AIR Responder in Windows 'Safe Mode'
AIR Responder Operation in Windows Safe Mode
Binalyze AIR Responder is now capable of functioning in Safe Mode, allowing forensic acquisition and remote tasking on machines operating in a restricted state. However, to maintain full functionality and allow task execution via the AIR Console, specific registry modifications must be applied before entering Safe Mode.
Before booting into Safe Mode, execute the following Registry modifications to register the AIR Agent Service:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Binalyze.AIR.Agent.Service" /VE /T REG_SZ /D "Service" /F
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Binalyze.AIR.Agent.Service" /VE /T REG_SZ /D "Service" /F
These registry changes can also be enforced through the Windows UI: run msconfig to open the System Configuration window, and in the Boot tab select Safe Boot with the Network option active.
These registry entries ensure the Binalyze AIR Agent Service is recognized and loaded in Safe Mode.
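As an added example (not Binalyze's own tooling), the same two SafeBoot entries applied and verified with PowerShell instead of REG ADD. It assumes the SafeBoot key name must equal the installed service name, which it checks with Get-Service, and that it runs from an elevated prompt.

```powershell
# Added example, not Binalyze's script: create and verify the SafeBoot entries
# for the AIR Agent service under both Safe Mode profiles.
# Assumption: the SafeBoot key name must match the installed service name.
$ServiceName  = 'Binalyze.AIR.Agent.Service'
$SafeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$Profiles     = @('Minimal', 'Network')   # Safe Mode, Safe Mode with Networking

function Test-SafeBootEntry {
    param([string]$Profile)
    $key = Join-Path $SafeBootRoot "$Profile\$ServiceName"
    if (-not (Test-Path $key)) { return $false }
    # Safe Mode only loads the service when the key's default value is "Service"
    $default = (Get-ItemProperty -Path $key).'(default)'
    return $default -eq 'Service'
}

function Set-SafeBootEntry {
    param([string]$Profile)
    $key = Join-Path $SafeBootRoot "$Profile\$ServiceName"
    if (-not (Test-Path $key)) {
        # New-Item -Value sets the key's (default) value, like REG ADD /VE
        New-Item -Path $key -Value 'Service' -Force | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name '(default)' -Value 'Service'
    }
}

# Refuse to register an entry for a service that is not installed, so the
# key name cannot silently drift from the real service name (assumption).
if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
    throw "Service '$ServiceName' is not installed on this host; install AIR first."
}

foreach ($p in $Profiles) {
    if (Test-SafeBootEntry -Profile $p) {
        Write-Host "SafeBoot\$p entry already present"
        continue
    }
    Set-SafeBootEntry -Profile $p
    if (Test-SafeBootEntry -Profile $p) {
        Write-Host "SafeBoot\$p entry created"
    } else {
        Write-Warning "SafeBoot\$p entry could not be verified"
    }
}
```

Running Test-SafeBootEntry alone (without the Set call) is a convenient pre-boot check that both profiles are staged before a host is rebooted into Safe Mode.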
Safe Mode with Networking
If a machine enters Safe Mode with Networking, the AIR Agent will continue operating as expected, maintaining communication with the AIR Console.
Safe Mode (Without Networking)
The AIR Agent cannot communicate with the console if networking is unavailable unless an off-network package is used for forensic acquisitions.
Remote Task Execution
Without the registry modifications, the AIR Console cannot issue remote tasks to the endpoint in Safe Mode.
Adding the registry keys before booting into Safe Mode ensures that Responder and interACT remain functional.
If the registry modifications are not applied and the AIR Agent does not load, users can manually execute AIR.exe after entering Safe Mode to establish a temporary connection.
However, this approach is not recommended due to potential inconsistencies and administrative overhead.
By proactively applying the recommended registry changes, organizations can ensure seamless forensic investigations even when endpoints are booted in Safe Mode.