Can Malware Survive If I Reset My PC?

Can a virus survive Windows 10’s “Reset this PC” and “Remove everything”?

Technically, yes — certain types of malware can survive a reset.

Pragmatically, though, these types of malware are very rare, especially if you take a couple of additional steps as you “remove everything”.

Persistent, resistant, malware

There are three places malware could, in theory, survive the default “Remove everything” option in Windows 10’s “Reset this PC”.

Rootkits. A rootkit is a form of malware that takes additional steps to hide its existence from the operating system. This means that when “Reset this PC” deletes the existing files on a hard disk (or moves them aside into Windows.old), the rootkit could survive to re-infect the resulting clean installation of Windows.

Partitions. Malware could install itself, or a copy of itself, into one of the reserved partitions, including the recovery partition from which Windows will be reinstalled. The fresh copy of Windows could then come with malware.

Firmware. Some malware infects the firmware on your machine, such as your BIOS or UEFI. By definition, this is the software that runs on every boot up and manages access to certain hardware. It’s not affected by “Reset this PC”.

Everything isn’t always everything

If you choose to “Reset this PC”, one of the options you select is how to remove your files.

“Just” remove your files.

The default is to “just” remove your files. This is, presumably, the equivalent of a normal delete. The “less secure” comment acknowledges that some files could be recovered after the reinstall, using data recovery tools.

It also means that a rootkit could be overlooked and not deleted.

Click on “Change settings” to expose an additional option.

The data erasure, or “clean the drive” option.

The warning that “Data erasure” can take hours implies that this option formats the drive — meaning any and all files (including rootkits) on the system partition will be removed prior to the installation.

But it’s still not really “everything”.

Start with an empty drive

The only way to really make sure that everything on the hard drive is truly removed is to boot from a Windows 10 Setup disk and reinstall Windows 10 from scratch. In other words, don’t use “Reset this PC” at all, because it relies on possibly compromised software in those hidden partitions.

Even then, there are additional steps to take.

You’ll be asked what type of installation you want.

Windows 10 Setup: Which type of installation do you want?

Choose Custom, which presents a list of partitions on the disk.

Windows setup partition management.

My recommendation is that you carefully delete each listed partition (click on each in turn, and click Delete). Then click on New to create a new partition out of unallocated space. Windows Setup may create more than one partition. Click on each, and click on Format to format it into a drive for use by Windows Setup.

Then continue to install Windows normally.

But even that doesn’t cover “everything”.

The firmware dilemma

Malware entrenched in firmware is significantly more difficult to remove.

You can try the procedure outlined by your computer’s manufacturer to update your UEFI or BIOS, even if you’re “updating” it to the same version as already installed.

Other devices that could be compromised may or may not have similar procedures for updating or replacing their firmware. The problem here is knowing which are installed on your system, and whether this is an option for them.

There’s no easy answer when it comes to firmware.
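
An added example (not from the original article): a PowerShell inventory of the places discussed above that “Reset this PC” leaves in place, namely the disk’s partitions, the recovery environment, and the firmware version you would compare against the manufacturer’s update. It assumes an elevated PowerShell session on Windows 10; the output column names are illustrative.

```powershell
# Added example: inventory what "Reset this PC" does not rewrite.
# Assumption: run from an elevated PowerShell prompt on Windows 10.

# 1. Partitions. Anything without a drive letter is not shown in File Explorer.
#    These are the entries Windows Setup lists under "Custom" for deletion.
Get-Disk | ForEach-Object {
    $disk = $_
    Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Disk      = $disk.Number
                Model     = $disk.FriendlyName
                Partition = $_.PartitionNumber
                Type      = $_.Type          # e.g. System, Reserved, Recovery, Basic
                Letter    = if ($_.DriveLetter) { $_.DriveLetter } else { '-' }
                SizeGB    = [math]::Round($_.Size / 1GB, 2)
                NoLetter  = -not $_.DriveLetter
            }
        }
} | Format-Table -AutoSize

# 2. Recovery environment. Shows whether Windows RE is enabled and which
#    partition it lives on, i.e. what a reset relies on.
reagentc /info

# 3. System firmware. Record vendor, version and date so they can be compared
#    with the manufacturer's download page before and after re-flashing.
Get-CimInstance -ClassName Win32_BIOS |
    Select-Object Manufacturer, SMBIOSBIOSVersion, ReleaseDate |
    Format-List

# 4. Other firmware Windows knows about. Only devices that expose their
#    firmware to Windows appear here; an empty or short list does not mean
#    no other component carries firmware.
Get-PnpDevice -Class Firmware -ErrorAction SilentlyContinue |
    Select-Object FriendlyName, Status, InstanceId |
    Format-Table -AutoSize
```

Saving the output before a clean install gives you a baseline: after deleting every partition in Windows Setup, only the partitions Setup itself created should be listed.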

Don’t panic!

You could easily become very concerned at this point.

I’ll put it this way: you should never, ever jump to the conclusion that you have persistent malware that cannot be removed.

Never.

I hear from people all the time who are absolutely convinced they have malware that cannot be removed — be it in their BIOS, UEFI, or somewhere else.

As long as I’ve been doing this, I have yet to encounter it. Not once. As I said, it’s extremely rare. There’s always been some other, fixable explanation.

If you really suspect this is the case on your machine, take it to a professional for more detailed analysis before throwing in the towel.

Just because something is possible doesn’t mean it’s likely.

Leo

13 comments on “Can Malware Survive If I Reset My PC?”

  1. Leo –

    Hi. Let’s say my PC gets infected today with one of those nearly impossible to remove malware mentioned in this article. But because of your friendly nagging, I have a disk image (of all disks and partitions) that was created one month ago, which I use to restore my PC.

    By restoring to a disk image that was created definitely before my PC got infected:

    1. Will that definitely (100%) remove the malware from my PC?

    2. Or am I subject to the same malware survival possibilities (via rootkits, reserved partitions, firmware) as a user who performs a Reset This PC?

    3. Which is more likely to remove that persistent malware: Reset This PC or disk image restoration?

    Thanks.

    • 1. 99.9999% yes. (There are no absolutes in this business. Smile)
      2. You could get infected again however you got infected before, but in restoring the image you are NOT(*) infected.
      3. Assuming you know that the image does not, itself, include the infection (i.e. it was created before you became infected) then either will do it. Otherwise, reformat/reinstall, aka Reset this PC, always(*) works.

      (*): 99.9999% — there are no absolutes. Smile

  2. You probably did something which got you the malware in the first place. If the malware comes back, you probably did it again.

  3. I confess, I haven’t read ALL of the article because I still use Windows 7 professional and am still reluctant to upgrade because of practical experiences by both my ex-wife and now, by my new partner with Windows 10. She stubbornly wants to stay with Apple-Mac, after her bad experience with Windows 10.

    This is not to say that I am not interested to know if that problem will persist within Windows 7 but I’m beginning to feel like the poor relation. I know that you have largely migrated to Windows 10 but, and I agree with you, Windows 7 and even Windows XP, are still viable operating systems but we, too, need a little help from time to time.

    Just saying…

    • Yeah, I’m with you, Tom. I’ve heard so many bad things about Windows 10 and its continually, incessantly defective updates that supposedly “fix” one problem only to introduce another one, that I’m sticking with Win7 until Microsoft gets its s**t together. MS needs to stop futzing around with adding features and making unnecessary changes, and throw its resources behind fixing the myriad of defects in Windows 10 once and for all.

    • “…but we, too, need a little help from time to time”. Perhaps. But, you are running a far more reliable OS than W10, so you’re not always running into a mess.

  4. I use Refresh to lock the positions of the shortcut Icons on the desktop when I have them positioned the way I want them. It is frustrating to have them all move to the left of the screen after an update.

  5. Question: Has anyone heard about a diminishing level of malware infections as a result of the pandemic? I ask this because I’ve noticed a significant drop in crank and solicitous phone calls and junk mail. The bright side.

  6. When Reinstalling Windows “bare metal style” just press next after deleting all partitions. Windows knows what to do 😉
