Thursday, July 3, 2008

Repairing Safe Mode

Cannot Boot into Safe Mode!

Restoring Safeboot Windows XP
Case 1

This post shows how to recover the Safeboot key (possibly deleted by a virus like the newest Bagle), not how to remove the malware.

If Windows hasn’t been rebooted since the infection and you haven’t made changes to your system configuration since the last boot, follow this procedure:

1. Reboot Windows. Enter the “Windows Advanced Options Menu” by pressing F8 twice after the BIOS splash screen.
2. Select “Last Known Good Configuration (your most recent settings that worked)”.
3. You can now reboot a second time and select Safe Mode.

Case 2

If Windows has been rebooted since the infection, follow this procedure:
1. Start System Restore (you can find it here: Start / All Programs / Accessories / System Tools / System Restore)
2. Select a restore point that predates the infection (i.e. the Safeboot key removal); this may require some trial and error if you don’t know exactly when the Safeboot key was deleted
3. Confirm the restore operation
4. Windows will perform a System Restore and reboot
5. Click OK
6. You can now reboot a second time and select Safe Mode

Case 3

If you’ve made changes to your system configuration that you want to keep, follow this procedure:

1. Follow the steps of case 2
2. Start regedit once you’ve booted in Safe Mode
3. Navigate to the “HKLM\System\CurrentControlSet\Control\Safeboot” key
4. Export the key (right-click export)
5. Start System Restore: Start / All Programs / Accessories / System Tools / System Restore
6. Select “Undo my last restoration”
7. Confirm the restore operation
8. Windows will perform a System Restore and reboot
9. Click OK
10. Select the Safeboot registry file you exported and Merge it to the registry (double click the file)
11. Confirm the merge
12. You can now reboot again and select Safe Mode.

Under normal conditions, when you hit the F8 key, Windows XP takes you to the boot menu screen. With this problem, you select Safe Mode, it scrolls through all the script briefly, and then kicks into regular boot mode! Normally, with Safe Mode, it scrolls through rows of script, stays still for a few moments, and then goes into Safe Mode (after a prompt).

If you are having trouble entering Safe Mode via the F8 method, you should not use the System Configuration Tool (msconfig) method to force the computer to start up in Safe Mode. (That method is: on Windows XP, type msconfig in the Run field and open the BOOT.INI tab; on Windows Vista, type msconfig in the Start Menu Search Box and open the Boot tab.)

Problems that can occur by forcing Safe Mode using the System Configuration Utility

It is possible to make your computer continuously boot up into safe mode using the System Configuration utility as described above. The program does this by changing your boot.ini file, the settings file that configures your computer's boot sequence, and adding the /safeboot argument to your operating system's startup line. An example of this can be seen below.

Original:

[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /FASTDETECT /NOEXECUTE=OPTIN

After using MsConfig.exe:

[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /FASTDETECT /NOEXECUTE=OPTIN /safeboot:minimal

When you are done using safe mode, you would then run the System Configuration utility again and uncheck the /Safeboot option, thus removing the /safeboot argument from the boot.ini file, and allowing your computer to boot up normally.
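As an added example (not part of the original post), the Python sketch below shows that change at the file level: it finds [operating systems] entries that carry a /safeboot switch and returns the text with only that switch removed. The sample boot.ini, including its [boot loader] section, is constructed for illustration, and the function names are this example's own.

```python
import re

# Matches the switch with any argument: /safeboot:minimal, /SAFEBOOT:NETWORK,
# /safeboot:minimal(alternateshell). Other switches on the line are left alone.
SAFEBOOT_RE = re.compile(r"\s*/safeboot(?::[^\s/]*)?", re.IGNORECASE)

# Constructed sample in the layout shown above.
BOOT_INI_SAMPLE = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Professional"'
    " /FASTDETECT /NOEXECUTE=OPTIN /safeboot:minimal\r\n"
)


def _entries(text):
    """Yield (line_number, line, in_os_section) for every line of boot.ini."""
    section = None
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
            yield number, line, False
        else:
            yield number, line, section == "operating systems"


def find_safeboot_entries(text):
    """Return (line_number, line) for each OS entry that forces Safe Mode."""
    return [(n, line) for n, line, in_os in _entries(text)
            if in_os and SAFEBOOT_RE.search(line)]


def strip_safeboot(text):
    """Return boot.ini text with /safeboot removed from OS entries only."""
    lines = [SAFEBOOT_RE.sub("", line) if in_os else line
             for _, line, in_os in _entries(text)]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for number, line in find_safeboot_entries(BOOT_INI_SAMPLE):
        print("line %d forces Safe Mode: %s" % (number, line))
    print(strip_safeboot(BOOT_INI_SAMPLE))
```

Run it against a copy of boot.ini and compare the output with the original before replacing anything.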

On a computer that is operating properly this is normally not a problem. Unfortunately, though, a new trick that some of the more recent malware uses is to delete certain Windows Registry keys so that your computer cannot properly boot into safe mode. It is in these situations that using the System Configuration utility to boot into safe mode can cause the computer to become inoperable for many users.

This is because once you set the computer to boot into Safe Mode using /Safeboot, it will continuously attempt to start Safe Mode until the /safeboot argument is removed from the boot.ini. Since the malware is not allowing us to actually boot into safe mode, you have no way of getting to a point where you can run the System Configuration utility again to uncheck the /Safeboot option. Thus, you are stuck with a computer constantly attempting to get into safe mode and not being able to do so.

If a situation like this has happened to you it is possible to fix this problem by renaming your boot.ini file. The first step would be to use a boot disk to start your computer. If your computer does not have a floppy disk, then you can typically boot off the Windows CD that came with your computer in order to access the Windows Recovery Console. More information about the Windows Recovery Console can be found here. Once booted to a command prompt, you would simply rename your C:\Boot.ini file to another name like C:\Boot.ini.bak. The command to rename the file at the command prompt is:

ren C:\Boot.ini Boot.ini.bak

Once the file is renamed, you can then remove the boot disk and reboot your computer to get back to normal mode. When booting up after the rename, do not be surprised if you see an error stating that you do not have a valid Boot.ini file. When you get back to normal Windows mode, you can then rename C:\Boot.ini.bak to C:\Boot.ini and run Msconfig again to remove the /safeboot flag.

Download the following registry files and double-click them to install/merge them into the registry. This will restore Safe Mode to its normal working state.
SafeBoot-for-Windows-2000-SP4-Professional and SafeBoot-for-Windows-XP-SP2
The registry keys needed to boot into Safe Mode are under the SafeBoot key.
Delete this key first and replace it with the given Safe Boot registry file.

Download Safe Boot Registry files

If necessary, repair all system files: go to Start / Run and type (or paste in): SFC /SCANNOW
(The Windows system CD is required.)

If the above doesn't work, try restoring Safe Mode with a .REG file and a Live CD: boot from a Live CD, load the HKLM registry hive and merge the missing SafeBoot keys.
To avoid interference by the malware, boot from a Live CD and then fix the registry.
Booting from a Live CD means booting a clean OS from the CD, which prevents the malware from running and interfering with the rescue operation.

The configuration of the machine you’re fixing might be different: the system directory could be on a drive other than C, you might need to fix ControlSet002 instead of ControlSet001, …
1) Make a backup first. See Acronis True Image Home
2) Copy the respective reg file (downloaded from above) to your C:\ drive (for example SafeBoot-for-Windows-XP-SP2.reg for XP SP2).
Shut down the PC and start from a Windows Live CD, like the Ultimate Boot CD For Windows, or download Win XP Live CD with Kaspersky Anti-Virus 2009 or Windows XP Pro LIVE CD (Portable).

See Download Utility: µTorrent file download
- Burn the ISO to a blank CD with CDBurnerXP Pro or another app

1. Rename USB stick through file HPUSBFW.exe and format with FAT file system (HP USB Disk Storage Format Tool Version 2.0.6; it can format a USB stick and make it bootable).
2. Copy all the files from a folder on USB stick.
3. Reboot the computer.
4. In BIOS or through Quick-boot menu choose boot from the USB.

Start RegEdit.
Select HKEY_LOCAL_MACHINE, and load the hive file C:\WINDOWS\system32\config\system (File / Load Hive…).
Name the loaded hive FixSafeboot.
Open the key HKLM\FixSafeboot\ControlSet### which is lacking the Safeboot key (there could be more than one ControlSet key you want to fix).
If the SafeBoot key is not missing (or the keys beneath it), you’re either looking in the wrong place or you’re not dealing with a corrupted SafeBoot key (in which case applying this procedure is useless).
If you’re not sure which ControlSet### to fix, take a peek at the value of Current in the Select key.
For example, if the value for Current is 1, it’s ControlSet001 which will be used when the system boots, and that’s the one we want to fix.
Open C:\SafeBoot-for-Windows-XP-SP2.reg (the one you copied on the C:\ drive) with notepad.
Perform a search and replace: replace SYSTEM\CurrentControlSet with FixSafeboot\ControlSet### (### being the number of the ControlSet you want to fix, like 001). Save the modified reg file.
Import the reg file C:\SafeBoot-for-Windows-XP-SP2.reg with regedit (File / Import…).
Check that the SafeBoot key has been added.
Select the FixSafeboot key and unload it (File / Unload Hive…).
Shut down the PC and start in Safe Mode (F8).
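The search-and-replace step can also be scripted; this added example (not from the original post) retargets a .reg file at the loaded hive. It assumes the hive name FixSafeboot and the ControlSet number read from the Select key's Current value, rewrites only key-path lines, and keeps the file's encoding (regedit 5.00 exports are UTF-16 with a byte-order mark, REGEDIT4 files are ANSI). The sample key name is constructed.

```python
import re

# Key-path lines only: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\...]
# (or [-HKEY_...] deletion lines). Value lines never start with "[".
CCS_RE = re.compile(
    r"^(\[-?HKEY_LOCAL_MACHINE\\)SYSTEM\\CurrentControlSet(?=[\\\]])", re.IGNORECASE
)

# Constructed sample; "ExampleDriver.sys" is a placeholder, not a real SafeBoot entry.
REG_SAMPLE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
    "\\Minimal\\ExampleDriver.sys]\r\n"
    '@="Driver"\r\n'
)


def decode_reg(raw):
    """Return (text, encoding) for the raw bytes of a .reg file."""
    if raw.startswith(b"\xff\xfe"):           # UTF-16 LE byte-order mark
        return raw[2:].decode("utf-16-le"), "utf-16-le"
    return raw.decode("cp1252"), "cp1252"      # assumption: Western ANSI code page


def retarget_reg(raw, hive_name, control_set):
    """Rewrite key paths to HKLM\\<hive_name>\\ControlSetNNN; return (bytes, lines_changed)."""
    if not 1 <= control_set <= 999:
        raise ValueError("ControlSet number must be between 1 and 999")
    text, encoding = decode_reg(raw)
    target = "%s\\ControlSet%03d" % (hive_name, control_set)
    out, changed = [], 0
    for line in text.splitlines():
        # A function replacement avoids backslash-escape processing of the target.
        new = CCS_RE.sub(lambda m: m.group(1) + target, line)
        changed += new != line
        out.append(new)
    body = ("\r\n".join(out) + "\r\n").encode(encoding)
    return (b"\xff\xfe" + body if encoding == "utf-16-le" else body), changed


if __name__ == "__main__":
    raw = b"\xff\xfe" + REG_SAMPLE.encode("utf-16-le")
    fixed, count = retarget_reg(raw, "FixSafeboot", 1)
    print(count, "key path(s) rewritten")
    print(decode_reg(fixed)[0])
```

A count of zero means the file contained no SYSTEM\CurrentControlSet key paths, so importing it would not touch the loaded hive.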

If you still can’t boot into Safe Mode, you’re either facing a problem other than Safe Mode disabling malware, or the malware operates early in the boot process and interferes with Safe Mode booting. If you suspect malware, try scanning with a Live CD with an anti-virus scanner, like the F-Secure Rescue CD.
See also Restoring Safe Mode affected by Virus
See also Avast CD ROM Bart
