Reset is the ultimate removal. Or is it?
Technically, yes — certain types of malware can survive a reset.
Pragmatically, though, these types of malware are very rare, especially if you take a couple of additional steps as you “remove everything”.
Become a Patron of Ask Leo! and go ad-free!
There are certain types of malware that can persist across a “Reset this PC” operation, including some types of rootkits, malware that installs into recovery or other partitions, or malware that installs into your computer’s firmware. These types of malware are rare. “Reset this PC” also has different levels of “reset” that may preserve files including malware. Regardless, it’s much more common to unwittingly re-install the malware as part of the steps taken or software downloaded as you rebuild the reset PC.
Persistent, resistant, malware
I’ll say there are three places malware could, in theory, survive the default “Remove everything” option in Windows 10’s “Reset this PC”.
Rootkits. A rootkit is a form of malware that takes additional steps to hide its existence from the operating system. This means that when “Reset this PC” deletes the existing files on a hard disk (or moves them aside into Windows.old) the rootkit could survive to re-infect the resulting clean installation of Windows.
Partitions. Malware could install itself, or a copy of itself, into one of the reserved partitions, including the recovery partition from which Widows will be reinstalled. The fresh copy of Windows could then come with malware.
Firmware. Some malware infects the firmware on your machine, such as your BIOS or UEFI. By definition, this is the software that runs on every boot up and manages access to certain hardware. It’s not affected by “Reset this PC”.
Everything isn’t always everything
If you chose to “Reset this PC”, one of the options you you select is how to remove your files.
The default is to “just” remove your files. This is, presumably, the equivalent of a normal delete. The “less secure” comment acknowledges that some files could be recovered after the reinstall, using data recovery tools.
It also means that a rootkit could be overlooked and not deleted.
Click on “Change settings” to expose an additional option.
The warning that “Data erasure” can take hours implies that this option formats the drive — meaning any and all files (including rootkits) on the system partition will be removed prior to the installation.
But it’s still not really “everything”.
Start with an empty drive
The only way to really make sure that everything on the hard drive is truly removed is to boot from a Windows 10 Setup disk and reinstall Windows 10 from scratch. In other words, don’t use “Reset this PC” at all, because it relies on possibly compromised software in those hidden partitions.
Even then, there are additional steps to take.
You’ll be asked what type of installation you want.
Choose Custom, which presents a list of partitions on the disk.
My recommendation is that you carefully delete each listed partition (click on each in turn, and click Delete). Then click on New to create a new partition out of unallocated space. Windows Setup may create more than one partition. Click on each, and click on Format to format it into a drive for use by Windows Setup.
Then continue to install Windows normally.
But even that doesn’t cover “everything”.
The firmware dilemma
Malware entrenched in firmware is significantly more difficult to remove.
You can try the procedure outlined by your computer’s manufacturer to update your UEFI or BIOS, even if you’re “updating” it to the same version as already installed.
Other devices that could be compromised may or may not have similar procedures for updating or replacing their firmware. The problem here is knowing which are installed on your system, and whether this is an option for them.
There’s no easy answer when it comes to firmware.
You could easily become very concerned at this point.
I hear from people all the time who are absolutely convinced they have malware that cannot be removed — be it in their BIOS, UEFI, or somewhere else.
As long as I’ve been doing this, I have yet to encounter it. Not once. As I said, it’s extremely rare. There’s always been some other, fixable explanation.
If you really suspect this is the case on your machine, take it to a professional for more detailed analysis before throwing in the towel.
Just because something is possible doesn’t mean it’s likely.