Didier Stevens

Monday 19 February 2007

Restoring Safe Mode with a .REG file

Filed under: Malware — Didier Stevens @ 13:57

I posted about a virus that disables Safe Mode by deleting the SafeBoot registry keys, and later I talked about tricks to restore the SafeBoot keys. Now I’m posting another way to restore the SafeBoot keys: merging a .reg file with the missing SafeBoot entries.

A comment by Mirco made me take a closer look at the SafeBoot registry key. I thought that it would contain settings and drivers that are hardware dependent, but this turned out to be false. In fact, it just contains a list of references to the devices, drivers and services that have to be started when booting into Safe Mode.

The registry keys to boot into Safe Mode are under the SafeBoot key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

(screenshot: safebootreg-1.PNG)

You can boot into Safe Mode with or without networking; there is a subkey for each mode: Minimal (no networking) and Network (with networking).

Each device, driver or service that has to be started has a subkey under the Minimal or Network key.
In this screenshot, you see the Cryptographic Services service:

(screenshot: safebootreg-2.PNG)

BTW, if you want to disable a device, driver or service in Safe Mode, just delete the corresponding subkey (make a backup first).
I tested this with key {4D36E965-E325-11CE-BFC1-08002BE10318} (resulted in a disabled CD-ROM drive) and PlugPlay (resulted in a disabled Plug and Play service).

I compared the SafeBoot registry keys of several Windows XP SP2 installs on different hardware platforms, and they were all identical. However, there were some small differences when comparing different operating systems (Windows XP SP1, SP2 and Windows 2003 SP1). Remember that Safe Mode only arrived in the NT line with Windows 2000.
These are minor differences, just listing devices, drivers or services that are only present on one version of Windows. For example, I found the Volume Shadow Copy service on Windows 2003 and not on Windows XP. And Windows 2003 also had fewer network services than Windows XP; this is probably a result of the default hardening of Windows 2003: more services and applications are disabled by default on Windows 2003 than on Windows XP.

I’m now publishing a registry export file (.reg) with the SafeBoot keys from a clean Windows XP SP2 install and a clean Windows 2000 SP4 Professional install. You can use it to repair your PC when the SafeBoot keys have been deleted and System Restore cannot help you. I would not be surprised if you can use this REG file with other versions of Windows as well.

Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg or SafeBoot-for-Windows-2000-SP4-Professional.reg file on the crippled PC and merge it into the registry by double-clicking it:

(screenshot: safebootmerge.PNG)

Download:

SafeBoot.zip (https)

MD5: ADF70E98A9A1BAC7DB1689E140CD777E

SHA256: 6F6139AE0CA3DA2E3485B9CEAD55D524971CBF2E8B0BF77247AA179EBD61B019
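The comparison above between installs, and the check you should do after merging (are the entries really back under Minimal and Network?), can both be scripted instead of eyeballed in regedit. The following Python script is an added example and not code from the original post: it parses the text of a regedit export and lists which SafeBoot subkeys a known-good export has that a suspect machine's export lacks. The two exports embedded in it are constructed and heavily trimmed stand-ins (a real XP SP2 export has dozens of entries per mode); the value named "Constructed" exists only to exercise the wrapped-hex parsing.

```python
"""Diff the SafeBoot subkeys of two regedit .reg exports (added example)."""
import re

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Value lines: @=data for the default value, or "name"=data;
# names may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export.

    Handles the header, [key] sections, value lines, and hex data that
    regedit wraps over several lines with a trailing backslash. Key paths
    are kept exactly as written (including a leading '-' for deletions).
    """
    keys, current, pending = {}, None, None  # pending: wrapped hex value
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, data = pending
            data += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, data)
            else:
                keys[current][name] = data
                pending = None
            continue
        if not line or line[0] == ";" or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or m is None:
            continue  # not a value line, or a value outside any section
        name = "@" if m.group(1) else re.sub(r"\\(.)", r"\1", m.group(2))
        data = m.group(3)
        if data.endswith("\\"):
            pending = (name, data.rstrip("\\"))
        else:
            keys[current][name] = data
    return keys


def safeboot_subkeys(keys, mode):
    """Map lower-cased subkey name -> name as written, for SafeBoot\\<mode>\\*.

    Registry key names are case-insensitive, so comparisons use the lower-cased form.
    """
    prefix = (SAFEBOOT + "\\" + mode + "\\").lower()
    found = {}
    for path in keys:
        if path.lower().startswith(prefix):
            name = path[len(prefix):].split("\\")[0]
            found[name.lower()] = name
    return found


def missing_safeboot_entries(good_text, suspect_text):
    """Subkeys present in the known-good export but absent from the suspect one."""
    good, suspect = parse_reg(good_text), parse_reg(suspect_text)
    report = {}
    for mode in ("Minimal", "Network"):
        wanted, present = safeboot_subkeys(good, mode), safeboot_subkeys(suspect, mode)
        report[mode] = sorted(wanted[k] for k in wanted if k not in present)
    return report


# Constructed, trimmed stand-ins for a clean export and one from an infected PC.
GOOD_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"Constructed"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip]
@="Service"
"""

SUSPECT_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"
"""

if __name__ == "__main__":
    for mode, names in missing_safeboot_entries(GOOD_EXPORT, SUSPECT_EXPORT).items():
        print("SafeBoot\\%s: %d missing -> %s" % (mode, len(names), ", ".join(names) or "(none)"))
```

To run it against real files, export the key on both machines (regedit, or `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg`) and read them with `open(path, "rb").read().decode("utf-16")`: regedit 5.00 writes UTF-16LE with a byte-order mark, which is why a plain text diff tool sometimes shows the file as a single unreadable line. Run it once before merging to see what the malware deleted, and once after merging to confirm the report is empty.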

50 Comments »

  1. I stumbled on your site yesterday, saw the post about a virus that disables Safe Mode by deleting the SafeBoot registry keys and did exactly what you did just now. I only tested on two PCs, but thought to myself, this should be good enough. Comparing your “version” using WinMerge with the one I had reassured me even further.

    Thanks so much for the confirmation, a great site and excellent utilities. I esp. like UserAssist. I wish it didn’t need .net 2.0 so it would find its place among all the truly portable apps on my USB key, but that would probably be pushing it.

    Keep up the great work!

    Comment by CypherBit — Monday 19 February 2007 @ 17:29

  2. This is great! I’m bookmarking this post for future reference. Thanks!

    Comment by Luke — Monday 19 February 2007 @ 19:06

  3. This was very helpful, thank you :)

    Comment by Mehmet N. — Wednesday 21 February 2007 @ 19:11

  4. that’s a great tool for the thumb drive : ) thank you.

    Comment by nabiy — Thursday 22 February 2007 @ 11:38

  5. I really need to delete malware from my computer; now my computer is infected with not-virus:Hoax.JS.Aqent.a

    Comment by delete Malware — Friday 23 March 2007 @ 9:08

  6. How did you detect this, doesn’t your AV clean it?

    Comment by Didier Stevens — Saturday 24 March 2007 @ 7:36

  7. I’d been looking for a fix for the safeboot problem and after reading here realize that another problem, my DVD drive not showing up, is also probably related. I look forward to applying this fix, many thanks for this!

    Comment by John Kellas — Monday 16 April 2007 @ 2:01

  8. Update: The reg fix worked and I can now boot into safe mode. Unfortunately it did not fix the problem with finding the drive so it must relate to another cause. It took some creative Google searches for a couple of weeks on and off to find a fix for the safe boot problem, so just knowing about this site is invaluable.

    Comment by John Kellas — Monday 16 April 2007 @ 16:26

  9. absolutely great! Thanks for your donation!!!

    Comment by kerf — Sunday 22 April 2007 @ 15:20

  10. many thanks for this wonderful achievement to the rest.

    I personally honour you in high regard.

    Comment by MUBASS — Thursday 31 May 2007 @ 13:44

  11. I appreciate the time you spent researching this issue and the elegant fix. Well done.!

    Comment by M. Sebzda — Wednesday 6 June 2007 @ 0:34

  12. Thanks for that. I’m sure it’ll be useful. Didn’t work for me, unfortunately. I still can’t boot into safe mode. The system just reboots, after the drivers have started loading and then gives me the “last configuration that worked” option. I am not sure exactly when the safe mode stopped working but suspect that it may have been when I uninstalled Norton Antivirus, as I also had an issue then with Corel Draw not opening. Or it may have been after a Trojan hijacked my start page. I seem to have eliminated this now, although it took all day, but I would still like to be able to get back into safe-mode. Apart from your fix, I’ve tried System Recovery bootcfg /rebuild /fastdetect, and a program called AVZ - as well as searching for hours through the web but, so far, all to no avail.

    Any further suggestions would be much appreciated.

    Comment by R Armstrong — Sunday 15 July 2007 @ 21:20

  13. Thanks a million,
    Been struggling with Bagle now for weeks in normal mode and decided to clear the system restore. Then I found this fix which seems to make it possible to really wipe out Bagle.
    Thanks again.

    Comment by Emiel Koeman — Tuesday 14 August 2007 @ 12:59

  14. Thanks for this (and previous related) post.
    I experienced the same attack and was struggling for several weeks in order to restore the safe mode function.

    I first compared my current Safeboot registry file with another PC and realized that it only had 3-4 entries - the remaining ones were just deleted by the virus in order to prevent you from booting in SM.

    I didn’t try your .reg file though, but just took one from another PC running the same OS & SP & similar config. All worked just fine. Which confirms your saying that this .reg entry is not specially related to a given PC & config, but just to an OS with related SPs.

    It’s also a good idea, I think, to often backup the registry (just export the whole .reg file) and then restore the needed section. In this particular case, that would have been the best solution.

    Thanks.

    Comment by John Smith — Monday 3 September 2007 @ 11:59

  15. Excellent !!! You are the best ! Just What I Needed , SUUUUUUUUUUUUUUUUUUUUUUUUUUPERB Thanks!

    Comment by Will — Wednesday 26 September 2007 @ 4:40

  16. Thanks a lot !
    I will test this evening… but it seems that this is the solution to my safe mode problems (crash). I had been infected with Bagle too.

    Comment by luigix — Wednesday 26 September 2007 @ 9:39

  17. I tried your SafeBoot.reg file to fix my Safe Mode problem, but sorry to say, it didn’t help. I’ve been putting up with this problem for a long, long time. Sure wish I could find a fix for it. After a friend directed me to your page, I really had my hopes up. Glad to hear it has worked for some people.

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 2:02

  18. Concerning my last entry, do you have any other ideas?

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 2:04

  19. Was your Safeboot registry data deleted? Which OS are you using?

    Comment by Didier Stevens — Tuesday 2 October 2007 @ 10:52

  20. No, as far as I could tell, nothing had been deleted. The SafeBoot entry was still there. Don’t know if anything under that key had been deleted though. I’m using XP SP2.

    Comment by Jim Mowrey — Tuesday 2 October 2007 @ 14:46

  21. I got a blue screen with INACCESSIBLE_BOOT_DEVICE STOP 0x0000007B when trying to boot into safemode (win2k); turns out these exact “safeboot” keys were missing in my registry. Fixed it using a different PC, export/import, and now I can boot into safe mode.

    Comment by stormy — Monday 22 October 2007 @ 16:55

  22. I also had the 0x0000007B error, although I could not read exactly what it referred to, the reboot was so fast—and in my boot options “disable automatic reboot” was only applicable to normal mode. Well, I am very pleased to say that your SafeBoot.reg program solved the problem for me! My hat off to you for your excellent work. [My system is recovering from worms/trojans that infected more than 300 files and stopped updates from working, as well as crashing the machine every time I tried to download a file, or in most cases, execute one. Still trying to get updates to work again.]
    Best regards, Gernot

    Comment by Gernot Hassenpflug — Thursday 1 November 2007 @ 4:39

  23. Thank you! Thank you! You saved me from formatting my PC!! I got the virus W32.Beagle.DZ (hidr.exe) and I was able to remove it but it left the Windows registry damaged. Wireless and Safeboot don’t work anymore. One more time, thank you.

    Comment by SuperCelso — Wednesday 21 November 2007 @ 21:46

  24. Wow! Works great! I can’t thank you enough! I hope I’ll never need to use it again on my own pc.

    Comment by E. Falconer — Thursday 22 November 2007 @ 6:37

  25. It worked! It Worked! YES! Now I can get my friend’s computer off my desk and get back to playing Elder Scrolls!

    Comment by Patrick — Wednesday 28 November 2007 @ 4:38

  26. We were a Bagle victim and you made a difference here too! Fixed. Thanks a lot for providing this, Didier. Merci beaucoup!

    Comment by DBZ — Wednesday 28 November 2007 @ 16:57

  27. Worked for me. I’ve been trying to fix this for more than six months. Did everything short of a clean install. Thanks, sure appreciate it.

    Comment by BWO — Thursday 29 November 2007 @ 4:27

  28. Anyone have the same reg file for Windows 2000 SP4?
    Thanks

    Comment by Tony S — Thursday 6 December 2007 @ 3:16

  29. For which version of Windows 2000 SP4 do you need the safe mode entries, Professional or Server?

    Comment by Didier Stevens — Thursday 6 December 2007 @ 8:54

  30. Professional. (5.00.2195)
    Thanks.

    Comment by Tony S — Friday 7 December 2007 @ 23:12

  31. I added the SafeBoot reg keys for Windows 2000 SP4 Professional to the zip file.

    Comment by Didier Stevens — Sunday 9 December 2007 @ 10:56

  32. Thanks, Didier. I was able to boot into SafeMode now using your reg key for Windows 2000 SP4. I could already run in normal mode, but I was wondering why I never could run in safe mode to find things out about my PC. But thanks to your reg key I can now work in Safe Mode too. Under the old key there weren’t any services mentioned at all and I don’t know why, but finally - thanks to you - everything turned out to be fine.

    Comment by Joop — Sunday 16 December 2007 @ 19:35

  33. thank you very much for the information..
    just got stuck fixing 1 comp.. this one is very helpful…
    thanks again

    Comment by piyush chandra — Friday 21 December 2007 @ 16:46

  34. hi piyush,

    I am still suffering from the problem: I am not able to boot the system in safe mode with command prompt, it keeps restarting… please help me

    Comment by abdul — Saturday 5 January 2008 @ 8:26

  35. I believe you wanted to post this on the Piyush Labs site?

    Comment by Didier Stevens — Saturday 5 January 2008 @ 19:46

  36. [...] safe mode you can repair by using the reg file from this link: http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/ as for WD I don’t know exactly, but try uninstalling and a fresh [...]

    Pingback by Windows Defender is no longer shown (in the taskbar) - Virus Hilfe — Tuesday 8 January 2008 @ 0:50

  37. I’ve cleaned all viruses I had.
    Tried to use the utility you provided in order to boot in safe mode (I’ve lost it due to a virus), but when I press F8, I’m getting a regular boot.
    What could be wrong?
    In addition I’m not able to install Windows XP security updates. PC works fine , but security updates…..
    Any idea what to do?

    Comment by YP — Tuesday 8 January 2008 @ 19:33

  38. Thanks a bunch for the info. It worked great!

    Comment by KJ — Wednesday 9 January 2008 @ 1:05

  39. @YP
    If you mail me your exported Safeboot reg keys, I’ll have a look at them.

    Comment by Didier Stevens — Wednesday 16 January 2008 @ 20:31

  40. Thank you very much for your very useful information.
    The net is becoming step by step, time by time, ever more “degraded”: it’s always more difficult to find someone who uses his brains to solve problems.

    If I can add something to your post, I would advise people, when they install an OS, to install another clean copy on a separate partition and forget it, so that they can use it when they need it, as spare parts.
    Thank you again

    Comment by Ermanno — Saturday 9 February 2008 @ 16:24

  41. Stumbling on your page was a godsend. My w2k machine has been able to boot into Normal Mode but NOT Safe Mode for quite some time and I suspected a virus. I kept getting the Inaccessible Boot Device bluescreen and figured the mbr was infected but was reluctant to fiddle with this. I did a final google about the problem and found this site. I downloaded and installed your fix and can now finally boot into Safe Mode which will enable me to remove viruses and malware.

    Thanks 1000 times.

    Doug

    Comment by Doug — Tuesday 26 February 2008 @ 19:39

  42. Just to add another thank you to the list, I can now clean the bagle :)
    Will check more of the site, merci,
    Fab

    Comment by Fab — Thursday 6 March 2008 @ 18:35

  43. I don’t know if this is the right place to post but there seem to be a lot of satisfied commenters. My computer won’t boot in Safe Mode, but it also won’t boot in normal mode (even “last known good configuration”). More specifically, I can reach the login page, but the system logs out immediately after logging in. Possibly the reg keys would fix the problem, but I can’t figure out how to merge them without starting the OS. Any ideas?

    Comment by Chris — Wednesday 12 March 2008 @ 22:09

  44. I doubt that your problem is caused by a deleted Safeboot key. But if you want to try: boot from a Windows Live CD like UBCD4WIN, load the registry hive of the local machine, edit the reg file to point to the loaded hive and then merge it.

    Comment by Didier Stevens — Monday 17 March 2008 @ 22:34
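The "edit the reg file to point to the loaded hive" step in the comment above has one trap worth spelling out: CurrentControlSet is a link the kernel creates at boot to the control set named by the Current value (REG_DWORD) of HKLM\SYSTEM\Select, usually ControlSet001. A SYSTEM hive loaded from a boot CD under a temporary root has no such link, so a .reg file still naming CurrentControlSet creates keys in the wrong place. The script below is an added example, not code from the post or its comments; it rewrites every CurrentControlSet section header for an offline hive. The mount name `Offline`, the drive letter in the usage comment and the sample in the usage note are assumptions.

```python
"""Retarget a .reg file at a SYSTEM hive loaded offline (added example)."""
import re

# [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet...] section lines, including
# the [-key] deletion form; every other line is passed through untouched.
KEY_LINE = re.compile(
    r"^\[(-?)HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet(\\.*)?\]$", re.IGNORECASE
)


def retarget_reg(text, mount_root="Offline", control_set=1):
    """Rewrite CurrentControlSet key paths so they land in the loaded hive.

    mount_root is the name given to `reg load HKLM\\<mount_root> <hive file>`;
    control_set is the number read from the Current value of
    HKLM\\<mount_root>\\Select after loading (assumed 1 by default).
    Returns (new_text, number_of_rewritten_section_lines). Lines are
    rejoined with CRLF, as regedit writes them.
    """
    target = "HKEY_LOCAL_MACHINE\\%s\\ControlSet%03d" % (mount_root, control_set)
    out, rewritten = [], 0
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            out.append("[%s%s%s]" % (m.group(1), target, m.group(2) or ""))
            rewritten += 1
        else:
            out.append(line)
    return "\r\n".join(out) + "\r\n", rewritten


if __name__ == "__main__":
    import sys
    # Usage (paths assumed): python retarget.py SafeBoot-for-Windows-XP-SP2.reg > offline.reg
    # regedit 5.00 exports are UTF-16LE with a BOM; write the result the same
    # way so regedit/reg.exe on the boot CD accept it as-is.
    src = open(sys.argv[1], "rb").read().decode("utf-16")
    new_text, n = retarget_reg(src)
    sys.stdout.buffer.write(new_text.encode("utf-16"))
    print("rewrote %d key paths" % n, file=sys.stderr)
```

The offline sequence then is (drive letter and mount name assumed): `reg load HKLM\Offline D:\WINDOWS\system32\config\SYSTEM`, check `HKLM\Offline\Select` for the Current control set number and pass it as `control_set` if it is not 1, `reg import offline.reg`, and finally `reg unload HKLM\Offline` so the hive is written back to disk before rebooting. The rewrite deliberately touches only section headers: value data such as `"ImagePath"` strings that happen to contain the text CurrentControlSet is left alone.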

  45. Dear didier,

    I would like to enable direct cable connection. Even though I enabled the COM port, remote access and telephony, I cannot enable direct cable connection. Can you help?
    I can give more detailed info, if you are interested.

    fatih

    Comment by fatih — Sunday 23 March 2008 @ 16:30

  46. I think you must enable networking.

    Comment by Didier Stevens — Monday 31 March 2008 @ 18:27

  47. Thank you for the safe boot fix for xp, it worked.

    Comment by Len — Tuesday 15 April 2008 @ 14:11

  48. Many kudos for you, Didier.
    I have spent “gazillion” hours searching for a solution to the “STOP:………” error message I get when trying to boot in Safe Mode, alas, without success.
    Your fix worked!
    Amen

    Comment by Wojtek Sangowicz — Sunday 4 May 2008 @ 23:22

  49. did not work, no way to make it work

    Comment by julie — Monday 5 May 2008 @ 8:28

  50. Did you check if the Safeboot registry entries were created (and if they were missing in the first place)?

    Comment by Didier Stevens — Monday 5 May 2008 @ 10:31
