Comments on: The Undeletable SafeBoot Key

By: Didier Stevens

Didier Stevens — Thu, 20 Jan 2011 20:59:41 +0000

@Ross If you restored your deleted SafeBoot keys with my .reg file, then why not delete them again yourself (with regedit), then run my program to create an undeletable SafeBoot key, and then restore them with my .reg file?
This way, they’ll be protected.

By: Ross

Ross — Thu, 20 Jan 2011 20:50:35 +0000

Hi there, I think i will wait for your update! There’s so many boxes in there and I dont really have a clue what I’m doing Thankfully the REG changes have held, so it looks like I am rid of whatever did it in the first place. Fingers crossed …. thanks very much for this, my safeboot has been broken for a long time and I didnt know why, though I knew there had been virus activity.

By: Didier Stevens

Didier Stevens — Thu, 20 Jan 2011 09:03:51 +0000

@Ross I plan to update my tool to change the permissions of the existing key too. But meanwhile, you can use regedit, find the SafeBoot key, right-click permissions, select advanced and change the permissions for system and administrators.

By: Ross

Ross — Thu, 20 Jan 2011 00:24:00 +0000

Hi there – can you provide a link or some further information on how to change the permissions manually? I indeed had my keys deleted by a virus, I dont know how long its been like that. Thankfuly your other program (the .REG zip file) has restored them, but I would also like the added protection of knowing they cannot be changed again – if possible please Many thanks

By: John

John — Fri, 08 Oct 2010 18:03:45 +0000

Had a problem where SafeBoot registry keys were modified by malware…. I found and deleted the bad keys and I could see the original or “normal” SafeBoot keys in the backups of the ControlSet section, but I still could not log in in Safe Mode, if I tried to search for the SafeBoot key using the Regedit Find option none would be found…. Ended up merging one of the REG files you provided and solved the issue and Safe Mode is working again. Until now I cannot understand why I would see/find the regkeys by “hand” amd the Find option could not….

John.

By: Didier Stevens

Didier Stevens — Mon, 27 Sep 2010 19:14:28 +0000

@tkocsir Take a look at the source code, it’s rather simple. All the .reg files I’ve are in the ZIP file.

By: tkocsir

tkocsir — Mon, 27 Sep 2010 14:36:22 +0000

Hi!
I found this blog in these days and I think it is very helpful! But I need more info about what your program exactly does, because I want to do the same in an AutoIT script (with setacl.exe).

And another question: do you have .reg files for restoring safeboot for Vista and Windows 7?

Thank you for your work
Thomas

By: Didier Stevens

Didier Stevens — Fri, 03 Sep 2010 09:48:33 +0000

@Peter Just like it is shown in the screenshot: I add an ACE to deny Administrator and System accounts the right to delete the key.

By: Peter

Peter — Thu, 02 Sep 2010 06:16:41 +0000

Can you please show more detail on what has been included in your special permissions for the administrator and system?

I had a problem booting in Safemode after being infected with Antivirus 2010, and managed to sort it by deleting the existing Safeboot .REG (I tried to delete the whole folder and got an error saying not possible, and though the reg file was deleted it was immediately repopulated) and then ran the appropriate .REG exe provided on this site (many thanks for this!). After successfully booting in Safemode to run Malwarebytes (which detected and deleted certain REG files and .EXEs) I was asked to restart my computer… however after rebooting into normal Windows the problem remained, and when I went to restart back into Safemode the malware was obviously back up to its old tricks because I could no longer boot in Safemode!

I have just begun to repeat the process for a second time, but wondered if you could advise what permission levels to set to avoid this problem being repeated.

Hope that makes sense,

Many thanks for your help.

By: İnatçı virüslerden kurtulun! | Çaylak Bilişimci

İnatçı virüslerden kurtulun! | Çaylak Bilişimci — Mon, 24 May 2010 19:08:33 +0000

[...] UndeletableSafeBootKey Güvenli modun farklı bir [...]