CastleCops, Internet Crime Fighters
Ultimate Safemode
nosirrah (Security Expert, Special Response Team)

PostPosted: Wed Aug 16, 2006 2:13 am    Post subject: Ultimate Safemode

Directions for ultimate safemode

1. Enable task scheduler in safemode

Create a .txt file, open it and copy and paste:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Schedule]
@="Service"

into it. Close and save the changes. Rename it to task.reg. Double click the file and click Yes, OK to accept the changes.

2. Reboot into safemode

Reboot and tap F8 while booting. At the safemode menu select safemode from the menu. If prompted, select Administrator to log in.

3. Shut down unnecessary tasks.

Press Ctrl+Alt+Delete. Click the Processes tab. Right click each process and select End Process Tree EXCEPT:

taskmgr.exe
explorer.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

Ignore the ones that won't close or reappear.

4. Shut down explorer and log into the system account.

Note the time on the clock. Right click explorer and select End Process Tree (from Windows Task Manager). Click File, New Task (Run...), type cmd and press Enter. At the command prompt type "at xx:xx /interactive cmd.exe" (without the quotes) and press Enter (xx:xx is the time you noted, in 24 hour notation, plus 2 minutes). Type exit and press Enter. Close Windows Task Manager. Wait for the new command prompt to appear.

Anything that is executed from that prompt will be running in the maximum clean environment with the maximum authority.

This is the ideal environment to run antimalware apps in. Note your antimalware apps' exact paths, write them down and enter the paths at the command prompt.

Example: C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe

50% of these instructions were borrowed from here: CastleCops Link/t107505-Run_Antispyware_as_the_System_account.html

mrsugg (Special Response Team, Premium Member)

PostPosted: Sun Oct 15, 2006 4:40 am    Post subject:

Hi all,
A few questions before I begin this procedure.

Quote:
1. Enable task scheduler in safemode

Create a .txt file, open it and copy and paste:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Schedule]
@="Service"

into it. Close and save the changes. Rename it to task.reg. Double click the file and click Yes, OK to accept the changes.

What does that code do, exactly?

Quote:
Press Ctrl+Alt+Delete. Click the Processes tab. Right click each process and select End Process Tree EXCEPT:

taskmgr.exe
explorer.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

Which svchost should I leave running? I usually have 5 at a time.

Shut down explorer?
Quote:
4. Shut down explorer and log into the system account.

How do I do that?

I have the target paths to my software saved in a WordPad document so I can just copy/paste them at the cmd prompt in the system account when I run the apps from my administrator desktop. Will I be able to do this when only those few processes are running, or do I need to print a hard copy?

Just out of curiosity, what is the difference between the system account and the administrator account?
Quote:
At the safemode menu select safemode from the menu. If prompted, select Administrator to log in.

Thanks.


_________________
"We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness." -- Thomas Jefferson
nosirrah (Security Expert, Special Response Team)

PostPosted: Sun Oct 15, 2006 11:47 am    Post subject:

Quote:
Hi all,
A few questions before I begin this procedure.
Quote:
1. Enable task scheduler in safemode

Create a .txt file, open it and copy and paste:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Schedule]
@="Service"

into it. Close and save the changes. Rename it to task.reg. Double click the file and click Yes, OK to accept the changes.

What does that code do, exactly?

It enables task scheduler to run in safemode. You mentioned that logging into safemode prevented the system account log in trick from running. This allows the combination of safemode and the system account log in.

Quote:
Quote:
Press Ctrl+Alt+Delete. Click the Processes tab. Right click each process and select End Process Tree EXCEPT:

taskmgr.exe
explorer.exe
svchost.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

Which svchost should I leave running? I usually have 5 at a time.

Leave all of them. If you shut down the wrong one the system will shut down. This step just tries to get anything that is running in the background cleared up before we begin.

Quote:
How do I do that?

I have the target paths to my software saved in a WordPad document so I can just copy/paste them at the cmd prompt in the system account when I run the apps from my administrator desktop. Will I be able to do this when only those few processes are running, or do I need to print a hard copy?

Just out of curiosity, what is the difference between the system account and the administrator account?

I will be posting better instructions shortly. I found a way to log into the system desktop. This will allow you to run all of your applications the regular way.

nosirrah (Security Expert, Special Response Team)

PostPosted: Sun Oct 15, 2006 12:06 pm    Post subject:

Directions for ultimate safemode

1. Enable task scheduler in safemode

Create a .txt file, open it and copy and paste (only the green part):

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Schedule]
@="Service"

into it. Close and save the changes. Rename it to task.reg. Double click the file and click Yes, OK to accept the changes.

2. Reboot into safemode

Reboot and tap F8 while booting. At the safemode menu select safemode from the menu. If prompted, select Administrator to log in.

3. Shut down unnecessary tasks.

Press Ctrl+Alt+Delete. Click the Processes tab. Right click each process and select End Process Tree EXCEPT:

taskmgr.exe
explorer.exe
svchost.exe (all of them)
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

Ignore the ones that won't close or reappear.

4. Shut down explorer and log into the system account.

Note the time on the clock. Right click explorer and select End Process Tree (from Windows Task Manager). Click File, New Task (Run...), type cmd and press Enter. At the command prompt type "at xx:xx /interactive cmd.exe" (without the quotes) and press Enter (xx:xx is the time you noted, in 24 hour notation, plus 2 minutes). Type exit and press Enter. Close Windows Task Manager. Wait for the new command prompt to appear. Now type explorer and press Enter (you can close the command prompt now). You will now be logged into the system desktop. None of your shortcuts will exist here, so you will have to navigate to the programs folder (C:\programs) to run your antimalware applications. You will also have access to every file and folder on your system. For example, you can open the System Volume Information folder from this mode and manually delete your old restore points or manually back them up.

****DO NOT INSTALL ANYTHING FROM THE SYSTEM DESKTOP (ONLY RUN EXISTING APPLICATIONS). DOING SO WILL PREVENT APPLICATIONS FROM FUNCTIONING PROPERLY UNDER ALL OTHER ACCOUNTS. ALSO DO NOT SURF THE INTERNET FROM HERE (IF YOU CHOSE SAFEMODE WITH NETWORKING). IF MALWARE INSTALLS UNDER THE SYSTEM ACCOUNT IT WILL HAVE FAR MORE AUTHORITY OVER YOUR SYSTEM THAN IT WOULD NORMALLY HAVE.****

mrsugg (Special Response Team, Premium Member)

PostPosted: Sun Oct 15, 2006 3:11 pm    Post subject:

Hi nosirrah,

Thanks for the updated information. That helps. You left out one question. What is the difference between the system account and the administrator account (as logged into during safemode)?

Thank you.


nosirrah (Security Expert, Special Response Team)

PostPosted: Sun Oct 15, 2006 4:27 pm    Post subject:

The system account has access to each and every file on the system. Scanning from the system account will allow scanning of every account on the system (including the admin account).

To see the access difference in action do this (you will have to set hidden and system files as shown to do this test):

Boot into safemode as administrator. Open C:\System Volume Information. It won't work.

Boot into safemode as administrator and follow my instructions to access the system desktop. Open C:\System Volume Information. The door is now open.

Any file or folder that will give access denied errors in the admin account will be open to you (and any scanner) from the system account.

There are also other advantages to the system desktop. You can create files here and use the Security tab (XP Home can only access the Security tab from safemode) to set their access rights to the system account only. From that point on only the system desktop can be used to open, edit or delete these files. It is a good way to prevent other users from deleting or undoing your work. From the system account you can also use the Security tab to take ownership of any file or folder on the system and then give any other user full access to that file or folder. You can use this trick to leave a password on an account but give other accounts access to only certain files and folders.

I have been experimenting with the system desktop only for a short time myself. There may be other useful discoveries waiting for someone to stumble onto. You seem to know what you are doing and have an inquisitive personality like myself, so go do some exploring. I did not look up how to add the task scheduler to safemode; I figured it out for myself through trial and error. It feels awesome when you discover something like this. We are in an interesting and not well documented area of Windows functionality; who knows what we will find.

BTW I have noticed you helping out in the forums. Keep up the good work. We can always use more guys like you.

mrsugg (Special Response Team, Premium Member)

PostPosted: Sun Oct 15, 2006 4:55 pm    Post subject:

Hi nosirrah,
What I know how to do, I do well. All the other stuff, I ask questions. There is a lot about computers that I don't know, but I am learning.
Thank you for the lesson. And thank you for the thank you! Glad to help.


mrsugg (Special Response Team, Premium Member)

PostPosted: Mon Oct 16, 2006 9:05 pm    Post subject:

Hi nosirrah,
Ok, why can't I figure this out?

Boot into safemode..........check!
create .txt file..........right click desktop>new>Text document....check!
copy/paste green text............check!
close and save changes...........check!
rename to task.reg...........check!

double click file and click yes to accept changes? It doesn't do that. It just opens the file. Am I doing something wrong?

I am posting this here (instead of a pm) so that others might learn from my..., how do you say?, doh!

Thanks.


nosirrah (Security Expert, Special Response Team)

PostPosted: Mon Oct 16, 2006 9:27 pm    Post subject:

Code:
Open My Computer.

Click Tools, Folder Options, View.

Uncheck "Hide extensions for known file types." and click Apply and then OK.

Do this first. I will add it to my instructions. I left it out accidentally.

What is happening is that the hidden extension is keeping this from becoming a true .reg file.

nosirrah (Security Expert, Special Response Team)

PostPosted: Mon Oct 16, 2006 9:31 pm    Post subject:

Directions for ultimate safemode

1. Enable task scheduler in safemode

Open My Computer.

Click Tools, Folder Options, View.

Uncheck "Hide extensions for known file types." and click Apply and then OK.

Create a .txt file, open it and copy and paste (only the green part):

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Schedule]
@="Service"

into it. Close and save the changes. Rename it to task.reg. Double click the file and click Yes, OK to accept the changes.

2. Reboot into safemode

Reboot and tap F8 while booting. At the safemode menu select safemode from the menu. If prompted, select Administrator to log in.

3. Shut down unnecessary tasks.

Press Ctrl+Alt+Delete. Click the Processes tab. Right click each process and select End Process Tree EXCEPT:

taskmgr.exe
explorer.exe
svchost.exe (all of them)
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

Ignore the ones that won't close or reappear.

4. Shut down explorer and log into the system account.

Note the time on the clock. Right click explorer and select End Process Tree (from Windows Task Manager). Click File, New Task (Run...), type cmd and press Enter. At the command prompt type "at xx:xx /interactive cmd.exe" (without the quotes) and press Enter (xx:xx is the time you noted, in 24 hour notation, plus 2 minutes). Type exit and press Enter. Close Windows Task Manager. Wait for the new command prompt to appear. Now type explorer and press Enter (you can close the command prompt now). You will now be logged into the system desktop. None of your shortcuts will exist here, so you will have to navigate to the programs folder (C:\programs) to run your antimalware applications. You will also have access to every file and folder on your system. For example, you can open the System Volume Information folder from this mode and manually delete your old restore points or manually back them up.

****DO NOT INSTALL ANYTHING FROM THE SYSTEM DESKTOP (ONLY RUN EXISTING APPLICATIONS). DOING SO WILL PREVENT APPLICATIONS FROM FUNCTIONING PROPERLY UNDER ALL OTHER ACCOUNTS. ALSO DO NOT SURF THE INTERNET FROM HERE (IF YOU CHOSE SAFEMODE WITH NETWORKING). IF MALWARE INSTALLS UNDER THE SYSTEM ACCOUNT IT WILL HAVE FAR MORE AUTHORITY OVER YOUR SYSTEM THAN IT WOULD NORMALLY HAVE.****

mrsugg (Special Response Team, Premium Member)

PostPosted: Mon Oct 16, 2006 9:35 pm    Post subject:

Thanks nosirrah

Poke


mrsugg (Special Response Team, Premium Member)

PostPosted: Mon Oct 16, 2006 10:39 pm    Post subject:

Ok, so that worked. Thanks. Now I have another issue. When I type:

"at xx:xx /interactive cmd.exe" >enter (from administrator account cmd prompt in safemode). The next line says "The service is not started." I had to hard boot. Twice (cause the first time I thought maybe I typed the time incorrectly.) Is one of the services that I have disabled responsible for this?

Help. Thank you.


nosirrah (Security Expert, Special Response Team)

PostPosted: Mon Oct 16, 2006 11:39 pm    Post subject:

There may be a need to go to the Services control panel from the admin account while in safemode and set that service to Automatic.

Do this:

Boot into safemode and log in as administrator.

Go to Start, Run, type services.msc and press Enter.

Scroll down to Task Scheduler and double click it.

Change its startup type to Automatic, click Apply and then reboot.

nosirrah (Security Expert, Special Response Team)

PostPosted: Mon Oct 16, 2006 11:47 pm    Post subject:

Directions for ultimate safemode

1. Enable task scheduler in safemode.

Open My Computer.

Click Tools, Folder Options, View.

Uncheck "Hide extensions for known file types." and click Apply and then OK.

Create a .txt file, open it and copy and paste (only the green part):

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Schedule]
@="Service"

into it. Close and save the changes. Rename it to task.reg. Double click the file and click Yes, OK to accept the changes.

2. Reboot into safemode and set task scheduler to automatic.

Reboot and tap F8 while booting. At the safemode menu select safemode from the menu. If prompted, select Administrator to log in.

Go to Start, Run, type services.msc and press Enter.

Scroll down to Task Scheduler and double click it.

Change its startup type to Automatic, click Apply and then reboot into safemode. Log in as administrator.

3. Shut down unnecessary tasks.

Press Ctrl+Alt+Delete. Click the Processes tab. Right click each process and select End Process Tree EXCEPT:

taskmgr.exe
explorer.exe
svchost.exe (all of them)
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
System
System Idle Process

Ignore the ones that won't close or reappear.

4. Shut down explorer and log into the system desktop.

Note the time on the clock. Right click explorer and select End Process Tree (from Windows Task Manager). Click File, New Task (Run...), type cmd and press Enter. At the command prompt type "at xx:xx /interactive cmd.exe" (without the quotes) and press Enter (xx:xx is the time you noted, in 24 hour notation, plus 2 minutes). Type exit and press Enter. Close Windows Task Manager. Wait for the new command prompt to appear. Now type explorer and press Enter (you can close the command prompt now). You will now be logged into the system desktop. None of your shortcuts will exist here, so you will have to navigate to the programs folder (C:\programs) to run your antimalware applications. You will also have access to every file and folder on your system. For example, you can open the System Volume Information folder from this mode and manually delete your old restore points or manually back them up.

****DO NOT INSTALL ANYTHING FROM THE SYSTEM DESKTOP (ONLY RUN EXISTING APPLICATIONS). DOING SO WILL PREVENT APPLICATIONS FROM FUNCTIONING PROPERLY UNDER ALL OTHER ACCOUNTS. ALSO DO NOT SURF THE INTERNET FROM HERE (IF YOU CHOSE SAFEMODE WITH NETWORKING). IF MALWARE INSTALLS UNDER THE SYSTEM ACCOUNT IT WILL HAVE FAR MORE AUTHORITY OVER YOUR SYSTEM THAN IT WOULD NORMALLY HAVE.****



Last edited by nosirrah on Mon Oct 16, 2006 11:51 pm, edited 1 time in total
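The SafeBoot\Minimal key that step 1 edits decides which services and drivers are allowed to start in Safe Mode, so the same key is worth auditing on a machine you are cleaning: anything listed there survives a Safe Mode boot, whether the user put it there (like the Schedule entry above) or something else did. The script below is an added example, not code from this thread or from CastleCops. It parses a "Windows Registry Editor Version 5.00" export of that key, the same format as task.reg, and reports every subkey whose default value is not in a baseline you supply. The export text, the baseline and the UnknownSvc entry are constructed for the demo; the baseline is a small hypothetical subset, not the full stock XP list.

```python
"""Audit a .reg export of HKLM\\...\\SafeBoot\\Minimal against a baseline.

Added example for the CastleCops "Ultimate Safemode" thread; not the
thread's own code. SafeBoot\\Minimal subkeys carry a default value of
"Service", "Driver" or "Driver Group", and each one permits the named
service, driver or load-order group to start in Safe Mode.
"""
import re

SAFEBOOT_MINIMAL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

# Constructed sample export: what a text export of the key might contain
# after the thread's task.reg has been merged, plus one unexpected entry.
# A real "reg export" file is UTF-16LE with a BOM; decode it before parsing.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Schedule]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\UnknownSvc]
@="Service"
'''

# Constructed baseline: a hypothetical subset of the stock entries.
# In practice, build this from a known-clean machine of the same OS version.
BASELINE = {"Base": "Driver Group", "EventLog": "Service"}

SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"\s*$')


def parse_reg_export(text):
    """Return {subkey_name: default_value} for subkeys under SafeBoot\\Minimal.

    Only the default value (@=) is tracked, because that is the value
    SafeBoot consults. Keys outside SafeBoot\\Minimal are ignored.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Windows Registry Editor Version 5.00 export")
    entries = {}
    current = None
    prefix = SAFEBOOT_MINIMAL.lower() + "\\"
    for line in lines[1:]:
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            # Registry paths are case-insensitive; compare lowercased.
            if key.lower().startswith(prefix):
                current = key[len(prefix):]
                entries[current] = None
            else:
                current = None
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and current is not None:
            entries[current] = m.group(1)
    return entries


def audit_safeboot(entries, baseline):
    """Return sorted (name, default_value) pairs that differ from the baseline."""
    baseline_ci = {name.lower(): kind for name, kind in baseline.items()}
    findings = []
    for name, kind in entries.items():
        if baseline_ci.get(name.lower()) != kind:
            findings.append((name, kind))
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for name, kind in audit_safeboot(parsed, BASELINE):
        print(f"not in baseline: {name!r} -> {kind!r}")
```

Run against the constructed export, it flags both Schedule (the entry the thread adds on purpose) and UnknownSvc; on a real machine the point is that the list of findings should contain only entries you can explain.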
mrsugg (Special Response Team, Premium Member)

PostPosted: Mon Oct 16, 2006 11:48 pm    Post subject:

Hi nosirrah,
Task Scheduler is already set to automatic in the limited account that I am surfing with right now. Will it be different in safemode?

