I got called out on a support call today where the computer had completely reloaded Windows 10 from scratch. All existing customer data, configuration, apps, etc. were gone. There wasn't even anything in the Windows.old folder.
It appears to have happened last night around 4-6 pm, and the manager tells me nobody was using the computer since last week.
When powering it up, it went through the Welcome To Windows screens and required a user to be created.
I am not aware of any way to trigger a complete system wipe and reinstall without user interaction, so I am pretty sure this had to be user-initiated.
Testing the hard drive indicates a good drive - no errors/bad sectors.
Is there anything that comes to mind that could trigger this, or should we assume someone was using the PC without authorization and triggered the wipe to cover their tracks?
Thanks for any insight.
UPDATE: I have conducted some tests on a VM and I can confirm: it is possible to initiate a full system restore and deletion of all user data from within Windows (no need to reboot into EFI or Windows Boot). The process is as follows:
- Open Settings (gear) app and search for Recovery Options.
- In Recovery, click the Get Started button below "Reset This PC"
- Choose the option "Remove everything" (screenshot below)
- Choose the Local option for the source of Windows installation media.
- Answer any remaining questions
- The computer will reboot and initiate full system restore and wipe out the user files, and will not require further input from the user to confirm this operation.
This confirms that it's entirely possible to initiate a full System Restore with erasure of user data directly from the Windows environment without going through a reboot process or shell. Therefore remote users and also applications could initiate this process with no need for a local user to be present. (Thanks @starcat for your input also)
This opens up another set of possible sources for this reset: it could have been an app that initiated the reset, or it could have been a remote user. It seems the most likely scenario would be the new Malwarebytes software, since the reset happened very shortly after installing MB. But MB support assured me their software has no ability to perform this type of action. I suppose it could have been dormant malware, which was triggered to run a system restore upon detection of the new MB software, but that doesn't seem likely as we were already running another version of the paid Malwarebytes product on this PC before upgrading to MB EDR.
TLDR: I'm still stumped, but there are a lot more possibilities to initiate such a system restore than I originally thought.
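An added triage script (not part of the original post, and not something the poster ran) for the situation described above: it collects the artifacts a "Reset This PC" run tends to leave behind and the event that names the process and account behind a restart. The `$SysReset` folder location, the MDM diagnostics log name and the log search patterns are assumptions noted in the comments; run it in an elevated PowerShell on the affected machine.

```powershell
# Post-reset triage (added example, not from the original post).
# Assumptions are marked inline. Run elevated on the machine in question.

# 1. OS install time: a Reset This PC reinstall sets this to the time of the reset,
#    which pins down the window to correlate against door logs, VPN/RDP logs, etc.
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    InstallDate    = $os.InstallDate
    LastBootUp     = $os.LastBootUpTime
    ResetToolExists = Test-Path "$env:SystemRoot\System32\systemreset.exe"   # the binary behind "Reset This PC"
}

# 2. Assumption: Reset This PC leaves a hidden C:\$SysReset folder containing the
#    setup logs from the reset itself (the only pre-wipe material that survives).
$resetRoot = Join-Path $env:SystemDrive '$SysReset'
if (Test-Path $resetRoot) {
    Get-ChildItem -Path $resetRoot -Recurse -Force -File |
        Select-Object FullName, Length, LastWriteTime |
        Sort-Object LastWriteTime

    # Assumption: keywords worth grepping for to see how the reset was requested.
    Get-ChildItem -Path $resetRoot -Recurse -Force -Filter 'setupact.log' |
        Select-String -Pattern 'ResetPC|RemoteWipe|Reset-|PBR' |
        Select-Object Filename, LineNumber, Line
} else {
    Write-Host "No $resetRoot folder found; reset logs are not present."
}

# 3. Event ID 1074 (System log, source User32) records which process and account
#    requested a shutdown/restart and the stated reason. The old System log is gone
#    after a completed reset, so this is mainly useful on a VM repro like the one in
#    the update above, or on other machines you suspect are about to be reset.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace "`r`n", ' ' } }

# 4. Assumption: a wipe pushed through MDM (RemoteWipe CSP) is logged under the
#    device-management diagnostics channel; pull anything mentioning wipe/reset.
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $mdmLog } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Wipe|Reset' } |
    Select-Object TimeCreated, Id, Message
```

Nothing here proves who started the reset; the point is to fix the time of the reinstall and to recover whatever the reset procedure itself logged before the wipe, which is then matched against remote-access and physical-access records for that window.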