Topic: Enable Safe mode after Malware has deleted the registry key to Safe Mode


Tomas_Sweden

  • Sr. Member
  • Join Date: Oct 2011
  • Posts: 260
  • Location: Falköping
Shane, what do you think about adding an "Enable Safe mode after Malware has deleted the registry key to Safe Mode" option to Windows Repair?
 
"Malware will actually delete the registry key: HKLM\System\CurrentControlSet\Control\Safeboot to prevent safe mode from loading. You will still be able to see Windows Advanced Options Menu when you press F8 on boot, however there will be an error when you select "Safe Mode" preventing you from entering Safe Mode to delete the malware."
The text above is taken from http://sleepincot.hubpages.com/hub/Safe-Mode-Disabled-By-Malware

I have collected the registry keys from: Windows-2000-SP4, Windows-Server-2003-Standard-R2-SP2, win xpsp2, win xpsp3, vista and win 7sp1. I post the keys here!

From what I have seen on forums, for some people adding this registry key will help. But I don't know whether overwriting an already existing SafeBoot key can cause trouble for some.

Here are more links about Safe Mode:

http://blog.didierstevens.com/2006/06/22/save-safeboot/
http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
http://www.malwarehelp.org/restart-into-safe-mode-how-to-2010.html

Tomas
Dell Laptop XPS L501X Intel i5-560M(2.66GHz), Win 7 Home Prem(SP1) 64 Bit, 4 GB RAM. Samsung SSD 850 PRO 256 GB.

Shane

  • Top Geek, err uh Dog.
  • Administrator
  • Hero Member
  • Join Date: Sep 2011
  • Posts: 9280
  • Location: USA
  • "Knowledge should be shared not hidden."
  • Tweaking.com
Re: Enable Safe mode after Malware has deleted the registry key to Safe Mode
« Reply #1 on: September 30, 2012, 11:42:03 AM »
Yeah I am planning on looking into this and getting it added as well :-)

I had one person tell me I should delete the reg keys first, as some viruses add themselves there so they run when you load safe mode. But I am not sure I can do that, as what about RAID drivers needed to boot the system? So I have to check that.

Simply replacing the keys and not deleting them is the safer way. I will have to see what I find :-)

Shane
PLEASE EDIT YOUR TOPIC AND PUT (SOLVED) IF YOU ARE ALL FIXED.

(My weekends belong to my wife and kids, I will try my best to answer all posts daily during the work week)

(About Shane)
Site Owner, Top Admin, Lead Programmer, Wife & 5 kids, Needs a lot more coffee.

When people ask "Why fix what isn't broken?" I reply "To make it better."
"Only a life lived for others is a life worthwhile"
Honor & Respect is all that matters.

Owner & Programmer of: www.pcwintech.com & www.tweaking.com

Shane
Here is an example of what I was talking about.

On the Windows 7 reg file you can tell you have Microsoft Security Essentials installed. I can tell this because it adds its service to the safeboot reg keys.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MsMpSvc]
@="Service"

Whereas on my system I don't have it installed, so it isn't in there. All other keys so far match up.

This is why I can't, and won't, delete the safeboot reg keys first. Installing over it is fine, as custom keys won't be removed that way and only the system defaults are put back in.

I have to dig more into this one but I can see this being a good repair option.

Shane
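The comparison Shane describes (a known-good SafeBoot export from one machine against the keys on another) and the "install over, never delete" repair can be checked before touching a live registry. The following is an added example written for this thread; it is not Shane's code and not part of Windows Repair. It parses the text .reg format that regedit exports, reports which default keys are missing from a suspect machine and which extra keys (such as the MsMpSvc entry above) it carries, and simulates what a plain `reg import` / regedit merge does: add or overwrite the listed keys, delete nothing. The two .reg samples are constructed for illustration and are only a small subset, not the full default SafeBoot list for any Windows version; the `Base` entries are real default names, the wiped export models the symptom quoted in the first post.

```python
"""Compare a known-good SafeBoot .reg export with an export from a suspect
machine, and simulate a non-destructive merge (regedit / `reg import`
semantics: add or overwrite listed keys, delete nothing).

All sample data below is constructed and is NOT a complete default list.
"""
import re
from typing import Dict, List, Tuple

SAFEBOOT_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

RegTree = Dict[str, Dict[str, str]]  # key path -> {value name -> raw data}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text: str) -> RegTree:
    """Parse the subset of the .reg format used by SafeBoot exports:
    [key] headers and name=data lines, with @ as the key's default value.
    Real exports are UTF-16LE; read them with open(path, encoding="utf-16")."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            if name != "@":
                name = name[1:-1]  # strip the surrounding quotes of a named value
            tree[current][name] = m.group(2)  # data kept raw, e.g. "Driver Group"
    return tree


def safeboot_present(tree: RegTree) -> bool:
    """The symptom from the thread: the whole SafeBoot key is gone."""
    return any(k == SAFEBOOT_ROOT or k.startswith(SAFEBOOT_ROOT + "\\") for k in tree)


def has_delete_directives(tree: RegTree) -> bool:
    """A [-HKEY_...] line removes that key on import. A repair file that only
    restores defaults should contain none of these."""
    return any(k.startswith("-") for k in tree)


def compare(baseline: RegTree, current: RegTree) -> Tuple[List[str], List[str]]:
    """(missing, custom): default keys absent on the suspect machine, and keys
    present there but not in the defaults (e.g. an antivirus safe-mode entry)."""
    missing = sorted(k for k in baseline if k not in current)
    custom = sorted(k for k in current if k not in baseline)
    return missing, custom


def merge_over(current: RegTree, baseline: RegTree) -> RegTree:
    """Simulate importing the baseline .reg on top of the live registry:
    baseline keys/values are added or overwritten, everything else survives."""
    merged: RegTree = {k: dict(v) for k, v in current.items()}
    for key, values in baseline.items():
        merged.setdefault(key, {}).update(values)
    return merged


# Constructed known-good subset (illustrative only).
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"
"""

# Constructed suspect export: the Minimal list is gone, the Network list
# survived and carries the MsMpSvc entry mentioned in the thread.
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MsMpSvc]
@="Service"
"""

# Constructed export from a machine where the entire SafeBoot key was deleted.
WIPED_REG = "Windows Registry Editor Version 5.00\n"

if __name__ == "__main__":
    base, sus = parse_reg(BASELINE_REG), parse_reg(SUSPECT_REG)
    print("SafeBoot present on wiped machine:", safeboot_present(parse_reg(WIPED_REG)))
    missing, custom = compare(base, sus)
    print("Default keys missing:", missing)
    print("Custom keys that a delete-first repair would destroy:", custom)
    print("Keys after merge-over:", sorted(merge_over(sus, base)))
```

Running it shows the Minimal keys as missing, the MsMpSvc key as custom, and the merged tree containing both, which is the outcome Shane argues for: defaults restored, third-party safe-mode entries kept. To use it on real exports, run `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot suspect.reg` on the suspect machine and read both files with `encoding="utf-16"`; `has_delete_directives` is a quick sanity check that the repair file you are about to import contains no `[-...]` lines.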

Tomas_Sweden
I don't think you should delete the "Safe Boot Keys" either; from what I've read, it still seems rare that a virus adds itself into safe mode, so far anyway.

Quote
Installing over it is fine, as custom keys won't be removed that way and only the system defaults are put back in.

Yes, that way they still have their antivirus keys intact in Safe Mode.

Tomas

Shane
Added to Windows Repair v1.9.0 :-D

Shane