Didier Stevens

Wednesday 26 November 2008

Update: Restoring Safe Mode with a .REG file, and a Live CD

Filed under: Malware,Update — Didier Stevens @ 19:39

As more malware nowadays deletes the SafeBoot keys, and some of it even prevents you from restoring these keys while Windows is running, I'm posting this "Enhanced Fix Safe Mode" procedure. In essence, it's the same as my first procedure, but to avoid interference by the malware, we boot from a Live CD and then fix the registry. Booting from a Live CD means that we boot a clean OS from the CD, so the malware on the hard disk never runs and cannot interfere with our rescue operation. In a nutshell: boot from a Live CD, load the offline HKLM\SYSTEM registry hive and merge the missing SafeBoot keys into it.

Notice that the configuration of the machine you're fixing might be different from the one I'm describing. The system directory could be on another drive than C, you could need to fix ControlSet002 instead of ControlSet001, ... So watch out, and update this procedure according to the configuration of the crippled machine.

And since you're going to modify a critical system file (the SYSTEM hive, C:\WINDOWS\system32\config\system), make a backup first (at least of the whole CONFIG directory).

Copy the respective reg file to your C:\ drive (for example SafeBoot-for-Windows-XP-SP2.reg for XP SP2).
Shut down the PC and start from a Windows Live CD, like the Ultimate Boot CD For Windows.

Start RegEdit:

safeboot-0000

Select HKEY_LOCAL_MACHINE, and load the hive file C:\WINDOWS\system32\config\system of the crippled installation (File / Load Hive...). Make sure you pick the file on the hard disk, not the SYSTEM hive of the Live CD itself:

safeboot-0003

Name the loaded hive FixSafeboot:

safeboot-0004

Open the key HKLM\FixSafeboot\ControlSet### which is lacking the SafeBoot key (normally found under ControlSet###\Control\SafeBoot; there could be more than one ControlSet key you want to fix):

safeboot-0005

safeboot-0006

If the SafeBoot key is not missing (nor the Minimal and Network keys beneath it), you're either looking in the wrong place or you're not dealing with a deleted SafeBoot key (in which case applying this procedure is useless).

If you're not sure which ControlSet### to fix, take a peek at the Current value in the HKLM\FixSafeboot\Select key:

safeboot-0016

Here the value for Current is 1, so it’s ControlSet001 which will be used when the system boots, and that’s the one we want to fix.

Open C:\SafeBoot-for-Windows-XP-SP2.reg (the one you copied to the C:\ drive) with Notepad:

safeboot-0007

safeboot-0008

Perform a search and replace: replace SYSTEM\CurrentControlSet with FixSafeboot\ControlSet### (### being the number of the ControlSet you want to fix, like 001). This redirects every key in the reg file from the Live CD's own registry to the loaded hive. Save the modified reg file:

safeboot-0009

safeboot-0010

Import the reg file C:\SafeBoot-for-Windows-XP-SP2.reg with regedit (File / Import…):

safeboot-0011

safeboot-0012

Check that the SafeBoot key (with its Minimal and Network subkeys) has been added under HKLM\FixSafeboot\ControlSet###\Control:

safeboot-0013

Select the FixSafeboot key and unload it (File / Unload Hive...). Unloading writes the changes back to the hive file on disk, so don't skip this step:

safeboot-0014

safeboot-0015

Shut down the PC, remove the Live CD, and start in Safe Mode (press F8 during startup).

If you still can't boot into Safe Mode, you're either facing another problem than a Safe Mode disabling malware, or the malware operates early in the boot process (for example as a driver) and interferes with Safe Mode booting. If you suspect malware, try scanning with a Live CD with an anti-virus scanner, like the F-Secure Rescue CD.
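As an added example (not part of the original post, and not Didier's reg file), here is the same Live CD procedure scripted with reg.exe and PowerShell instead of clicking through regedit: back up CONFIG, load the offline SYSTEM hive as HKLM\FixSafeboot, read Select\Current to pick the ControlSet, check that SafeBoot is really missing, rewrite the .REG file so its keys land in the loaded hive, import, verify, and unload. It assumes a rescue medium with PowerShell (a modern WinPE; the reg.exe commands alone also work from a cmd prompt on older Live CDs), that the crippled Windows volume shows up as D: under the Live CD, and that the reg file was copied to D:\SafeBoot-for-Windows-XP-SP2.reg. Adjust those paths for the machine in front of you.

```powershell
# Added example: scripted version of the "load hive, merge SafeBoot keys, unload" procedure.
# Assumptions (edit for the crippled machine): offline Windows is D:\WINDOWS, the reg file
# is D:\SafeBoot-for-Windows-XP-SP2.reg, and this runs in an elevated PowerShell on the Live CD.
$OfflineRoot = 'D:\WINDOWS'
$RegFile     = 'D:\SafeBoot-for-Windows-XP-SP2.reg'
$HiveName    = 'FixSafeboot'
$Hive        = Join-Path $OfflineRoot 'system32\config\system'
$ConfigDir   = Join-Path $OfflineRoot 'system32\config'
$Backup      = Join-Path $OfflineRoot 'system32\config.bak'

# 1. Back up the CONFIG directory before touching the SYSTEM hive.
if (-not (Test-Path $Backup)) {
    Copy-Item -Path $ConfigDir -Destination $Backup -Recurse
}

# 2. Load the offline SYSTEM hive as HKLM\FixSafeboot (same as File / Load Hive... in regedit).
reg.exe load "HKLM\$HiveName" $Hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: wrong path, or the hive is in use?" }

try {
    # 3. Which ControlSet boots? Read Select\Current from the loaded hive, not from the Live CD.
    $current  = (Get-ItemProperty -Path "HKLM:\$HiveName\Select" -Name Current).Current
    $set      = 'ControlSet{0:D3}' -f $current
    $safeBoot = "HKLM:\$HiveName\$set\Control\SafeBoot"

    # 4. Only proceed when SafeBoot\Minimal or SafeBoot\Network is actually gone;
    #    otherwise this is not the "deleted SafeBoot key" problem and merging changes nothing.
    $missing = (-not (Test-Path "$safeBoot\Minimal")) -or (-not (Test-Path "$safeBoot\Network"))
    if (-not $missing) {
        Write-Warning "$set already has SafeBoot\Minimal and SafeBoot\Network; nothing to fix."
        return
    }

    # 5. Rewrite the reg file: SYSTEM\CurrentControlSet -> FixSafeboot\ControlSet### so the keys
    #    go into the loaded hive. -replace is case-insensitive, like registry key names.
    #    regedit exports version 5.00 files as UTF-16LE, so write the copy back as Unicode.
    $fixed = "$RegFile.$set.reg"
    (Get-Content -Path $RegFile -Raw) -replace [regex]::Escape('SYSTEM\CurrentControlSet'), "$HiveName\$set" |
        Set-Content -Path $fixed -Encoding Unicode

    # 6. Import (same as File / Import... in regedit) and verify the subkeys came back.
    reg.exe import $fixed | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import of $fixed failed" }
    foreach ($sub in 'Minimal', 'Network') {
        $n = @(Get-ChildItem -Path "$safeBoot\$sub" -ErrorAction Stop).Count
        Write-Host ("{0}\Control\SafeBoot\{1}: {2} entries present after import" -f $set, $sub, $n)
    }
}
finally {
    # 7. Unload so the changes are flushed to disk and the file is not locked at reboot.
    #    PowerShell's registry provider can keep a handle open; collecting first avoids
    #    "Access is denied" from reg unload.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    reg.exe unload "HKLM\$HiveName" | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed; close regedit/PowerShell and run: reg unload HKLM\$HiveName" }
}
```

The check in step 4 matters: if both Minimal and Network are present, the machine's Safe Mode failure has another cause and the merge is pointless. The unload in the finally block is what actually commits the change to the hive file, so treat a failed unload as "not fixed yet" and retry it before rebooting.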

7 Comments

  1. How about restoring the registry from the boot CD?
    Or is the malware known to nuke restore points also?

    Comment by dxg — Wednesday 3 December 2008 @ 13:50

  2. You mean using Registry Restore Wizard from the UBCD4WIN Live CD?

    That’s an option. But I was asked to show how to merge my reg file using a Live CD.

    And yes, there is malware that deletes restore points.

    Comment by Didier Stevens — Wednesday 3 December 2008 @ 15:22

  3. [...] restoring machines after malware infection have removed the safeboot option By unixlabs Update: Restoring Safe Mode with a .REG file, and a Live CD « Didier Stevens [...]

    Pingback by restoring machines after malware infection have removed the safeboot option « shellprompt’s blog — Friday 12 December 2008 @ 9:11

  4. Hello Didier,

    Thank you for the many blogs you made about safeboot-problems with malwares.

    But, what if Safeboot is not infected but dumps every time, like I have.

    It looks like it's missing some .sys files.
    I don't know which one. But do you know, as
    an IT specialist, which files SAFEBOOT needs?
    And a way to repair it?

    Tnx.
    [Sorry for my poor english]

    Comment by Ed — Wednesday 23 September 2009 @ 20:59

  5. >It looks like it’s missing some .sys-files.
    Can you provide more details. What .sys files are missing? And why do you link it with the SafeBoot keys?

    Comment by Didier Stevens — Friday 25 September 2009 @ 11:40

  6. I stumbled upon your site just now and I must thank God for creating you. You are a Saint. Your willingness to help for free is a blessing for all of us, Thank you. Beside the safe mode error, my other problem is the system restore, which I turned off in order to delete the virus as instructed from a blog. After reboot, I can’t turn it back on. Any solution to this? Thanks in advance.

    Comment by Roger — Thursday 31 December 2009 @ 3:07

  7. [...] to restore the keys by deleting them as soon as they are restored. Until now, I recommended to use a Live CD to restore the keys in such a case (this is a complex procedure). This way, the malware is not running while you restore [...]

    Pingback by The Undeletable SafeBoot Key « Didier Stevens — Friday 1 January 2010 @ 12:54

