As more malware seems to delete the SafeBoot keys nowadays, and even prevents you from restoring these keys, I’m posting this “Enhanced Fix Safe Mode” procedure. In essence, it’s the same as my first procedure, but to avoid interference by the malware, we will boot from a Live CD and then fix the registry. Booting from a Live CD means that we boot a clean OS from the CD, and thus prevent the malware from running and interfering with our rescue operation. In a nutshell: boot from a Live CD, load the HKLM registry hive and merge the missing SafeBoot keys.
Notice that the configuration of the machine you’re fixing might be different from the one I’m describing. The system directory could be on another drive than C, you could need to fix ControlSet002 in stead of ControlSet001, …
So watch out, and update this procedure according to the configuration of the crippled machine.
And since you’re going to modify a critical system file, make a backup first (at least of the CONFIG directory).
Copy the respective reg file to your C:\ drive (for example SafeBoot-for-Windows-XP-SP2.reg for XP SP2).
Shutdown the PC and start from a Windows Live CD, like the Ultimate Boot CD For Windows.
Start RegEdit:
Select HKEY_LOCAL_MACHINE, and load the hive file C:\WINDOWS\system32\config\system (File / Load Hive…):
Name the loaded hive FixSafeboot:
Open the key HKLM\FixSafeboot\ControlSet### which is lacking the Safeboot key (there could be more than one ControlSet key you want to fix):
If the SafeBoot key is not missing (or the keys beneath it), you’re either looking in the wrong place or you’re not dealing with a corrupted SafeBoot key (in which case applying this procedure is useless).
If you’re not sure which ControlSet### to fix, take a peek at the value of Current in the Select key:
Here the value for Current is 1, so it’s ControlSet001 which will be used when the system boots, and that’s the one we want to fix.
Open C:\SafeBoot-for-Windows-XP-SP2.reg (the one you copied on the C:\ drive) with notepad:
Perform a search and replace: replace SYSTEM\CurrentControlSet with FixSafeboot\ControlSet### (### being the number of the ControlSet you want to fix, like 001). Save the modified reg file:
Import the reg file C:\SafeBoot-for-Windows-XP-SP2.reg with regedit (File / Import…):
Check that the SafeBoot key has been added:
Select the FixSafeboot key and unload it (File / Unload Hive…):
Shutdown the PC and start in Safe Mode (F8).
If you still can’t boot into Safe Mode, you’re either facing another problem than a Safe Mode disabling malware, or the malware operates early in the boot process and interferes with Safe Mode booting. If you suspect malware, try scanning with a Live CD with an anti-virus scanner, like the F-Secure Rescue CD.
Didier Stevens 