Safe Mode has been on my mind lately, now that I discovered that the SafeBoot registry keys simply reference devices, services and drivers that have to be enabled when booting into Safe Mode. Could it be that one can easily configure his own service to run in Safe Mode? Yes, one can!
Here is a very simple service I programmed to test my idea. This service just writes a string to debug output every second. You can view the debug output with Sysinternal’s DebugView utility.
You install the service with this command (admin rights are needed to install services):
MySafeModeService -i
This will configure the Service Control Manager to automatically start MySafeModeService when the machine is booted (for now, the service is just installed, it is not started).
During the installation of the service, the following registry keys are created:
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\MySafeModeService, Default = Service HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\MySafeModeService, Default = Service
The HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot registry key is where all Safe Mode settings are persisted, deleting this key prevents you from booting into Safe Mode.
The subkeys Minimal and Network are for the 2 Safe Boot modes: without and with networking. Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.
Boot into Safe Mode after installing MySafeModeService. Start DebugView, you’ll get an error, but just ignore it:
When I asked Mikko Hyponen if he knew of a virus that would add itself to the SafeBoot key, he came up with a surprising answer: the Sony Rootkit!
Didier Stevens 
[…] Article Link […]
Pingback by Liquidmatrix Security Digest » SafeBoot And Safe Mode — Monday 26 March 2007 @ 22:09
Didier,
Great post! I’ve been working on something for parsing Registry keys (and other stuff) and your post reminded me of something important.
Also, keep in mind that the contents of the Run and RunOnce keys are parsed but not launched during SafeMode boot, unless the entry in the RunOnce key has a “*” at the beginning. I mention this because (a) its in a KB article, and (b) I’ve actually seen it used, in the wild!
Thanks,
Harlan
author of “Windows Forensic Analysis”
Comment by keydet89 — Tuesday 3 April 2007 @ 11:49
mmmmmm
Comment by ddd — Sunday 15 April 2007 @ 10:50