“SafeBoot is corrupted (92h)” when McAfee Endpoint Encryption is installed

Here’s a rare example of a case where I was very close to recommending a reformat before finally stumbling across an idea that led to the fix.

The client was an employee of a large company whose laptop hard drives (like many) are encrypted with McAfee SafeBoot (Endpoint Encryption).  This is a sound strategy for protecting against data theft if the machine is stolen, but as with any full-disk encryption, a problem with either data integrity or the encryption/decryption process can be disastrous: nothing on the drive is readable until the pre-boot environment works again or the volume is decrypted by other means.

SafeBoot/EE is full-disk encryption with pre-boot authentication: the entire volume is encrypted, and SafeBoot’s own boot code, loaded from the start of the disk, must run and authenticate the user before Windows can be loaded at all.  Any damage to that boot code or to the partition information it depends on can therefore take down the whole system until the information is repaired or the volume is decrypted offline.  McAfee does provide a method for decrypting volumes offline using a special boot CD (called SafeTech or WinTech, depending on your version) together with a rolling Authorization Code which changes daily.  Unfortunately, they only make these tools available directly to licensed customers, meaning that independent techs like me are out of luck, even when we hold the decryption key (which the customer provided me).

While I was able to get past the rolling Authorization Code by setting the system date back to a specific day years earlier and using a code posted on an online forum, neither the built-in tools nor a SafeBoot Admin CD I located resolved the issue.  We had already contacted the company’s IT department, who said they had no such tools at their disposal and that a reformat would be necessary.  Worse yet, my client was only in Louisville on a brief business trip, and there was data he needed on the encrypted volume.

The next morning I had planned to contact the customer and suggest that we do just that: reformat.  But on a last-minute whim, I stumbled across an idea which could explain the strange behavior we were seeing.

If you Google the SafeBoot 92h error, you’ll find a variety of reasons why it can occur, and plenty of threads where it was never resolved.  Working backwards through the symptoms, however, led me to a point I had almost disregarded in my rush to return a working PC to a busy traveling executive: the possibility that malware had triggered the problem in the first place.

You see, the very first step I performed was a sector-level image of the encrypted drive, for safety.  Throughout the imaging process, no read errors or bad sectors were encountered, and a subsequent hardware diagnostic found no memory or hard drive errors either.  That doesn’t rule hardware out completely, but it makes a software cause far more likely than a failing drive.  Malware is the obvious candidate here, most notably boot-sector rootkits (bootkits), which alter the MBR and/or the partition table so that their own code runs before the operating system; from there they can filter disk reads of their own sectors, which makes them very hard to detect from within the running OS.

One such rootkit you’ve already seen me write about in the past: Rootkit.Boot.Pihar.B.  It creates a hidden, encrypted partition at the end of the drive and marks it as the Active (bootable) partition, then chainloads the operating system partition, which the rootkit has flagged Inactive.  This lets the rootkit leave the MBR code itself “clean”, keeping all of its own code in the encrypted partition and loading the OS normally afterwards.  Although an offline TDSSKiller run did not detect this rootkit as active on my client’s system, booting to partition management software showed that the hidden/encrypted partition was still present at the end of the drive.  And the OS partition, predictably, was Inactive.

It was just that simple.  Setting the OS partition as Active and then booting normally did the trick, and since the drive had already been imaged, it was a safe, reversible change to try.  Following that, I had plenty of malware cleanup on my hands, most of it related to a rogue (fake antivirus) which had piggybacked on the rootkit.  This was extra fun with the machine’s Administrator restrictions and policies standing in the way, but in the end, the machine was repaired, all data was recovered, and my client was happy.  That is, until he returns to his hometown, where he’ll request an updated Windows 7 machine to replace this dinosaur. 🙂
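To make the partition-table check above concrete, here is an added example (my own code, not anything from the original post, SafeBoot or TDSSKiller) that reads a 512-byte MBR image, lists each partition entry with its Active flag, flags the layout described above (an Active partition at the very end of the disk while a larger partition ahead of it is Inactive), and writes a corrected copy with only the OS partition Active.  It touches only the four status bytes of the partition table, so the bootstrap code in the first 446 bytes (SafeBoot’s, on a machine like this one) is left exactly as it was.  The embedded sample MBR and its sizes are constructed for the example, and the “last on disk and smaller than an Inactive partition” heuristic is my own, not a SafeBoot or TDSSKiller check.

```python
"""Inspect an MBR partition table and move the Active (bootable) flag.

Added example (not code from the original post). Works on a 512-byte MBR
image rather than a live disk. The sample MBR is constructed here to mirror
the layout described in the post: an NTFS OS partition marked Inactive and
a small partition at the very end of the disk marked Active.
"""
import struct
import sys

PT_OFFSET = 446          # partition table starts after the bootstrap code
ENTRY_SIZE = 16
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts."""
    if len(mbr) != 512:
        raise ValueError("expected exactly 512 bytes of MBR")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "status": status, "active": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def diagnose(entries: list) -> list:
    """Heuristic checks (my own, not SafeBoot's) on a parsed partition table."""
    findings = []
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x" % (e["index"], e["status"]))
    active = [e for e in entries if e["active"]]
    if not active:
        findings.append("no partition is marked Active")
    elif len(active) > 1:
        findings.append("more than one partition is marked Active")
    else:
        a = active[0]
        last = max(entries, key=lambda e: e["lba_start"])
        larger_inactive = [e for e in entries if not e["active"] and e["sectors"] > a["sectors"]]
        if a is last and larger_inactive:
            findings.append(
                "Active partition (entry %d) is the last on disk and smaller than Inactive "
                "entry %d; matches the bootkit layout described in the post"
                % (a["index"], larger_inactive[0]["index"]))
    return findings


def set_active(mbr: bytes, index: int) -> bytes:
    """Return a copy of the MBR with only partition `index` flagged Active.

    Only the four status bytes change; bootstrap code and signature stay as-is.
    """
    if index not in {e["index"] for e in parse_mbr(mbr)}:
        raise ValueError("entry %d is empty" % index)
    out = bytearray(mbr)
    for i in range(4):
        out[PT_OFFSET + i * ENTRY_SIZE] = 0x80 if i == index else 0x00
    return bytes(out)


def build_sample_mbr() -> bytes:
    """Constructed sample: OS partition Inactive, small trailing partition Active."""
    mbr = bytearray(512)
    mbr[0:3] = b"\xeb\xfe\x90"   # stand-in bootstrap (jmp $), not real SafeBoot code
    disk_sectors = 500_118_192   # ~238 GiB, made-up disk size
    tail = 20_480                # 10 MiB hidden partition at the end, made-up size
    chs = b"\xfe\xff\xff"        # CHS fields are ignored on LBA disks
    layout = [
        (0x00, 0x07, 2048, disk_sectors - 2048 - tail),  # NTFS OS partition, Inactive
        (0x80, 0x07, disk_sectors - tail, tail),         # trailing partition, Active
    ]
    for i, (status, ptype, start, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + i * ENTRY_SIZE,
                         status, chs, ptype, chs, start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


if __name__ == "__main__":
    # Usage: python mbr_active.py [mbr.bin [fixed.bin]]; with no arguments, uses the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    entries = parse_mbr(data)
    for e in entries:
        print("entry %d: %s type 0x%02x start %d sectors %d" % (
            e["index"], "ACTIVE  " if e["active"] else "inactive",
            e["type"], e["lba_start"], e["sectors"]))
    for f in diagnose(entries):
        print("finding:", f)
    if len(sys.argv) > 2:
        largest = max(entries, key=lambda e: e["sectors"])  # assumption: OS partition is the largest
        open(sys.argv[2], "wb").write(set_active(data, largest["index"]))
        print("wrote %s with entry %d Active" % (sys.argv[2], largest["index"]))
```

On a Linux boot CD you would dump the first sector with `dd if=/dev/sda of=mbr.bin bs=512 count=1`, run the script against `mbr.bin`, inspect the findings, and only then write the corrected copy back with `dd` (keeping the original `mbr.bin`, or better the full drive image, so the change can be reverted).  Deliberately, the script never writes to the disk itself.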


15 thoughts on ““SafeBoot is corrupted (92h)” when McAfee Endpoint Encryption is installed”

  1. Thanks for the info, I just had this problem last Thursday. I received the computer on Monday, I downloaded the backup of my info to the new one, more than 100 GB. On Thursday I defragmented the PC, I used a freeware called Galry, then I restarted and I got this infamous error code. It was very shocking because I waited three weeks to get my new laptop, and I hope that the IT department can solve this fast.

    Greetings from Mexico

  2. Certainly your problem was caused by Glary Utilities (I’m assuming that’s what you’re referring to). It’s not supposed to mess with protected files, but perhaps there’s a problem with its implementation, or worse, even the hard disk itself. I hope it gets corrected for you; my guess is it likely will!

  3. Steve,
    I am facing the same issue. Please let me know if you can resolve it for me. I have been trying to contact you since yesterday.

  4. Hey Sri,

    Unfortunately I am unavailable this week. I am covering an expo in LA. However I will be back next week if you are still needing help.

    Thanks and my apologies!

    Steve

  5. Hi Steve, yes, I can wait until next week. This can be done right. My issue is that when I boot my laptop, I get a “safeboot has been corrupted error 92h” message. And my company IT support does not offer any help regarding this.

    Thanks
    Sri

  6. Hi, it’s me again. The IT team could solve it really fast, just one day. The technician wanted to kill me, but in the end it was not a big problem.

    Keep trying and always trust the professionals.

  7. Can you tell me which partition management software you used to boot the machine and correct the partition?

  8. I, too, have this error. I was defragging my computer, it shut down, and the error message was present when I tried to restart my laptop. Are you available to help?

  9. Hey Valerie,

    Honestly, it doesn’t sound good at all. The Windows Defragmentation engine is an incredibly robust thing; if the PC’s filesystem integrity is compromised as a result of the procedure (which sounds like it may be the case based on your symptoms), it is most likely a failing hard drive. Since the drive is encrypted, recovery may be impossible. You will need to get as much of the data as possible to render the partition bootable.

    Not sure if you are anywhere near me or if you can ship, but I use this procedure for my recoveries:

    http://www.triplescomputers.com/datarecovery.html

    It’s the best drive imager in the world. Full-blown data recovery companies rely on it to image data, but they charge multiple times my cost to do so. If you are in need of this data and you don’t mind shipping, my cost is a flat-rate $349 for successful recoveries (and it’s no charge if I’m unsuccessful). After that, there may be a small amount of additional work needed to repair or decrypt the data, if possible. Again, if it isn’t possible, there will be no charge.

    It’s also possible (though less likely in this case) that you may be dealing with boot-sector malware as detailed in my post. I can diagnose either case, but I would proceed with extreme caution on this one, as it sure sounds like bad hardware to me, and once they start to fail, drives often go very quickly.

    Hope this helps, and sorry to alarm you!

    -Steve

  10. Hi Steve, it’s my turn now. The same error 92h after a smart non-MS defrag. 4 years of work in the garbage if I don’t recover my data. This is a disaster for my small business.
    I’m in France, and I’m ready to go to Louisville swimming across the Atlantic if necessary! Would you be able to help me? I hope you can.

    Julien

  11. Julien,

    Apologies for my missing your comment. I wish I could help. It sounds very likely that you are actually dealing with a data recovery situation (a failed storage device) which has led to a corrupt SafeBoot partition. I fear you may have to locate a data recovery professional locally, which is usually very expensive. I perform such services here for my clients for a lot less, but unfortunately you are just too far away! 🙂

    Please do let me know of your progress, and good luck!

    -Steve

  12. Hi Steve, I have the same error on a ThinkPad R40 from IBM, but in my case I want to format the whole hard drive by inserting a Win XP CD, but I can’t because it displays “safeboot is corrupted (92h)”.
    Thanks

  13. Hi Maito,

    Might be best to physically remove the drive and format from another system, then return it to the system and boot to the CD.

    Hope this helps!

    Also, you do know that XP is no longer safe to use… I hope!

    -Steve

  14. Thanks a lot Steve, tell me where I can add you on Facebook or another social network?
