If you press the F8 key while Windows is booting, you should be presented with a text menu screen that provides several boot options. (This is the behavior of Windows XP through Windows 7. Windows 8 and later hide the F8 menu by default; on those versions either re-enable it with bcdedit /set {default} bootmenupolicy legacy, or check Safe boot on the Boot tab of msconfig and restart.) For the purpose of rootkit localization, Safe Mode with Command Prompt is the best selection. It causes Windows to load only a minimal set of drivers and services and gives you a command prompt, instead of the Explorer shell, from which you can navigate the file system and run Windows programs one at a time. To investigate anomalies from a command prompt, you need to know the following basic commands:
cd xxx–Change directory to xxx (e.g., cd c:\windows\system32)
dir–List the contents of the current directory
xxx–Run the program xxx (e.g., notepad)
type xxx–List the contents of file xxx (e.g., type autoexec.bat)
regedit (or regedt32)–Start the Registry Editor
You will also need to know how to launch the detector that found the original anomaly. If you don’t already know the location of the program, check the properties of the shortcut. You need to navigate to the directory and execute the program manually once you have booted into Safe Mode.
The reason Safe Mode with Command Prompt is a great environment for localizing rootkits is that the rootkit has probably not been loaded and therefore cannot protect itself. From this mode you get an unobstructed view of the system and can delete files and registry entries that would otherwise be protected. Of course, this assumes the rootkit in question really was not loaded, so before you trust anything you see, re-check for the anomaly that started the investigation. If the anomaly is still there, the rootkit is active even in Safe Mode and Safe Mode will not be very helpful.
There are many ways to load and run software during the boot process of a Windows operating system, and several of them survive Safe Mode. A rootkit can be piggybacked onto a required operating system file (by patching or infecting it), so it loads whenever that file loads. It can replace a common program and call the original (renamed) program after it has loaded itself. It can register itself as a required Safe Mode driver or service: the registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot (subkeys Minimal and Network) lists exactly what Windows loads in each Safe Mode variant, and anything added there loads even in Safe Mode with Command Prompt. These are all ways to defeat Safe Mode rootkit detection. Fortunately, most rootkits strive to blend in as much as possible, and these loading techniques stand out, so they are rarely used. Just as with file, process, and registry key hiding, rootkit initialization is easiest to spot when it uses uncommon techniques. That makes standard device driver loading the preferred method for rootkit initialization, and a driver loaded that way is not loaded in Safe Mode and can be found from there.
If you are uncomfortable working inside a command prompt, plain Safe Mode (without networking or command prompt) will add Windows Explorer. This provides an environment similar to a standard boot, but remember that Explorer loads shell extensions (COM objects registered in the registry) into its own process, and a rootkit can be launched as one of those. If booting to standard Safe Mode does not eliminate a suspected rootkit anomaly, try Safe Mode with Command Prompt.
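The two loading paths that survive Safe Mode described above, the SafeBoot registry lists and Explorer's shell extensions, can both be enumerated from the registry and checked against what is actually on disk. The following PowerShell script is an added example written for this page; it is not from the original text or from any product. It assumes an elevated PowerShell 3.0 or later session (Windows 7 and up), the documented registry locations for SafeBoot, Services, the Approved shell-extension list and CLSID\InProcServer32, and its "suspicious" rules are this example's own heuristics (missing service key, missing or unsigned file, Safe Mode driver loaded from outside %SystemRoot%). The function and variable names are the example's own.

```powershell
# Added example: enumerate what Windows loads even in Safe Mode (SafeBoot lists)
# and what Explorer loads as shell extensions, then flag entries worth a look.
# Assumes elevated PowerShell 3.0+; registry layout as documented by Microsoft.
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ApprovedKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$SystemRoot   = $env:SystemRoot

# Turn a raw ImagePath / InProcServer32 string into an absolute file path.
# Handles "\SystemRoot\...", "\??\C:\...", "%SystemRoot%\...", relative
# "system32\drivers\x.sys" and trailing svchost-style arguments.
function Resolve-ImagePath {
    param([string]$Raw)
    if (-not $Raw) { return $null }
    $p = $Raw.Trim().Trim('"')
    if ($p -match '^(.*?\.(exe|sys|dll))(\s.*)?$') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$SystemRoot\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $SystemRoot $p }
    return $p
}

# Does the file exist, and what does Authenticode say about it?
# Caveat: on older Windows versions Get-AuthenticodeSignature does not consult
# catalog files, so catalog-signed Microsoft binaries report NotSigned. Treat
# the Signature column as a lead to verify, not a verdict.
function Get-FileFacts {
    param([string]$Path)
    $onDisk = $false; $sig = $null
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $onDisk = $true
        $sig = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
    }
    [pscustomobject]@{ OnDisk = $onDisk; Signature = $sig }
}

# One row per SafeBoot\<Mode> entry. Only rows whose default value is
# "Driver" or "Service" name a service; class-GUID and "Driver Group" rows
# are resolved differently by the kernel and are reported as-is.
function Get-SafeBootEntries {
    param([ValidateSet('Minimal','Network')][string]$Mode = 'Minimal')
    Get-ChildItem -Path (Join-Path $SafeBootRoot $Mode) | ForEach-Object {
        $name   = $_.PSChildName
        $type   = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
        $svcKey = Join-Path $ServicesRoot $name
        $image = $null; $hasKey = $null
        if ('Driver','Service' -contains $type) {
            $hasKey = Test-Path -LiteralPath $svcKey
            if ($hasKey) { $image = Resolve-ImagePath (Get-ItemProperty -LiteralPath $svcKey).ImagePath }
        }
        $facts = Get-FileFacts $image
        [pscustomobject]@{
            Mode = $Mode; Name = $name; Type = $type; ServiceKeyExists = $hasKey
            ImagePath = $image; OnDisk = $facts.OnDisk; Signature = $facts.Signature
        }
    }
}

# One row per CLSID in Explorer's "Approved" shell-extension list, resolved
# to the in-process DLL that Explorer will load into explorer.exe.
function Get-ShellExtensions {
    $values = Get-ItemProperty -LiteralPath $ApprovedKey
    $values.PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f\-]+\}$' } |
        ForEach-Object {
            $clsid  = $_.Name
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
            $dll = $null
            if (Test-Path -LiteralPath $server) {
                $dll = Resolve-ImagePath (Get-ItemProperty -LiteralPath $server).'(default)'
            }
            $facts = Get-FileFacts $dll
            [pscustomobject]@{
                CLSID = $clsid; Description = $_.Value; Dll = $dll
                OnDisk = $facts.OnDisk; Signature = $facts.Signature
            }
        }
}

# Example's own heuristics: a Safe Mode driver/service whose service key or
# file is missing, whose file is unsigned, or whose file lives outside
# %SystemRoot%; and any shell extension whose DLL is missing or unsigned.
function Find-Suspicious {
    $safe = (@(Get-SafeBootEntries -Mode Minimal) + @(Get-SafeBootEntries -Mode Network)) |
        Where-Object {
            ('Driver','Service' -contains $_.Type) -and (
                -not $_.ServiceKeyExists -or
                -not $_.OnDisk -or
                $_.Signature -ne 'Valid' -or
                $_.ImagePath -notlike "$SystemRoot\*")
        }
    $shell = Get-ShellExtensions | Where-Object { -not $_.OnDisk -or $_.Signature -ne 'Valid' }
    [pscustomobject]@{ SafeBoot = @($safe); ShellExtensions = @($shell) }
}

$report = Find-Suspicious
$report.SafeBoot        | Format-Table -AutoSize
$report.ShellExtensions | Format-Table -AutoSize
```

Run it twice: once from a normal boot and once from the Safe Mode command prompt (on versions that ship PowerShell, start it with powershell.exe from the prompt). An active rootkit that hides registry keys can make the normal-boot run look clean, which is exactly why the page recommends checking from Safe Mode; an entry that appears only in the Safe Mode run, or a SafeBoot driver or shell extension that a known-clean machine of the same build does not have, is the anomaly to chase. Expect some noise in the Signature column on older systems for the catalog-signing reason noted in the comments.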