
Windows 10 and 11 21H2 Data Wiping Tool Leaves User Data On Disk (tomshardware.com) 36

Microsoft MVP Rudy Ooms has discovered that the built-in Windows data wiping functions leave user data behind in the latest versions of Windows 10 and Windows 11. "This error applies to both local and remote wiping of PCs running Windows 10 version 21H2 and Windows 11 version 21H2," reports Tom's Hardware. From the report: Ooms first discovered that there were problems with the disk wipe functionality provided by Microsoft when doing a remote wipe via Microsoft Intune system management. However, he has tested several Windows versions and both local and remote wiping over the weekend to compile the following summary table [embedded in the article]. At the bottom of the table you can see that both Wipe and Fresh Start options appear to work as expected in Windows 10 and 11 version 21H1, but are ineffectual in versions 21H2. Ooms installed and tested these four OSes, with local and remote wipe operations, then checked the results. The most common issue was the leaving behind of user data in a folder called Windows.old on the "wiped" or "fresh start" disk. This is despite Microsoft warning users ahead of the action that "This removes all personal and company data and settings from this device."

In his blog post, Ooms notes that some users might feel assured that their personal data was always stored on a BitLocker drive. However, when a device is wiped, BitLocker is removed, and he discovered that the Windows.old folder contained previously encrypted data, now non-encrypted. It was also noted that OneDrive files, which had been marked as "Always Keep on this device" in Windows previously, remained in Windows.old too. Ooms has kindly put together a PowerShell Script to fix this security blunder by Microsoft. One needs to run the script ahead of wiping/resetting your old device. Hopefully Microsoft will step up and fix this faulty behavior in the coming weeks, so you don't need to remember to run third party scripts.
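
The leftover-data condition described in the report can be checked on a machine after a reset or wipe. The PowerShell below is an added example, not Ooms's script and not code from the article; the function name `Get-WindowsOldResidue` and the assumption that old profiles sit under `Windows.old\Users` on the system drive are this example's own.

```powershell
# Added example: report user data left under Windows.old after a reset or wipe.
# Assumption: old profiles are at <Root>\Users; -Root defaults to the system drive.
function Get-WindowsOldResidue {
    param([string]$Root = "$env:SystemDrive\Windows.old")

    $usersDir = Join-Path $Root 'Users'
    if (-not (Test-Path -LiteralPath $usersDir)) {
        return   # no Windows.old\Users at this path, nothing to report
    }

    # One row per leftover profile folder (built-in ones such as Public included).
    $profiles = Get-ChildItem -LiteralPath $usersDir -Directory -Force -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $files = @(Get-ChildItem -LiteralPath $p.FullName -File -Recurse -Force -ErrorAction SilentlyContinue)
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        # The report singles out OneDrive files pinned to the device.
        $oneDrive = @(Get-ChildItem -LiteralPath $p.FullName -Directory -Force -Filter 'OneDrive*' -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Profile     = $p.Name
            Files       = $files.Count
            SizeMB      = [math]::Round([double]$bytes / 1MB, 1)
            HasOneDrive = ($oneDrive.Count -gt 0)
            Path        = $p.FullName
        }
    }
}

$residue = @(Get-WindowsOldResidue)
if ($residue.Count -eq 0) {
    Write-Output 'No user profile folders found under Windows.old.'
} else {
    $residue | Sort-Object SizeMB -Descending | Format-Table -AutoSize
    Write-Warning "$($residue.Count) profile folder(s) remain under Windows.old."
}
```

Run it from an elevated session; without administrator rights, unreadable folders are skipped silently and the counts come out low.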

  • by Joe_Dragon ( 2206452 ) on Tuesday February 22, 2022 @06:47PM (#62293541)

    I think that Windows.old gets auto-removed X days after an update? There may even be a GPO to change the timer on that.

    • by King_TJ ( 85913 ) on Tuesday February 22, 2022 @06:58PM (#62293607) Journal

      It does, after 10 days.... but it can still be undeleted using tools like this:

      https://www.easeus.com/file-re... [easeus.com]

    • OK, but does that help anything? "My sensitive, formerly-encrypted data was only available for X days after I donated my machine" is not reassuring.

      Sometimes there's just no substitute for:
      dd if=/dev/zero of=/dev/sdX bs=4M
      • I don't donate my drives. Those get physically destroyed.

        • by slazzy ( 864185 )
          Thermite is fun and works great!
        • If I had the drives FDE protected, I would zero out the volume key sectors, then run hdparm and do an enhanced secure erase, or a secure erase. That is good enough. If I had data that is bound by compliance restrictions, it will be going into the shredder, with a certificate of destruction and a video of it hitting oblivion to make the auditors happy. Otherwise, I'll zero out the drives and repurpose them, especially if the previous data was encrypted via BitLocker, LUKS, VeraCrypt, or another utility.

      • hdparm --user-master user --security-erase password /dev/sdX; # or

        nvme format /dev/nvmeX --ses=1; # For NVMe SSDs

        You want to have the controller guarantee proper wiping, you also get the benefit of wiping it all in a flash!
        • You can also use the blkdiscard command. If the SSD supports the "-s" option, if you do a "blkdiscard -s -v /dev/sdwhatever", it ensures that all data on the drive is gone, as the SSD controller went in and erased all the free pages. Even without supporting the "-s", the SSD controller will eventually get around to wiping stuff.

          However, hdparm or the nvme command are a lot better, as they actually tell the drive to do a secure erase, not just clean up blocks.

      • by hawk ( 1151 )

        I prefer

              yes "why are you reading this, you nosy bastard? "

        as my data source . . .

  • ... without prior data. Not a bug but a feature.
  • by bill_mcgonigle ( 4333 ) * on Tuesday February 22, 2022 @07:10PM (#62293641) Homepage Journal

    Just another programming error!

    I guess nobody read Snowden's slides after all.

  • by MrKaos ( 858439 )

    Yet hundreds of thousands of perfectly good hard drives are shredded because there is an assumption that the dd [man7.org] command and the vendor's own secure erase options don't work properly.

    crazy.

    • by Dwedit ( 232252 )

      Not all shredded hard drives are "perfectly good", they might be too old and low-capacity to be worth the power required to run them.

      • I'm sure someone could make use of them. If you sold them on government surplus sites for just the cost of processing and shipping, I'd bet you'd have takers. Like a version of the 1033 program for a social good instead of making sure every podunk small town sheriff is equipped like the US military.
    • Drives are cheap - it's much simpler to trust a sledge hammer than some untested, closed source tool written by the same guys who make a hot mess out of hard drive firmware. Properly executed 'dd' is probably good enough for your average person, but yet again - why spend all the time and effort for a used drive? Of course against a well funded adversary - anything short of total destruction isn't likely to be reliable due to magnetic remenance (sp?), internal block remappings, caching, etc.

      • by MrKaos ( 858439 )

        Drives are cheap - it's much simpler to trust a sledge hammer than some untested, closed source tool written by the same guys who make a hot mess out of hard drive firmware. Properly executed 'dd' is probably good enough for your average person, but yet again - why spend all the time and effort for a used drive?

        Because there is a market for used gear and a lot of perfectly ok gear, including functional motherboards, are destroyed. Frankly a better motivator would be to allow the techs that look after the gear to be responsible for wiping the data and then give it to them as a bonus to their pay if they wanted it.

        Of course against a well funded adversary - anything short of total destruction isn't likely to be reliable due to magnetic remenance (sp?), internal block remappings, caching, etc.

        Maybe I'm missing something but I've spent a fair bit of time recovering data from filesystems that have barfed and if you can't recover the superblock from one of the spare locations on the disk the data

    • The fact is, modern file systems are too complex to do "surgical" erasure. Only a complete wipe, up to and including mbr's and boot sectors, is even close to acceptable.

      If you fear more than a software attack, then even what constitutes a "complete wipe" using low level formatting tools, becomes questionable.
      • by MrKaos ( 858439 )

        The fact is, modern file systems are too complex to do "surgical" erasure. Only a complete wipe, up to and including mbr's and boot sectors, is even close to acceptable.

        Which is exactly what dd would do.

        If you fear more than a software attack, then even what constitutes a "complete wipe" using low level formatting tools, becomes questionable.

        If your data is *that* sensitive then you are probably one of the few who could justify a complete physical destruction of the drive. For most others good asset management processes would suffice.

      • This is what full disk encryption is for. Be it BitLocker, LUKS, FileVault, or even ZFS's subvolume based encryption. I try to have everything that sits on platters encrypted. What this gives is assurance that a simple erase of a drive is good enough to guarantee that the data is history for everyone and anyone, up to a rich nation-state (and if someone like that wants my stuff, I'm hosed anyway.)

        However, disk encryption and what gets stored on drives is just one link in the security chain. There are ma

  • by Anonymous Coward
    Given modern mass storage devices are usually flash-based - and not overwriting previously allocated pages but assigning new ones - what's the point of overwriting a file with zeros and/or random data before deleting a file? The data will still be resident on now-unallocated pages inside the device.
    • by gweihir ( 88907 )

      File overwrite on flash-based media can be and often is completely worthless. However, disk-overwrite is not.

      If you overwrite the disk with random data, it has no choice but to overwrite the data storage area as well. That is why you do a full overwrite. Sure, on flash some buffer areas can retain data. That is why you also issue a "secure erase" command. And finally, if the data is critical enough, you add physical destruction.

      • how about writing a file/files full of 0s to fill the whole space of the flash media? This should defeat the controller's block reallocation system.

        • how about writing a file/files full of 0s to fill the whole space of the flash media?

          Because either the filesystem or an intelligent controller may compress and/or de-dupe the zeros.

          It is better to write random data.

        • by gweihir ( 88907 )

          Many Flash drives recognize zero-sectors and treat them specially, and never write them to "disk". Hence a zero-overwrite may or may not work.

      • by CaptQuark ( 2706165 ) on Wednesday February 23, 2022 @04:57AM (#62294665)

        Actually, using multi-pass overwrite on a Solid State Drive (SSD) is ineffective in the short term or potentially damaging in the long term, due to a feature in SSDs called Wear Leveling.

        The best way to wipe an SSD is using either a vendor or BIOS supplied utility that invokes the Secure Erase routine built into most new SSDs. Here is a good article that explains the limitations and processes for wiping SSDs. https://www.makeuseof.com/tag/... [makeuseof.com]

        • by gweihir ( 88907 )

          Actually, using multi-pass overwrite on a Solid State Drive (SSD) is ineffective in the short term or potentially damaging in the long term, due to a feature in SSDs called Wear Leveling.

          It really depends. What is ineffective is a multi-pass overwrite of a _file_. What is at least somewhat effective and must be is a multi-pass overwrite of a _drive_.

  • Perhaps MS is copying user data to Edge so it can be shipped out. I don't use Edge, there should be nothing in the cache.
  • by kmoser ( 1469707 ) on Tuesday February 22, 2022 @09:04PM (#62293963)
    Did the Windows data-wiping tool mistakenly leave some of your data on disk? It's ok, your next Windows Update will wipe *all* your data.
  • ... to unroll a few more squares of Windows to wipe properly.

    1. Boot from a Linux live USB stick, use hdparm [lsu.edu] to secure-erase the drive, or "nvme sanitize" [archlinux.org], whatever method your drive might support.
    2. Use a specialty tool from the drive manufacturer that claims to provide secure data deletion.
    3. There are commercial solutions that claim to do whole-drive erasure, presumably with a friendlier front-end for the less technically inclined, but I don't know much of anything about them.
  • I think you misspelled Oops.
