Windows built-in data wiping tool is leaving behind sensitive information

Shawn Knight

In brief: Windows users looking to run Microsoft’s Intune disk wipe function might want to reconsider. Microsoft MVP Rudy Ooms recently discovered that performing a remote or local wipe on Windows 10 21H2 or Windows 11 21H2 leaves behind personal data in the Windows.old folder.

According to Microsoft, performing the wipe function “removes all personal and company data and settings” from a device.

Upon further testing, Ooms found the operation did work as advertised on Windows version 21H1 but not on 21H2. Worse yet, it didn’t take much work to read the left-behind files and reach potentially sensitive data, since the wipe also removes the device's BitLocker protection. Not good.

Ooms created a PowerShell script to address the issue until Microsoft can introduce a formal patch. It's available to download from his blog post on the issue, should you be interested.
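A practitioner handing a wiped device on would want to verify the result rather than trust the wipe's success message. The script below is an added example, not Ooms's remediation script and not part of the original article: run on the device after the wipe, it reports whether C:\Windows.old survived, how much data and how many user profiles it still holds, and what state BitLocker is in on the OS volume. The OS volume letter and the presence of the BitLocker module are assumptions.

```powershell
# Added example: post-wipe audit for leftover Windows.old data and BitLocker state.
# Not Rudy Ooms's remediation script. Assumes the OS volume is C: and that the
# BitLocker PowerShell module shipped with the client OS is available.
function Test-WipeLeftovers {
    [CmdletBinding()]
    param(
        [string]$OsDrive = 'C:'   # assumption: OS volume letter
    )

    $result = [ordered]@{
        WindowsOldPresent = $false
        WindowsOldFiles   = 0
        WindowsOldBytes   = 0
        UserProfilesLeft  = @()
        BitLockerStatus   = 'Unknown'
    }

    $old = Join-Path $OsDrive 'Windows.old'
    if (Test-Path -LiteralPath $old) {
        $result.WindowsOldPresent = $true
        # -Force includes hidden/system files; locked files are skipped rather than aborting the audit.
        $files = @(Get-ChildItem -LiteralPath $old -Recurse -File -Force -ErrorAction SilentlyContinue)
        $result.WindowsOldFiles = $files.Count
        if ($files.Count -gt 0) {
            $result.WindowsOldBytes = ($files | Measure-Object -Property Length -Sum).Sum
        }
        # The sensitive part: previous user profiles with documents, browser data and credentials caches.
        $users = Join-Path $old 'Users'
        if (Test-Path -LiteralPath $users) {
            $result.UserProfilesLeft = @(Get-ChildItem -LiteralPath $users -Directory -Force -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name)
        }
    }

    # Guard in case the BitLocker module is absent on this build.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
        if ($vol) { $result.BitLockerStatus = "$($vol.ProtectionStatus) / $($vol.VolumeStatus)" }
    }

    [pscustomobject]$result
}

$audit = Test-WipeLeftovers
$audit | Format-List

# Any leftover profile on a volume without BitLocker protection means the wipe did not do its job.
if ($audit.WindowsOldPresent -and $audit.UserProfilesLeft.Count -gt 0 -and $audit.BitLockerStatus -notmatch '^On') {
    Write-Warning "Wipe left readable user data in $($audit.UserProfilesLeft.Count) profile(s) under Windows.old; re-wipe or remove the folder before handing the device on."
}
```

Run it in an elevated session so the enumeration can descend into the old profile directories; a clean result is WindowsOldPresent = False, and anything else should be treated as a failed wipe regardless of what the management console reports.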

The fiasco brings up a good question. We’ve discussed data backup strategies in the past, but what is your data wiping strategy? Do you rely on software tools to wipe and repurpose or take a hardware-centric approach?

I personally have no problem with handing down old hardware, but I always pull the storage drive and replace it with a new unit as it’s just not worth the risk in my opinion. Once I’m certain I’ve backed up everything I need, I’ll format the old drive before physically destroying it.

Turns out, they’re great for target practice.

Image credit Pixabay


 
When wiping it with a cloth doesn't work, I thought I heard you could do a wipe 8 times consecutively.
 
Part of my job is removing data, so I use Blancco.
And if the drive is broken, I throw it in a machine that cuts it into tiny, tiny pieces.
 
Encrypting the drive would make the leftovers unreadable, I think? Not an expert on this one.
Other than that, I don't know, burning down the drive in a furnace and scattering the ashes should do the trick.
 
Physical destruction is my way of dealing with old drives. From HDDs you can get some nice magnets and mirrors. Sadly, no fun stuff like that from SSDs.
I too like to harvest magnets from the actuators of dead or decommissioned drives. I just run them through a disk wiping utility a couple of times first, and while I'm in the drive getting the magnets I'll pull the platters too and chuck 'em separately.
 
I should make backup copies of the HDDs from my XP machine and throw the originals away intact. That way, whoever finds it will think they've gotten a treasure trove of my personal information, when all it will be is a face full of porn. (Sorry, I meant "erotic art".)

Either that, or donate the drives directly to Joel Osteen's church. I'll bet he'd have a ball with them while flying around in his private jet :rolleyes:
 
Let's do the basics - don't allow dumpster diving or selling direct to eBay.
Let's be truthful - 99% of data is not worth the effort to read it.
The main attack or stupidity is Wetware.
I'm sure drives and paper dumps that end up in the wrong place are mainly greed/fraud.
Paying people to destroy things - and they only pretend to do so - or employees trying to make some money with a secret eBay account.
Bio-hazards, asbestos - yes Sir - you have to pay top dollar (Joe, find a piece of land with an out-of-town landlord - just say you need a paddock for your daughter's 2 horses).
Or just leaving that bag on the metro. I nearly lost my camera bag once in Berlin on the S-Bahn - lucky it was the Zoo Bahnhof stop, so the doors stayed open much longer.
 
Or maybe... just run Eraser on it a couple of times, so that instead of just producing e-waste, maybe, someone less fortunate can still put it to good use.
For hard drives, it takes too much time to run a good low level format to write 0s to the entire drive at least a couple times to really ensure the data is truly gone. Then I would need to find out who wants a 250GB or 500GB, hopefully 7200RPM drive. My guess is not many people would want that at this point when you can get a decent 500GB SSD for ~$50. Plus, I want my magnets and mirrors!

For SSDs, yeah, I wipe those and re-use. The only ones I get rid of are dead ones... which get smashed and e-wasted. Even the 60GB SSDs have some use... sometimes. Not many uses, but sometimes.
 
For hard drives, it takes too much time to run a good low level format to write 0s to the entire drive at least a couple times to really ensure the data is truly gone. Then I would need to find out who wants a 250GB or 500GB, hopefully 7200RPM drive. My guess is not many people would want that at this point when you can get a decent 500GB SSD for ~$50. Plus, I want my magnets and mirrors!

For SSDs, yeah, I wipe those and re-use. The only ones I get rid of are dead ones... which get smashed and e-wasted. Even the 60GB SSDs have some use... sometimes. Not many uses, but sometimes.
I use old SSDs as boot drives in older computers to help speed them up. That, or I'll use them to image an OS onto before a reinstall as a "just in case" thing. They usually float around in a drawer until I forget what's on them. I only keep media like movies, books and long-term backups on HDDs in my NAS. All of my important stuff is encrypted because I store it in the cloud as well as locally, so even if someone got my drives they likely wouldn't be able to get anything from them.

With HDDs being as big as they are it takes too long to do a secure wipe.
 
I use old SSDs as boot drives in older computers to help speed them up. That, or I'll use them to image an OS onto before a reinstall as a "just in case" thing.
My sentiments exactly. As long as the old machine has at least SATA 2 speed, they really fly once you install an SSD. I always spring for the Samsung SSDs, due to their excellent migration software. Slap the OS and programs in on a "$25.00 Saturday night special", make the transfer, and leave it right in the case.

You probably haven't tried to have a copy of Windows 7 activated recently, but it's like pulling teeth. Phone calls, 7 number fields to copy, since M$ won't activate with the product key on the package anymore.

Oh well, at least the number is still toll free, that's some small consolation
 
Personally I just use SDelete from Windows Sysinternals for wiping individual files (I have no need to wipe a disk): https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

You need to use it as a command line tool and typically you'd want to specify the number of passes, but it's a tiny no-nonsense tool that gets the job done for me:
Code:
sdelete -p 3 filename.txt

As someone who has done forensic data recovery your post has given me a brain aneurysm. I'll use the time before the life leaves my body to try and deter anyone else from following your example.

Just because you overwrite a file doesn't mean that file's zeros and ones didn't exist anywhere else on the physical medium at some other point in time. There are hundreds of reasons on a Windows PC why that could happen: NTFS, Shadow Copies, System Restore, Windows Upgrade, disk defragmentation, SSD wear leveling, etc... Heck, if you open a document, make no changes and hit save, it's likely the file was written to another location on your hard drive before Windows just tells the file system the original file's location is now free space.

You are wiping the zeros and ones that the file currently occupies, not every location on the physical drive the files or previous versions of those files may have occupied at earlier times.

If you are passing storage on to anyone else, wipe it. A simple "full format" of the entire drive (not quick format, or some partitions) will completely destroy the original data beyond what is readable by software, and if your concerns go beyond that you should be physically destroying anyway.
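The reply above lists the places where a file's contents can outlive a per-file overwrite. As an added example (not the poster's code, and not part of the thread), the script below enumerates several of them on a Windows 10/11 client so you can see the problem on your own machine: Volume Shadow Copies per volume, System Restore points, a leftover Windows.old from a feature upgrade, and whether each physical disk is an SSD, where wear levelling means a logical overwrite need not reach the cells that held the old data. It assumes an elevated session, since shadow copy and restore point queries require administrator rights, and that the OS volume is C:.

```powershell
# Added example (not the poster's): list places where copies of a "deleted" file's
# contents can still live after a per-file overwrite. Assumes Windows 10/11 client,
# an elevated session, and C: as the OS volume (assumptions).
function Get-ResidualDataSources {
    [CmdletBinding()]
    param([string]$OsDrive = 'C:')

    # 1. Volume Shadow Copies keep blocks as they were before a change; overwriting the
    #    live file leaves the snapshot's copy untouched.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $shadowsByVolume = @($shadows | Group-Object -Property VolumeName | ForEach-Object {
        [pscustomobject]@{ Volume = $_.Name; ShadowCopies = $_.Count }
    })

    # 2. System Restore points are backed by shadow copies; listing them shows when snapshots were taken.
    #    Get-ComputerRestorePoint only exists in Windows PowerShell on client SKUs, so guard the call.
    $restorePoints = @()
    if (Get-Command Get-ComputerRestorePoint -ErrorAction SilentlyContinue) {
        $restorePoints = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    }

    # 3. Windows.old after an upgrade is a full copy of the previous installation, user profiles included.
    $windowsOld = Test-Path -LiteralPath (Join-Path $OsDrive 'Windows.old')

    # 4. Media type: on an SSD the controller decides which physical cells a logical write lands on,
    #    so the cells that held the old data may remain until garbage collection or a TRIM reaches them.
    $media = @(Get-PhysicalDisk -ErrorAction SilentlyContinue | Select-Object FriendlyName, MediaType)

    [pscustomobject]@{
        ShadowCopies  = $shadowsByVolume
        RestorePoints = $restorePoints.Count
        WindowsOld    = $windowsOld
        PhysicalDisks = $media
    }
}

$r = Get-ResidualDataSources
$r.ShadowCopies | Format-Table -AutoSize
"Restore points : $($r.RestorePoints)"
"Windows.old    : $($r.WindowsOld)"
$r.PhysicalDisks | Format-Table -AutoSize

if ($r.ShadowCopies.Count -gt 0 -or $r.WindowsOld) {
    Write-Warning 'Per-file overwrite tools cannot reach these copies; wipe the whole volume before the drive leaves your hands.'
}
```

A non-empty shadow copy list is the common case on a default Windows install with System Protection enabled, which is exactly why the reply recommends a full-volume wipe for anything that is being passed on.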
 
My sentiments exactly. As long as the old machine has at least SATA 2 speed, they really fly once you install an SSD. I always spring for the Samsung SSDs, due to their excellent migration software. Slap the OS and programs in on a "$25.00 Saturday night special", make the transfer, and leave it right in the case.

You probably haven't tried to have a copy of Windows 7 activated recently, but it's like pulling teeth. Phone calls, 7 number fields to copy, since M$ won't activate with the product key on the package anymore.

Oh well, at least the number is still toll free, that's some small consolation
That really annoys me in the case of Windows 11. So much hardware out there just needs an SSD and it's got another decade of life in it for 90% of people. Dirt cheap Core 2 hardware has been the saving grace of many a poor family in my neck of the woods.
Or maybe... just run Eraser on it a couple of times, so that instead of just producing e-waste, maybe, someone less fortunate can still put it to good use.
IF it's a 5+ year old HDD, it's outside of its lifespan anyhow, and the likelihood of a failure increases every day.

If it's an SSD, just reuse it in another one of your systems. If they're not hammered on writes they will usually outlast the machine they are put in.
 
You probably haven't tried to have a copy of Windows 7 activated recently, but it's like pulling teeth. Phone calls, 7 number fields to copy, since M$ won't activate with the product key on the package anymore.
I use Linux A LOT. I duel boot (I know what I said) Windows 10, but I'm trying to get a near-zero performance impact by running a VM in Linux. The only reason I haven't worked too hard on it is that with an SSD, restarting and booting into Windows takes a fraction of the time of actually loading the program I need to use in Windows.
That really annoys me in the case of Windows 11. So much hardware out there just needs an SSD and it's got another decade of life in it for 90% of people. Dirt cheap Core 2 hardware has been the saving grace of many a poor family in my neck of the woods.
I've been playing around with Linux Lite a lot recently; it's amazing how much bloat we have in modern operating systems. If all you need is an internet machine, then a dual core with 2 GB of RAM, preferably 4, is all anyone needs. I have a 4 GB Raspberry Pi 4 and it's one hell of a computer for $50; I'm a firm believer any techie should have one. I picked it up after my friend's laptop was stolen and I gave him my old Raspberry Pi 3. The Pi 3 was "acceptable" but the Pi 4 is an actual desktop replacement.
 
IF it's a 5+ year old HDD, it's outside of its lifespan anyhow, and the likelihood of a failure increases every day.
I think that's only partly true with today's high capacity drives. Due to the high data density, the actuator arm's placement has to be more accurate. So any wear in the mechanism will cause it to "miss the mark", so to speak. (At least that's my theory.)

The only heavily used box I ever retired was an eMachines, circa 2005. The WD Blue 160 GB SATA 1 never missed a beat throughout its lifetime, 13 years, and was working perfectly when I yanked it.

Admittedly, there's one of me, and a half dozen desktops lying around most of the time. But my 2 internet machines are heavily used. I've never had an HDD under 1 TB fail.
 
I use Linux A LOT. I duel boot (I know what I said) Windows 10, but I'm trying to get a near-zero performance impact by running a VM in Linux. The only reason I haven't worked too hard on it is that with an SSD, restarting and booting into Windows takes a fraction of the time of actually loading the program I need to use in Windows.

I've been playing around with Linux Lite a lot recently; it's amazing how much bloat we have in modern operating systems. If all you need is an internet machine, then a dual core with 2 GB of RAM, preferably 4, is all anyone needs. I have a 4 GB Raspberry Pi 4 and it's one hell of a computer for $50; I'm a firm believer any techie should have one. I picked it up after my friend's laptop was stolen and I gave him my old Raspberry Pi 3. The Pi 3 was "acceptable" but the Pi 4 is an actual desktop replacement.
Have you considered running Windows as the primary OS and using Windows Subsystem for Linux to just run Linux at the same time?

I don’t use Linux a lot, but when I do I use WSL.

 
I have another fool-proof way to wipe the drive without destroying it. Find yourself an old electric "bulk eraser" like the ones the audio industry used years ago. Haven't tried it on an SSD, but for all other drives it works flawlessly and to date (after several hundred uses) it has yet to destroy a drive ... but finding one is all but impossible, especially since Radio Shack went away .....
 
If you are passing storage on to anyone else, wipe it. A simple "full format" of the entire drive (not quick format, or some partitions) will completely destroy the original data beyond what is readable by software, and if your concerns go beyond that you should be physically destroying anyway.
I agree with you there but part of my point was that I don't need to take too many measures, and the reason is because I am not passing on storage to anyone else. My needs are much more limited, which is I'll download a file with some financial information, open it to look at it, and then be finished with it. My strategy is more to reduce some risk in case my device gets stolen or somehow I get spyware onto my computer for some amount of time. I know I'm not going to completely protect myself from any data being left over each time I'm done using my computer.

Of course if I was getting rid of a disk drive, I would be wiping the entire hard drive. Realistically it could be useful for me to wipe free space as I go, but I don't have much of value on my system in the first place. Probably the best way to prevent data theft would be to live without any persistent storage at all using a live OS. The security problem with those is keeping your software updated.
 
Have you considered running Windows as the primary OS and using Windows Subsystem for Linux to just run Linux at the same time?

I don’t use Linux a lot, but when I do I use WSL.

Why? My hate for Windows 10 and especially 11 has pushed me away from Microsoft. I'm hoping to eventually live a completely MS-free lifestyle.
 
As someone who has done forensic data recovery your post has given me a brain aneurysm. I'll use the time before the life leaves my body to try and deter anyone else from following your example.

Just because you overwrite a file doesn't mean that file's zeros and ones didn't exist anywhere else on the physical medium at some other point in time. There are hundreds of reasons on a Windows PC why that could happen: NTFS, Shadow Copies, System Restore, Windows Upgrade, disk defragmentation, SSD wear leveling, etc... Heck, if you open a document, make no changes and hit save, it's likely the file was written to another location on your hard drive before Windows just tells the file system the original file's location is now free space.

You are wiping the zeros and ones that the file currently occupies, not every location on the physical drive the files or previous versions of those files may have occupied at earlier times.

If you are passing storage on to anyone else, wipe it. A simple "full format" of the entire drive (not quick format, or some partitions) will completely destroy the original data beyond what is readable by software, and if your concerns go beyond that you should be physically destroying anyway.
Easiest is to delete all of the partitions, then create new ones and do a full format (no quick). It's not quick, as it does a full format (low level), but it ensures that everything is readable even if the drive capacity is reduced.
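The three steps above (remove every partition, recreate one, full format) map directly onto the Storage cmdlets. The function below is an added example, not the poster's code and not from the thread: it refuses to touch the disk Windows booted from, asks for confirmation, then clears the disk including OEM and recovery partitions, lays down a fresh GPT with one partition, and runs a full (non-quick) format, which on Windows Vista and later writes zeros across the whole volume rather than only rebuilding file system metadata. It assumes an elevated session and that the disk number you pass belongs to a secondary data disk; the function name and the 'WIPED' label are my own choices.

```powershell
# Added example (not the poster's): "delete partitions, recreate, full format" in PowerShell.
# Assumes an elevated session and that $DiskNumber is a data disk, not the running OS disk.
# Everything on the chosen disk is destroyed; the IsBoot/IsSystem check and the confirmation
# prompt are the only safety net, so read the disk number from Get-Disk first.
function Invoke-FullDiskSanitize {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [string]$Label = 'WIPED'   # constructed label, any value works
    )

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber holds the running OS; refusing to wipe it."
    }

    $target = "Disk $DiskNumber ($($disk.FriendlyName), $([math]::Round($disk.Size / 1GB)) GB)"
    if (-not $PSCmdlet.ShouldProcess($target, 'Remove all partitions and full-format')) {
        return
    }

    # Step 1: drop every partition, including OEM/recovery ones that diskpart's "clean" would also remove.
    Clear-Disk -Number $DiskNumber -RemoveData -RemoveOEM -Confirm:$false

    # Step 2: fresh partition table and one partition spanning the disk.
    Initialize-Disk -Number $DiskNumber -PartitionStyle GPT
    $part = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter

    # Step 3: -Full writes zeros to every sector of the volume; a quick format would only
    #         rebuild the file system structures and leave the old data in place.
    Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS -NewFileSystemLabel $Label `
        -Full -Force -Confirm:$false | Out-Null

    Get-Volume -DriveLetter $part.DriveLetter | Select-Object DriveLetter, FileSystemLabel, Size, SizeRemaining
}

# Usage: list disks first, then pass the number of the disk to sanitize (prompts before acting).
# Get-Disk | Format-Table Number, FriendlyName, Size, IsBoot, IsSystem
# Invoke-FullDiskSanitize -DiskNumber 2
```

On an SSD the same sequence clears the logical view of the drive, but as noted earlier in the thread, wear levelling means the firmware's own secure-erase command is the more reliable route for flash media.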
 