Didier Stevens

Friday 1 January 2010

The Undeletable SafeBoot Key

Filed under: Malware,My Software — Didier Stevens @ 12:53

I present a new program that creates the SafeBoot registry key with special permissions protecting it from deletion. After running this program, you can restore the SafeBoot registry keys with my .REG files.

Many malware families delete the SafeBoot registry key to prevent you from booting into Safe Mode. I provide a registry fix to restore these keys.

But there is malware that goes even further and actively monitors the registry to thwart every attempt to restore the keys, deleting them as soon as they are restored. Until now, I recommended using a Live CD to restore the keys in such a case (a complex procedure). That way, the malware is not running while you restore the SafeBoot keys.

Now I have developed another solution: a program that creates the SafeBoot registry key with permissions that deny the Administrators and System accounts the right to delete the key. This way, the malware can’t delete the key because it lacks the permission to do so.

Here are the SafeBoot permissions on a default Windows XP install:

And here are the permissions of the SafeBoot key created with my new program:

I designed my program to create the SafeBoot key only when it is missing, and to set the special permissions while it is created:

My program will not set the special permissions when the key already exists. If the SafeBoot key exists and you still can’t boot into Safe Mode, you’re dealing with an issue other than Safe Mode-disabling malware (probably a buggy driver).

The program is a console program, but it pauses at the end so you can read its output, even when you launch it from Windows Explorer (i.e. by double-clicking it). If you want to use it in a script and prevent the prompt from appearing, use option -n.

If the SafeBoot key exists, my program reports this (SYSTEM\CurrentControlSet\Control\SafeBoot exists.) and leaves the permissions unchanged. If your system is clean but you want to protect the SafeBoot keys, I recommend changing the permissions manually with RegEdit.

My program creates only the registry key SYSTEM\CurrentControlSet\Control\SafeBoot, not its subkeys. To restore the subkeys, use the appropriate .REG file.
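The behaviour described above (create the key only when it is missing, and set the deny-Delete ACEs at creation time), written out as an added PowerShell example. This is not Didier Stevens’ UndeletableSafebootKey program and does not reproduce the exact ACL from his screenshots: the allow ACEs (FullControl for Administrators and SYSTEM, ReadKey for Users) stand in for the defaults, and the -ProtectSubkeys switch, the function names and the SID constants are my additions. Run it from an elevated prompt.

```powershell
# Added example, not the post's own tool. Creates HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
# only if it is missing and gives the new key a DACL that denies Administrators and SYSTEM
# the Delete right. Assumptions: the allow ACEs below approximate the defaults shown in the
# post's screenshot; -ProtectSubkeys (hypothetical option) extends the deny ACE to subkeys.

$SafeBootPath = 'SYSTEM\CurrentControlSet\Control\SafeBoot'

function New-RegistryRule {
    # Helper: build one RegistryAccessRule for a well-known SID (SIDs avoid localized names).
    param([string]$Sid,
          [System.Security.AccessControl.RegistryRights]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inheritance,
          [System.Security.AccessControl.AccessControlType]$Type)
    $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    $ctorArgs = @($identity, $Rights, $Inheritance,
                  [System.Security.AccessControl.PropagationFlags]::None, $Type)
    New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList $ctorArgs
}

function New-UndeletableSafeBootKey {
    param([string]$Path = $SafeBootPath, [switch]$ProtectSubkeys)

    $hklm = [Microsoft.Win32.Registry]::LocalMachine

    # Same rule as the post's tool: an existing key is reported and its permissions left alone.
    $existing = $hklm.OpenSubKey($Path)
    if ($existing -ne $null) {
        $existing.Close()
        Write-Output "$Path exists."
        return $false
    }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $denyScope = if ($ProtectSubkeys) { $inherit } else { [System.Security.AccessControl.InheritanceFlags]::None }

    $acl = New-Object System.Security.AccessControl.RegistrySecurity
    foreach ($sid in 'S-1-5-32-544', 'S-1-5-18') {   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
        $acl.AddAccessRule((New-RegistryRule -Sid $sid -Rights FullControl -Inheritance $inherit -Type Allow))
        # Deny ACEs are evaluated before allow ACEs, so Delete is refused while every other right still works.
        $acl.AddAccessRule((New-RegistryRule -Sid $sid -Rights Delete -Inheritance $denyScope -Type Deny))
    }
    # BUILTIN\Users keep read access, as on a default install.
    $acl.AddAccessRule((New-RegistryRule -Sid 'S-1-5-32-545' -Rights ReadKey -Inheritance $inherit -Type Allow))

    # Handing the RegistrySecurity to CreateSubKey applies the DACL together with the key, so
    # there is no window in which the key exists with default permissions.
    $key = $hklm.CreateSubKey($Path, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $acl)
    $key.Close()
    Write-Output "$Path created; Administrators and SYSTEM are denied Delete on it."
    return $true
}

New-UndeletableSafeBootKey
```

As in the post, the subkeys are not created here; restore them afterwards from the .REG file. The deny ACE is scoped to the SafeBoot key itself by default, which leaves the subkeys deletable by administrators (and therefore by the .REG workflow); -ProtectSubkeys trades that flexibility for inherited protection.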

Having read this, you might think that malware authors could bypass this protection by changing the permissions before deleting the keys. You’re right. I don’t deny the Administrator and System accounts the permission to change permissions, because I don’t expect there is malware in the wild that changes the permissions of the SafeBoot key. I’ll deal with it when it eventually appears.
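A read-only check that goes with the two points above: whether the deny-Delete ACEs for Administrators and SYSTEM are actually present on the SafeBoot key, and whether those accounts still hold ChangePermissions or TakeOwnership (the gap the post acknowledges). This is an added example, not code from the post; the function name is hypothetical and the SIDs used are the well-known ones for BUILTIN\Administrators and NT AUTHORITY\SYSTEM.

```powershell
# Added example, not part of the original post or tool. Audits the DACL of the SafeBoot key
# and reports: does the key exist, which subkeys it has (the .REG file normally restores them),
# which of Administrators/SYSTEM are denied Delete, and which of them could still rewrite the
# ACL. Read-only; needs no elevation beyond reading HKLM.

function Test-SafeBootKeyProtection {
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')

    $report = [ordered]@{
        Path                 = $Path
        Exists               = (Test-Path -Path $Path)
        Subkeys              = @()
        DeleteDeniedFor      = @()
        CanChangePermissions = @()
    }
    if (-not $report.Exists) { return [pscustomobject]$report }

    $report.Subkeys = @(Get-ChildItem -Path $Path | ForEach-Object { $_.PSChildName })

    # Well-known SIDs: names such as "BUILTIN\Administrators" are localized, SIDs are not.
    $principals = @{ Administrators = 'S-1-5-32-544'; SYSTEM = 'S-1-5-18' }

    $acl   = Get-Acl -Path $Path
    # Explicit and inherited rules, keyed by SID rather than by account name.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $delete     = [System.Security.AccessControl.RegistryRights]::Delete
    $aclControl = [System.Security.AccessControl.RegistryRights]'ChangePermissions, TakeOwnership'

    foreach ($name in $principals.Keys) {
        $sid  = $principals[$name]
        $mine = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })

        $deniesDelete = $mine | Where-Object {
            $_.AccessControlType -eq 'Deny' -and (($_.RegistryRights -band $delete) -ne 0) }
        if ($deniesDelete) { $report.DeleteDeniedFor += $name }

        # An allow ACE granting ChangePermissions or TakeOwnership that no deny ACE cancels means
        # this principal could strip the deny-Delete ACE first and then delete the key.
        $allowsAclChange = $mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (($_.RegistryRights -band $aclControl) -ne 0) }
        $deniesAclChange = $mine | Where-Object {
            $_.AccessControlType -eq 'Deny' -and (($_.RegistryRights -band $aclControl) -eq $aclControl) }
        if ($allowsAclChange -and -not $deniesAclChange) { $report.CanChangePermissions += $name }
    }
    [pscustomobject]$report
}

Test-SafeBootKeyProtection | Format-List
```

On a key created by the post’s tool you would expect DeleteDeniedFor to list both accounts and CanChangePermissions to list both as well, since the author deliberately leaves the right to change permissions in place; an empty DeleteDeniedFor on a machine where the key was supposedly protected is the signal worth investigating.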

Download:

UndeletableSafebootKey_V0_0_0_1.zip (https)

MD5: 2FAC291AD547657E31B157B8581D4601

SHA256: 7A1E42A57BBF8E804491318671AE992947C82DCC9C2001E3033B45E4AEAB2DDE

18 Comments »

  1. [...] can boot, but Belgian security researcher Didier Stevens has a solution. The program he developed creates a special registry key that cannot be deleted. It is also [...]

    Pingback by Plaats hier software gerelateerd nieuws! - Page 16 — Saturday 2 January 2010 @ 14:53

  2. [...] safe mode by repeatedly deleting the registry key HKLM\System\CurrentControlSet\Control\Safeboot. Didier Stevens provides a program to re-create ‘the undeletable safeboot key’ to defeat the designs of [...]

    Pingback by How to boot into Windows Safe mode | Malware Help. Org — Sunday 3 January 2010 @ 7:38

  3. [...] The Undeletable SafeBoot Key – didierstevens.com A solution to stopping malware from deleting your SafeBoot Key and preventing you from booting into Safe Mode. [...]

    Pingback by Week 54 in Review – 2009 | Infosec Events — Monday 4 January 2010 @ 16:06

  4. very interesting, but also very difficult

    Comment by Soender — Tuesday 5 January 2010 @ 20:58

  5. @Soender You mean changing the permissions manually?

    Comment by Didier Stevens — Tuesday 5 January 2010 @ 21:41

  6. [...] Didier Stevens provides a program to re-create ‘the undeletable safeboot key’ to defeat the designs of such malware. [...]

    Pingback by Windows Safe mode trouble-shooting when cleaning Malware | Malware Help. Org — Thursday 22 April 2010 @ 5:09

  7. [...] UndeletableSafeBootKey [...]

    Pingback by İnatçı virüslerden kurtulmanın 10 yolu! « Birbak.Org — Saturday 22 May 2010 @ 8:38

  8. [...] Run this application, import the clean registry key, and let the stubborn virus finally fall silent. Download: UndeletableSafeBootKey [...]

    Pingback by Sistemden Çıkmayan Zararlılara Karşı 10 Yöntem! « Mehlika'nın Dijital Günlüğü — Sunday 23 May 2010 @ 19:20

  9. [...] UndeletableSafeBootKey A different [...] of Safe Mode [...]

    Pingback by İnatçı virüslerden kurtulun! | Çaylak Bilişimci — Monday 24 May 2010 @ 19:08

  10. Can you please show more detail on what has been included in your special permissions for the administrator and system?

    I had a problem booting in Safemode after being infected with Antivirus 2010, and managed to sort it by deleting the existing Safeboot .REG (I tried to delete the whole folder and got an error saying not possible, and though the reg file was deleted it was immediately repopulated) and then ran the appropriate .REG exe provided on this site (many thanks for this!). After successfully booting in Safemode to run Malwarebytes (which detected and deleted certain REG files and .EXEs) I was asked to restart my computer… however after rebooting into normal Windows the problem remained, and when I went to restart back into Safemode the malware was obviously back up to its old tricks because I could no longer boot in Safemode!

    I have just begun to repeat the process for a second time, but wondered if you could advise what permission levels to set to avoid this problem being repeated.

    Hope that makes sense,

    Many thanks for your help.

    Comment by Peter — Thursday 2 September 2010 @ 6:16

  11. @Peter Just like it is shown in the screenshot: I add an ACE to deny Administrator and System accounts the right to delete the key.

    Comment by Didier Stevens — Friday 3 September 2010 @ 9:48

  12. Hi!
    I found this blog in these days and I think it is very helpful! But I need more info about what your program exactly does, because I want to do the same in an AutoIT script (with setacl.exe).

    And another question: do you have .reg files for restoring safeboot for Vista and Windows 7?

    Thank you for your work
    Thomas

    Comment by tkocsir — Monday 27 September 2010 @ 14:36

  13. @tkocsir Take a look at the source code, it’s rather simple. All the .reg files I have are in the ZIP file.

    Comment by Didier Stevens — Monday 27 September 2010 @ 19:14

  14. Had a problem where SafeBoot registry keys were modified by malware…. I found and deleted the bad keys and I could see the original or “normal” SafeBoot keys in the backups of the ControlSet section, but I still could not log in in Safe Mode; if I tried to search for the SafeBoot key using the Regedit Find option none would be found…. Ended up merging one of the REG files you provided and solved the issue and Safe Mode is working again. Until now I cannot understand why I would see/find the regkeys by “hand” and the Find option could not….

    John.

    Comment by John — Friday 8 October 2010 @ 18:03

  15. Hi there – can you provide a link or some further information on how to change the permissions manually? I indeed had my keys deleted by a virus, I don’t know how long it’s been like that. Thankfully your other program (the .REG zip file) has restored them, but I would also like the added protection of knowing they cannot be changed again – if possible please :D Many thanks

    Comment by Ross — Thursday 20 January 2011 @ 0:24

  16. @Ross I plan to update my tool to change the permissions of the existing key too. But meanwhile, you can use regedit, find the SafeBoot key, right-click permissions, select advanced and change the permissions for system and administrators.

    Comment by Didier Stevens — Thursday 20 January 2011 @ 9:03

  17. Hi there, I think I will wait for your update! There are so many boxes in there and I don’t really have a clue what I’m doing :) Thankfully the REG changes have held, so it looks like I am rid of whatever did it in the first place. Fingers crossed …. thanks very much for this, my safeboot has been broken for a long time and I didn’t know why, though I knew there had been virus activity.

    Comment by Ross — Thursday 20 January 2011 @ 20:50

  18. @Ross If you restored your deleted SafeBoot keys with my .reg file, then why not delete them again yourself (with regedit), then run my program to create an undeletable SafeBoot key, and then restore them with my .reg file?
    This way, they’ll be protected.

    Comment by Didier Stevens — Thursday 20 January 2011 @ 20:59

