
Didier Stevens

Monday 19 February 2007

Restoring Safe Mode with a .REG file
Filed under: Malware. Didier Stevens @ 13:57

I posted about a virus that disables Safe Mode by deleting the SafeBoot registry keys, and later I talked about tricks to restore the SafeBoot keys. Now I'm posting another way to restore the SafeBoot keys: merging a .reg file that contains the missing SafeBoot entries.

A comment by Mirco made me take a closer look at the SafeBoot registry key. I thought it would contain settings and drivers that are hardware dependent, but this turned out to be false. In fact, it just contains a list of references to the devices, drivers and services that have to be started when booting into Safe Mode. The registry keys to boot into Safe Mode are under the SafeBoot key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

You can boot into Safe Mode with or without networking, and there is a subkey for each mode: Minimal (no networking) and Network (with networking). Each device, driver or service that has to be started has a subkey under the Minimal or Network key. In this screenshot, you see the subkey for the Cryptographic Services service:

BTW, if you want to disable a device, driver or service in Safe Mode, just delete the corresponding subkey (make a backup first). I tested this with key {4D36E965-E325-11CE-BFC1-08002BE10318} (resulted in a disabled CD-ROM drive) and PlugPlay (resulted in a disabled Plug and Play service).

I compared several SafeBoot registry keys for Windows XP SP2 on different hardware platforms, and they were all identical. However, there were some small differences when comparing different operating systems (Windows XP SP1, SP2 and Windows 2003 SP1). Remember that Safe Mode was introduced with Windows 2000. These are minor differences, just listing devices, drivers or services that are only present on one version of Windows. For example, I found Volume Shadow Copy on Windows 2003 and not on Windows XP. Windows 2003 also had fewer network services than Windows XP; this is probably a result of the default hardening of Windows 2003: more services and applications are disabled by default on Windows 2003 than on Windows XP.

I'm now publishing a registry export file (.reg) with the SafeBoot keys from a clean Windows XP SP2 install and a clean Windows 2000 SP4 Professional install. You can use it to repair your PC when the SafeBoot keys have been deleted and System Restore cannot help you. I would not be surprised if you can use this REG file with other versions of Windows as well. Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg or SafeBoot-for-Windows-2000-SP4-Professional.reg file on the crippled PC and merge it into the registry by double-clicking it:
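To check a crippled PC against such an export without merging anything yet, the following added example (not code from the original post) parses the .reg format regedit produces, extracts the Minimal and Network subkeys, and lists which entries the machine no longer has. The .reg excerpt and the "live" key listing it is compared with are constructed samples; on a real machine you would export the SafeBoot key and feed both files to the same functions.

```python
"""Added example, not code from the original post: parse a regedit .reg export of
the SafeBoot key and report which Safe Mode entries a machine is missing."""
import re

SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # @=... (default value) or "name"=...

# Constructed excerpt in regedit's export format; a real export lists dozens of subkeys per mode.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} (SafeBoot entries only carry a REG_SZ default)."""
    lines = text.lstrip("\ufeff").splitlines()   # 5.00 exports are UTF-16 with a BOM
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        raise ValueError("not a .reg export: regedit itself refuses files without this header")
    keys, current = {}, None
    for line in (raw.strip() for raw in lines[1:]):
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):                   # [-key]: merging deletes that key
                keys.pop(path[1:], None)
                current = None
            else:
                current = keys.setdefault(path, {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            current[name] = m.group(2).strip()
    return keys

def safeboot_entries(keys, root=SAFEBOOT_ROOT):
    """Map each Safe Mode flavour to {subkey: default value}; registry paths are case-insensitive."""
    base = root.lower().split("\\")
    modes = {"Minimal": {}, "Network": {}}
    for path, values in keys.items():
        parts = path.split("\\")
        if [p.lower() for p in parts[:len(base)]] != base or len(parts) != len(base) + 2:
            continue                                   # not a <root>\<mode>\<entry> key
        mode, entry = parts[len(base)], parts[len(base) + 1]
        if mode in modes:
            modes[mode][entry] = values.get("@", "")
    return modes

# Constructed: what a Bagle-style deletion typically leaves behind on the infected machine.
LIVE_ON_INFECTED_PC = {"Minimal": {"PlugPlay"}, "Network": {"Tcpip"}}

def missing_entries(reference, live):
    """Subkeys in the clean reference that the machine no longer has, per mode."""
    return {mode: sorted(set(reference[mode]) - set(live.get(mode, ()))) for mode in reference}

def check_sample():
    return missing_entries(safeboot_entries(parse_reg(SAMPLE_REG)), LIVE_ON_INFECTED_PC)
```

If the comparison reports nothing missing, a non-booting Safe Mode has another cause and merging the file will not help, which is the check several commenters below were asked to make first.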

Download: SafeBoot.zip (https)
MD5: 5C1E3698877F79DD1C35F3107D4DC459
SHA256: 876D1C85E7556A334664C96F263781F5A9DBC9AB4DA26EDC6070AD947D09641D

Comments (253)

1. I stumbled on your site yesterday, saw the post about a virus that disables Safe Mode by deleting the SafeBoot registry keys and did exactly what you did just now. I only tested on two PCs, but thought to myself, this should be good enough. Comparing your version using WinMerge with the one I had reassured me even further. Thanks so much for the confirmation, a great site and excellent utilities. I esp. like UserAssist. I wish it didn't need .NET 2.0 so it would find its place among all the truly portable apps on my USB key, but that would probably be pushing it. Keep up the great work!
Comment by CypherBit Monday 19 February 2007 @ 17:29

2. This is great! I'm bookmarking this post for future reference. Thanks!
Comment by Luke Monday 19 February 2007 @ 19:06

3. This was very helpful, thank you
Comment by Mehmet N. Wednesday 21 February 2007 @ 19:11

4. that's a great tool for the thumb drive : ) thank you.
Comment by nabiy Thursday 22 February 2007 @ 11:38

5. I really need to delete malware in my computer, now my computer is infected with notvirus:Hoax.JS.Aqent.a
Comment by delete Malware Friday 23 March 2007 @ 9:08

6. How did you detect this, doesn't your AV clean it?
Comment by Didier Stevens Saturday 24 March 2007 @ 7:36

7. I'd been looking for a fix for the safeboot problem and after reading here realize that another problem, my DVD drive not showing up, is also probably related. I look forward to applying this fix, many thanks for this!
Comment by John Kellas Monday 16 April 2007 @ 2:01

8. Update: The reg fix worked and I can now boot into safe mode. Unfortunately it did not fix the problem with finding the drive so it must relate to another cause. It took some creative Google searches for a couple of weeks on and off to find a fix for the safe boot problem, so just knowing about this site is invaluable.
Comment by John Kellas Monday 16 April 2007 @ 16:26

9. absolutely great! Thanks for your donation!!!
Comment by kerf Sunday 22 April 2007 @ 15:20

10. many thanks for this wonderful achievement to the rest. i personally honour in high regards.
Comment by MUBASS Thursday 31 May 2007 @ 13:44

11. I appreciate the time you spent researching this issue and the elegant fix. Well done!
Comment by M. Sebzda Wednesday 6 June 2007 @ 0:34

12. Thanks for that. I'm sure it'll be useful. Didn't work for me, unfortunately. I still can't boot into safe mode. The system just reboots after the drivers have started loading and then gives me the "last configuration that worked" option. I am not sure exactly when the safe mode stopped working but suspect that it may have been when I uninstalled Norton Antivirus, as I also had an issue then with Corel Draw not opening. Or it may have been after a Trojan hijacked my start page. I seem to have eliminated this now, although it took all day, but I would still like to be able to get back into safe-mode. Apart from your fix, I've tried System Recovery bootcfg /rebuild /fastdetect, and a program called AVZ as well as searching for hours through the web but, so far, all to no avail. Any further suggestions would be much appreciated.
Comment by R Armstrong Sunday 15 July 2007 @ 21:20

13. Thanks a million. Been struggling with Bagle now for weeks in normal mode and decided to clear the system restore. Then I find this fix which seems to make it possible to really wipe out Bagle. Thanks again.
Comment by Emiel Koeman Tuesday 14 August 2007 @ 12:59

14. Thanks for this (and previous related) post. I experienced the same attack and was struggling since several weeks in order to restore safe mode function. I first compared my current Safeboot registry file with another PC and realized that I only had 3-4 entries; the remaining were just deleted by the virus in order to prevent you from booting in SM. I didn't try your .reg file though, but just took one from another PC running the same OS & SP & similar config. All worked just fine. Which confirms your saying that this .reg entry is not specially related to a given PC & config, but just to an OS with related SPs. It's also a good idea, I think, to often backup the registry (just export the whole .reg file) and then restore the needed section. In this particular case, that would have been the best solution. Thanks.
Comment by John Smith Monday 3 September 2007 @ 11:59

15. Excellent !!! You are the best ! Just What I Needed , SUUUUUUUUUUUUUUUUUUUUUUUUUUPERB Thanks!
Comment by Will Wednesday 26 September 2007 @ 4:40

16. Thanks a lot ! I will test this evening but it seems that it is the solution of my safe mode problems (crash). I had been infected with Bagle too.
Comment by luigix Wednesday 26 September 2007 @ 9:39

17. I tried your SafeBoot.reg file to fix my Safe Mode problem, but sorry to say, it didn't help. I've been putting up with this problem for a long, long time. Sure wish I could find a fix for it. After a friend directed me to your page, I really had my hopes up. Glad to hear it has worked for some people.
Comment by Jim Mowrey Tuesday 2 October 2007 @ 2:02

18. Concerning my last entry, do you have any other ideas?
Comment by Jim Mowrey Tuesday 2 October 2007 @ 2:04

19. Was your Safeboot registry data deleted? Which OS are you using?
Comment by Didier Stevens Tuesday 2 October 2007 @ 10:52

20. No, as far as I could tell, nothing had been deleted. The SafeBoot entry was still there. Don't know if anything under that key had been deleted though. I'm using XP SP2.
Comment by Jim Mowrey Tuesday 2 October 2007 @ 14:46

21. I got a blue screen with INACCESSIBLE_BOOT_DEVICE STOP 0x0000007B when trying to boot into safemode (win2k), turns out these exact safeboot keys were missing in my registry, fixed it using a different PC, export/import, and now I can boot into safe mode.
Comment by stormy Monday 22 October 2007 @ 16:55

22. I also had the 00000007B error, although I could not read exactly what it referred to, the reboot was so fast, and in my boot options "disable automatic reboot" was only applicable to normal mode. Well, I am very pleased to say that your SafeBoot.reg program solved the problem for me! My hat off to you for your excellent work. [My system is recovering from worms/trojans that infected more than 300 files and stopped updates from working, as well as crashing the machine every time I tried to download a file, or in most cases, execute one. Still trying to get updates to work again.] Best regards, Gernot
Comment by Gernot Hassenpflug Thursday 1 November 2007 @ 4:39

23. Thank you ! Thank you ! You saved me from formatting my PC !! I got the virus W32.Beagle.DZ (hidr.exe) and I was able to remove it but it left the windows registry damaged. Like wireless and Safeboot don't work anymore. One more time, thank you.
Comment by SuperCelso Wednesday 21 November 2007 @ 21:46

24. Wow! Works great! I can't thank you enough! I hope I'll never need to use it again on my own pc.
Comment by E. Falconer Thursday 22 November 2007 @ 6:37

25. It worked! It Worked! YES! Now I can get my friend's computer off my desk and get back to playing Elder Scrolls!
Comment by Patrick Wednesday 28 November 2007 @ 4:38

26. We were a Bagle victim and you made a difference here too! Fixed. Thanks a lot for providing this, Didier. Thank you very much!
Comment by DBZ Wednesday 28 November 2007 @ 16:57

27. Worked for me. I've been trying to fix this for more than six months. Did everything short of a clean install. Thanks, sure appreciate it.
Comment by BWO Thursday 29 November 2007 @ 4:27

28. Anyone have the same reg file for Windows 2000 SP4? Thanks
Comment by Tony S Thursday 6 December 2007 @ 3:16

29. For which version of Windows 2000 SP4 do you need the safe mode entries, Professional or Server?
Comment by Didier Stevens Thursday 6 December 2007 @ 8:54

30. Professional. (5.00.2195) Thanks.
Comment by Tony S Friday 7 December 2007 @ 23:12

31. I added the SafeBoot reg keys for Windows 2000 SP4 Professional to the zip file.
Comment by Didier Stevens Sunday 9 December 2007 @ 10:56

32. Thanks, Didier. I was able to boot into SafeMode now using your reg-key for windows 2000sp4. I could already run in normal mode, but I was wondering why I never could run into safemode to find things out about my PC. But thanks to your reg-key I can now work in Safemode too. Under the old key there weren't any services mentioned at all and I don't know why, but finally -thanks to you- everything turned out to be fine.
Comment by Joop Sunday 16 December 2007 @ 19:35

33. thank u very much for the information.. just got stuck at fixing 1 comp.. this 1 is too helpful thanx again
Comment by piyush chandra Friday 21 December 2007 @ 16:46

34. hi piyush, i am still suffering from the problem i am not able to boot the system on safemode with prompt it is getting restart plz help me
Comment by abdul Saturday 5 January 2008 @ 8:26

35. I believe you wanted to post this on the Piyush Labs site?
Comment by Didier Stevens Saturday 5 January 2008 @ 19:46

36. [...] Safe Mode you can repair by using the reg file from this link: http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ as for WD I don't know exactly, but try uninstalling and re-[...]
Pingback by Windows Defender is no longer shown (in the taskbar) - Virus Hilfe Tuesday 8 January 2008 @ 0:50

37. I've cleaned all viruses I had. Tried to use the utility you provided in order to boot in safe mode (I've lost it due to a virus), but when I press F8, I'm getting a regular boot. What could be wrong? In addition I'm not able to install Windows XP security updates. PC works fine, but security updates.. Any idea what to do?
Comment by YP Tuesday 8 January 2008 @ 19:33

38. Thanks a bunch for the info. It worked great!
Comment by KJ Wednesday 9 January 2008 @ 1:05

39. @YP If you mail me your exported Safeboot reg keys, I'll have a look at them.
Comment by Didier Stevens Wednesday 16 January 2008 @ 20:31

40. Thank you very much for your very useful information. The net is becoming step by step, time by time, always more degraded: it's always more difficult to find someone who uses his brains to solve problems. If I can add something to your post, I would advise people when they install an OS, to install another clean copy on a separate partition and forget it, so that they can use it when they need, as spare parts. Thank you again
Comment by Ermanno Saturday 9 February 2008 @ 16:24

41. Stumbling on your page was a godsend. My w2k machine has been able to boot into Normal Mode but NOT Safe Mode for quite some time and I suspected a virus. I kept getting the Inaccessible Boot Device bluescreen and figured the mbr was infected but was reluctant to fiddle with this. I did a final google about the problem and found this site. I downloaded and installed your fix and can now finally boot into Safe Mode which will enable me to remove viruses and malware. Thanks 1000 times. Doug
Comment by Doug Tuesday 26 February 2008 @ 19:39

42. Just to add another thank you to the list, I can now clean the bagle. Will check more of the site, thanks, Fab
Comment by Fab Thursday 6 March 2008 @ 18:35

43. I don't know if this is the right place to post but there seem to be a lot of satisfied commenters. My computer won't boot in Safe Mode, but it also won't boot in normal mode (even last known good configuration). More specifically, I can reach the login page, but the system logs out immediately after logging in. Possibly the reg keys would fix the problem, but I can't figure out how to merge them without starting the OS. Any ideas?
Comment by Chris Wednesday 12 March 2008 @ 22:09

44. I doubt that your problem is caused by a deleted Safeboot key. But if you want to try: boot from a Windows Live CD like UBCD4WIN, load the registry hive of the local machine, edit the reg file to point to the loaded hive and then merge it.
Comment by Didier Stevens Monday 17 March 2008 @ 22:34

45. Dear Didier, I would like to enable direct cable connection. Even though I enabled com port, remote access and telephony, I can not enable direct cable connection. Can you help? I can give more detailed info, if you are interested. fatih
Comment by fatih Sunday 23 March 2008 @ 16:30

46. I think you must enable networking.
Comment by Didier Stevens Monday 31 March 2008 @ 18:27

47. Thank you for the safe boot fix for xp, it worked.
Comment by Len Tuesday 15 April 2008 @ 14:11

48. Many kudos for you, Didier. I have spent gazillion hours searching for a solution to the STOP: error message I get when trying to boot in Safe Mode, alas, without success. Your fix worked! Amen
Comment by Wojtek Sangowicz Sunday 4 May 2008 @ 23:22

49. did not work, no way to make it work
Comment by julie Monday 5 May 2008 @ 8:28

50. Did you check if the Safeboot registry entries were created (and if they were missing in the first place)?
Comment by Didier Stevens Monday 5 May 2008 @ 10:31

51. Thanks i was afraid of reinstalling xp sp2 after being infected with bagle, srosa and mdelk.exe. your reg file made it possible to boot in safe mode again, and run antivirus and i got rid of it all. THANK YOU!
Comment by geert Saturday 17 May 2008 @ 22:04

52. Thank you very much, Didier!! I have been infected by a Beagle variant, my safe boot entries had disappeared. I have tested your .reg file in my PC that has SP3 installed, anddddd IT WORKS!!!!!
Comment by Ramn Monday 26 May 2008 @ 0:21

53. would your reg key fix also work on xp pro 64
Comment by alan Tuesday 3 June 2008 @ 16:37

54. I don't know. The format is probably the same, check it by exporting the SafeMode keys and compare them with my reg file. And for the entries: I don't know if XP 64 has services & drivers that XP 32 hasn't
Comment by Didier Stevens Tuesday 3 June 2008 @ 17:08

55. Thank you, thank you, thank you. This works perfectly on xp 64 bit pro version too. My situation was this. I got infected with hldrrr.exe and srosa rootkits which removed many things including booting to safe mode. hldrrr.exe and srosa were removed with prevx csi and then my virus scanners were re-installed, but i still didn't have the use of safe mode even though the system was now clean because of the removal of registry entries to which i had no backups. Ran this reg key, tried booting in safe mode. Worked first time. you have saved me from a complete re-install.
Comment by James Saturday 21 June 2008 @ 13:15

56. Thank you, thank you, and thank you. I am very glad that I found your information. I have been working in PCs for years (thank you Microsoft for making your systems so unstable that they have kept me employed all these years!!!) and I can honestly say I have never encountered a PC that would not go into Safe mode. Your explanations make total sense, and your information has helped me to bring a computer back to life. I really appreciate your efforts. Do you take Paypal?? Roger(10-4)
Comment by Roger(10-4) Thursday 26 June 2008 @ 14:33

57. @Roger(10-4) No problem. My stuff is free, no need for Paypal. And if you absolutely want to donate something, make a donation to your favorite charity in my name.
Comment by Didier Stevens Thursday 26 June 2008 @ 14:42

58. it contains files for win2k & winxp, what about win2k3?
Comment by Remo Harsono Saturday 28 June 2008 @ 20:29

59. Do you need to restore Safe Mode on a Windows 2003 server? If you have a backup, recover the system registry hive, load it in regedit and recover the safeboot keys. Let me know if you don't have a backup.
Comment by Didier Stevens Monday 30 June 2008 @ 15:28

60. Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks, Thanks. Past saturday I was browsing on the internet. Within Emule, the server suggested to go to a website. I do not remember if I was browsing with IE or Firefox. My screen went black and my system rebooted. Then I got an error when trying to start AVG: "this is not a valid win32 application". I have received the Bagle/beagle worm. I have tried to start in Safe Mode, but my system reboots, I see agpxxx.sys. When I chose to startup without rebooting, I receive an error in BSOD 0x0000007b 0xf7c46528. Telling me my boot partition or drive is broken. After 4 days trying to repair my system (I slept very bad) I see your posting. AND IT MADE MY SYSTEM BOOT IN SAFE MODE !!!!! Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, Thanks !, now I can continue to repair my computer !!!
Comment by ushi jansen Wednesday 9 July 2008 @ 17:36

61. I am missing the hard disk reg key so it will not boot in safe mode, only normal mode. When I add your reg keys it does not take. If I manually make the key it is there but within a sec it says the key is not accessible. Seems the trojan removes the key as fast as it can be added. Any suggestions?
Comment by guy Thursday 10 July 2008 @ 3:35

62. Never mind, found a Winternals PE boot disk with a reg editor on it. Booted on the cd and added the key for the Diskdrive and it booted into safemode fine. Thanks for pointing in the right direction.
Comment by guy Thursday 10 July 2008 @ 4:15

63. You could also have done it with BartPE or Universal Boot CD For Windows: boot from the CD, load the registry hive of the local machine, and add the missing keys. If you want to merge the reg file, you'll have to edit it to point to the loaded hive and then merge it.
Comment by Didier Stevens Thursday 10 July 2008 @ 8:28
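The edit step from the two comments above (load the SYSTEM hive offline, point the .reg at it, merge), as an added example that is not part of the original post or its comments. It assumes the hive was loaded under a temporary name such as OfflineSystem and that the hive's Select key was exported to learn which control set to target; both values are constructed. The catch it handles is that CurrentControlSet is a link that only exists on the running system, so an offline hive must be addressed through ControlSet001, ControlSet002, etc.

```python
"""Added example, not Didier Stevens' code: retarget a SafeBoot .reg export so it
merges into a SYSTEM hive that was loaded offline (e.g. from a BartPE/UBCD4WIN
boot) under a temporary key name. Hive name and Select value are constructed."""
import re

# Matches the key lines of the export; group 1 is the optional '-' of a [-key] delete line.
ONLINE_KEY = re.compile(r"^\[(-?)HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet(\\[^\]]*)?\]$", re.IGNORECASE)

def current_control_set(select_values):
    """An offline hive has no CurrentControlSet link; the hive's Select key records in
    its 'Current' value which ControlSetNNN the installed system was using.
    select_values is the Select key as exported, e.g. {'Current': 'dword:00000001'}."""
    raw = select_values["Current"]
    if not raw.lower().startswith("dword:"):
        raise ValueError("the Select key's Current value should be a dword")
    return "ControlSet%03d" % int(raw[len("dword:"):], 16)

def retarget_reg(text, loaded_as, control_set):
    """Rewrite each key line to HKEY_LOCAL_MACHINE\\<loaded_as>\\<control_set>\\...;
    the header and the value lines pass through unchanged."""
    if not loaded_as or "\\" in loaded_as:
        raise ValueError("loaded_as must be the bare name the hive was loaded under")
    target = "HKEY_LOCAL_MACHINE\\%s\\%s" % (loaded_as, control_set)
    out = []
    for line in text.splitlines():
        m = ONLINE_KEY.match(line.strip())
        out.append("[%s%s%s]" % (m.group(1), target, m.group(2) or "") if m else line)
    return "\n".join(out) + "\n"

# Constructed two-entry export; the real file carries every SafeBoot subkey.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"
"""

def demo():
    """The Select key exported from the offline hive (constructed) says ControlSet001."""
    control_set = current_control_set({"Current": "dword:00000001"})
    return retarget_reg(SAMPLE_REG, "OfflineSystem", control_set)
```

After merging, unload the hive before rebooting; a hive left loaded stays locked and the edits are not flushed to the file on the crippled disk.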

64. Wow thank you loads! Really helped a lot since I had Mal/Emogen-E which blocked a number of antivirus programs, hijackthis and safemode! I was actually trying to repair my registry line by line until I found your site!
Comment by James Friday 11 July 2008 @ 3:03

65. [...] Safeboot registry: I used it to be able to get into safe mode, because every time I went into safe mode it would get stuck while loading drivers (this is part of the strategy of trojans/viruses/spyware/malware and their relatives :p). [...]
Pingback by Removing spyware caused by the Video ActiveX Object error, R420rs Weblog Wednesday 16 July 2008 @ 5:09

66. Very smart solution. Thanks!!
Comment by Jose Sunday 20 July 2008 @ 21:32