Didier Stevens

Monday 26 June 2006

Restoring Safeboot

Filed under: Malware — Didier Stevens @ 19:44

I spent some time this weekend researching how to recover your deleted Safeboot key (in case you don’t have a backup). This how-to is for Windows XP; it shows how to recover the Safeboot key (possibly deleted by a virus like the newest Bagle, see my previous post), not how to remove the malware.

Case 1

If Windows hasn’t been rebooted since the infection and you haven’t made changes to your system configuration since the last boot, follow this procedure:

  1. Reboot Windows and enter the “Windows Advanced Options Menu” by pressing F8 twice after the BIOS splash screen.
  2. Select “Last Known Good Configuration (your most recent settings that worked)”.
  3. You can now reboot a second time and select Safe Mode.

Case 2

If Windows has been rebooted since the infection, follow this procedure:

  1. Start System Restore (you can find it here: Start / All Programs / Accessories / System Tools / System Restore).
  2. Select a restore point that predates the infection (i.e. the Safeboot key removal); this may require some trial and error if you don’t know exactly when the Safeboot key was deleted.
  3. Confirm the restore operation.
  4. Windows will perform a System Restore and reboot.
  5. Click OK.
  6. You can now reboot a second time and select Safe Mode.

Case 3

If you’ve made changes to your system configuration that you want to keep, follow this procedure:

  1. Follow the steps of case 2.
  2. Start regedit once you’ve booted in Safe Mode.
  3. Navigate to the “HKLM\System\CurrentControlSet\Control\Safeboot” key.
  4. Export the key (right-click, Export).
  5. Start System Restore: Start / All Programs / Accessories / System Tools / System Restore.
  6. Select “Undo my last restoration”.
  7. Confirm the restore operation.
  8. Windows will perform a System Restore and reboot.
  9. Click OK.
  10. Select the Safeboot registry file you exported and merge it into the registry (double-click the file).
  11. Confirm the merge.
  12. You can now reboot again and select Safe Mode.
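Before merging the exported key in step 10, it is worth checking that the export actually contains both Safe Mode lists, otherwise the merge restores an empty or half-empty key. The script below is an added example, not code from the original post; it parses a regedit export and assumes the standard “Windows Registry Editor Version 5.00” layout and the SafeBoot\Minimal (Safe Mode) and SafeBoot\Network (Safe Mode with Networking) subkey names.

```python
import re

# Sanity-check an exported SafeBoot .reg file before merging it back (case 3, step 10).
# Assumption (not from the original post): the export was made with regedit, so it uses
# the "Windows Registry Editor Version 5.00" layout: [key] headers, @="..." defaults.
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<data>.*)$')

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for every key in a .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name").strip('"')] = m.group("data")
    return keys

def check_safeboot_export(text):
    """List the entries under Minimal (Safe Mode) and Network (Safe Mode with Networking);
    an export missing either list will not restore a usable Safe Mode."""
    keys = parse_reg(text)
    report = {}
    for mode in ("Minimal", "Network"):
        prefix = (SAFEBOOT + "\\" + mode + "\\").lower()  # registry paths are case-insensitive
        names = [k[len(prefix):] for k in keys
                 if k.lower().startswith(prefix) and "\\" not in k[len(prefix):]]
        report[mode] = sorted(names, key=str.lower)
    report["ok"] = bool(report["Minimal"]) and bool(report["Network"])
    return report

# Constructed, abbreviated sample export; a real export lists many more entries.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"
"""
```

Run `check_safeboot_export(open("safeboot.reg", encoding="utf-16").read())` on a real export (regedit writes UTF-16); if `ok` is False, take a fresh export before undoing the restoration.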
