Microsoft Confirms Windows Wiping Tool Leaves User Data on Disk (Updated)
A big security flaw for those wishing to clean a PC to pass it on.
Update 2/25/2022 6:57 PDT:
Microsoft has now confirmed data persistence issues after a wipe with Windows 10 and Windows 11 in an official post. Additional details have been added to the bottom of this story.
Updated Story
Microsoft MVP Rudy Ooms has discovered that the built-in Windows data wiping functions aren't doing their job. In other words, say you want to sell on or recycle a PC system, and you prudently use the "Reset PC > Remove Everything" option. That should be a good way to wipe your drive, but there will still be personal data left behind on the old system. This error applies to both local and remote wiping of PCs running Windows 10 version 21H2 and Windows 11 version 21H2.
"Sorry for ruining your Sunday, but performing a remote or local Wipe on Windows 10 21H2 also leaves the userdata readable in the Windows.old folder" #intune #mem #msintune #mempowered https://t.co/439FCyh59M (February 20, 2022)
Ooms first discovered that there were problems with the disk wipe functionality provided by Microsoft when doing a remote wipe via Microsoft Intune system management. However, he has tested several Windows versions and both local and remote wiping over the weekend to compile the following summary table.
| Windows 10/11 Action | Results |
|---|---|
| Remote Wipe 21H2 | User Data NOT removed from Windows.old |
| Remote Protected Wipe 21H2 | User Data NOT removed from Windows.old |
| Local Wipe 21H2 | User Data NOT removed from Windows.old |
| Local Wipe Cloud Download 21H2 | User Data NOT removed from Windows.old |
| Local Protected Wipe 21H2 | User Data NOT removed from Windows.old |
| Remote Fresh Start 21H2 | User Data NOT removed from Windows.old |
| All Wipe / Fresh Start actions with 21H1 | User data REMOVED from Windows.old |
At the bottom of the table you can see that both Wipe and Fresh Start options appear to work as expected in Windows 10 and 11 version 21H1, but are ineffectual in version 21H2. Ooms installed and tested these four OSes with local and remote wipe operations, then checked the results.
The most common issue was the leaving behind of user data in a folder called Windows.old on the "wiped" or "fresh start" disk. This is despite Microsoft warning users ahead of the action that "This removes all personal and company data and settings from this device."
BitLocker Protection Is Also Removed
In his blog post, Ooms notes that some users might feel assured because their personal data was always stored on a BitLocker-protected drive. However, when a device is wiped, BitLocker is removed, and he discovered that the Windows.old folder contained the previously encrypted data, now unencrypted. He also noted that OneDrive files which had been marked "Always keep on this device" in Windows remained in Windows.old too.
Ooms has kindly put together a PowerShell script to address this security blunder by Microsoft. It needs to be run ahead of wiping / resetting the old device. Hopefully Microsoft will step up and fix this faulty behaviour in the coming weeks, so you don't need to remember to run third-party scripts.
If you must reset or refresh a PC soon, you could restart the reset / refreshed device, go into Windows, and check for and delete the Windows.old files manually. A wipe-free-space utility is then useful to make sure any sensitive data can't be recovered with undelete-style tools. Always double-check the contents of the drive after wiping: you might find your old files not only in Windows.old but also on other storage hardware installed in your PC / laptop.
Microsoft Confirms File Deletion Bug
"When attempting to reset a Windows device with apps which have folders with reparse data, such as OneDrive or OneDrive for Business, files which have been downloaded or synced locally from OneDrive might not be deleted when selecting the “Remove everything” option," Microsoft explained. "This issue might be encountered when attempting a manual reset initiated within Windows or a remote reset. Remote resets might be initiated from Mobile Device Management (MDM) or other management applications, such as Microsoft Intune or third-party tools."
Microsoft goes on to say that "cloud only" OneDrive files are not affected by this particular bug. Microsoft says that it is currently working on a fix that will be delivered in a future update for Windows 10 and Windows 11, but for now, here are two workarounds:
- This issue can be prevented by signing out of or unlinking OneDrive before resetting your Windows device. For instructions, see the "Unlink OneDrive" section in Turn off, disable, or uninstall OneDrive.
- This issue can be mitigated on devices that have already been reset by following the steps in KB5012334—Delete the Windows.old folder using Storage sense in the Settings app.
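The manual check the article describes (look for leftover data in Windows.old after a reset, and remember that BitLocker has been stripped) can be scripted. The following is an added example written for this article, not Ooms' script or anything from Microsoft; it assumes Windows.old sits on the system drive and that the BitLocker PowerShell module is available, and it only reports, leaving removal to Storage Sense as in KB5012334.

```powershell
# Added example (not from the article or from Ooms' script): post-reset audit
# for residual user data. Run in an elevated PowerShell on the device after a
# Reset / Fresh Start, before handing it on.
# Assumptions: Windows.old is on the system drive; Get-BitLockerVolume is
# available (it ships with the BitLocker feature on Windows 10/11).

$old = Join-Path $env:SystemDrive 'Windows.old'

if (-not (Test-Path -LiteralPath $old)) {
    Write-Output "No Windows.old on $env:SystemDrive - the reset left nothing behind."
} else {
    # The bug is specifically about folders with reparse data (OneDrive), so
    # report reparse points separately from ordinary files.
    $items   = Get-ChildItem -LiteralPath $old -Recurse -Force -ErrorAction SilentlyContinue
    $files   = @($items | Where-Object { -not $_.PSIsContainer })
    $reparse = @($items | Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint })
    $sizeMB  = ($files | Measure-Object -Property Length -Sum).Sum / 1MB

    Write-Output ("Windows.old still present: {0} files, {1:N0} MB, {2} reparse points" -f `
        $files.Count, $sizeMB, $reparse.Count)

    # Per-profile summary so the previous owner can see whose data survived.
    $users = Join-Path $old 'Users'
    if (Test-Path -LiteralPath $users) {
        Get-ChildItem -LiteralPath $users -Directory | ForEach-Object {
            $n = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force `
                    -ErrorAction SilentlyContinue).Count
            Write-Output ("  profile {0}: {1} files" -f $_.Name, $n)
        }
    }

    # First few reparse-point paths, typically the OneDrive-synced folders.
    $reparse | Select-Object -First 10 -ExpandProperty FullName
}

# The reset removes BitLocker, so anything in Windows.old is now plaintext.
# Confirm the protection status of every fixed volume, not only the system drive,
# since the article warns that old files can also turn up on other disks.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage |
    Format-Table -AutoSize
```

Once the report shows leftovers, remove Windows.old via Storage Sense as the second workaround describes and then run a free-space wipe, since deleting the folder alone does not overwrite the data.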
Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.
mikeebb: sdelete from Windows Internals has been my go-to for disk wiping. Takes a while to run, but does the job, and the price is right. If I feel like belt & suspenders, I might reformat (full, not quick) or even repartition the disk too, but repartitioning using Disk Management in particular seems not to work with really old hard disks being prepared for disposal. If you really want it destroyed, of course, physical damage is recommended, perhaps after doing a basic wipe, but the story is about Fresh Start so presumably the intent is to re-use the system disk not destroy it. I don't keep Top Secret data on my personal computers, so the ultimate isn't really necessary.
One problem with sdelete is that it might actually destroy an SSD. It zeroes and/or rewrites (multiple times if that's chosen) every sector. Does normal-deleting everything then triggering a TRIM leave recoverable data?
The windows.old thing is a problem if it's appearing after a true keep-nothing Fresh Start. That's a major bug needing a fix.
emike09: I never used the Reset PC function. Clean install and drive wipe is the way to go.
Just pop in your USB Windows installer with CCleaner Portal on it, hit Shift+F10 once in the installer, run diskpart - clean, then install. Once at the setup screen, hit Ctrl+Shift+F3, and the system will reboot to the built-in Administrator account. You'll notice a utility called the System Preparation Tool. I then run a 1-way drive wipe (or 3-way if I knew the drive has sensitive data). If it kills the SSD, not my problem lol. Security first.
After the drive wipe, use the System Prep Tool to enter System Out-of-box experience (oobe) and generalize the system, and have it shut down. When it's booted up next time, it's like a brand new installation of Windows.
If the system is going to someone I know, I'll go an extra step and install all Windows Updates as well as select manufacturer applications, such as Dell Update and Power Manager. I'd use Dell Update to make sure the system has all Dell drivers and firmware updates. This is just a little white glove treatment. If you used Wi-Fi for the updates, remember to forget your SSID when you're done.
Overall, if you're not adding updates, applications, and drivers, it takes about as long as Reset PC. It's the only way of guaranteeing a fresh install of Windows, securely wiped drive, and that new-feeling experience for the next owner. Don't forget to clean the air intakes and wipe the system down with a rag damp with rubbing alcohol as well! Little things go a long way.
chaos133: I prefer to use the SSD manufacturer's Secure Erase utility. It will create a bootable USB in Windows; then restart and follow the prompts, and your SSD is completely erased, and it only takes a few seconds.