Microsoft TechNet: 10 Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore
I know it seems drastic, but the only real way to fix a computer once it has been compromised is to start over from a known good source. For most people that means a reinstall from the original media. The reason is the law itself: once someone else's code has run on your machine, everything the machine tells you about itself (the process list, the file system, the results of a scan) may have been altered by that code, so there is no way to prove you got all of it. That matters most on servers, where things have to be secure and there can't be any uncertainty, but even if you don't feel your PC requires that much, it is often simply easier to start over. Rather than trying to find and remove all the bad stuff while not removing anything good, it can be faster to back up your data and reinstall. Malware keeps getting more advanced; some programs now run redundant processes that restart each other if you terminate one. There are still ways around that, but the old habit of Ctrl+Alt+Deleting the bad program won't do much against it.
I’ve seen people spend hours upon hours tracking down the cause of a problem and then working out exactly what to disable and what to delete to get rid of it. Add some faulty information (common on message boards, which is where people usually end up finding a “solution”) and you either don’t remove all of it or you remove something you weren’t supposed to.
On the other hand, I can format my Windows drive and have it reinstalled and running in about an hour. I have my system set up in a way that makes this much easier, and I have more practice at it, but if you do backups regularly, or at least arrange your data so it’s easy to back up, you can probably still get out with only a few hours invested. As long as you copy back only your data, and not programs, scripts or anything else executable from the old install, you can be confident that nothing unwanted is left on the system, and you generally benefit from a fresh install anyway (less junk means a faster PC).
Use a slipstreamed install CD (one with the latest service pack already integrated, so the fresh install isn’t unpatched from the moment it first boots) along with a custom answer file, and you can do a complete reinstall automatically with exactly the install options you want. With the proper answer file you won’t have to sit around hitting Next for an hour; the install takes only about as long as actually copying the files.
Here are some tips that should make things faster:
- Partition
If you divide your drive into several volumes, it is much easier to keep your own files in one place and all the system stuff in another. That way you can format the system volume without touching the data volume at all.
- Customize Windows
Tweaking your Windows install also makes it easier to separate the data from the system stuff you want to reinstall. Once the disk is partitioned, the ProfilesDir setting in the answer file puts all user account data on a different drive, so per-user settings and desktop items land there instead of on the system volume. The old profiles won’t be picked up as-is once you’ve reinstalled (even with the same names, the new accounts get different security IDs, so the old folders belong to SIDs that no longer exist and you will have to take ownership of them), but at least the files are there for easy recovery. Likewise, ProgramFilesDir and CommonProgramFilesDir let you put the “Program Files” directory elsewhere. Programs that keep settings in the registry won’t work on the fresh install until you rerun their setup, but some will work without doing anything. Either way you don’t lose anything saved inside a program’s own directory (My Documents has helped with that, but things still get saved in install locations sometimes). Keep in mind that anything copied over from a program directory is executable code from the old install, so reinstalling programs from their original setup files is the safer route.
- Backup
Nobody seems to make backups as often as they should, and many who have automated backups never test them by actually restoring something. If everything was backed up as of yesterday, it’s not a big deal when the system dies today. You don’t need a tape library or a fancy network device to do backups. Copying the stuff you need to another partition means you can wipe the first partition without a second thought. A second physical drive works the same as another partition, but it is also safe if the first drive has a hardware failure. RAID 1 uses two drives to keep a live duplicate of everything you do, so if one drive fails you still have an exact copy. It does not protect against corrupted system files, accidental deletion or other user errors, and it doesn’t protect against malware either: whatever lands on one drive is mirrored to the other immediately. The other downside is that it needs a second matching drive, so you pay twice as much for the same amount of usable space.
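To make the answer-file approach concrete, here is an added example of what such a file can look like for a Windows XP unattended install that keeps the system on C: and puts profiles and Program Files on a data partition D:. It is not from the original post or from Microsoft’s sample files; the drive letters, paths, time zone and placeholder values are assumptions for illustration, and you should generate the real file with Setup Manager (setupmgr.exe from deploy.cab on the install CD) and adjust it.

```ini
; winnt.sif - constructed example answer file, placed in the I386 folder of the
; slipstreamed CD. Assumed layout: Windows on C:, user data on D:.

[Data]
; No AutoPartition=1 here on purpose: partition selection stays interactive so
; you format C: yourself and D: is never touched. Never add Repartition=Yes to
; [Unattended]; it deletes every partition on the first disk, data volume included.
MsDosInitiated="0"
UnattendedInstall="Yes"

[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes
OemPreinstall=No
TargetPath=\WINDOWS
; The target partition is already NTFS; nothing to convert.
FileSystem=LeaveAlone
; The three keys discussed above: keep per-user data and Program Files off
; the system partition so a format of C: leaves them in place.
ProfilesDir="D:\Profiles"
ProgramFilesDir="D:\Program Files"
CommonProgramFilesDir="D:\Program Files\Common Files"

[GuiUnattended]
; Weak settings to avoid: AdminPassword=* leaves the Administrator password blank,
; and a plain-text password here is copied to %SystemRoot%\system32\$winnt$.inf
; on the installed system. Let Setup Manager write the encrypted form instead,
; and delete $winnt$.inf after the install finishes.
EncryptedAdminPassword=Yes
AdminPassword=<encrypted value written by Setup Manager>
OEMSkipRegional=1
; 20 = Central Time (US & Canada); assumed, pick your own index.
TimeZone=20
OemSkipWelcome=1

[UserData]
ProductKey=<your product key>
FullName="Your Name"
OrgName=""
; * lets Setup generate a name; set one explicitly if you prefer.
ComputerName=*

[Identification]
JoinWorkgroup=WORKGROUP

[Networking]
InstallDefaultComponents=Yes
```

The answer file is itself something to protect: it carries the product key and the Administrator credential, so keep it off the data partition you leave in place, and check the installed system for the copy Setup leaves behind before you put the machine back on the network.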