Booting in Safe Mode


  • Booting in Safe Mode

    Hi
    The usual way to get into Safe Mode is to Start/Restart your computer and during the Start Up - tap the key F8 repeatedly
    This will normally bring up the possibility to choose what kind of Start Up you want.

    There will also - if you notice the screen during Start Up - be information about what key to press to get into the Start Up configuration or alternatively the Bios. Press the key mentioned there according to what you want to accomplish.
    (the different manufacturers select different keys unfortunately - some use F1, F2, Esc, Del or even others, but usually F8 (repeatedly) works)

    A foolproof way (unless a virus has blocked access) of getting into Safe Mode is to write msconfig in Run and then choose the tab Boot.ini and there choose the Start Up Mode Safe Mode (then restart)
    After you have accomplished what you set out to do in Safe Mode go back to msconfig and set it to start up normally (check if it has removed the mark in Safe Mode in Boot.ini )
    (then restart)

    Cheers
    solbjerg
    太阳山 (solbjerg)
    Ceterum censeo Usage of IObit Products esse legendum
    (Furthermore I think that Usage of IObit Products must be read)
    Itemized subjects Table of content
    In relation to defragmentation Think about defragmentation
    Clean Install concept Clean Install
    Introduction to the Forum Forum Guidelines

  • #2
    solbjerg

    Good tip thanks



    • #3
      Hi solbjerg :smile:

      A few observations, if I may :

      - The "Boot.ini" option via msconfig only appears on XP systems (and older). You won't have it on Vista or Win7 because they use the newer bootloader, not the Boot.ini file.
      - As a rule, I never suggest using msconfig to get into Safe Mode, because you could put the machine in a reboot loop if malware has deleted the SafeBoot keys (it happens a lot). If the keys are gone and you tick "/SAFEBOOT" from the Boot.ini tab, the machine will be stuck in a loop, guaranteed. The only way out is to rebuild Boot.ini from Recovery Console, or a format for those less technically inclined, not being guided by someone who knows...

      Tapping the F8 key will work on most machines. Some newer motherboards need F5 (some by ASUS, for example).
      If F8 and F5 don't work, read the manual, but don't go into msconfig unless you are 100% sure your SafeBoot keys are there.

      Edit to add : if F8 and F5 don't work to get you in Safe Mode, it would be very wise to suspect an infection. Get help on a malware removal forum. Machine will need to be disinfected and then the SafeBoot keys (in the registry) need to be fixed/replaced.

      Hope that helps (and prevents mistakes).

      ===
      Last edited by So_sad; Mar. 16th, 2010, 17:55. Reason: see above
      Is it winter yet ?



      • #4
        Hi So_sad
        Of course you may
        The more knowledge - the better.
        Thanks!
        Cheers
        solbjerg
        p.s. I came across this link with a possible solution to missing safeboot keys:
        http://blog.didierstevens.com/2010/0...-safeboot-key/




        • #5
          That's an interesting link ! 8-)

          I'm not that interested in the part about fixing/replacing the keys, because I already have a technique for that, but I love the part about restoring the keys with changed permissions, protecting them from further deletion while malware is actively trying to delete the keys :-D

          I have such malware lying around on the test machine, so I'll give it a whirl later on. This malware actively monitors and deletes SafeBoot keys because we can easily get rid of it from Safe Mode ; not so in Normal Mode.

          Should be fun ! I'll let you know how it turns out.

          It doesn't seem to run on Vista/7 though ; too bad. Perhaps an update will cure that.

          Stay tuned. Tomorrow maybe.



          • #6
            hi So_sad
            Looking forward to hearing about it, sir!
            I will take another look to see if there is a version for Vista and 7 somewhere - probably also tomorrow
            Cheers
            solbjerg





            • #7
              Well now... the little program works as advertised :mrgreen:

              But please consider that :

              - I'm playing with robust infections on a test machine, and I kinda know what I'm doing, so please don't try this at home lol.

              - This infection is very difficult to remove, partly because Safe Mode doesn't work and protections are really well built, so cleaning from Normal Mode requires a lot of muscle (we have tools). Getting it from Safe Mode is easy pickings, which is why they don't want us to go into Safe Mode.

              I ran the infection, which deleted the SafeBoot keys immediately. Guards are in place to prevent us from simply re-installing them, by deleting them as soon as you try.

              I then ran the little thing from your link, then I merged the appropriate XP SP3 sub keys (all Minimal and Network keys). Rebooted into Safe Mode without a problem, infection very much active. The rest was easy.

              I wouldn't recommend this for just anybody though. Changing permissions on system registry keys is no joke, and could cause problems down the road. This program doesn't offer a way to revert, meaning you can't go back to having keys with default permissions easily ; you would need to tamper with permissions manually, then delete the keys and rebuild. Not impossible to do, but risky for many users. What the program does is basically strip System and Administrators rights to delete the SafeBoot key, but I haven't checked in depth to see what's left (we see "Special" on the guy's blog, that's it). As far as my machine is concerned, I had backed up the key prior to testing and have reverted to default now.

              Might come in handy when dealing with new infections though.

              I learn something new every day :wink:



              • #8
                Hi So_sad
                Thanks for checking it out!!
                I haven't found anything for Vista and 7 - I am sorry to say.
                But it isn't too difficult to do by hand, so can't one just do it by hand in those Operating Systems? (I only have XP )!!
                And then after cleaning out the viruses in Safe Mode go back and change it back into default - if you foresee problems by leaving them as they are?
                What problems by the way?
                Cheers
                solbjerg




                • #9
                  Hi solbjerg :smile:

                  For Vista/7, I've never edited key permissions manually myself, but have done it with other means (cacls works fine). I wouldn't recommend this though, unless the circumstances were severe enough to warrant such a delicate procedure. With the infections I know to delete SafeBoot keys, we have methods to overcome the obstacles, in Normal Mode.

                  As far as backing up the key goes, it wouldn't be possible on infected machines because the whole key gets deleted. The only way to revert would be to get an export of the key - and sub keys - from a similar machine, with the same OS and same Service Pack.
                  If you are just testing then yes, exporting the key first would work.

                  Possible problems with modified key perms : many third party applications (programs) write sub keys for Safe Mode operation, so I'm not sure what can and cannot be done by those programs once permissions are altered. Not just for operating (the programs), but also when the time comes to uninstall such a program, where the routine would look to delete its sub keys. Permissions on the sub keys don't appear to be inherited from the parent (SafeBoot) key, but we'd need to investigate to be sure. The author should have explained this more clearly.

                  For now, running this thing for prevention wouldn't do much, because the infections capable of deleting the keys would still install and require heavy duty disinfection, by tools that are already capable of doing the job in Normal Mode.

                  I realize this is pretty technical stuff... but in real life, I don't see much use for this other than knowing it can be done. It was fun for me to try, but the outcome is no different, with or without Safe Mode.

                  That's about it :wink:
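
One way to run the check So_sad describes in #3 (confirm the SafeBoot keys are present before forcing Safe Mode from msconfig) and to look at the permission and inheritance questions raised in #7 and #9. This is an added example, not code from the thread or from the linked blog; it only reads the registry, assumes the standard key path `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot`, and its function names are made up for this illustration.

```powershell
# Added example, read-only: nothing here writes to the registry.
# Assumption: SafeBoot sits at its standard location in the current control set.
$SafeBootPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

function Test-SafeBootKeys {
    param([string]$Root = $SafeBootPath)
    # Minimal and Network are the two option sets named in the thread.
    foreach ($name in 'Minimal', 'Network') {
        $path    = Join-Path $Root $name
        $present = Test-Path -Path $path
        $count   = 0
        if ($present) {
            $count = @(Get-ChildItem -Path $path -ErrorAction SilentlyContinue).Count
        }
        New-Object PSObject -Property @{
            Key     = $name
            Present = $present
            SubKeys = $count
            # A missing or empty option set gives Safe Mode nothing to load.
            Usable  = ($present -and $count -gt 0)
        }
    }
}

function Get-SafeBootAclReport {
    param([string]$Root = $SafeBootPath)
    # DELETE (0x10000) plus GENERIC_ALL (0x10000000), which implies delete.
    $deleteMask = 0x10000 -bor 0x10000000
    # Parent key plus its direct sub keys, to see what each one inherits.
    $keys = @($Root) + @(Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
                         ForEach-Object { $_.PSPath })
    foreach ($key in $keys) {
        $acl = Get-Acl -Path $key -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable key: skip rather than guess
        foreach ($rule in $acl.Access) {
            New-Object PSObject -Property @{
                Key                = Split-Path $key -Leaf
                Identity           = $rule.IdentityReference.Value
                Type               = $rule.AccessControlType   # Allow or Deny
                CoversDelete       = (([int]$rule.RegistryRights -band $deleteMask) -ne 0)
                Inherited          = $rule.IsInherited
                # True when the key no longer takes rules from its parent.
                InheritanceBlocked = $acl.AreAccessRulesProtected
            }
        }
    }
}

# Pre-flight: only consider /SAFEBOOT in msconfig if both option sets are usable.
$status = @(Test-SafeBootKeys)
$status | Format-Table Key, Present, SubKeys, Usable -AutoSize
if (@($status | Where-Object { -not $_.Usable }).Count -gt 0) {
    Write-Warning 'SafeBoot keys are missing or empty: do not set /SAFEBOOT in msconfig.'
}

# Permission view: who holds delete rights, and whether sub keys inherit them.
Get-SafeBootAclReport |
    Format-Table Key, Identity, Type, CoversDelete, Inherited, InheritanceBlocked -AutoSize
```

Run it from an elevated prompt; keys the account cannot read are skipped rather than reported.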



                  • #10
                    OK So_sad
                    Thanks for elaborating.
                    I can see that I will have to study quite a bit to catch up.
                    I will leave it for the time being
                    Cheers
                    solbjerg



                    • #11
                      Hi solbjerg,

                      If you are going to look into this a little further, just know that something I said yesterday was a load of bull : I did use cacls on Vista and Win7 but not for registry keys... I wrote that part too quickly. It was used for files and directories. For the registry, you need something else but I won't get into that because I don't want folks to experiment with dangerous tools lol. You can edit permissions manually though, but I have to stress again that you need to know how to do it safely (making backups first, etc...).



                      • #12
                        Hi So_sad
                        Sure - good advice!
                        I will edit my post a bit accordingly.
                        Thanks!
                        Cheers
                        solbjerg




                        • #13
                          I just recently looked at an ASUS netbook. It is the same F8 to go to SafeMode; however, after pressing F8 nothing happens.

                          Then I find out that after pressing F8, you have to press F1 to confirm your choice. Or else it'll stay at a list of choices for you to change your choice. :mrgreen:

                          Bottom line. Two Keys required to go into Safe Mode.
                          F8 then F1



                          Cheers.
                          Usage of IObit Products
                          Clean Install for IObit Softwares



                          • #14
                            BootSafe

                            Does anyone use Bootsafe that comes included with SuperAntispyware ?
                            This is only handy if you know you want to boot into a Safe Mode at the next boot. The options are:
                            • Normal Restart
                            • Safe Mode - Minimal
                            • Safe Mode - Networking
                            • Safe Mode - Directory Services Repair


                            I extracted a copy of it (it can be portable) and put it on my USB FlashDrive.
                            Just recently I was checking a friend's NoteBook and asked them the key procedure to boot into SafeMode, they looked at me and said "what ?" :roll:
                            Rather than read the manual I just used Bootsafe :-D

                            By the way, we did eventually read the manual and I insisted they memorize the procedure, just in case :mrgreen:

                            All the best, woz of oz
                            FORUM USAGE GUIDELINES - Read this first
                            Description of IObit Forum features and requirements - Reading this is compulsory



                            • #15
                              Hi woz
                              Great!!
                              Good addition to the thread!!
                              Thanks!
                              Cheers
                              solbjerg

