
I have some monitoring software that users are attempting to bypass by booting Windows in Safe Mode. I can't prevent this, since any change I make to the boot menu programmatically can be undone manually, but it would be useful to know if the previous boot was in Safe Mode because that is potential evidence of tampering.

I know I can use GetSystemMetrics() to find out what the current boot state is, but I'm wondering if there's any record of the immediately previous boot.

jeffm
    Maybe you can find hints in the Event Log (`eventvwr.exe`), just maybe, but it's probable it's there. In any case you can detach your software from such dependency and make your own record. – Havenard Mar 26 '15 at 17:35
  • @Havenard how would you make your own record? You cannot run when it is in safe mode. I guess you could look for a boot without a marker saying it is NOT safe mode? – Yakk - Adam Nevraumont Mar 26 '15 at 17:46
  • You could be even more general than that and create a record every time your monitoring software starts. If you find an instance where there is a boot record without a matching monitoring software record, then you know the user booted without the monitoring software. – Julian Mar 26 '15 at 17:50
  • @Yakk You can run it alright, just not using the common process start up methods. I don't know for sure how but many services start even in Safe Mode, that could be looked up, also the `.sys` drivers and winsock plugins (like the infamous Apple's "Bonjour"). Could also abuse DLL injection in some process known to be called in Safe Mode. – Havenard Mar 26 '15 at 18:06

1 Answer


Yes, you can tell this via eventvwr.exe. In Windows Logs\System, there will be an event with ID 12 from source "Kernel-General".

This event's description is:

"The operating system started at system time <timestamp>"

In the details for this event, the event is tagged with "BootMode". A value of 0 indicates normal boot, a value of 1 indicates SafeMode.

Leslie Davies
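As an added example (not part of the original answer), a PowerShell script that reads the Kernel-General event ID 12 records described above and flags every recorded boot whose BootMode is not 0. It assumes the provider name Microsoft-Windows-Kernel-General and that BootMode is a field in the event's EventData, which is where it appears in the event details.

```powershell
# Added example, not code from the original answer. Lists recent boots recorded by
# Microsoft-Windows-Kernel-General event ID 12 and flags those whose BootMode is
# not 0 (normal). The answer states 0 = normal and 1 = Safe Mode; any other value
# is reported as-is rather than silently treated as a normal boot.
param([int]$MaxBoots = 10)

# Get-WinEvent returns newest first: the first record is the current boot,
# the second is the immediately previous boot the question asks about.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-General'
    Id           = 12
} -MaxEvents $MaxBoots -ErrorAction Stop

foreach ($ev in $events) {
    # BootMode lives in EventData, so read the XML rendering of the event
    # and turn the <Data Name="..."> elements into a name -> value table.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $mode  = [int]$data['BootMode']
    $label = switch ($mode) {
        0       { 'Normal' }
        1       { 'SafeMode' }
        default { "Unknown($mode)" }
    }

    [pscustomobject]@{
        BootTime   = $ev.TimeCreated
        BootMode   = $mode
        Label      = $label
        Suspicious = ($mode -ne 0)
    }
}
```

Run it from an elevated prompt if the System log is restricted on the machine; the Suspicious column marks boots that did not use the normal boot mode, which is the tampering signal the question is after.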