issues. So the driver causing the problem is not displayed. You have to compare the list on screen with the list in the registry and try to identify the buggy driver.

    Comment by Didier Stevens — Wednesday 13 January 2010 @ 22:07

  192. Hello… Can anyone help me-

    Here is my problem:

    My safemode will not work due to a nasty virus that has infected my pc. I have tried to download what was suggested to everyone having this problem but when I go to open the zip, the virus will not allow me to do so, infact.. the virus will not allow me to access ANYTHING on my pc other than the web and my pictures, music, etc. Is there anything I can do to fix this? I could use all of the help I can get, it would be greatly appreciated :-) Thanks.

    Comment by Brandy — Thursday 21 January 2010 @ 23:18

  193. You can try to scan your machine with a live cd:
    http://blog.didierstevens.com/2008/08/21/removing-malware-with-a-live-cd/

    Or try to fix the SafeBoot keys with a Life CD (not easy):
    http://blog.didierstevens.com/2008/11/26/update-restoring-safe-mode-with-a-reg-file-and-a-live-cd/

    Comment by Didier Stevens — Friday 22 January 2010 @ 9:28

  194. Thank you :-) If I do not have a live cd do you know where I can purchase one?

    or do you think would it be much more simple to reformat instead?

    Comment by Brandy — Friday 22 January 2010 @ 10:17

  195. The F-secure Rescue CD is free.

    A reformat is the best thing you can do. But be sure to recover EVERYTHING you need before you reinstall (documents, e-mails, license-keys, …).
    One trick to have a backup when reinstalling, is to use another harddisk. Replace the infected harddisk with another one, and install on the new disk. If something goes wrong, or you missed some critical data, you still have the old haddisk. Just be cerefull not to infect your new install with files from the old harddisk.

    And once you reinstalled your machine (OS + your applications), I recommend you make an image of the new harddisk as a backup.

    Comment by Didier Stevens — Friday 22 January 2010 @ 14:54

  196. You have been quite helpful, thank you so much! I will give this a shot. :-)

    Comment by Brandy — Saturday 23 January 2010 @ 11:49

  197. thank you. this has been quite helpful, and with these directions i was able to restore the safe mode. :)

    Comment by kiki — Wednesday 27 January 2010 @ 6:47

  198. hey…
    i cant fix my registry…
    because my operating system isn’t on that…
    please give the vista safeboot fix…
    VISTA BUSINESS…

    Comment by Bagas — Sunday 31 January 2010 @ 21:18

  199. Hi Didier,

    Thanks for helping folks out. I got hit with the Internet Security 2010 virus that took my computer completely down. Through the help of bleepingcomputer.com and Dan from thinkinginpixels.com I have just got it out of the ICU today. I downloaded your zip and double clicked to replace but it did not seem to fix the problem of not getting into Safe Mode.

    I have a blue screen that says there are errors and has the following stop code:

    STOP: 0X0000007E (0xC0000005, 0×80537009, 0xF7A46508, Oxf7A46204)

    Please help!

    Comment by The Grog — Monday 1 February 2010 @ 0:51

  200. @The Grog: Run the following program and tell me exactly what output you get: http://blog.didierstevens.com/2010/01/01/the-undeletable-safeboot-key/

    Comment by Didier Stevens — Monday 1 February 2010 @ 9:21

  201. @Bagas: Run the following program and tell me exactly what output you get: http://blog.didierstevens.com/2010/01/01/the-undeletable-safeboot-key/

    Comment by Didier Stevens — Monday 1 February 2010 @ 9:21

  202. That’s great mate. It really helped me and fixed my BSOD in safe mode.

    Comment by drfatalis — Monday 1 February 2010 @ 15:51

  203. Hi Didier,

    Thanks for the quick response. I downloaded in Firefox and double-clicked on the one ending in .exe A black box came up in like 1 second that said
    SYSTEM\CurrentControlSet\Control\Safeboot exists

    I guess I have tu use a recovery disk?

    Comment by The Grog — Tuesday 2 February 2010 @ 4:41

  204. @The Grog: yes, this means your Safe Boot problems are not caused by deleted SafeBoot registry keys, but by something else. Like a bad driver.

    Comment by Didier Stevens — Tuesday 2 February 2010 @ 10:00

  205. [...] Didier Stevens has spent a lot of time on this and has developed a registry patch file. There are patches for Xp sp2 and sp3 as well as 2003 server and Windows 2000 SP4 in his download zip. [...]

    Pingback by Windows XP Stop 0×0000007B Error Booting into Safe Mode | Computer Tips - Tech Info and Internet Security, Windows, Linux, Mac and other Tech Info from Avery J. Parker — Monday 8 February 2010 @ 4:20

  206. This .reg really worked! When I couldn’t boot into Safe Mode, the first thoughts in my mind were the days it would take to rebuild my XP install. At first I thought it had something to do with SPTD.SYS, because the Safe Mode crashed and rebooted just after SPTD.SYS, but I decided to look into the SafeBoot registry key as advised by Stevens. And, just like he said, the SafeBoot key was missing. But, I can’t use System Restore (that function has not worked for me every time I need it to), however, so the .reg file was perfect! Thank you, Didier.

    Comment by Swift — Saturday 6 March 2010 @ 21:53

  207. While I was desperately looking for a way for repairing my windows xp, I stumbled here into your website. I am not really a computer expert, so I tried doing the above instruction hoping that it will fix my problem. I have the same problem as the others: windows can boot, can not run IE, any .exe file like antivirus because it is looking for a program to run the file. When I try to run in safe mode so as to run the antivirus, the safe mode option can not be seen on the option. So I tried your instruction, but it didn’t work. Kindly check if I did something wrong along the way.

    Here’s what I have done :
    1. Downloaded the safeboot.zip
    2. Copied it into the crippled laptop.
    3. Then double clicked on the safeboot – windows xp sp2
    Then the system says that it has completed.

    4. Restarted the crippled laptop, hit F8, i have been to the window where you have to choose normal or safe mode. but to my dismay i can not find the safe mode option.

    Where i have gone wrong ?

    Thank you for your reply. As long as I can, I don’t want reinstall my system. Thank you in advance for the help.

    Comment by Duo — Thursday 11 March 2010 @ 9:41

  208. @Duo It could be that the malware is actively monitoring the registry and deleting the Safeboot key as soon as you create it. I’ve another program to help with this, look for The Undeletable Safeboot key on my blog.

    Comment by Didier Stevens — Friday 12 March 2010 @ 8:07

  209. Hi. I downloaded the undeletable safeboot key. Copied it to the crippled PC. Hola ! The application can not be run. The system looks for the program to run the application. Too bad. What should I do next ?
    Thanks.

    Comment by Duo — Saturday 13 March 2010 @ 4:39

  210. @Duo Your machine must be infected with malware that disables all types of programs to run. I recommend you go to a malware cleaning forum and get help there. I’ve a blogpost that explains how to use the F-Secure Rescue CD to clean your machine, but I believe you’re better consult malware cleaning experts on a forum.

    Comment by Didier Stevens — Sunday 14 March 2010 @ 21:21

  211. I guess i don’t have much option now but to reinstall the system. After the reinstallation, what good antivirus/antimalware can you recommend ? I don’t want to rely much on Mcafee now since I was infected with a virus while Mcafee is installed on my system.

    Comment by Duo — Monday 15 March 2010 @ 19:52

  212. @Duo Reinstalling is the best thing you can do. If you’re not familiar doing a clean install, I recommend you buy an identical drive to the one in your machine. Swap it out and do the install on the new drive. If your install fails, or you’re missing important files, license keys, software, account credentials, … ; you can always go back to the original drive.
    And once you’ve installed your machines according to your requirements, make a clone of the new disk to the old disk. This way, you’ve a backup, ready to use when your machines gets infected.

    Comment by Didier Stevens — Tuesday 16 March 2010 @ 7:37

  213. thanks. The easiest way to recover safe mode after virus affection.
    thanks again.

    Comment by chai — Sunday 28 March 2010 @ 3:01

  214. Mooi hoor “eenvoud is kenmerk van het ware” :-)
    Zeer vlot leesbare blog!
    Btw,
    Is er iets te doen aan de eigenaardige blind spot in communicatie op veel plaatsen waarbij het verschil tussen online/offline handelingen niet goed zichtbaat is?

    Comment by hans — Friday 2 April 2010 @ 0:02

  215. Thank you very much didier stevens,

    i realize that conficker is very harsh, because it delete all the minimal key under the safeboot registry.

    After i apply the registry, the key is appear again.

    Good Work and great contribute.

    Comment by Resi — Wednesday 14 April 2010 @ 10:28

  216. [...] .reg file containing the necessary entries, but make sure you set a Restore point before doing so. This link has a .zip file at the bottom of the page which contains .reg files for XP SP2, XP SP3, Server 2003 [...]

    Pingback by Services detects my laptop as being in safe mode.... — Tuesday 20 April 2010 @ 18:30

  217. DUO:
    dont worry about no safe mode.

    Download combofix on the web from bleepingcomputer or Didier’s blogpost here and run it, after turning off sys restore, then download and update/run Spybot.
    See where you get and write me back here and will help you further.

    Comment by John — Thursday 20 May 2010 @ 21:52

  218. works fine with me….
    thank you very much

    Comment by Justin — Friday 4 June 2010 @ 4:53

  219. Your solution is great. After couple of days of searching, I found and resolved my problem with windows safe (didn’t boot anymore). Before I used a cd rescue antivirus and found over 4000 malwares. Thank you very much and keep doing this. Thank you, again.

    Comment by dan — Saturday 26 June 2010 @ 11:02

  220. THank you.
    Will try it.

    Comment by Agus — Wednesday 30 June 2010 @ 16:31

  221. I’m running XP with SP3. Will this SP2 fix work or should I keep looking? Also, I’ve got a 2nd hd with the same XP setup. Could I just copy the registry keys from one to the other? If so, how?

    Comment by Mike — Thursday 1 July 2010 @ 6:28

  222. @Mike Yes it will work, but you can also export/import the SafeBoot keys with the registry edtior from your other box.

    Comment by Didier Stevens — Friday 2 July 2010 @ 10:12

  223. [...] SafeBoot.reg al nostro registro, ma non sempre è un operazione che riesce, in caso provare anche qui. Inoltre scaricare Combofix.exe però salvate su disco con un ALTRO nome, ad esempio abc.exe e non [...]

    Pingback by Marco's Informatik Blog » Blog Archive » Hello Beagle! — Thursday 22 July 2010 @ 8:53

  224. Thanks for these registry entries. I didn’t have another XP machine around anymore to get these entries from, but yours for XP SP3 worked fine.

    Comment by John — Saturday 24 July 2010 @ 11:08

  225. This works also on Windows 7.

    I have a virus that removed my safemode keys. I couldn’t use the msconfig method. I tried repeatedly tapping the f8 key, nothing.

    Thankfully, I found your site, however, it only displayed info for Windows 2000 and XP. Decided to try anyway.

    And SUCCESS………it works.

    I downloaded the safeboot.zip file onto a CD. Once the CD contents displayed on my desktop, I clicked on the XP files.

    Turned off PC, restarted and tapped the F8 and got my SAFEMODE screen.

    Thank you for such an easy fix.

    Comment by Widdle — Monday 13 September 2010 @ 1:42

  226. Thanks. Your reg keys match my reg keys exactly.
    So, I already had what I downloaded, but
    THANKS because if I need it, its very very good to have a backup.

    I use HiRen’s Boot CD and run my security tools off a USB Drive.

    Brilliant work.

    Comment by ArthurTR — Thursday 16 September 2010 @ 8:33

  227. This did the trick for me on an HP Pavilion a1547c w/ Windows XP SP3 Media Center. Thanks for saving me a ton of time with this!

    Comment by Phostenix — Thursday 21 October 2010 @ 3:12

  228. VERY WELL DONE – THANK YOU.

    Comment by JACB — Saturday 23 October 2010 @ 20:56

  229. Could`t start my windows XP sp 3 in safe Mode. When I pressed F8 The windows for boot with
    CD or Hdd appeared. Ether i boot or pressed esc key and the windows start normaly.
    I loaded safeboot zip. Tryed it again did`t work or dit it?. By luck I pressed The ESC key and
    the F8 key at the “same” time and the Safe mode windows appeared.
    Mybee this helps Somebody. Thanks You

    Comment by huze — Thursday 18 November 2010 @ 12:04

  230. This worked for me! Fantastic! Thank you so much!

    Comment by BillyBarty — Thursday 2 December 2010 @ 22:33

  231. Is there another way into the registry.

    I got a virus, believe it is Antivirus 2008. Locked me out of administrator at first. Couldn’t get into registry or install programs. Then tried all three safe mode options via F8 and computer starts opening files then reboots itself in all three safe modes. Don’t have the recovery disk and would hate to lose all my proprietary applications from over the years, some which don’t exist anymore but still love. Computer was purchased from Dell so I could order software for a fee. Please help!!

    Comment by Brian — Friday 17 December 2010 @ 20:21

  232. latest update

    XP boots but then can’t do anything because keyboard and mouse stops working at login. works when you are selecting safe mode or in bios. btw it is XP Media Center 2005

    Comment by Brian — Friday 17 December 2010 @ 20:23

  233. @Brian You are not experiencing the symptoms for which my reg file is a remedy. It will not help you.
    I advice you post your problem in this forum: http://www.bleepingcomputer.com/forums/forum22.html
    Moderators trained to help you with infected machines will help you there.

    Comment by Didier Stevens — Friday 17 December 2010 @ 20:43

  234. Sorry, did I miss something? My XP won’t boot to safe mode. It keeps rebooting itself nonstop. How can I load your reg file, Didier? Thanks.

    Comment by Kim Hak — Tuesday 28 December 2010 @ 2:27

  235. @Kilm Hak It looks like safe mode is not the real problem with your PC, and that my reg file will not help you. What happens when you press F8 to enter safe mode?

    Comment by Didier Stevens — Tuesday 28 December 2010 @ 11:23

  236. When I press F8, it gives me all the options as normal: SafeMode, SafeMode with Networking, SafeMode with Command Prompt, Last Working Mode, and Windows Start Normally — but no matter what I select it never takes me to where I want, it will reboot itself. The same thing happens if I don’t select any options, it will time out and reboot istelf. So all I have is the loop.

    So I realize: the SafeMode Key must have been deleted as you said by the monster, that’s why it never took me to any of the SafeMode’s. Thank you!

    Comment by Kim Hak — Friday 31 December 2010 @ 2:04

  237. @Kim Hak Do you get this BSOD after you hit F8 and select Safe Mode?
    https://didierstevens.files.wordpress.com/2006/06/stop0x0000007b.GIF

    Comment by Didier Stevens — Saturday 1 January 2011 @ 13:40

  238. Thanks again, Didier. Yes, I got the BSOD but with
    different message. The blue screen shows up real fast and the syst
    starts rebooting right away.

    Comment by Kim Hak — Monday 3 January 2011 @ 17:23

  239. @Kim Hak Then my reg fix will not help you. I recommend you post about your problem on a help forum like wwww.bleepingcomputer.com

    Comment by Didier Stevens — Tuesday 4 January 2011 @ 17:17

  240. you are a genius, i had trouble with my windows server 2003 and using the reg file fixed my problem. many thanks

    Comment by Timour Rashed — Sunday 9 January 2011 @ 23:51

  241. Amazing! worked like a charm. you saved me from dumping my os and re-installing. thank you.

    Comment by Josh feltman — Thursday 24 February 2011 @ 21:28

  242. [...] User to fix or backup all his/her files. Upon having the same problem, I stumbled upon this site Restoring Safemode with Registry Key which provides a great explanation how Safemode boot works. I intend to create a program where [...]

    Pingback by Fix corrupted Safemode Boot Registry « PC Repair Tools — Monday 14 March 2011 @ 8:58

  243. Thank you for this great file. I have been working on my grandsons’ Dell Desktop PC, and it would not boot into Safe Mode for months, and I’ve tried anti virus , and malware etc to fix it, with no luck. Normal boot into XP SP3 was fine but no Safe Mode. Now that I just added your file to the registry the Computer boots into Safe Mode with no problem. This is amazing because Ive Googled the problem searching for a solution for several weeks and I think I read ever solution there was and none of them worked. You registry fix worked like a charm and my grandson will be happy. Im going to make sure he knows not to click on things he’s not familar with, I believe the PC had a nasty virus that wiped the Safe Mode registry keys. Thanks to your efforts its fixed now and I can take the PC back to him. Thank you again… I bookmarked this site and shall recommend it to friends.

    Comment by Nick Farentino — Saturday 26 March 2011 @ 3:30

  244. I cannot boot to safemode from f8 in win7. I downloaded your zip file and downloaded winxp one for registry, but the message say “you can only import binary”

    Comment by roya — Saturday 26 March 2011 @ 22:17

  245. @Roja Do you get a BSOD after you select F8?

    Comment by Didier Stevens — Sunday 27 March 2011 @ 18:10

  246. No I don’t get BSOD. I get a message to press F1 and then it takes me to BIOS, and cannot get out of BIOS and I have to force the laptop to shut down. I have a Lenovo t61 with windows 7

    Comment by roya — Sunday 27 March 2011 @ 23:41

  247. @roya Then my reg fix won’t help you, it is designed to fix a particular BSOD (missing SafeBoot keys). I recommend you post your problem on a forum like http://www.bleepingcomputer.com

    Comment by Didier Stevens — Monday 28 March 2011 @ 7:22

  248. you’re a life saver. it was the most confounding problem not being able to boot in safe mode. Normal boot was fine. used your zip and extracted to registry. worked wornderfully. ran malawarebytes in safe mode and identified a trojan and everything’s great now. thanks again.

    Comment by pva — Thursday 19 May 2011 @ 15:51

  249. Greetings: I just experienced a catastrophic computer virus on my laptop – the Sality virus. It did disable my boot in safe mode ability. Thank you for your script. I applied the XP2 script and all is well. I was lucky. My computer experience kept file damage to a minimum. My computer is back to its normal self. Lost a day though. Really bad attacck! Mike

    Comment by Mike P — Wednesday 25 May 2011 @ 16:59

  250. Sounds like a good fix, But i don’t have a problem getting in safemode, It just won’t restart back to normal windows. It freezes when i choose to restart. I have to push the power button to shut it down then back on again to get back to normal windows. Any fix on this?

    Comment by Puzzled — Monday 30 May 2011 @ 22:49

  251. Well done Dider – this is as much an example of the good stuff the Internet brings, even as malware is an example of the bad. Thanks for sharing your experience in expertise in this area with the rest of the world. I always try to “pay it forward”, by sharing what I’ve done (which is why I’ve got to check out your blog post on integrating DVR and alarm system :) Good luck!

    Comment by Tim — Friday 24 June 2011 @ 17:00

  252. Your awesome! It worked. Thank you.

    Comment by Tratar — Monday 8 August 2011 @ 10:22

  253. i am working on a windows 2003 server small business edition i have to repair the registry which is infected by unknown virus (kuscus) what should i do to get rid of plz if you can help me i shall be very thank full to you dear

    Comment by JAHANGIR — Saturday 13 August 2011 @ 21:41

  254. @jahangir Go to the forum of http://bleepingcomputer.com, create an account and post your problem.

    Comment by Didier Stevens — Sunday 14 August 2011 @ 6:27

  255. thanks @ i went their but very congested anyways thanks a lot bye

    Comment by JAHANGIR — Sunday 14 August 2011 @ 9:15

  256. the best many many thanks men!!!!!!!!!!!

    Comment by Anonymous — Friday 4 November 2011 @ 23:21

  257. Hello – I downloaded the ZIpa nd extracted the Safeboot XP-SP3 Registration Entires but alas I am still unable to boot into Safe Mode.

    Upon further
    inspection, subkeys for SAFEBOOT are missing from HKEY_LOCAL_MACHINE
    \SYSTEM\CurrentControlSet\Control\SafeBoot registry. That is, not
    even Minimal nor Network keys are present! I am running Windows XP Pro version 2002 service pack 3

    1. What is the procedure to restore these keys, short of a reinstall?

    Many thanks in advance.

    Comment by brian — Wednesday 9 November 2011 @ 0:23

  258. @brian So you merged the .reg file but the keys are still missing? Then malware is probably running on your machine and monitoring the keys.
    You can use the following program I made to create the root key: http://blog.didierstevens.com/2010/01/01/the-undeletable-safeboot-key/
    And then merge the .reg file again.

    Comment by Didier Stevens — Wednesday 9 November 2011 @ 20:01

  259. wow nice post it worked for me thank up so much…

    Comment by Naveen — Saturday 12 November 2011 @ 14:20

  260. thanx a lot man……very helpful solution!!!!

    Comment by Anonymous — Monday 5 December 2011 @ 5:45

  261. You, my friend, are a Godsend. I had been trying to fix this issue for hours and hours. Everytime I booted into Safemode I would get hung up at Mup.sys and the system would restart. After reading countless forum threads, I stumbled upon this and you saved the day. Thanks so much!

    Comment by Jared — Wednesday 21 March 2012 @ 7:41

  262. [...] las ramas del registro desde otro sistema operativo (básicamente son las mismas en todos). Didier Stevens ya publicó hace mucho una exportación de Windows 2000 y XP, pero en un SP3 en español existen ligeras [...]

    Pingback by Restaurando el Modo Seguro en Windows : problemillas.com — Sunday 1 April 2012 @ 8:24

  263. Thank you very much. It took me only 5 minutes to find your site, and the reg import worked perfectly.

    Comment by stripe — Friday 13 April 2012 @ 0:38

  264. Absolutely Brilliant!! Thank you very much! The registry is such a minefield, I would never have found it on my own and even if I had, wouldn’t have had the confidence to do much changes to it!!

    Comment by Merse — Tuesday 12 June 2012 @ 19:44

  265. BIG thanks works perfectly! AWSOME

    Comment by BT — Wednesday 22 August 2012 @ 10:19

  266. thanks for your support . it realy helped me in starting my computer in safe mode.

    prof yunus gangat

    Comment by yunus gangar — Saturday 8 September 2012 @ 3:47

  267. Download the latest versions of software, firmware , games. http://www.exhiberexpo.ru/Pics/2012/ Always fresh mobile games, applications, themes for mobile phones.

    Comment by nuanysfunty — Tuesday 25 September 2012 @ 15:26

  268. this worked many thx

    Comment by Anonymous — Thursday 4 October 2012 @ 9:10

  269. thank you

    Comment by nyk — Thursday 4 October 2012 @ 9:11

  270. Great article.

    Comment by Selena Gomez Hot — Saturday 6 October 2012 @ 22:13

  271. Thank you very much for the article, it is very interesting.
    I have a doubt. I restarted my computer in Safe mode, and my computer makes a loop starting and ending. How I can remove the failsafe mode from the regedit? please I’m looking for but can not find the way to do it, could you answer in the forum or in my email: franjev1985@hotmail.com. thanks;)

    Comment by Fran — Tuesday 6 November 2012 @ 9:29

  272. @Fran What BSOD error code do you get? Is it the STOP 0x0000007B error?

    Comment by Didier Stevens — Tuesday 6 November 2012 @ 15:55

  273. My sitution is that how do i apply this to my computer b/c ive been infected with the FBI VIRUS MONEYPAC and evertime i try to download this file the virus pops up before i can do anything please help asap

    Comment by Jack — Sunday 11 November 2012 @ 3:27

  274. @Jack Goto to Bleeping computer Forum’s: http://www.bleepingcomputer.com/forums/forum103.html
    Read the instructions, create an account and get help.

    Comment by Didier Stevens — Monday 12 November 2012 @ 21:47

  275. Many thanks for the information. I was infected by the Metropolitan Police virus. I managed to clear the infection by booting from the Kaspersky Recover Disk and then scanning with MalwareBytes and Microsoft Security Essentials but was unable to enter safe mode until I had restored the values and subkeys under safeBoot.

    Comment by Jonathan — Saturday 1 December 2012 @ 16:47

  276. I like u man! u solve a big problem of mine,,,!

    Comment by Masood — Sunday 30 December 2012 @ 20:36

  277. Thanks. It worked great after removing CSIS Virus on WinXP SP3.

    Comment by Anonymous — Friday 4 January 2013 @ 4:29

  278. Thank you very much for the information and SafeBoot.zip file. The SP3 version worked as advertised for me.

    Comment by Anonymous — Thursday 17 January 2013 @ 23:48

  279. Thank You so much. I spent all day searching for a way to repair safe mode. I tried many things. When I chatted with Microsoft they wanted $99. I tried the XP install disk, I tried to repair the registry, but with this tool….it Worked. I bookmarked this page, rebooted into Safe Mode and did some stuff and came back to say Thanks.

    Comment by Anonymous — Sunday 17 February 2013 @ 4:11

  280. Thank you so much

    Comment by Anonymous — Friday 26 April 2013 @ 18:06

  281. Six years after you posted this, it’s still helping people like me. Bless you!!! I can finally boot in safe mode again. I used the SP3 version and it did the trick. Thank you, thank you.

    Comment by Anonymous — Thursday 30 May 2013 @ 17:33

  282. it’s still helping people thanks for this blog

    Comment by Anonymous — Wednesday 24 July 2013 @ 13:14

  283. I’ll add my thanks. A very recent infection from a fake Walmart “your shipment has failed” email infected a friends laptop. It wiped out the safe mode registry, causing a BSOD on safe boot. This fixed it right up.

    Comment by Anonymous — Monday 30 December 2013 @ 0:38

  284. Thank you very much, Didier.
    Since safe mode was not working in my PC, I felt something was wrong. But normal mode would work without a hitch anywhere. Still, I was very uncomfortable fearing a crash as safe mode not working could not be explained. You saved me.
    RAMA D

    Comment by RAMA D — Monday 27 January 2014 @ 14:04

  285. Minor point – Safe Mode was first seen in Windows 95, not 2000. Also, NT4 had a “VGA Mode”, which was similar to the Safe Mode we all know and love today.
    http://technet.microsoft.com/en-gb/magazine/2007.07.windowsconfidential.aspx

    Comment by Adam Thompson — Wednesday 12 February 2014 @ 1:24


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 199 other followers

%d bloggers like this: