Didier Stevens

Monday 26 June 2006

Restoring Safeboot

Filed under: Malware — Didier Stevens @ 19:44

I spent some time this weekend researching how to recover a deleted Safeboot key (in case you don’t have a backup). This how-to is for Windows XP; it shows how to recover the Safeboot key (possibly deleted by a virus like the newest Bagle, see my previous post), not how to remove the malware.

Case 1

If Windows hasn’t been rebooted since the infection and you haven’t made changes to your system configuration since the last boot, follow this procedure:

  1. Reboot Windows and enter the “Windows Advanced Options Menu” by pressing F8 twice after the BIOS splash screen.
  2. Select “Last Known Good Configuration (your most recent settings that worked)”.
  3. You can now reboot a second time and select Safe Mode.

Case 2

If Windows has been rebooted since the infection, follow this procedure:

  1. Start System Restore (you can find it here: Start / All Programs / Accessories / System Tools / System Restore)
  2. Select a restore point that predates the infection (i.e. the Safeboot key removal); this may require some trial and error if you don’t know exactly when the Safeboot key was deleted
  3. Confirm the restore operation
  4. Windows will perform a System Restore and reboot
  5. Click OK
  6. You can now reboot a second time and select Safe Mode

Case 3

If you’ve made changes to your system configuration that you want to keep, follow this procedure:

  1. Follow the steps of case 2
  2. Start regedit once you’ve booted in Safe Mode
  3. Navigate to the “HKLM\System\CurrentControlSet\Control\Safeboot” key
  4. Export the key (right-click export)
  5. Start System Restore: Start / All Programs / Accessories / System Tools / System Restore
  6. Select “Undo my last restoration”
  7. Confirm the restore operation
  8. Windows will perform a System Restore and reboot
  9. Click OK
  10. Select the Safeboot registry file you exported and Merge it to the registry (double click the file)
  11. Confirm the merge
  12. You can now reboot again and select Safe Mode.


  1. Good work. Your solution to case 3 is exactly what I was looking for. I’ve been keeping my eye on this blog since you commented on mine awhile back. Timely solution to a real-world problem. Is it alright if I throw up a link to this blog on mine?

    Comment by Ryan — Thursday 6 July 2006 @ 17:35

  2. It’s good to read that my research was useful. I’d appreciate a link to my blog, thanks!

    Comment by Didier Stevens — Thursday 6 July 2006 @ 19:56

  3. I hit this problem working on a heavily-infected PC from Bart PE, and decided to follow a “Case 4” strategy when Google found your page. What I’ll try is…

    From Bart PE CDR boot, copy each C:\SVI\..\RP*\snapshot to a (say) C:\REGBACK\RP*

    Then the idea would be to bind one of these hives (is it SYSTEM? I haven’t looked yet) to HKLM, find the stuff I want, save it as a .REG, edit the .REG to go to CurrentControlSet etc. and then merge it back in.

    What I haven’t decided yet, is whether to do that via Bart PE CDR boot using RunScanner to treat the inactive HD registry as “live”, or do it from the only HD boot that works (normal Windows).

    The latter’s easier, but the former is cleaner in the context of suspected malware as it allows a Safe Cmd Only boot before daring to do a full (and most likely malware’d) Windows boot.

    What I like about Case 4 vs. Case 3 is that I avoid the possible collateral damage of System Restoring all the rest of the monitored files and their integrations (especially the malware one is trying to kill off).

    After all, why would Safeboot be destroyed? Either by malware, in which case you’d be restoring an infected state, or due to general chaos and corruption, in which case who knows what damaged mess you’d be restoring…

    Comment by Chris Quirke — Tuesday 11 July 2006 @ 2:28

  4. This is all great – and most of the AV websites list the bagle as “low” risk… It has totaled this pc.
    Yes it runs, but ONLY in normal mode (safe boot crashes) and it has also hosed system restore….
    No matter which AV/scanner/rootkit scan we do, it always comes back clean, but then reboot, and the hldrrr.exe and m_hook are back.
    We have been able to use alternating user accounts to get back in, deleting the files in the other account, so at reboot, we have enough time to kill the hldrrr process before it totally hangs.
    However it also prevents msconfig running – although I think this is more a deleted key, or file as it is not actively doing this.

    SO any advice on what to do about system restore AND safeboot not working?
    It seems to be a catch 22 at this point.

    I also wonder if it is possible to install windows on a new drive, clean the current drive, and then reboot with the old windows?

    Thanks for any help

    Comment by sepp — Tuesday 2 January 2007 @ 17:05

  5. Actually – I forgot to add, that not only has the system prevented safeboot, it has also prevented a clean install of xp from CD?
    We tried to get to system restore by booting with the install CD, but it never gets past loading windows….


    Comment by sepp — Tuesday 2 January 2007 @ 17:10

  6. I’ve been playing with an idea, but have not yet had the time to test it: do a Windows XP install on the same hardware but with a new disk, then export the Safeboot key and import it in the crippled OS.

    Have you tried booting from a live CD like UBCD4Win and using a command-line scanner AV that doesn’t require installation?

    Comment by Didier Stevens — Tuesday 2 January 2007 @ 18:08

  7. That is a good idea!
    I hope that the hard drive does not need to be the same as well?
    I will also try booting with a bootable windows cd – I have used BartPE in the past, but I will also look at the UBCD4Win

    Thanks – will let you know…

    Comment by Sepp — Thursday 4 January 2007 @ 17:33

  8. I don’t have a backup of my registry and I don’t understand this Bart PE stuff. Could somebody be kind enough to post an exported .reg for the entries in safeboot? After all, settings for safeboot won’t vary that much from one machine to another.

    Comment by Mirco — Sunday 18 February 2007 @ 16:07

  9. @Mirco

    Read my new post: https://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

    Comment by Didier Stevens — Monday 19 February 2007 @ 13:59

  10. Recovering from Bagle, which blows out Safemode, among other things.
    This really isn’t that hard to recover from. Here’s how I did it:
    First, I discovered I had a problem because AVG wouldn’t work, wouldn’t uninstall and wouldn’t reinstall from a fresh install file. After a reboot (and a failed system restore and a safemode BSOD), I discovered my wireless stopped working and Wireless Zero config wouldn’t start because of unstarted dependency services (it turned out to be NDIS I/O). A Google search told me that it was probably Bagle and led me to get Blacklight. Blacklight found all the nasties and I chose to rename them. Reboot and voila, Bagle disabled! However, I still had three problems – 1) System restore failed every time 2) Still no wireless and 3) Could not boot into safemode.
    Loaded System hive from C:\WINDOWS\system32\config. Exported HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot to a reg file. Opened regfile in notepad and did a replace for the name I chose when loading to “SYSTEM”. (for instance, when I loaded the hive, I called it “repair”. I then did a find and replace from “repair” to “SYSTEM” [note case sensitive!]). Imported regfile. Safemode fixed.
    Uninstalled and reinstalled Wireless NIC. This reloaded the NDIS protocol (which I had tried to reinstall alone, but no dice). Reset TCP/IP settings (I don’t use DHCP), reestablished connection with WAP (I don’t broadcast, so I had to do this by hand). Wireless fixed.
    Disabled System restore. This deleted all the restore points, many of which were hosed anyway. This bugger had been around for a few days before I noticed it. Re-enabled System restore and manually created a restore point immediately. System restore fixed.

    Comment by dimaug — Monday 19 February 2007 @ 22:44

  11. Hi there,

    found this helpful page only after removing the fX#@$ing Bagle as per AV vendors instructions.

    As for many of you it took me 2-3 days after infection to realize I had been infected;
    happened like it did for Didier Stevens.
    I agree that AV vendors are rating this virus erroneously: this is a burdensome one to remove!

    Have to highlight that google searches did not hit right most of times; especially regarding the
    disabling of NDIS driver and the messing up of Safe Mode (originally searched for specific BSOD related info).
    After some “big time” (strange as I ONLY use web services in English language for obvious reasons);
    I used Gmer and HijackThis which made the situation pretty clear.

    One point that prevents a successful restore of the SafeBoot key is that removal procedures DO NOT
    mention Safe Mode issues and they DO recommend wiping out existing System Restore data.
    This dismisses cases 2 and 3.

    My thanks to Didier for providing a fresh&clean SP2 SafeBoot .reg file for that all the SYSTEM hives
    I could load did not provide a fix (system blind reboots after 5 minutes of disk activity).

    Bests to all,


    Comment by Mario Biassoni - MCT — Tuesday 27 February 2007 @ 17:42

  12. ok just to fix the wireless you can use these registry values
    Windows Registry Editor Version 5.00

    Comment by Blue — Saturday 26 May 2007 @ 5:29

  13. Please don’t confuse safemode booting with safeboot. safeboot is a third party encryption system, which runs before the OS boots- that’s why they talk of using Barts PE and setting it up for safeboot. norton’s will only bugger the drive, as it won’t even be able to read it if it’s encrypted.

    BTW I’m stuck – I can’t find the Bart’s plugin on the Safeboot CDs. does anyone know where they are?

    Comment by Aus_e — Friday 6 July 2007 @ 5:10

  14. I know that Safeboot is a third party encryption system, but it is also the name of the registry key (Safeboot) that holds the Safe Mode data.

    Safe Mode is the name of the special boot process.
    Safeboot is the name of the registry key.

    Comment by Didier Stevens — Friday 6 July 2007 @ 13:30

  15. heck just go NOW and find a safeboot.reg key on the web, free download, and stash it in a new folder on the desktop.

    Click it and then safeboot will be there when you reboot right after.

    Comment by Jack — Sunday 30 March 2008 @ 21:29

  16. I know, I put that free safeboot.reg file on the web:

    Comment by Didier Stevens — Sunday 30 March 2008 @ 21:41

  17. […] "Show hidden files and folders" from Windows Explorer. To restore safeboot, please visit: Restoring Safeboot Didier Stevens Bonne […]

    Pingback by SPTD.sys - THE DAEMONS HOME — Saturday 16 August 2008 @ 0:23

  18. At this point of infection, it may actually save time to just backup any local files to another PC via a SATA/IDE-to-USB cable (attach your infected hard drive to another PC’s USB port, with up-to-date safeguards of course), reinstall the PC with a factory CD/image (fine) or image that you’ve archived (better), then restore your data (after applying ALL updates of course). Doing this also gives you peace of mind that no remnants (loggers etc.) of the virus/malware exist.

    Comment by Andrew — Thursday 9 July 2009 @ 4:29

  19. Respected Dider,
    about registry given by you, I add into registry so many times, but when I reboot pc the sub keys MINIMAL and NETWORK disappear. Thus on the moment when I add registry key to pc’s registry, it starts in SAFEMODE but after once again reboot it not starts. Kindly help and if possible my humble request you to mail me on my ID given here. Thanking you

    Comment by kavi — Wednesday 22 July 2009 @ 8:36

  20. @kavi This is clear evidence that your machine is still infected. I recommend you go to a forum where people can help you clean your machine, or you can try the F-Secure rescue CD or a similar solution.

    Personally, I would just wipe the machine and reinstall.

    Comment by Didier Stevens — Wednesday 22 July 2009 @ 17:48

  21. Thanks for the help!

    Comment by PChulpzutphen.nl — Tuesday 28 July 2009 @ 22:10

  22. I happened across this site as I was troubleshooting another system, so I thought I’d add my 2-cents and 78 dollars worth in the hopes that it is helpful to anyone. Please read this in full BEFORE doing anything below, so there are no surprises:

    If you want to just hose the whole install and start over like Didier Stevens said above (when you have had enough and just want to start over, because what you had on disk is not worth the grief of trying to recover it from a damaged system which I’d hesitate to trust to fix itself anyway), there is an effective solution to start over from a clean slate without losing your hardware (I’ve seen people trash perfectly good hard-drives because of issues like these mentioned above, as well as the issues that led me to this site in the first place):

    Boot to a windows98 startup disk (if you have one, an authentic copy is available below) in your floppy drive (yes, even if you are using XP/Vista/Linux/FreeBSD/OSX/Super-Fun-Time with Sparkles OS, neither your OS nor file system has any relevance to its functionality), and once you have a command prompt, type “fdisk” at the prompt, follow the directions, and remove all partitions on the affected HDD (some malware/viruses will propagate themselves to other drives to maintain an infected state in anticipation of this when system directories exist on other drives), as well as deleting the Master Boot Record. Keep in mind that win98 knows nothing of NTFS file structure, so it’s best that you let your XP disc create the new partition in NTFS during a fresh install, so after exiting fdisk back to a command prompt (without creating a new partition; let the install disc do that for you), do a hard reboot and install XP as you typically would. This way, you will have peace of mind knowing that there is nothing on that drive but its own hardware to begin with, and any malicious code has been stomped into oblivion. In a significant majority of cases, this is enough to remove all instances of infection and/or corrupted files. It also gives you a fresh install to acclimate itself to your current interests and installed programs, not what you had optimized the system for a few years ago. NO windows installation is bullet-proof, much less dent-proof without a 3rd-party recovery program such as Roxio’s “GoBack” program (abandonware by now, but still perfectly effective; it even creates, by its own “faux file system”, an environment that cripples many viruses where they are because the hardware addressing has changed. This is not to say that this is any substitute for an anti-virus, but I have purposely infected myself with all manner of viruses and worms for educational purposes, and had the privilege to roll back my drive in time to undo any written bytes on the hardware as I worked to undermine the not-so-devious-anymore malicious code).

    You can also use imaging software to make an image of your drive with a fresh and updated install, and simply revert back to it without having to wait-out the windows installer. System Restore does little to nothing to actually restore the system, it’s a useless windows bloatware feature that I have yet to find a use for other than something like resetting folder view settings, amassing large files on a drive that serve no purpose other than a space to write to constantly, or the like. Windows “System Restore” is little more than a placebo in place of something that functionally restores the drive byte-for-byte to a state it was previously, including “blank” bytes that are called “empty space” by windows. For me, “Windows System Restore” is about as effective as notepad.exe for a web-browser. If you have the space for it, keep it, but don’t rely on it to save a damaged system.

    ALWAYS destroy any and all partitions on any used hard drives you acquire and start fresh, so nothing can “customize” your OS installations before you do, or nest-in deeply enough to undermine your anti-virus install. Deleting partitions can be scary at first, but if there is nothing on the disk worth more than your sanity while trying to recover your machine, then the partition is still useless to you and safe to remove. You’ll feel better knowing you have a clean install anyway, and probably lose less hair and sleep over it in the long run.

    DO NOT use Internet Explorer as your primary browser as installed by default….look it up online once you have your system back together and you’ll see why. There is NOTHING that IE can do that Firefox cannot do or do better, and as a standalone browser, there is no open door to the deepest core of your OS, unlike IE. Way to go for internet security Microsoft!

    DO NOT use Outlook Express for anything. It’s just another loophole in your security like IE is. It is also the lamest of “lame-ducks” for E-mail browsing. Functionally-useless program, as if it was simply there JUST to have the security loophole. Rather than sending this information to Microsoft (who won’t listen to anyone, not even their own coders), I just tell people not to use it and why.

    DO NOT take E-mails directly to your computer. Web-based E-mail services such as Gmail put yet another barrier between you and a potential virus/trojan by not even allowing you to get it if it is a confirmed virus. To use OE for your E-mail is just absurdly unsafe and unnecessarily-risky, because services like Gmail will stop a suspicious file from even getting on your machine in the first place, which is sometimes all it needs to do without you opening/executing it at all.

    DO NOT open ANYTHING that does not come from a trusted source. The Nigerian prince who wants you to transfer money for them, but only needs every detail of your personal information is NOT a trusted source! You don’t really believe those spam E-mails, do you?

    DO NOT allow windows to “hide extensions for known file types”. This is a feature for functionally-retarded people using windows, so they don’t get confused by file extensions. It’s not that hard to know what a file extension is, or what it is for. Stop being willfully-ignorant and learn what they are, instead of letting windows tell you what to believe. This feature is nothing more than a way to get past your better judgement with filenames like “trojan.txt.exe” (that’s an executable file folks, NOT an innocent text document, but hiding file extensions won’t tell you that). Grow a pair and manage files for yourself so you actually know what kind of file you are dealing with. Writers of trojans find this feature enabled as “a golden ticket”, because if you refuse to see them, they can put any file extension on they like without you knowing, because you choose not to know.

    ALWAYS use your AV to scan any file whose author you don’t know personally and/or cannot verify its source as “reputable”.

    ALWAYS keep your AV and internet browser updated no less than weekly. An out-of-date antivirus is as good as none at all. You have no excuse, there are more free and reputable AV programs out there than you can count. You only pay for additional features, not basic protection. AVG, A-squared, AdAware, Spybot Search & Destroy, and many others have essential protection, and the basic versions are totally free with no compromise to their ability to protect your machine and your personal information.

    ALWAYS keep your OS updated no less than daily. Even if you are using Win98SE, a full update is still available, even if the update function doesn’t seem to work. If you are still using Win98SE, Google “win update fix win98” and you’ll find your solution to that problem.

    ALWAYS keep your wit updated no less than hourly. Take action as soon as your machine seems to act differently than it used to for so long. A sudden change in behavior when you have not made any changes yourself can be indicative of a problem, especially if your surfing/downloading habits are based in an educated manner. Don’t forget that in XP there is a “system event viewer” (right-click on “my computer” on the desktop and select “Manage”). Go to “Event Viewer” and you can see the log for nearly every event that has taken place regarding an application. You can look up error codes on the internet very easily to see what they mean.

    ALWAYS use a firewall of some sort, and an effective one. The firewall provided with XP is not guaranteed protection, as it allows many windows services to connect freely without question, and most of these services can be hijacked to use their firewall permissions. By default your firewall should block everything until you specifically allow it, with no exception whatsoever. Nothing in Windows or its sub-folders has any incorporated requirement to connect to the outside world but windows update. If in doubt, block it, especially if the attempt to access the network seems totally random, and not initiated by something you did manually. Kernel32.dll needs no access to the internet whatsoever…Windows Explorer does not need internet access for anything more than windows update. Preferably, you want a firewall that will halt a request until you approve it and/or can establish rules for it first. As an example, a (no longer supported?) but still effective firewall (for this example) is “Sygate Personal Firewall” v 5.6, found below. You don’t have to use it regularly, but this is an example of how a firewall SHOULD behave. You can still use it if you want as it will question EVERY connection to the network or internet until you set a rule (the way I like it), and you can make a rule temporary or permanent. Try it and you’ll see what I mean.

    REMOVE windows applications and shortcuts that you don’t need. Whether you say so or not, windows will ignore your preferences and install shortcuts to AOL/MSN/etc…as well as Outlook Express. You will have to go back to “Add/remove programs” and remove these “services” again manually, even if you chose not to install them.

    DISABLE services that are not relevant to what you use your machine for. If you don’t have a printer, you do not need “print spooler” as an active service. Use the shortcut mentioned above from “My computer” to access the “services and applications” manager, and disable services you know you can’t use, and force other services to only operate manually if you are unsure if you need them or not. This will also significantly improve system performance overall. Do some research online to find what services you do actually need. Remember what you disable, so that if you have a problem in the future, you can see if a service you had disabled is relevant to the application or task that you are trying to perform. This is about the ONLY functional purpose I have found to Windows System Restore, is restoring the active services list to default.

    ALWAYS change your monitor fluid on a regular basis…Dirty monitor fluid can result in “textile messaging”, “Multiple Sclerosis Networking”, “paging-file rebellion”, pre X-games RAM-thrashing, and “cache-prolapse”…..(yes, I just had to insert a joke in there to lighten the mood)

    If you are the type to hunt down suspicious files yourself, you can usually disable any functionality it has by changing the name of the file and giving it the txt extension, if windows will let you. Then you can help everyone out (if you are sure it’s infectious or can isolate its source) by submitting it to people like AVG or Spybot, just make sure they know what you are sending them first.

    If you are having trouble getting into windows at all because of a persistent file that refuses to allow you to modify it or even copy it when you know what it is and that you don’t need it or want it, the 98 startup disk will load as your OS, before windows or anything else knows that you have even powered-up, so NO files should be in use anywhere on your machine except those created in the ramdrive. You should now be able to delete/rename/move files at will, just make sure you know what you are doing! Renaming and moving is best done first, so you don’t accidentally delete an innocent but important file. Files that are persistently inaccessible in DOS-mode (win98 startup disk only, not the Xp “command prompt”), if any, should be considered highly-suspicious, because anything you need to operate the computer is on that floppy. If you still can’t delete it on a real DOS-mode, you might be better-off wiping the partition and starting over.

    Yes, it sounds kinda silly, but newer isn’t always better….some old things still work better than the new things do. Kind of ironic that I have saved many an XP machine using win98 files, most notably the startup disk left over from my win98SE days. Just be careful, because deleting the wrong partition on the wrong disk could really ruin your weekend. Fdisk will give you due warning before you do anything that would cause any catastrophic failure, so READ CAREFULLY before you proceed.

    If you don’t know where to get a win98 startup disk, you can get one at the link below. Copy the contents of the folder (not the folder itself) to a floppy disk and boot to it.

    If you don’t have a floppy drive on your machine, you should not have bought a Dell.

    If you don’t think you need a floppy drive because they are “outdated technology”, you are kidding yourself and have made troubleshooting your machine much harder than it has to be.

    If you don’t know what a floppy drive is, contact a competent professional PC technician for assistance

    If you think you’ll find a professional or competent PC technician in “customer support”, you REALLY need to look elsewhere.

    Win98SE boot disk from my protected archives (created from win98SE from a clean install. Use the “switch” on the disk itself to force it as “read-only” just as a matter of course…..it’s not like you have anything to add or alter [nor should] to a win98 pre-install/startup disk. Remember to copy the contents of the folder, not the folder itself. There are no folders/sub-directories on a windows98 startup disk):

    Sygate Personal Firewall v5.6 (currently unsupported?):

    I swear on my mother’s grave that these are clean, but scan them anyway to be sure. I don’t write viruses, I remove them. If you don’t trust my uploads to depositfiles.com (and tactful paranoia says you shouldn’t anyway, because as I said earlier, you don’t know me personally), then you can easily find these from other sources. I can only give you my solemn oath that these are clean and un-altered files. No matter what, scan them first as is a good habit to have/create. Don’t trust me because I said so, but if you have any problems with these files then you can contact the admin who has my real and unpublished e-mail address, who can then contact me with any complaints.

    I hope someone finds this helpful. All this drama with trying to recover a broken XP installation only to save a few mp3’s or other nonsense which can be replaced so easily in the first place is beyond me. If it was so important, you should have archived it where it could not be altered externally, like a CD-R or other external storage device that your system has no ready-access to. Ideally have C: drive just for Windows, and another drive to manage swap-file space and carry less-often used files such as games and archives. This alone can sometimes stop the proliferation of many viruses because they are focused on attacking the operating system, not some nonsense on some other drive with no access to the OS root directory. This also makes repairing/replacing your OS far easier, as well as further improving performance.

    If you actually read all this so far without skipping or skimming, your patience will be rewarded by your desire for details, and your chance of success is high for curing what ails your machine. Some online research will pay off for you in large dividends with the same kind of patience.

    Comment by Random Commentary — Friday 1 January 2010 @ 10:04

  23. My workaround is as follows.

    1. If the directory C:\Windows\repair exists, make a copy of it onto the Desktop, for instance.
    2. As Administrator, start regedit, load the SYSTEM hive (filename is “system”), and name it “repair” for example.
    3. Navigate to HKEY_LOCAL_MACHINE\repair\ControlSet001\Control\Safeboot, and export the Safeboot key.
    4. Use notepad to replace “repair” by “SYSTEM”, save the first file to restore ControlSet001
    5. Make the replacement accordingly to have restoration file for ControlSet002, and a 3rd file for CurrentControlSet.
    6. Merge the .reg file with the registry.
    7. Reboot in Safe Mode.

    Works perfectly if the contents of C:\Windows\repair have not been tampered with or wiped out by the virus.

    Comment by Jean-Marie — Tuesday 21 September 2010 @ 19:04
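The hive-rewrite approach that dimaug (comment 10) and Jean-Marie (comment 23) describe has two fiddly spots: the exported .reg file carries the alias you gave the loaded hive (“repair”) instead of SYSTEM, and a plain editor replace is case-sensitive and touches value data as well as key names. The script below is an added example, not code from this blog or from either commenter; it assumes Python 3, a .reg file exported by regedit from a SYSTEM hive loaded under the alias “repair”, and the file names safeboot-*.reg for its output. It rewrites only the bracketed key lines, produces the three files for ControlSet001, ControlSet002 and CurrentControlSet from Jean-Marie’s step 5, handles the UTF-16 encoding that regedit 5.00 exports use, and refuses to proceed if the Minimal or Network subkeys are absent. The sample export embedded in it is constructed and abridged. That last check is also the quickest way to confirm Didier’s diagnosis in comment 20: if a fresh export taken after a reboot fails it, something on the machine is still deleting the subkeys.

```python
"""Rewrite a SafeBoot .reg export taken from a hive loaded under an alias."""
import re
import sys

REG_HEADER = "Windows Registry Editor Version 5.00"
HIVE = "HKEY_LOCAL_MACHINE"

# Constructed sample input: an abridged SafeBoot export from a SYSTEM hive that
# was loaded in regedit under the alias "repair". A real XP export lists many
# more drivers and services under Minimal and Network.
SAMPLE_EXPORT = "\r\n".join([
    REG_HEADER,
    "",
    "[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot]",
    '"AlternateShell"="cmd.exe"',
    "",
    "[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Minimal]",
    "",
    "[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Minimal\\AppMgmt]",
    '@="Service"',
    "",
    "[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Network]",
    "",
    "[HKEY_LOCAL_MACHINE\\repair\\ControlSet001\\Control\\SafeBoot\\Network\\AppMgmt]",
    '@="Service"',
    "",
])


def decode_reg(data):
    """Decode a .reg file: regedit 5.00 writes UTF-16LE with a BOM, while
    older REGEDIT4 exports are ANSI. Notepad copes with both; a script must too."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("cp1252")


def encode_reg(text):
    """Encode as regedit expects for a version 5.00 file (UTF-16LE plus BOM)."""
    return b"\xff\xfe" + text.encode("utf-16-le")


def rewrite_key_paths(text, alias, src_set, dst_set):
    """Rewrite only bracketed key lines from HKLM\\<alias>\\<src_set>\\... to
    HKLM\\SYSTEM\\<dst_set>\\... Value lines are left untouched, so data that
    happens to contain the alias string is not corrupted. The alias match is
    case-insensitive because regedit exports it exactly as it was typed."""
    pattern = re.compile(
        r"^\[" + re.escape(HIVE + "\\" + alias + "\\" + src_set) + r"\\",
        re.IGNORECASE | re.MULTILINE,
    )
    replacement = "[" + HIVE + "\\SYSTEM\\" + dst_set + "\\"
    return pattern.sub(lambda _m: replacement, text)


def build_restore_files(export_text, alias, src_set="ControlSet001"):
    """One file per target control set. A loaded hive has no CurrentControlSet
    link, so the live registry gets an explicit copy for it as well."""
    return {
        "safeboot-" + target + ".reg": rewrite_key_paths(export_text, alias, src_set, target)
        for target in ("ControlSet001", "ControlSet002", "CurrentControlSet")
    }


def safeboot_subkeys(text):
    """Immediate subkeys of every ...\\Control\\SafeBoot key present in the file."""
    pattern = re.compile(r"^\[[^\]]*\\Control\\SafeBoot\\([^\\\]]+)\]",
                         re.IGNORECASE | re.MULTILINE)
    return {m.group(1) for m in pattern.finditer(text)}


def missing_boot_modes(text):
    """Safe Mode variants whose subkeys are absent. Minimal (Safe Mode) and
    Network (Safe Mode with Networking) must both exist for Safe Mode to work."""
    present = {name.lower() for name in safeboot_subkeys(text)}
    return [mode for mode in ("Minimal", "Network") if mode.lower() not in present]


if __name__ == "__main__":
    # Usage: python safeboot_reg.py [exported.reg] [alias]   (defaults: sample, "repair")
    alias = sys.argv[2] if len(sys.argv) > 2 else "repair"
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            export = decode_reg(fh.read())
    else:
        export = SAMPLE_EXPORT
    missing = missing_boot_modes(export)
    if missing:
        sys.exit("export lacks SafeBoot subkeys: " + ", ".join(missing))
    for name, content in build_restore_files(export, alias).items():
        with open(name, "wb") as fh:
            fh.write(encode_reg(content))
        print("wrote", name)
```

Merge the generated files from an account that can write HKLM, then reboot into Safe Mode as in case 3; if the subkeys are gone again afterwards, the key is being removed actively and cleaning or rebuilding the machine comes before any further registry repair.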
