Didier Stevens

Friday 1 January 2010

The Undeletable SafeBoot Key

Filed under: Malware, My Software — Didier Stevens @ 12:53

I present a new program that creates the SafeBoot registry key with special permissions protecting it from deletion. After running this program, you’ll be able to restore the SafeBoot registry keys with my .REG files.

Many malware samples delete the SafeBoot registry key to prevent you from booting into Safe Mode. I provide a registry fix to restore these keys.

But there is malware that goes even further and actively monitors the registry to thwart every attempt to restore the keys, deleting them as soon as they are restored. Until now, I recommended using a Live CD to restore the keys in such a case (a complex procedure). This way, the malware is not running while you restore the SafeBoot keys.

Now I have developed another solution: a program that creates the SafeBoot registry key with permissions denying the Administrators and System accounts the right to delete the key. This way, the malware can’t delete the key, because it lacks the permission to do so.

Here are the SafeBoot permissions on a default Windows XP install:

And here are the permissions of the SafeBoot key created with my new program:

I designed my program to create the SafeBoot key only when it is missing, and to set the special permissions while it is created:

My program will not set the special permissions when the key already exists. If the SafeBoot key exists and you still can’t boot into Safe Mode, you’re dealing with an issue other than Safe Mode disabling malware (probably a buggy driver).

The program is a console program, but it will pause at the end so you can read its output, even when you launch it from Windows Explorer (i.e. double-click it). If you want to use it in a script and prevent the prompt from appearing, use option -n.

If the SafeBoot key exists, my program will say so (SYSTEM\CurrentControlSet\Control\SafeBoot exists.) and leave the permissions unchanged. If your system is clean but you want to protect the SafeBoot keys, I recommend changing the permissions manually using RegEdit.

My program creates only the registry key SYSTEM\CurrentControlSet\Control\SafeBoot, not its subkeys. To restore the subkeys, use the appropriate .REG file.

Having read this, you might have thought that malware authors could bypass this protection by changing the permissions before deleting the keys. You’re right. I don’t deny Administrator and System accounts the permission to change the permissions, because I don’t expect there is malware in the wild that changes permissions of the SafeBoot key. I’ll deal with it when it eventually appears.
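The behaviour described above, written out as an added PowerShell example (this is not the UndeletableSafebootKey program itself, whose source is not on this page): the script creates the SafeBoot key only when it is missing and hands the registry a security descriptor at creation time, so the deny entries are in place in the same operation that creates the key. The function names, the -NoPause and -ProtectExisting switches and the exact ACE layout are my own assumptions; -ProtectExisting goes one step beyond the post by scripting the "change the permissions manually in RegEdit" advice for a clean system. Run it from an elevated prompt.

```powershell
# Added example, not Didier Stevens' program: create
# HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot only when it is missing, with a
# DACL that denies Administrators and SYSTEM the DELETE right, supplied at creation.
# Switch names and function names are my own choices.
param(
    [switch]$NoPause,          # like the post's -n: do not wait for Enter at the end
    [switch]$ProtectExisting   # scripted version of "change the permissions in RegEdit"
)

$SubKey = 'SYSTEM\CurrentControlSet\Control\SafeBoot'
$Hklm   = [Microsoft.Win32.Registry]::LocalMachine

function Get-WellKnownSid([System.Security.Principal.WellKnownSidType]$Type) {
    # SID-based identities work on any locale; names like "BUILTIN\Administrators" do not.
    New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @($Type, $null)
}

function New-RegistryRule($SidType, $Rights, $Inheritance, $Type) {
    New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        (Get-WellKnownSid $SidType),
        [System.Security.AccessControl.RegistryRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inheritance,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]$Type
    )
}

function New-DenyDeleteRules {
    # One explicit Deny ACE for the DELETE right (0x10000) per account the post names.
    # 'None' = this key only; use 'ContainerInherit' if restored subkeys should be covered too.
    foreach ($sidType in 'BuiltinAdministratorsSid', 'LocalSystemSid') {
        New-RegistryRule $sidType 'Delete' 'None' 'Deny'
    }
}

function New-SafeBootSecurity {
    $sec = New-Object -TypeName System.Security.AccessControl.RegistrySecurity
    # Allow entries matching the default XP layout the post shows (Administrators and
    # SYSTEM Full Control, Users Read) so the key stays usable; deny entries go on top.
    $sec.AddAccessRule((New-RegistryRule 'BuiltinAdministratorsSid' 'FullControl' 'ContainerInherit' 'Allow'))
    $sec.AddAccessRule((New-RegistryRule 'LocalSystemSid'           'FullControl' 'ContainerInherit' 'Allow'))
    $sec.AddAccessRule((New-RegistryRule 'BuiltinUsersSid'          'ReadKey'     'ContainerInherit' 'Allow'))
    foreach ($rule in New-DenyDeleteRules) { $sec.AddAccessRule($rule) }
    return $sec
}

function New-UndeletableSafeBootKey {
    # Mirrors the post's program: refuse to touch an existing key.
    $existing = $Hklm.OpenSubKey($SubKey)
    if ($null -ne $existing) {
        $existing.Close()
        Write-Host "$SubKey exists."
        return $false
    }
    # CreateSubKey with a RegistrySecurity maps to RegCreateKeyEx with SECURITY_ATTRIBUTES:
    # the DACL is applied by the same call that creates the key, so a registry-watching
    # process never observes the key without its deny entries.
    $key = $Hklm.CreateSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        (New-SafeBootSecurity))
    $key.Close()
    Write-Host "$SubKey created with deny-delete permissions."
    return $true
}

function Protect-ExistingSafeBootKey {
    # For a clean system: add the same deny entries to a key that already exists.
    $acl = Get-Acl -Path "HKLM:\$SubKey"
    foreach ($rule in New-DenyDeleteRules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "HKLM:\$SubKey" -AclObject $acl
}

function Show-SafeBootDenyEntries {
    # Verification: list the Deny entries now present on the key.
    (Get-Acl -Path "HKLM:\$SubKey").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
}

$created = New-UndeletableSafeBootKey
if (-not $created -and $ProtectExisting) { Protect-ExistingSafeBootKey }
Show-SafeBootDenyEntries
if (-not $NoPause) { Read-Host 'Press Enter to close' | Out-Null }
```

Two design points. The creation path deliberately uses the CreateSubKey overload that takes a RegistrySecurity rather than New-Item followed by Set-Acl, because the two-step version leaves a short window in which the key exists with only inherited permissions, which is exactly the window a registry-watching sample exploits. And the limitation the post acknowledges is unchanged here: the key's owner (Administrators, when created from an elevated prompt) keeps READ_CONTROL and WRITE_DAC implicitly, so anything that rewrites the DACL first can still remove the deny entries; this stops deletion, not permission changes.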

Download:

UndeletableSafebootKey_V0_0_0_1.zip (https)

MD5: 2FAC291AD547657E31B157B8581D4601

SHA256: 7A1E42A57BBF8E804491318671AE992947C82DCC9C2001E3033B45E4AEAB2DDE

5 Comments »

  1. [...] can start up, but the Belgian security researcher Didier Stevens has a solution. The program he developed creates a special registry key that cannot be deleted. It is also [...]

    Pingback by Plaats hier software gerelateerd nieuws! - Page 16 — Saturday 2 January 2010 @ 14:53

  2. [...] safe mode by repeatedly deleting the registry key HKLM\System\CurrentControlSet\Control\Safeboot. Didier Stevens provides a program to re-create ‘the undeletable safeboot key’ to defeat the designs of [...]

    Pingback by How to boot into Windows Safe mode | Malware Help. Org — Sunday 3 January 2010 @ 7:38

  3. [...] The Undeletable SafeBoot Key – didierstevens.com A solution to stopping malware from deleting your SafeBoot Key and preventing you from booting into Safe Mode. [...]

    Pingback by Week 54 in Review – 2009 | Infosec Events — Monday 4 January 2010 @ 16:06

  4. very interesting, but also very difficult

    Comment by Soender — Tuesday 5 January 2010 @ 20:58

  5. @Soender You mean changing the permissions manually?

    Comment by Didier Stevens — Tuesday 5 January 2010 @ 21:41

