
I got called out on a support call today where the computer had completely reloaded Windows 10 from scratch. All existing customer data, configuration, apps, etc were gone. There wasn't even anything in the Windows.old folder.

It appears to have happened last night around 4-6 pm, and the manager tells me nobody was using the computer since last week.

When powering it up, it went through the Welcome To Windows screens and required a user to be created.

I am not aware of any way to trigger a complete system wipe and reinstall without user interaction, so I am pretty sure this had to be user-initiated.

Testing the hard drive indicates a good drive - no errors/bad sectors.

Is there anything that comes to mind that could trigger this, or should we assume someone was using the PC without authorization and triggered the wipe to cover their tracks?

Thanks for any insight.

UPDATE: I have conducted some tests on a VM and I can confirm: it is possible to initiate a full system restore and deletion of all user data from within Windows (no need to reboot into EFI or Windows Boot). The process is as follows:

  1. Open Settings (gear) app and search for Recovery Options.
  2. In Recovery, click the Get Started button below "Reset This PC"
  3. Choose the option "Remove everything" (screenshot below)
  4. Choose the Local option for the source of Windows installation media.
  5. Answer any remaining questions
  6. The computer will reboot and initiate full system restore and wipe out the user files, and will not require further input from the user to confirm this operation.

This confirms that it's entirely possible to initiate a full System Restore with erasure of user data directly from the Windows environment without going through a reboot process or shell. Therefore remote users and also applications could initiate this process with no need for a local user to be present. (Thanks @starcat for your input also)

This opens up another set of possible sources for this reset: it could have been an app that initiated the reset, or it could have been a remote user. It seems the most likely scenario would be the new Malwarebytes software, since the reset happened very shortly after installing MB. But MB support assured me their software has no ability to perform this type of action. I suppose it could have been dormant malware, which was triggered to run a system restore upon detection of the new MB software, but that doesn't seem likely as we were already running another version of the paid Malwarebytes product on this PC before upgrading to MB EDR.

TLDR: I'm still stumped, but there are a lot more possibilities to initiate such a system restore than I originally thought.
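As an added defender-side example that is not part of the original post: a PowerShell audit script that collects the traces a push-button reset leaves or destroys, so an administrator can tell a "Reset this PC" run from inside Windows apart from a bare-metal reinstall and see which process or account requested the reboot. Everything in it is an assumption of this example rather than something taken from the question: the OS install date and last boot time come from Win32_OperatingSystem, the $SysReset folder and Windows.old are the artefacts a reset writes or empties, event 1074 (source User32, System log) is the standard record of who requested a restart, event 4688 only exists if process-creation auditing is enabled, and systemreset.exe is taken to be the binary behind the Settings > Recovery flow. Because "Remove everything" also destroys the local event logs, this has to run on a machine before it is wiped, or against centrally forwarded logs, not on the box after the fact.

```powershell
# Added example, not code from the original post.
# Run as Administrator on Windows 10. Event IDs used: 1074 (User32, System log),
# 4688 (Security log, requires "Audit Process Creation" to be enabled).

$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    InstallDate = $os.InstallDate      # a recent date on a long-deployed machine means a reinstall
    LastBoot    = $os.LastBootUpTime
} | Format-List

# Push-button reset writes its logs under $SysReset; a clean install from media does not.
$resetLog = Join-Path $env:SystemDrive '$SysReset\Logs\setupact.log'
if (Test-Path $resetLog) {
    "Reset this PC evidence found: $resetLog"
    Get-Content $resetLog -Tail 5
} else {
    'No $SysReset logs: reset was not run from within Windows, or the logs were wiped.'
}

# Windows.old is populated after an upgrade or in-place reinstall and
# empty or absent after "Remove everything".
$old = Join-Path $env:SystemDrive 'Windows.old'
if (Test-Path $old) {
    $n = (Get-ChildItem $old -Recurse -File -ErrorAction SilentlyContinue | Measure-Object).Count
    "Windows.old exists with $n file(s)"
} else {
    'Windows.old is absent'
}

# Event 1074 records which process asked for the restart and on whose behalf.
# A restart requested by systemreset.exe, or from a remote session, is the thing to look for.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

# With process-creation auditing on, 4688 shows which account launched the reset UI.
# Assumption: systemreset.exe is the executable behind Settings > Recovery > Reset this PC.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'systemreset\.exe' } |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Process = ($data | Where-Object Name -eq 'NewProcessName').'#text'
        }
    } | Format-Table -AutoSize
```

The useful output on a fleet is the 1074 and 4688 records forwarded off the machine: the local copies do not survive the reset, which is exactly why the question has no answer from the wiped PC alone.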

  • There would have to be a significant hardware event (bad disk) for Windows to try its own repair, but you say the disk is good, so likely user initiated in this case
    – anon
    Commented Sep 7, 2022 at 18:53
  • There would be nothing that would happen automatically that would cause a Reset to happen. Sounds like Windows was reinstalled outside of Windows which is the only way I know to avoid Windows.old from being generated
    – Ramhound
    Commented Sep 7, 2022 at 20:20
  • To clarify, windows.old exists, but it is an empty folder. Commented Sep 7, 2022 at 20:28
  • I ran an extended test on the disk with WD tools, but it came back clean. Commented Sep 7, 2022 at 20:28
  • Was the machine managed as part of a corporate network and might it have been wiped remotely, either accidentally or on purpose?
    – StarCat
    Commented Sep 7, 2022 at 20:59

1 Answer

You should be concerned the hard drive could have been switched and that is the reason for the reinstall. Customer data could be stolen rather than lost. If the machine has tamper switches, it would be a good thing to check.

  • As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.
    – Community Bot
    Commented Sep 7, 2022 at 19:02
  • The system did a reload from the recovery partition, so it seems unlikely the drive was switched due to theft
    – anon
    Commented Sep 7, 2022 at 19:07
  • @John: The whole disk could have been cloned and then the new disk was reset.
    – harrymc
    Commented Sep 7, 2022 at 19:08
  • @John the system won't use the recovery partition without human intervention, so it is not as unlikely as you think. You need to go in advanced options from the repair screen to get the reset options.
    – moo
    Commented Sep 7, 2022 at 19:20
  • That is what I said in my first comment.
    – anon
    Commented Sep 7, 2022 at 19:21
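As an added example that is not part of the answer above: the drive-swap scenario it raises can be checked without tamper switches by keeping a baseline of each machine's physical disk identity and comparing it later. This PowerShell script is an assumption of this example, not anything the thread describes: the baseline path C:\ProgramData\DiskBaseline.json is an arbitrary placeholder, and it relies on the firmware exposing a serial number through Win32_DiskDrive. A disk with the same model and size but a different serial is exactly the "cloned to a new disk, old disk taken" case harrymc's comment describes.

```powershell
# Added example, not code from the answer or its comments.
# Usage:  .\Check-DiskIdentity.ps1 -Record      (once, when the machine is known good)
#         .\Check-DiskIdentity.ps1              (later, to compare against the baseline)
param(
    [string]$Baseline = 'C:\ProgramData\DiskBaseline.json',   # placeholder path, choose your own
    [switch]$Record
)

function Get-DiskIdentity {
    # One record per physical disk; serial number is the stable identifier.
    Get-CimInstance Win32_DiskDrive |
        Sort-Object Index |
        ForEach-Object {
            [pscustomobject]@{
                Index  = $_.Index
                Model  = $_.Model
                Serial = ([string]$_.SerialNumber).Trim()
                SizeGB = [math]::Round($_.Size / 1GB)
            }
        }
}

$now = @(Get-DiskIdentity)

if ($Record) {
    $now | ConvertTo-Json | Set-Content -Path $Baseline
    "Baseline recorded for $($now.Count) disk(s) to $Baseline"
    return
}

if (-not (Test-Path $Baseline)) {
    throw "No baseline at $Baseline; run with -Record first."
}
$then  = @(Get-Content $Baseline -Raw | ConvertFrom-Json)
$known = @($then | ForEach-Object { $_.Serial })

# Report each present disk; a serial missing from the baseline means the hardware changed,
# regardless of what the operating system on it now looks like.
foreach ($d in $now) {
    if ($known -contains $d.Serial) {
        "OK       disk $($d.Index) $($d.Model) $($d.SizeGB)GB serial $($d.Serial)"
    } else {
        "CHANGED  disk $($d.Index) $($d.Model) $($d.SizeGB)GB serial $($d.Serial) not in baseline"
    }
}

# Disks that were in the baseline but are no longer present are the other half of a swap.
foreach ($s in $known) {
    if (-not ($now | Where-Object Serial -eq $s)) {
        "MISSING  baseline serial $s is no longer installed"
    }
}
```

Store the baseline somewhere the machine itself cannot rewrite (an inventory system or a share the endpoint can only read), since a reset that wipes the system drive would also take a locally stored baseline with it.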
