SCSP / DCS Server Advanced - Trying to track when a Windows machine goes into Safe Mode

Article ID: 161964

Products

Critical System Protection, Data Center Security Monitoring Edition, Data Center Security Server, Critical System Protection Client Edition, Data Center Security Server Advanced

Issue/Introduction

Customer is unable to track when a device was booted into safe mode.  They need to track this for security purposes.

Cause

Windows does not track boot mode by default.

Resolution

Have the customer turn on boot logging. This creates only 3 events when a machine is rebooted, whether normally or into safe mode: the shutdown event and two boot-up events.

To turn on boot logging:
1. Press Win+R to summon the Run dialog box
2. Type msconfig and press enter
3. Click on the Boot tab
4. Check the box called Boot Log

Turning on the logs requires a reboot.

Once rebooted you will see the events in the System event logs.

Here is an example of the events. The BootMode section shows the state of the OS: 0 is normal boot; 1, 2 and 3 are safe mode.




Once these events are in the Event Logs then the customer can edit their policy to watch for these events.
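To confirm that the events are present and carry the expected values before writing the policy rule, the BootMode field can be read straight from the event XML. The following is an added example, not part of the original article or the product: the function name `Get-BootModeRecord` is hypothetical, the sample records are constructed, and it assumes BootMode appears as a named `Data` element under `EventData`.

```powershell
# Added example: classify boot events by their BootMode value.
# Mapping taken from the article: 0 = normal boot; 1, 2 and 3 = safe mode.
function Get-BootModeRecord {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $doc = [xml]$raw
        # Pick the <Data Name="BootMode"> element, whatever the event ID is.
        $node = $doc.Event.EventData.Data | Where-Object { $_.Name -eq 'BootMode' }
        if (-not $node) { continue }   # event has no BootMode field; skip it
        $mode = [int]$node.'#text'
        [pscustomobject]@{
            TimeCreated = $doc.Event.System.TimeCreated.SystemTime
            Computer    = $doc.Event.System.Computer
            BootMode    = $mode
            SafeMode    = ($mode -in 1, 2, 3)
        }
    }
}

# Constructed sample records (not real log output). Provider and host names
# are placeholders; "Other" stands in for the remaining fields of the event.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$template = '<Event xmlns="{0}"><System><Provider Name="PLACEHOLDER"/>' +
            '<TimeCreated SystemTime="{1}"/><Computer>{2}</Computer></System>' +
            '<EventData><Data Name="Other">x</Data>' +
            '<Data Name="BootMode">{3}</Data></EventData></Event>'
$sample = @(
    ($template -f $ns, '2024-01-01T08:00:00Z', 'HOST-A', 0),   # normal boot
    ($template -f $ns, '2024-01-02T21:15:00Z', 'HOST-A', 1),   # safe mode
    ($template -f $ns, '2024-01-03T02:40:00Z', 'HOST-B', 3)    # safe mode
)

# Show only the boots that were into safe mode.
Get-BootModeRecord -EventXml $sample | Where-Object SafeMode | Format-Table

# On a live machine, feed it the System log instead of the sample:
#   $xml = Get-WinEvent -LogName System | ForEach-Object { $_.ToXml() }
#   Get-BootModeRecord -EventXml $xml | Where-Object SafeMode
```

Run against the sample, this lists the two records with BootMode 1 and 3 and omits the normal boot.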

There is also the option to disable SafeBoot on the device. This can be done in multiple ways depending on the OS; please check your documentation to disable it if that is preferred.
