Saturday, July 11, 2009

How can you uninstall Deep Freeze when you have forgotten the password?

How to uninstall Deep Freeze for Windows 2000/XP/Vista without the password.

Note: Without a complete uninstallation you may not be able to reinstall Deep Freeze on your system.

What we are going to do is edit the registry and delete the startup references to Deep Freeze. This prevents the Deep Freeze driver (c:\windows\system32\drivers\deepfrz.sys) from loading the next time you boot.

1. First you need a way to edit the registry. How you do this depends on your situation: if the computer is thawed you can simply run Regedit; if it is frozen, or if it does not boot, you will need another way. Here are some alternatives:

If you have a multiboot computer with another copy of Windows 2000/XP installed, boot into that copy. Or physically mount the disk in another computer running Windows 2000/XP.

More likely you will use a tool that lets you boot from separate media and edit the registry. A good example is Bart's PE Builder (http://www.nu2.nu/pebuilder/), which builds a bootable Windows PE CD, or Winternals ERD Commander. There are several such tools, including USB memory sticks set up to boot like a CD. The goal is to boot separately from the hard drive and access it while it is "asleep".

2. If your computer is thawed, run Regedit. If it is not thawed, follow one of the alternatives above and then run Regedit (or Regedt32 on Windows 2000). In the steps below, HKLM\MySystem stands for the SYSTEM hive you are editing: HKLM\SYSTEM on a running system, or whatever name you gave the hive when you loaded it from the offline disk.

3. Open the Find dialog, type UpperFilters, check only the Values checkbox, and click Find Next.

4. Regedit will find a value named UpperFilters. Open it and, if there is a line with the name of a Deep Freeze driver (DeepFrz or DepFrzLo), delete that line including its line break, leaving the other lines intact. If you use ThawSpace and want to remove it as well, also delete the ThwSpace line; if you want to keep ThawSpace, leave it. Press F3 to find the next match and repeat until you have fixed every UpperFilters value under the HKLM\MySystem key.

5. Navigate to HKLM\MySystem\Select and check the value named Default. It holds the number of the control set the system uses when it boots: 1 means ControlSet001, 2 means ControlSet002, and so on. The steps below assume ControlSet001, but use whichever one Default specifies.

6. Go to HKLM\MySystem\ControlSet001\Services and delete the keys named after the Deep Freeze drivers (DeepFrz, or DepFrzLo and DepFrzHi). If you decided to remove ThawSpace, also delete the key named after its driver (ThwSpace).

7. That's it. Reboot, and Deep Freeze will not load.
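From the administrator's side, the same two places (the UpperFilters values and the Services keys named after the drivers) are what you check to confirm that a Deep Freeze installation is still intact. The Python script below is an added example, not code from the post or from Faronics: it parses a regedit .reg export of the SYSTEM hive and reports where each Deep Freeze driver is still referenced. The .reg text is constructed for the example and the class GUID in it is a placeholder.

```python
import re

# Driver names from the post. ThawSpace is optional on a Deep Freeze host.
DF_DRIVERS = {"DeepFrz", "DepFrzLo", "DepFrzHi", "ThwSpace"}

# Constructed sample in regedit "Version 5.00" export format. REG_MULTI_SZ is stored as hex(7):
# UTF-16LE bytes, NUL-separated, double-NUL terminated, long lines continued with a trailing "\".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{CLASS-GUID-PLACEHOLDER}]
"UpperFilters"=hex(7):44,00,65,00,65,00,70,00,46,00,72,00,7a,00,00,00,50,00,\
  61,00,72,00,74,00,4d,00,67,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DeepFrz]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\deepfrz.sys"
"""

def decode_multi_sz(field):
    """Turn 'hex(7):44,00,...' into the list of strings it encodes (here DeepFrz and PartMgr)."""
    raw = bytes(int(b, 16) for b in field.split(":", 1)[1].split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\0") if s]

def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; only hex(7) values are decoded, others stay raw."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash-continued lines
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line[1:].partition('"=')
            keys[current][name] = decode_multi_sz(value) if value.startswith("hex(7):") else value
    return keys

def audit_deep_freeze(text):
    """Map each Deep Freeze driver that is still referenced to the places it was found."""
    found = {}
    for key, values in parse_reg_export(text).items():
        for drv in sorted(DF_DRIVERS):
            if drv in values.get("UpperFilters", []):
                found.setdefault(drv, []).append("UpperFilters in " + key)
            if key.lower().endswith("\\services\\" + drv.lower()):
                found.setdefault(drv, []).append("service key " + key)
    return found

if __name__ == "__main__":
    for drv, places in audit_deep_freeze(SAMPLE_REG).items():
        print(drv, "->", "; ".join(places))
```

An empty report from a machine that should be frozen means the driver references have been removed and the installation needs attention.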

QUESTION: What if the BIOS settings prevent me from booting from CD or USB? Answer: Deep Freeze prevents you from decrypting the BIOS password, but it does not prevent you from removing it, if you have the right tool. Most BIOS password tools will not work on a Deep Freeze protected computer, but CmosPwd by Christophe Grenier does: http://www.cgsecurity.org/wiki/CmosPwd#CmosPwd_Download

You will need to know how to use a command line and install its driver. Yes, it uses a driver to remove the BIOS password, but it works even on Deep Freeze protected computers. Use CmosPwd to remove the BIOS password and reset the default BIOS settings. Then you will be able to boot from CD or USB, edit the computer's registry, and remove the DeepFrz, DepFrzLo and DepFrzHi references that start Deep Freeze.

Now here is a little known secret: Faronics (the makers of Deep Freeze) uses a special driver to remove broken or malicious Deep Freeze installations. They have no backdoor passwords, so they use this driver to remove an installation whose password is not known or that someone is having trouble with. Will they send it to you, or even admit that they have it? I don't know. Even if you do have it, you still have to boot separately from the hard drive, replace the existing Deep Freeze driver with the special one, and reboot. After that you need a Deep Freeze installation file to fully uninstall Deep Freeze (the system will be thawed when you boot with the special driver). If you want to reinstall Deep Freeze, you will also have to delete the special driver first.

Only a few people have this driver. It is the only solution Faronics has for those who need to remove Deep Freeze without the password. And, as I said, you will have to be able to boot from CD or USB and access the NTFS hard drive. If the boot order is locked (hard drive first and only) in the BIOS settings, use CmosPwd to reset the BIOS and the boot order; then you can boot from CD or USB.

Booting from CD or USB and removing the registry references also works, but afterwards you should uninstall Deep Freeze with an installation file once you are able to boot thawed.

If you are dealing with a trial version of Deep Freeze, just set the BIOS date forward past 60 days and then restart.

If anyone is wondering whether Deep Freeze has ever been hacked, the answer is yes, several times over the years. Most of these were weaknesses that Faronics was able to fix or prevent quickly. However, one hacker really, REALLY gave them headaches: Emiliano Scavuzzo from Argentina (http://usuarios.arnet.com.ar/fliamarconato/pages/emain.html). He was very good at low-level programming and used OllyDbg (http://www.ollydbg.de/) to produce about five versions of his "Deep Unfreezer", which gave Faronics their greatest challenge to date. Deep Unfreezer now only works on older versions of Deep Freeze.

Faronics is doing very, very well right now (as of 2008). They sold Apple Computer their Mac version of Deep Freeze, which, if you know where to look for it in the Applications folder on a Mac, is used in all the Apple Stores on both their desktops and their laptops. So if you are ever in an Apple Store playing around with Photo Booth or whatever, and the computer settings are all messed up, just restart the Mac and thank Deep Freeze.

Do I have a copy of that special driver? I'll never tell. ;-)