Didier Stevens

Monday 19 February 2007

Restoring Safe Mode with a .REG file

Filed under: Malware — Didier Stevens @ 13:57

I posted about a virus that disables Safe Mode by deleting the SafeBoot registry keys, and later I talked about tricks to restore the SafeBoot keys. Now I’m posting another way to restore the SafeBoot keys: merging a .reg file with the missing SafeBoot entries.

A comment by Mirco made me take a closer look at the SafeBoot registry key. I thought that it would contain settings and drivers that are hardware dependent, but this turned out to be false. In fact, it just contains a list of references to devices, drivers and services that have to be started when booting into Safe Mode.

The registry keys to boot into Safe Mode are under the SafeBoot key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

safebootreg-1.PNG

You can boot into Safe Mode with or without networking; there is a subkey for each mode: Minimal (no networking) and Network (with networking).

Each device, driver or service that has to be started has a subkey under the Minimal or Network key.
In this screenshot, you see the Cryptographic Services service:

safebootreg-2.PNG

BTW, if you want to disable a device, driver or service in Safe Mode, just delete the corresponding subkey (make a backup first).
I tested this with key {4D36E965-E325-11CE-BFC1-08002BE10318} (resulted in a disabled CD-ROM drive) and PlugPlay (resulted in a disabled Plug and Play service).

I compared several SafeBoot registry keys for Windows XP SP2 on different hardware platforms, and they were all identical. However, there were some small differences when comparing different operating systems (Windows XP SP1, SP2 and Windows 2003 SP1). Remember that Safe Mode was introduced with Windows 2000.
These are minor differences, just listing devices, drivers or services that are only present on one version of Windows. For example, I found Volume shadow copy on a Windows 2003 and not on Windows XP. Windows 2003 also had fewer network services than Windows XP; this is probably a result of the default hardening of Windows 2003: more services and applications are disabled by default on Windows 2003 than on Windows XP.

I’m now publishing a registry export file (.reg) with the SafeBoot keys from a clean Windows XP SP2 install and a clean Windows 2000 SP4 Professional install. You can use it to repair your PC when the SafeBoot keys have been deleted and System Restore cannot help you. I would not be surprised if you can use this REG file with other versions of Windows as well.

Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg or SafeBoot-for-Windows-2000-SP4-Professional.reg file on the crippled PC and merge it into the registry by double-clicking it:

safebootmerge.PNG

Download:

SafeBoot.zip (https)

MD5: A67F27A273E2C691F44D9FECD5361F52

SHA256: 87159845E6E35195F7B0B2FFD3D906D57FBF50ABDA1B66CEB11F5B16E2B36CBA
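The comparison of SafeBoot exports described above can be scripted before anything is merged. This is an added example, not code from the original post or from the files in SafeBoot.zip: it parses two .reg exports, lists the Minimal and Network subkeys that the suspect export lacks, and builds a .reg text holding only those entries. The sample exports are constructed; `CryptSvc`, `Tcpip` and the function names are assumptions of the example.

```python
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
BASE = [p.lower() for p in SAFEBOOT.split("\\")]
MODES = ("Minimal", "Network")
CDROM = "{4D36E965-E325-11CE-BFC1-08002BE10318}"  # class GUID quoted in the post
KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')


def decode_reg(raw):
    """Decode a .reg export: "Version 5.00" files are UTF-16LE with a BOM,
    REGEDIT4 files are single-byte ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252")


def safeboot_entries(text):
    """Return {mode: {lowercased subkey: (subkey, default value)}}."""
    entries = {mode: {} for mode in MODES}
    target = None  # (mode, lowercased subkey) of the key being read
    for line in (l.strip() for l in text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            target = None
            parts = key.group(1).split("\\")
            # Registry paths are case-insensitive; only direct children of
            # SafeBoot\Minimal and SafeBoot\Network are boot entries.
            if (len(parts) == len(BASE) + 2
                    and [p.lower() for p in parts[:len(BASE)]] == BASE
                    and parts[-2].capitalize() in MODES):
                target = (parts[-2].capitalize(), parts[-1].lower())
                entries[target[0]][target[1]] = (parts[-1], "")
            continue
        value = DEFAULT_RE.match(line)
        if value and target:
            mode, name = target
            # The value is kept in its escaped .reg form and written back as is.
            entries[mode][name] = (entries[mode][name][0], value.group(1))
    return entries


def missing_entries(baseline, suspect):
    """Entries present in the baseline export but absent from the suspect one."""
    return {mode: sorted(v for k, v in baseline[mode].items()
                         if k not in suspect[mode])
            for mode in MODES}


def repair_reg(missing):
    """Build REGEDIT4 text that re-creates only the missing entries."""
    lines = ["REGEDIT4", ""]
    for mode in MODES:
        for name, value in missing[mode]:
            lines += ["[%s\\%s\\%s]" % (SAFEBOOT, mode, name),
                      '@="%s"' % value, ""]
    return "\r\n".join(lines)


def audit(baseline_raw, suspect_raw):
    """Compare two raw .reg exports (bytes as read from disk)."""
    return missing_entries(safeboot_entries(decode_reg(baseline_raw)),
                           safeboot_entries(decode_reg(suspect_raw)))


def sample_export(header, entries):
    """Build a constructed export for the demonstration below."""
    out = [header, "", "[%s]" % SAFEBOOT, ""]
    for mode, name, value in entries:
        out += ["[%s\\%s\\%s]" % (SAFEBOOT, mode, name), '@="%s"' % value, ""]
    return "\r\n".join(out)


# Constructed sample data, not the contents of the published reg files.
BASELINE_RAW = ("\ufeff" + sample_export("Windows Registry Editor Version 5.00", [
    ("Minimal", "CryptSvc", "Service"), ("Minimal", "PlugPlay", "Service"),
    ("Minimal", CDROM, "CD-ROM Drive"),
    ("Network", "CryptSvc", "Service"), ("Network", "PlugPlay", "Service"),
    ("Network", CDROM, "CD-ROM Drive"), ("Network", "Tcpip", "Service"),
])).encode("utf-16-le")
SUSPECT_RAW = sample_export("REGEDIT4", [
    ("minimal", "cryptsvc", "Service"), ("Network", "Tcpip", "Service"),
]).encode("cp1252")

if __name__ == "__main__":
    print(repair_reg(audit(BASELINE_RAW, SUSPECT_RAW)))
```

The generated text uses the REGEDIT4 header, so it has to be saved as an ANSI file before it is merged.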

100 Comments »

  1. I stumbled on your site yesterday, saw the post about a virus that disables Safe Mode by deleting the SafeBoot registry keys and did exactly what you did just now. I only tested on two PCs, but thought to myself, this should be good enough. Comparing your “version” using WinMerge with the one I had reassured me even further.

    Thanks so much for the confirmation, a great site and excellent utilities. I esp. like UserAssist. I wish it didn’t need .net 2.0 so it would find its place among all the truly portable apps on my USB key, but that would probably be pushing it.

    Keep up the great work!

    Comment by CypherBit — Monday 19 February 2007 @ 17:29

  2. This is great! I’m bookmarking this post for future reference. Thanks!

    Comment by Luke — Monday 19 February 2007 @ 19:06

  3. This was very helpful, thank you :)

    Comment by Mehmet N. — Wednesday 21 February 2007 @ 19:11

  4. that’s a great tool for the thumb drive : ) thank you.

    Comment by nabiy — Thursday 22 February 2007 @ 11:38

  5. I really need to delete malware in my computer, now my computer is infected with not-virus:Hoax.JS.Aqent.a

    Comment by delete Malware — Friday 23 March 2007 @ 9:08

  6. How did you detect this, doesn’t your AV clean it?

    Comment by Didier Stevens — Saturday 24 March 2007 @ 7:36

  7. I’d been looking for a fix for the safeboot problem and after reading here realize that another problem, my DVD drive not showing up, is also probably related. I look forward to applying this fix, many thanks for this!

    Comment by John Kellas — Monday 16 April 2007 @ 2:01

  8. Update: The reg fix worked and I can now boot into safe mode. Unfortunately it did not fix the problem with finding the drive so it must relate to another cause. It took some creative Google searches for a couple of weeks on and off to find a fix for the safe boot problem, so just knowing about this site is invaluable.

    Comment by John Kellas — Monday 16 April 2007 @ 16:26

  9. absolutely great! Thanks for your donation!!!

    Comment by kerf — Sunday 22 April 2007 @ 15:20

  10. many thanks for this wonderful achievement to the rest.

    I personally honor in high regards.

    Comment by MUBASS — Thursday 31 May 2007 @ 13:44

  11. I appreciate the time you spent researching this issue and the elegant fix. Well done!

    Comment by M. Sebzda — Wednesday 6 June 2007 @ 0:34

  12. Thanks for that. I’m sure it’ll be useful. Didn’t work for me, unfortunately. I still can’t boot into safe mode. The system just reboots, after the drivers have started loading and then gives me the “last configuration that worked” option. I am not sure exactly when the safe mode stopped working but suspect that it may have been when I uninstalled Norton Antivirus, as I also had an issue then with Corel Draw not opening. Or it may have been after a Trojan hijacked my start page. I seem to have eliminated this now, although it took all day, but I would still like to be able to get back into safe-mode. Apart from your fix, I’ve tried System Recovery bootcfg /rebuild /fastdetect, and a program called AVZ - as well as searching for hours through the web but, so far, all to no avail.

    Any further suggestions would be much appreciated.

    Comment by R Armstrong — Sunday 15 July 2007 @ 21:20

  13. Thanks a million,
    Been struggling with Bagle now for weeks in normal mode and decided to clear the system restore. Then I find this fix which seems to make it possible to really wipe out Bagle.
    Thanks again.

    Comment by Emiel Koeman — Tuesday 14 August 2007 @ 12:59

  14. Thanks for this (and previous related) post.
    I experienced the same attack and was struggling since several weeks in order to restore safe mode function.

    I first compared my current Safeboot registry file with another PC and realized that only had 3-4 entries - the remaining were just deleted by the virus in order to prevent you from booting in SM.

    I didn’t try your .reg file though, but just took one from another PC running the same OS & SP & similar config. All worked just fine. Which confirms your saying that this .reg entry is not specially related to a given PC & config, but just to an OS with related SPs.

    It’s also a good idea, I think, to often backup the registry (just export the whole .reg file) and then restore the needed section. In this particular case, that would have been the best solution.

    Thanks.

    Comment by John Smith — Monday 3 September 2007 @ 11:59

  15. Excellent !!! You are the best ! Just What I Needed , SUUUUUUUUUUUUUUUUUUUUUUUUUUPERB Thanks!

    Comment by Will — Wednesday 26 September 2007 @ 4:40

  16. Thanks a lot !
    I will test this evening… but it seems that is the solution of my safe mode problems (crash). I had been infected with Bagle too.

    Comment by luigix — Wednesday 26 September 2007 @ 9:39

  17. I tried your SafeBoot.reg file to fix my Safe Mode problem, but sorry to say, it didn’t help. I’ve been putting up with this problem for a long, long time. Sure wish I could find a fix for it. After a friend directed me to your page, I really had my hopes up. Glad to hear it has worked for some people.

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 2:02

  18. Concerning my last entry, do you have any other ideas?

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 2:04

  19. Was your Safeboot registry data deleted? Which OS are you using?

    Comment by Didier Stevens — Tuesday 2 October 2007 @ 10:52

  20. No, as far as I could tell, nothing had been deleted. The SafeBoot entry was still there. Don’t know if anything under that key had been deleted though. I’m using XP SP2.

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 14:46

  21. I got a blue screen with INACCESSIBLE_BOOT_DEVICE STOP 0x0000007B when trying to boot into safemode (win2k), turns out this exact “safeboot” keys were missing in my registry, fixed it using a different PC, export/import, and now I can boot into safe mode.

    Comment by stormy — Monday 22 October 2007 @ 16:55

  22. I also had the 0x0000007B error, although I could not read exactly what it referred to, the reboot was so fast—and in my boot options “disable automatic reboot” was only applicable to normal mode. Well, I am very pleased to say that your SafeBoot.reg program solved the problem for me! My hat off to you for your excellent work. [My system is recovering from worms/trojans that infected more than 300 files and stopped updates from working, as well as crashing the machine every time I tried to download a file, or in most cases, execute one. Still trying to get updates to work again.]
    Best regards, Gernot

    Comment by Gernot Hassenpflug — Thursday 1 November 2007 @ 4:39

  23. Thank you ! Thank you ! You saved me from formatting my PC !! I got the virus W32.Beagle.DZ (hidr.exe) and I was able to remove it but it left the Windows registry damaged. Like wireless and Safeboot don’t work anymore. One more time, thank you.

    Comment by SuperCelso — Wednesday 21 November 2007 @ 21:46

  24. Wow! Works great! I can’t thank you enough! I hope I’ll never need to use it again on my own pc.

    Comment by E. Falconer — Thursday 22 November 2007 @ 6:37

  25. It worked! It Worked! YES! Now I can get my friend’s computer off my desk and get back to playing Elder Scrolls!

    Comment by Patrick — Wednesday 28 November 2007 @ 4:38

  26. We were a Bagle victim and you made a difference here too! Fixed. Thanks a lot for providing this, Didier. Merci beaucoup!

    Comment by DBZ — Wednesday 28 November 2007 @ 16:57

  27. Worked for me. I’ve been trying to fix this for more than six months. Did everything short of a clean install. Thanks, sure appreciate it.

    Comment by BWO — Thursday 29 November 2007 @ 4:27

  28. Anyone have the same reg file for Windows 2000 SP4?
    Thanks

    Comment by Tony S — Thursday 6 December 2007 @ 3:16

  29. For which version of Windows 2000 SP4 do you need the safe mode entries, Professional or Server?

    Comment by Didier Stevens — Thursday 6 December 2007 @ 8:54

  30. Professional. (5.00.2195)
    Thanks.

    Comment by Tony S — Friday 7 December 2007 @ 23:12

  31. I added the SafeBoot reg keys for Windows 2000 SP4 Professional to the zip file.

    Comment by Didier Stevens — Sunday 9 December 2007 @ 10:56

  32. Thanks, Didier I was able to boot into SafeMode now using your reg-key for windows 2000sp4. I could already run in normal mode, but I was wondering why I never could run into safemode to find things out about my PC. But thanks to your reg-key I can now work in Safemode too. Under the old key there weren’t any services mentioned at all and I don’t know why, but finally -thanks to you- everything turned out to be fine.

    Comment by Joop — Sunday 16 December 2007 @ 19:35

  33. thank u very much for the information..
    just got stuck at fixing 1 comp.. this 1 is too helpful…
    thanx again

    Comment by piyush chandra — Friday 21 December 2007 @ 16:46

  34. hi piyush,

    I am still suffering from the problem. I am not able to boot the system in safemode with prompt, it is getting restarted… plz help me

    Comment by abdul — Saturday 5 January 2008 @ 8:26

  35. I believe you wanted to post this on the Piyush Labs site?

    Comment by Didier Stevens — Saturday 5 January 2008 @ 19:46

  36. [...] You can repair safe mode by using the reg file from this link: http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ With WD I don’t know for sure, but try it with uninstallation and renewed [...]

    Pingback by Windows Defender is no longer displayed (in the taskbar) - Virus Hilfe — Tuesday 8 January 2008 @ 0:50

  37. I’ve cleaned all viruses I had.
    Tried to use the utility you provided in order to boot in safe mode (I’ve lost it due to a virus), but when I press F8, I’m getting regular boot
    What could be wrong
    In addition I’m not able to install Windows XP security updates. PC works fine , but security updates…..
    Any idea what to do?

    Comment by YP — Tuesday 8 January 2008 @ 19:33

  38. Thanks a bunch for the info. It worked great!

    Comment by KJ — Wednesday 9 January 2008 @ 1:05

  39. @YP
    If you mail me your exported Safeboot reg keys, I’ll have a look at them.

    Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:31

  40. Thank you very much for your very useful information.
    The net is becoming step by step time by time always more “degradated”: it’s always more difficult to find someone who uses his brains to solve problems.

    If I can add something to your post, I would advise people when they install an OS, to install another clean copy on a separate partition and forget it, so that they can use it when they need, as spare parts.
    Thank you again

    Comment by Ermanno — Saturday 9 February 2008 @ 16:24

  41. Stumbling on your page was a godsend. My w2k machine has been able to boot into Normal Mode but NOT Safe Mode for quite some time and I suspected a virus. I kept getting the Inaccessible Boot Device bluescreen and figured the mbr was infected but was reluctant to fiddle with this. I did a final google about the problem and found this site. I downloaded and installed your fix and can now finally boot into Safe Mode which will enable me to remove viruses and malware.

    Thanks 1000 times.

    Doug

    Comment by Doug — Tuesday 26 February 2008 @ 19:39

  42. Just to add another thank you to the list, I can now clean the bagle :)
    Will check more of the site, merci,
    Fab

    Comment by Fab — Thursday 6 March 2008 @ 18:35

  43. I don’t know if this is the right place to post but there seem to be a lot of satisfied commenters. My computer won’t boot in Safe Mode, but it also won’t boot in normal mode (even “last known good configuration”). More specifically, I can reach the login page, but the system logs out immediately after logging in. Possibly the reg keys would fix the problem, but I can’t figure out how to merge them without starting the OS. Any ideas?

    Comment by Chris — Wednesday 12 March 2008 @ 22:09

  44. I doubt that your problem is caused by a deleted Safeboot key. But if you want to try: boot from a Windows Live CD like UBCD4WIN, load the registry hive of the local machine, edit the reg file to point to the loaded hive and then merge it.

    Comment by Didier Stevens — Monday 17 March 2008 @ 22:34

  45. Dear didier,

    I would like to enable direct cable connection. Even I enabled com port, remote access and telephony, I can not enable direct cable connection. Can you help?
    I can give more detailed info, if you are interested.

    fatih

    Comment by fatih — Sunday 23 March 2008 @ 16:30

  46. I think you must enable networking.

    Comment by Didier Stevens — Monday 31 March 2008 @ 18:27

  47. Thank you for the safe boot fix for xp, it worked.

    Comment by Len — Tuesday 15 April 2008 @ 14:11

  48. Many kudos for you, Didier.
    I have spent “gazillion” hours searching for a solution to the “STOP:………” error message I get when trying to boot in Safe Mode, alas, without success.
    Your fix worked!
    Amen

    Comment by Wojtek Sangowicz — Sunday 4 May 2008 @ 23:22

  49. did not work, not way to make it work

    Comment by julie — Monday 5 May 2008 @ 8:28

  50. Did you check if the Safeboot registry entries were created (and if they were missing in the first place)?

    Comment by Didier Stevens — Monday 5 May 2008 @ 10:31

  51. Thanks, I was afraid of reinstalling xp sp2 after being infected with bagle, srosa and mdelk.exe.
    Your reg file made it possible to boot in safe mode again, and run antivirus and I got rid of it all….
    THANK YOU!

    Comment by geert — Saturday 17 May 2008 @ 22:04

  52. Thank you very much, Didier!!

    I have been infected by a Beagle variant, my safe boot entries were disappeared. I have tested your .reg file in my PC that has SP3 installed, anddddd IT WORKS!!!!!

    Comment by Ramón — Monday 26 May 2008 @ 0:21

  53. would your reg key fix also work on xp pro 64

    Comment by alan — Tuesday 3 June 2008 @ 16:37

  54. I don’t know. The format is probably the same, check it by exporting the SafeMode keys and compare them with my reg file.
    And for the entries: I don’t know if XP 64 has services & drivers that XP 32 hasn’t

    Comment by Didier Stevens — Tuesday 3 June 2008 @ 17:08

  55. Thank you, thank you, thank you. This works perfectly on xp 64 bit pro version too.

    My situation was this. I got infected with hldrrr.exe and srosa rootkits which removed many things including booting to safe mode. hldrrr.exe and srosa were removed with prevx csi and then my virus scanners were re installed, but i still didn’t have the use of safe mode even though the system was now clean because of the removal of registry entries to which i had no backups. Ran this reg key, tried booting in safe mode. Worked first time. you have saved me from a complete re-install.

    Comment by James — Saturday 21 June 2008 @ 13:15

  56. Thank you, thank you, and… thank you. I am very glad that I found your information I have been working in PC’s for years (thank you Microsoft for making your systems so unstable that they have kept me employed all these years!!!) and I can honestly say I have never encountered a PC that would not go into Safe mode. Your explanations make total sense, and your information has helped me to bring a computer back to life. I really appreciate your efforts. Do you take Paypal?? Roger(10-4)

    Comment by Roger(10-4) — Thursday 26 June 2008 @ 14:33

  57. @Roger(10-4)

    No problem. My stuff is free, no need for Paypal.

    And if you absolutely want to donate something, make a donation to your favorite charity in my name.

    Comment by Didier Stevens — Thursday 26 June 2008 @ 14:42

  58. it contains files for win2k & winxp, what about win2k3?

    Comment by Remo Harsono — Saturday 28 June 2008 @ 20:29

  59. Do you need to restore Safe Mode on a Windows 2003 server? If you have a backup, recover the system registry hive, load it in regedit and recover the safeboot keys. Let me know if you don’t have a backup.

    Comment by Didier Stevens — Monday 30 June 2008 @ 15:28

  60. Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks. Past Saturday I was browsing on the internet. Within Emule, the server suggested to go to a website. I do not remember if I was browsing with IE or Firefox. My screen went black and my system rebooted. Then I got an error when trying to start AVG “this is not a valid win32 application”. I have received the Bagle/beagle worm. I have tried to start in Safe Mode, but my system reboots, I see … agpxxx.sys . When I chose to startup without rebooting, I receive an error in BSOD 0x0000007b 0xf7c46528. Telling me my boot partition or drive is “broken”. After 4 days trying to repair my system (I slept very bad) I see your posting. AND IT MADE MY SYSTEM BOOT IN SAFE MODE !!!!! Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, now I can continue to repair my computer !!!

    Comment by ushi jansen — Wednesday 9 July 2008 @ 17:36

  61. I am missing the hard disk reg key so it will not boot in safe mode only normal mode. When I add your reg keys it does not take. If I manually make key it is there but within a sec it says key is not accessible. Seems the trojan removes the key as fast as it can be added. Any suggestions?

    Comment by guy — Thursday 10 July 2008 @ 3:35

  62. Never mind found a wininternals pe boot disk with reg editor on it. Booted on the cd and added the key for the Diskdrive and it booted into safemode fine. Thanks for pointing in the right direction.

    Comment by guy — Thursday 10 July 2008 @ 4:15

  63. You could also have done it with BartPE or Universal Boot CD For Windows: boot from the CD, load the registry hive of the local machine, and add the missing keys.
    If you want to merge the reg file, you’ll have to edit it to point to the loaded hive and then merge it.

    Comment by Didier Stevens — Thursday 10 July 2008 @ 8:28

  64. Wow thank you loads! Really helped a lot since I had Mal/Emogen-E which blocked a number of antivirus programs, hijackthis and safemode! I was actually trying to repair my registry line by line until I found your site!

    Comment by James — Friday 11 July 2008 @ 3:03

  65. [...] Safeboot registry: I use it so that I can get into safe mode. Because every time I go to safe mode it always gets stuck while importing drivers (this is part of the strategy of trojans/viruses/spyware/malware and their family :p ). [...]

    Pingback by Removing spyware caused by a Video ActiveX Object error « R420r’s Weblog — Wednesday 16 July 2008 @ 5:09

  66. Very smart solution. Thanks!!

    Comment by Jose — Sunday 20 July 2008 @ 21:32

  67. Nice. I’ve added this to my ‘toolbox’ should I ever need it. The file says it’s for XPSP2 but what about SP3?

    Comment by Xander — Tuesday 29 July 2008 @ 17:24

  68. It will work too for SP3, only 2 services were added in SP3: vds and Volume Shadow Copy. Anyways, I included a reg file for SP3.

    Comment by Didier Stevens — Wednesday 30 July 2008 @ 19:01

  69. Bless you! It put an end to hours of trying this and that. It worked for my XP PRO SP3.

    Thanks so much for taking the time to get your solution on to those of us frustrated with no Safe Mode.

    “grateful”

    Comment by Grateful — Monday 11 August 2008 @ 14:33

  70. Not sure what I’m doing wrong. I click your file but I don’t get any option to merge it. Nothing happens. I still can’t boot into safe mode. Am I supposed to place the file somewhere in particular before double-clicking it? Thank you!

    Comment by jonahpro — Monday 18 August 2008 @ 19:33

  71. Follow-up to the earlier post - I’m running XP Pro SP2. Does that matter that it’s not XP Home?

    Comment by jonahpro — Monday 18 August 2008 @ 19:34

  72. @jonahpro

    Your machine is probably infected and the malware is preventing regedit.exe from running. Can you run regedit (start / run / regedit)?
    If not, make a copy of the regedit.exe program and give it another name, and try running it.

    Comment by Didier Stevens — Monday 18 August 2008 @ 20:04

  73. Very odd - I can’t even find regedit.exe! Wouldn’t it be just one exe file I’m looking for? There are some strange virus events happening these days. Hate to take more of your time - but any ideas? Thank you!

    Comment by jonahpro — Monday 18 August 2008 @ 20:49

  74. The malware could have deleted it or is actively hiding it (rootkit).

    Try to make a copy of notepad.exe and call it regedit.exe. If this fails, the malware is actively hiding it or deleting it.

    In this case, you’re best to boot from a live CD and clean it. Try the F-secure rescue CD: http://www.linuxnewsblog.com/2008/06/f-secure-rescue-cd-300-released.html

    It’s best to download and burn this CD on a clean machine.

    Comment by Didier Stevens — Monday 18 August 2008 @ 20:57

  75. My bad. Found two instances of it. In C:\WINDOWS and in C:\WINDOWS\ServicePAckFiles\i386

    Changed them to regedit.old Then tried to run your file again. Same result. ??

    Comment by jonahpro — Monday 18 August 2008 @ 20:59

  76. No, don’t rename these files to .old, regedit.exe is a legitimate Windows program, you need it.
    Can you execute it? If so, import the reg file: file / import.

    Comment by Didier Stevens — Monday 18 August 2008 @ 21:02

  77. OK, when I run your file it keeps recreating a new regedit.exe, as it is supposed to do. But my safe boot still hangs at Mup.sys as it did before.

    Comment by jonahpro — Monday 18 August 2008 @ 21:08

  78. It looks like your Safeboot keys were never deleted, but that you have a problem with a driver. My reg file is not meant to solve this.

    Comment by Didier Stevens — Tuesday 19 August 2008 @ 7:59

  79. Didier - thank you for the time you spent on this. You’re doing a good service to everyone. Much appreciated.

    Comment by jonahpro — Tuesday 19 August 2008 @ 13:22

  80. Thanks for those .reg files, I spent some hours trying to fix my Notebook because it did not boot into safe mode (normal boot was working), the .reg files you posted fixed safe boot on my PC. Thanks again.

    Ariel
    -Mexico

    Comment by Ariel — Wednesday 24 September 2008 @ 4:31

  81. this is powerful stuff people.
    brilliant but yet so simple

    thanks a mil

    Comment by KIo — Wednesday 1 October 2008 @ 9:03

  82. Thank you for the very helpful post. For the benefit of the less advanced pc users like me can you elaborate on how to “…load the registry hive of the local machine, edit the reg file to point to the loaded hive and then merge it”. I tried this using the remote registry editor in UBCD4W and registry files from a clean pc, but I couldn’t find CurrentControlSet in the registry files it loaded.

    Thanks

    Comment by Slyce — Thursday 9 October 2008 @ 14:51

  83. I’ve an upcoming blogpost about this.

    Comment by Didier Stevens — Thursday 9 October 2008 @ 20:30

  84. Thanks, worked as advertised and allowed me to get into safe mode and remove a particularly nasty trojan on a friends computer. Good job.

    Comment by Joe — Thursday 23 October 2008 @ 4:55

  85. Hello Didier Stevens, this really helped me immensely, I have been struggling for a week and I decided to format but just before that I was lucky to find this site it booted in safe mode thank you so much

    Comment by MANJUNATH — Sunday 26 October 2008 @ 14:47

  86. Ohh ..The god…Thank you very very much My PC infected w32.sality.AE it’s super diffucal to remove ; I’m fighting with it …

    Comment by supersus — Tuesday 4 November 2008 @ 10:13

  87. Thanks a lot for this explanation. It helped.

    Comment by Alex — Thursday 6 November 2008 @ 15:31

  88. I am anxiously awaiting the blog post you promised ‘Thursday 9 October 2008 @ 20:30′ concerning the details of how to merge a registry file.

    Comment by Slyce — Wednesday 12 November 2008 @ 12:21

  89. @Slyce: it’s on my todo list. Probably December.

    Comment by Didier Stevens — Thursday 13 November 2008 @ 18:20

  90. i’ve been searching the way to resolve the problem about entering safe mode b-coz im verrrry often encountr ths prblm. and now i’ll try yours.. thx a looot :-)

    Comment by dewa — Saturday 22 November 2008 @ 8:49

  91. I added your bit to WIN2000 reg and it worked.
    I was so pleased after 3 days , Didier you had the right fix.
    Excellent work. Thanks so much for your clever piece of work,
    Guy

    Comment by Guy — Monday 24 November 2008 @ 10:56

  92. Here is a procedure with a Live CD: http://blog.didierstevens.com/2008/11/26/update-restoring-safe-mode-with-a-reg-file-and-a-live-cd/

    Comment by Didier Stevens — Wednesday 26 November 2008 @ 19:47

  93. Thank you so much for your right fix…. I really appreciate it

    Comment by QSen — Sunday 30 November 2008 @ 17:14

  94. tested on winxp_sp2 worked perfect , love you , thanks so much .

    Comment by Qwity — Sunday 14 December 2008 @ 7:34

  95. Thanks a lot for this fix…..Are the safemode w/networking keys similar across different hardware? if not How does one go about making a file like the one You have for safemode w/o networking.

    Comment by yellowpudding — Tuesday 16 December 2008 @ 14:57

  96. The safeboot keys for Safe Mode without networking are a subset of the keys with networking. I made these reg files by exporting from a clean install of a virtual machine.

    Comment by Didier Stevens — Tuesday 16 December 2008 @ 18:45

  97. I’ve just downloaded SafeBoot.zip and the MD5 hash does not match the one you have published immediately after the download link.

    I see from comment #68 that you updated the original file and the file I’ve downloaded has “Last-Modified: Tue, 29 Jul 2008 22:14:09 GMT”, which matches your comment. Did you update the hashes then, or not?

    Comment by James_A — Thursday 18 December 2008 @ 20:36

  98. I checked: the hashes you saw were for the previous version, published in December 2007. I’ve updated the hashes for the last version, published in July 2008.

    Comment by Didier Stevens — Sunday 21 December 2008 @ 15:07

  99. It works for me too… Thank you very much!!!!

    Comment by Yves — Tuesday 23 December 2008 @ 16:26

  100. I got hit yesterday 23/12 by the 0xf9.exe which came out of nowhere, my ZoneAlarm warned me program aaaaaa was trying to connect to the internet so I was able to stop the worst. In the time it took me to notice it, it had disabled the Task Mgr and removed Safeboot from registry. I found a site that told me how to restore the Task Mgr and then found your site which gave me back the Safeboot reg file. Long note, but sincere thanks for taking the trouble to help others. Merry Xmas.

    Comment by Norman — Wednesday 24 December 2008 @ 11:27
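The reg-file edit mentioned in comments 44 and 63 (pointing the file at a hive loaded from a Live CD), as an added example that is not part of the original post or thread. It assumes the offline SYSTEM hive was loaded under the hypothetical name `OFFLINE_SYSTEM`, and that the control set number is read from the `Current` value of the loaded hive's `Select` key, because `CurrentControlSet` does not exist in an offline hive.

```python
import re

LIVE_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
# Match the prefix only at the start of a key header ("[" or "[-") and only
# when a "\" or "]" follows, so value data and longer key names are left alone.
HEADER_RE = re.compile(r"^(\[-?)" + re.escape(LIVE_PREFIX) + r"(?=[\\\]])",
                       re.IGNORECASE)


def retarget_reg(text, mount_name, control_set):
    """Rewrite key headers so a merge lands in the loaded hive.

    Returns (new text, number of rewritten headers, headers left untouched).
    Untouched headers would still be merged into the registry of the running
    Live CD system, so they are reported for review.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", mount_name):
        raise ValueError("mount name must be a single key name")
    if not 1 <= control_set <= 999:
        raise ValueError("control set number out of range")
    prefix = "HKEY_LOCAL_MACHINE\\%s\\ControlSet%03d" % (mount_name, control_set)
    out, rewritten, untouched = [], 0, []
    for line in text.splitlines():
        # A function is used as replacement so backslashes are not re-parsed.
        new, count = HEADER_RE.subn(lambda m: m.group(1) + prefix, line)
        if count:
            rewritten += 1
        elif line.startswith("["):
            untouched.append(line)
        out.append(new)
    return "\r\n".join(out), rewritten, untouched


# Constructed sample, not the contents of the published reg files.
SAMPLE = "\r\n".join([
    "REGEDIT4", "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]",
    '@="Service"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PlugPlay]",
    '@="Service"', "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Example]",
    r'"Note"="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet"', "",
])

if __name__ == "__main__":
    new_text, rewritten, untouched = retarget_reg(SAMPLE, "OFFLINE_SYSTEM", 1)
    print(new_text)
    print("rewritten:", rewritten, "untouched:", untouched)
```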
