Windows Safe Mode could be a new way for hackers to steal your passwords
If you’re a Windows user you probably know about Safe Mode, a handy feature of Windows that lets you fix problems that can’t be addressed in Normal Mode. That’s because Safe Mode only runs the software that is essential for the basic functioning of the Windows operating system.
However, running Safe Mode doesn’t actually keep you safe. Researchers from CyberArk Labs found that it can expose you to risk: because the usual security measures are absent, it’s easy for an attacker to freely run tools and steal your login credentials. They also described how a Windows PC’s Safe Mode can be used to launch pass-the-hash attacks.
The researchers explained that once attackers have local administrative privileges on a remote machine, they still need to get around several third-party security tools and Microsoft’s new Virtual Secure Mode. What makes this easier for them is that those protections only work in Normal Mode.
The Safe Mode attack is completed in three steps:
BOOT THE INFECTED MACHINE IN SAFE MODE
Using BCDEdit, attackers can change the boot configuration so that, on its next reboot, the machine boots into minimal Safe Mode by default.
CONFIGURE ATTACK TOOLS TO LAUNCH IN SAFE MODE
This can be done by including in the primary payload a malicious service that runs only in Safe Mode. Alternatively, attackers can register a malicious COM object that loads every time explorer.exe runs.
CyberArk Labs described how the attack then proceeds:
“Once an attacker has booted a machine into Minimal Safe Mode, the attacker can access registry keys and alter configurations to disable or manipulate endpoint security solutions. Once that’s complete, an attacker can reboot the machine back into Normal Mode and freely proceed with the attack without the risk of being blocked by an endpoint security solution.”
REBOOT THE MACHINE
The final step is restarting the machine to execute the next phase of the attack. Rather than forcing users to restart their computer, the attacker can wait for the next restart and display a fake Windows Update screen to avoid raising suspicion.
The researchers reported the risk to Microsoft, but it was not considered a valid vulnerability because “it needs an attacker to have already compromised the system.”
To mitigate the risk, the researchers recommend that sysadmins restrict administrator privileges, proactively rotate account credentials, make sure security tools also run in Safe Mode, and monitor who boots into Safe Mode and what they actually do there.
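As an added defensive example (not code from CyberArk Labs or Microsoft), the PowerShell script below checks the points the article describes from the defender’s side: whether the boot configuration has been set to force the next boot into Safe Mode, which services and drivers are registered to start in Safe Mode (with their binaries resolved for review), and which mode the machine is currently running in. The baseline list of vetted entry names is a constructed placeholder that you would populate from a clean reference build of your own.

```powershell
# Added example (not CyberArk's or Microsoft's code). Run from an elevated prompt:
# bcdedit and the SafeBoot registry keys require administrator rights to read.

function Get-ForcedSafeBootSetting {
    # bcdedit prints a "safeboot" element (Minimal, Network or DsRepair) on boot
    # entries that will start in Safe Mode. A clean machine normally has none.
    $findings = @()
    foreach ($id in '{current}', '{default}') {
        $lines = & bcdedit.exe /enum $id 2>$null
        foreach ($line in $lines) {
            if ($line -match '^\s*safeboot\s+(\S+)') {
                $findings += [pscustomobject]@{ Entry = $id; SafeBoot = $Matches[1] }
            }
        }
    }
    return $findings
}

function Get-SafeBootEntries {
    param(
        # Placeholder baseline: entry names already vetted on a clean reference build.
        [string[]]$Baseline = @()
    )
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
             'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
    foreach ($root in $roots) {
        foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            $name = $key.PSChildName
            # The key's default value says what the entry is: Service, Driver,
            # Driver Group, or a device class description for GUID-named keys.
            $kind = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).'(default)'
            # Service and Driver entries name a key under Services; resolve its
            # ImagePath so a reviewer sees which binary Safe Mode would start.
            $image = $null
            if ($kind -in 'Service', 'Driver') {
                $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
                if ($svc) { $image = $svc.ImagePath }
            }
            [pscustomobject]@{
                List       = Split-Path $root -Leaf
                Name       = $name
                Kind       = $kind
                ImagePath  = $image
                InBaseline = ($Baseline -contains $name)
            }
        }
    }
}

function Get-CurrentBootMode {
    # Reports "Normal boot", "Fail-safe boot" (Safe Mode) or
    # "Fail-safe with network boot" (Safe Mode with Networking).
    (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

# --- Report ---------------------------------------------------------------
$forced = Get-ForcedSafeBootSetting
if ($forced) {
    $forced | ForEach-Object {
        Write-Warning "BCD entry $($_.Entry) is set to boot into Safe Mode ($($_.SafeBoot))"
    }
} else {
    Write-Output 'No BCD entry is forcing a Safe Mode boot.'
}

Write-Output "Current boot mode: $(Get-CurrentBootMode)"

# Constructed placeholder baseline; replace with the names vetted on your own build.
$baseline = @('Base', 'Boot Bus Extender', 'Boot file system', 'File system', 'vga.sys')
Get-SafeBootEntries -Baseline $baseline |
    Where-Object { -not $_.InBaseline -and $_.Kind -in 'Service', 'Driver' } |
    Format-Table List, Name, Kind, ImagePath -AutoSize
```

The first function covers the BCDEdit step: a `safeboot` element on the `{current}` or `{default}` entry means the next reboot will land in Safe Mode whether or not the user asked for it. The second covers the persistence step: any Service or Driver entry under SafeBoot\Minimal or SafeBoot\Network that is not in your baseline is a candidate to inspect, and the resolved ImagePath tells you what would actually run. Scheduling the script to run at startup and forward its output to your log collector gives you the “who boots into Safe Mode” visibility the researchers recommend, since the boot-mode check runs in Safe Mode where most endpoint agents do not.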