Windows offers the useful option of “Safe Mode” to recover from any damage caused by various malfunctions in the system. Booting in Safe Mode loads limited drivers and services that are required for the basic operation of the system, but avoids adding many extras that complicate the environment. In general, Safe Mode is very helpful in recovering the system from malware infections. However, malware can exploit this feature by loading in Safe Mode, thus creating great difficulties for users and administrators in recovering from these infections.

The services and drivers that load in Safe Mode are listed under the following registry key(s):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot. This type of malware is difficult to remove manually; you’ll need an anti-virus product to detect and clean such malware.