
SCSP / DCS Server Advanced - Trying to track when a Windows machine goes into Safe Mode


Article ID: 161964


Updated On:


Critical System Protection, Data Center Security Monitoring Edition, Data Center Security Server, Critical System Protection Client Edition, Data Center Security Server Advanced


Customer is unable to track when a device was booted into safe mode.  They need to track this for security purposes.


Windows does not track boot mode by default.


Have the customer turn on boot logging. This creates only 3 events when a machine is rebooted, whether normally or into safe mode: the shutdown event and two boot-up events.

To turn on boot logging:
1. Press Win+R to summon the Run dialog box
2. Type msconfig and press Enter
3. Click on the Boot tab
4. Check the box called Boot Log

Turning on the logs requires a reboot.

Once the machine has rebooted, you will see the events in the System event log.

Here is an example of the events. The BootMode section shows the state of the OS: 0 is normal boot; 1, 2 and 3 are safe mode.

Once these events are in the Event Logs, the customer can edit their policy to watch for them.
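To confirm that the events carry the expected BootMode values before building the policy rule, the check below reads event XML and flags safe-mode boots. It is an added example, not part of the original article or of the product; the function name `Get-BootModeFromEventXml`, the sample events and the host names are constructed, and it assumes the events expose an EventData field named BootMode as described above.

```powershell
# Added example (not from the original article). Assumes the boot events
# expose an EventData field named BootMode, as the article describes.
function Get-BootModeFromEventXml {
    param([Parameter(Mandatory)][string[]]$EventXml)

    foreach ($raw in $EventXml) {
        $evt   = ([xml]$raw).Event
        $field = $evt.EventData.Data | Where-Object { $_.Name -eq 'BootMode' }
        if (-not $field) { continue }      # event has no BootMode field, skip it

        $mode = [int]$field.'#text'
        [pscustomobject]@{
            TimeCreated = $evt.System.TimeCreated.SystemTime
            Computer    = $evt.System.Computer
            BootMode    = $mode
            # Per the article: 0 = normal boot; 1, 2 and 3 = safe mode
            SafeMode    = ($mode -in 1, 2, 3)
        }
    }
}

# Constructed sample events, trimmed to the elements the function reads.
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
            "<System><TimeCreated SystemTime='{0}'/><Computer>{1}</Computer></System>" +
            "<EventData><Data Name='{2}'>{3}</Data></EventData></Event>"
$sample = @(
    ($template -f '2024-03-01T08:00:00Z', 'HOST-A', 'BootMode', 0),
    ($template -f '2024-03-02T23:14:00Z', 'HOST-B', 'BootMode', 1),
    ($template -f '2024-03-02T23:15:00Z', 'HOST-B', 'OtherField', 7)
)

# Show only the boots that were into safe mode.
Get-BootModeFromEventXml -EventXml $sample | Where-Object SafeMode

# On a live machine, feed it the System log instead of the sample:
#   $xml = Get-WinEvent -LogName System -MaxEvents 2000 | ForEach-Object { $_.ToXml() }
#   Get-BootModeFromEventXml -EventXml $xml | Where-Object SafeMode
```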

 **There is also the option to disable SafeBoot on the device.  This can be done in multiple ways depending on the OS; please check your documentation if disabling it is preferred.