Last August, I wrote an article discussing the different ways to access Safe Mode in Windows 10. The aim was for IT pros to use this knowledge to prevent unauthorized access by users who might unknowingly (or knowingly) cause irreparable damage to a system by using the powerful tools available in the WinRE.
Microsoft has made great strides in providing users at all knowledge levels with simple tools they can use to walk back a PC from errors or general instability without having to call IT for each minor issue that may arise. The problem is that some of these tools lack the proper protections (like authenticating users) to prevent a user from performing a task, such as a system restore, that will roll the computer back to any snapshot available— including the snapshot taken when the system boots for the first time—without any security, apps, or data in place.
This lapse in security is the default behavior for all new Windows 10 installations. Some attacks involve malicious users seizing this opportunity to effectively restore Windows to the initial installation, where they are then walked through the wizard to create a new local administrator account, allowing them to compromise the device wholly. This is a growing concern, especially in settings where large numbers of users share access to computing resources, such as schools and libraries. But it is not without a solution and it's a rather simple one that system administrators will be pleased to know can be deployed in a number of ways. Here's how it works.
SEE: Desktop migration checklist (Tech Pro Research)
Disable System Restore in WinRE
- Log on to a Windows 10 computer with admin credentials.
- Launch the command line, choosing Run As Administrator.
- Enter the following command:
Once the command has executed on the PC, the command prompt will confirm that WinRE has been disabled. That's it! The command must be run per computer, but it need run only once to disable the System Restore functionality from WinRE.
Note: WinRE will still be accessible, though features such as the CLI do incorporate support for authentication and will not run anonymously the way that System Restore did prior to being disabled.
As far as deployment goes, sysadmins can have this run in any number of ways: during imaging sessions as part of their thick-image; as a separate post-installation command during MDT/SCCM; as a scheduled task; through a startup script in Group Policy or Group Policy Preference; through a variety of third-party management suites; or manually, via good ole' fashioned sneakernet. The choice is yours!
- Windows 10 tip: Repair your Windows 10 installation (ZDNet)
- Special report: Cybersecurity in an IoT and mobile world (free ZDNet/TechRepublic PDF)
- Video: 3 tips for proper security in edge computing (TechRepublic)
- How to revive your Windows 10 installation with System Image Recovery (TechRepublic)
- ReAgentC.exe command-line options (Microsoft)
- Get familiar with the Windows 10 Recovery Drive... before you need it (TechRepublic)
- Windows 10 tip: How to enable the built-in Administrator account (and why you shouldn't) (ZDNet)
Have you experienced attacks of this kind? How did you mitigate them and recover? Share your story below in the comments section to help fellow TechRepublic members who may be facing the same issues.
Jesus Vigo is a Network Administrator by day and owner of Mac|Jesus, LLC, specializing in Mac and Windows integration and providing solutions to small- and medium-size businesses. He brings 19 years of experience and multiple certifications from several vendors, including Apple and CompTIA.