Can Malware Survive If I Reset My PC? (2024)

Reset is the ultimate removal. Or is it?

by Leo A. Notenboom

It's possible for malware to be difficult or nearly impossible to remove. It's also extremely rare.

Can a virus survive Windows 10’s “Reset this PC” and “Remove everything”?

Technically, yes — certain types of malware can survive a reset.

Pragmatically, though, these types of malware are very rare, especially if you take a couple of additional steps as you “remove everything”.

There are certain types of malware that can persist across a “Reset this PC” operation, including some types of rootkits, malware that installs into recovery or other partitions, or malware that installs into your computer’s firmware. These types of malware are rare. “Reset this PC” also has different levels of “reset” that may preserve files including malware. Regardless, it’s much more common to unwittingly re-install the malware as part of the steps taken or software downloaded as you rebuild the reset PC.

Persistent, resistant, malware

I’ll say there are three places malware could, in theory, survive the default “Remove everything” option in Windows 10’s “Reset this PC”.

Rootkits. A rootkit is a form of malware that takes additional steps to hide its existence from the operating system. This means that when “Reset this PC” deletes the existing files on a hard disk (or moves them aside into Windows.old) the rootkit could survive to re-infect the resulting clean installation of Windows.

Partitions. Malware could install itself, or a copy of itself, into one of the reserved partitions, including the recovery partition from which Windows will be reinstalled. The fresh copy of Windows could then come with malware.

Firmware. Some malware infects the firmware on your machine, such as your BIOS or UEFI. By definition, this is the software that runs on every boot up and manages access to certain hardware. It’s not affected by “Reset this PC”.

Everything isn’t always everything

If you choose to “Reset this PC”, one of the options you select is how to remove your files.

The default is to “just” remove your files. This is, presumably, the equivalent of a normal delete. The “less secure” comment acknowledges that some files could be recovered after the reinstall, using data recovery tools.

It also means that a rootkit could be overlooked and not deleted.

Click on “Change settings” to expose an additional option.

The warning that “Data erasure” can take hours implies that this option formats the drive — meaning any and all files (including rootkits) on the system partition will be removed prior to the installation.

But it’s still not really “everything”.

Start with an empty drive

The only way to really make sure that everything on the hard drive is truly removed is to boot from a Windows 10 Setup disk and reinstall Windows 10 from scratch. In other words, don’t use “Reset this PC” at all, because it relies on possibly compromised software in those hidden partitions.

Even then, there are additional steps to take.

You’ll be asked what type of installation you want.

Choose Custom, which presents a list of partitions on the disk.

My recommendation is that you carefully delete each listed partition (click on each in turn, and click Delete). Then click on New to create a new partition out of unallocated space. Windows Setup may create more than one partition. Click on each, and click on Format to format it into a drive for use by Windows Setup.

Then continue to install Windows normally.
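
Before deleting partitions in Setup, it helps to know what is actually on the disk, including the partitions File Explorer never shows. The script below is an added example, not part of the original article; it assumes Windows 10 with the built-in Storage cmdlets and an elevated PowerShell prompt, and the column names it prints are my own.

```powershell
# Added example: list every partition on the disk that holds Windows,
# including the ones without a drive letter.
# Uses only the built-in Storage module (Get-Partition).

# Well-known GPT partition type GUIDs (hashtable lookups are case-insensitive).
$gptKinds = @{
    '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}' = 'EFI System'
    '{e3c9e316-0b5c-4db8-817d-f92df00215ae}' = 'Microsoft Reserved'
    '{de94bba4-06d1-4d40-a16a-bfd50179d6ac}' = 'Windows Recovery'
    '{ebd0a0a2-b9e5-4433-87c0-68b6b72699c7}' = 'Basic data'
}

# Find the disk Windows runs from, then walk all of its partitions.
$systemLetter = $env:SystemDrive[0]          # e.g. 'C'
$systemDisk   = (Get-Partition -DriveLetter $systemLetter).DiskNumber

Get-Partition -DiskNumber $systemDisk | Sort-Object Offset | ForEach-Object {
    # MBR disks have no GptType, so fall back to the cmdlet's own Type string.
    $kind = if ($_.GptType -and $gptKinds.ContainsKey($_.GptType)) {
        $gptKinds[$_.GptType]
    } else {
        "Other ($($_.Type))"
    }

    # A partition with no drive letter reports a NUL character here.
    $hasLetter = [int]$_.DriveLetter -ne 0

    [pscustomobject]@{
        Partition = $_.PartitionNumber
        Kind      = $kind
        SizeGB    = [math]::Round($_.Size / 1GB, 2)
        Letter    = if ($hasLetter) { $_.DriveLetter } else { '-' }
        # True for the partitions you never see in File Explorer.
        Hidden    = -not $hasLetter
    }
} | Format-Table -AutoSize
```

The rows marked Hidden are the reserved and recovery partitions discussed above; they are the ones the Custom install lets you delete along with the Windows volume.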

But even that doesn’t cover “everything”.

The firmware dilemma

Malware entrenched in firmware is significantly more difficult to remove.

You can try the procedure outlined by your computer’s manufacturer to update your UEFI or BIOS, even if you’re “updating” it to the same version as already installed.

Other devices that could be compromised may or may not have similar procedures for updating or replacing their firmware. The problem here is knowing which are installed on your system, and whether this is an option for them.

There’s no easy answer when it comes to firmware.

Don’t panic!

You could easily become very concerned at this point.

I’ll put it this way: you should never, ever jump to the conclusion that you have persistent malware that cannot be removed.

Never.

I hear from people all the time who are absolutely convinced they have malware that cannot be removed — be it in their BIOS, UEFI, or somewhere else.

As long as I’ve been doing this, I have yet to encounter it. Not once. As I said, it’s extremely rare. There’s always been some other, fixable explanation.

If you really suspect this is the case on your machine, take it to a professional for more detailed analysis before throwing in the towel.

Just because something is possible doesn’t mean it’s likely.

Related Questions

Can spyware survive a factory reset?

It’s very rare that spyware survives a factory reset. Most spyware, a subset of malware in general, is typically installed in such a way that it can be removed by most anti-malware tools, a “Reset this PC” operation, or a complete reformat and reinstall of Windows. A factory reset should be equivalent to the latter: a completely clean reinstall.

Is resetting PC harmful?

No, resetting a PC is not harmful to the PC, though it will be harmful to your data, and installed applications. A full reset of a PC will erase all of your data and remove all of the applications installed that aren’t part of the operating system. It’s important to have, or create, a complete backup before resetting the PC, in order to not lose any data, and to have all the installation files or media for the applications you run so that they can be reinstalled after the reset is complete.

Does reset PC remove hackers?

No, in general resetting your PC does not remove hackers. Resetting your PC is all about what’s on the computer. If the hackers have left malware on your machine, this will be removed. However, when we talk about hackers, we’re generally talking about online activity, such as them gaining unauthorized access to your online email or other accounts. These accounts will be completely unaffected by what happens on your PC, and hackers will not be removed by a reset.

Will refreshing PC remove viruses?

Refreshing a PC may, or may not, remove viruses. A refresh reinstalls only the operating system files and attempts to keep your applications and data intact. Unfortunately, if the malware on your machine is stored in, or arrived via, your applications or your data, it will not be removed. You stand a chance of still being infected, or being reinfected when you get back to work. Safest is a “reset” rather than a “refresh”, and safer still is a complete format and reinstall of the operating system from scratch.

Does a factory reset delete everything?

Yes, a factory reset will delete everything on your PC or device. Even if some random factory reset does not, you must assume that it will, because it’s extremely likely that it will. That means you must back up your data and installed applications prior to the factory reset. If you have an automated and comprehensive backup strategy in place, you may already be doing this.

How often should you reset your PC?

There’s no hard-and-fast rule about how often you should reset your PC. It’s very likely you may never need to. However depending on how you use your machine, what kind of problems you encounter, or what kind of malware has come and gone over time, it might be wise to do it “every so often”. Again, there’s no fixed time frame, other than when performance seems to be suffering, or if you are attempting to diagnose or repair an elusive problem.
