Okay people I think I have a compromised laptop!! I’ve tried resetting it, it won’t reset, I can’t change my PIN I need help please. . .ready go!! Any help is appreciated guys!!<3
You can reinstall the complete os with a bootable USB drive by clearing the whole disk.
Your Laptop’s Not Haunted — Here’s Exactly How to Fix It
Your PIN won’t change. Reset won’t work. Something feels deeply wrong. You’re not imagining it — but you’re also probably not doomed. Let’s fix this thing step by step, scariest stuff first.
Do This Right Now (60-Second Triage)
Before you scroll anywhere — do these five things. Don’t skip any of them.
- Kill your internet. Wi-Fi off. Ethernet unplugged. Airplane mode. If something nasty is calling home, you just cut the phone line. Do it now.
- Don’t factory reset yet. Seriously. If this is firmware-level malware, reset does nothing — you just destroyed your evidence for no reason. If it’s just Windows being stupid, there are easier fixes below.
- Try Safe Mode. Hold
Shiftwhile clicking Restart → Troubleshoot → Startup Settings → Safe Mode. If Safe Mode works but normal mode doesn’t? Something ugly is loading at startup that shouldn’t be there. - Check your Microsoft account from your phone. Go to account.microsoft.com on a different device. Can you log in? Change your password? If yes → your account is fine, the problem is local to the laptop. If no → change that password immediately from a clean device.
- Write down what happened. When did this start? What did you install recently? Any sketchy downloads? This info matters later.
Good. You’ve bought yourself time. Now let’s actually fix this.
What This Guide Covers (and How It’s Organized)
A laptop that blocks its own reset and locks you out of PIN changes is one of three things:
- Genuinely compromised — something nasty got root and dug in deep
- Broken in a boring way — Windows being Windows, TPM having a tantrum, a Microsoft account sync gone sideways
- Both — because the universe thinks that’s funny
This guide is organized fix-first. The stuff most likely to actually solve your problem is at the top. The deep forensic rabbit holes are further down for people who want to investigate.
Fix Your PIN — Right Now (Start Here)
Your PIN is probably broken, not stolen. Windows Hello PINs break on their own constantly — especially after the 24H2 update. Here’s how to fix it, from easiest to nuclear, in order.
🔑 Method 1: The 'I Forgot My PIN' Button (Try This First)
This one’s embarrassingly simple but works more often than people expect.
At the login screen:
- Click “I forgot my PIN” below the PIN entry box
- Sign in with your Microsoft account password (the actual password, not the PIN)
- Verify your identity via email or phone code
- Create a new PIN
Didn’t work? Your Microsoft password might also be stuck. Go to account.live.com from your phone and reset the password there first, then try again.
Still nothing? Look for the key icon on the login screen — that’s the password sign-in option. Click it, type your Microsoft account password (not the PIN), and press Enter. Once you’re in, go to Settings → Accounts → Sign-in Options → PIN → Remove → Re-add.
- https://learn.microsoft.com/en-us/answers/questions/4105553/how-do-i-reset-my-windows-pin — Microsoft’s own walkthrough for PIN reset when you can still reach the login screen
- https://droidwin.com/pin-not-working-in-windows-11-how-to-delete-ngc-folder/ — step-by-step with screenshots for when the Settings menu approach also fails
🗑️ Method 2: Delete the NGC Folder (The Real Fix for 90% of PIN Problems)
Here’s what’s actually happening. Your PIN data lives in a hidden folder called NGC at:
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc
If that folder gets corrupted — which happens a lot after Windows updates — your PIN dies. The fix: nuke the folder, let Windows rebuild it.
If you CAN get into Windows (via password or Safe Mode):
Open Command Prompt as Administrator and run these three commands in order:
takeown /f C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /r /d y
icacls C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc /grant administrators:F /t
rmdir /S /Q C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc
What this does: takes ownership of the locked folder → gives yourself permission to touch it → deletes everything inside it. Restart. Windows will ask you to set up a new PIN. Problem solved.
If you CAN’T get into Windows at all:
- At the login screen, click the Power icon
- Hold Shift and click Restart
- Go to Troubleshoot → Advanced Options → Command Prompt
- IMPORTANT: Your drive letter might not be C: in recovery mode. Run this first:
bcdedit | find "osdevice"
That tells you the real drive letter. Replace C: with whatever it says (often D: in recovery).
- Then run:
rd /s /q D:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc
(Replace D: with your actual drive letter from step 4)
- Restart. Set up a new PIN.
- https://www.elevenforum.com/t/renaming-ngc-folder-to-reset-pin-on-win11-partition-without-internet-connection.28819/ — real people troubleshooting the exact drive letter gotcha in recovery mode
- https://www.wisecleaner.com/think-tank/547-How-to-Fix-Unable-Set-Remove-or-Use-Windows-Hello-PIN-on-Windows-11.html — clean walkthrough with the takeown + icacls command chain
- https://learn.microsoft.com/en-us/answers/questions/4062447/cant-reset-windows-hello-pin-and-cant-find-ngc-fol — Microsoft Q&A: what to do when you can’t even find the NGC folder (it’s a permissions thing)
- https://learn.microsoft.com/en-us/answers/questions/2262284/something-happened-and-your-pin-is-not-available-o — the classic “something happened and your PIN isn’t available” error with official NGC fix
⚡ Method 3: certutil -deleteHelloContainer (One-Command Fix for 24H2)
If your PIN broke after the Windows 11 24H2 update — this is probably your fix. Microsoft tightened how Windows Hello verifies your identity, and it broke a TON of PINs that were technically already damaged but working before.
If you can log in with your password:
Open PowerShell (not Command Prompt — PowerShell specifically) and run:
certutil -deleteHelloContainer
That’s it. One command. Restart. Set up a new PIN.
Why this works: The 24H2 update enforces stricter checks on the Hello Container (the encrypted blob that ties your PIN to your TPM chip). If your UPN (User Principal Name) changed at any point — email changed, organization policy shuffled, domain migration — the container becomes invalid. This command deletes the broken container so Windows can build a clean one.
Error codes that confirm this is your problem: 0xC0000064, AADSTS50034, or AADSTS135010 in the output of dsregcmd /status /verbose
- https://patchmypc.com/blog/windows-hello-pin-stops-working-after-the-windows-11-24h2-upgrade/ — the definitive writeup on why 24H2 breaks PINs, plus both the NGC and certutil fixes
- https://smbtothecloud.com/removing-windows-hello-whfb-as-a-sign-in-method-when-its-already-configured-on-devices/ — IT pro guide with PowerShell scripts to detect and remove broken WHfB PIN data, plus SetACL-based cleanup
🔄 Method 4: TPM Reset (When the Crypto Is Just... Gone)
Your PIN is cryptographically glued to your laptop’s TPM chip (Trusted Platform Module). If the glue breaks — which happens after BIOS updates, hardware changes, or random TPM tantrums — no amount of folder deletion fixes it. You need to reset the TPM itself.
From Windows (if you can get in):
Windows Security → Device Security → Security Processor → Security Processor Troubleshooting → Clear TPM → Restart
From BIOS (if you can’t get into Windows):
- Restart and mash
F2,F10,Del, orEscduring boot (depends on your laptop brand) - Find Security → TPM → Clear TPM (wording varies by manufacturer)
- Save and restart
WARNING: Clearing your TPM will invalidate ALL Windows Hello PINs, fingerprints, and face unlock on that machine. If you have BitLocker enabled, make sure you have your recovery key first or you’ll be completely locked out. Check at aka.ms/myrecoverykey from your phone.
After clearing: Windows will ask you to set up new sign-in methods on next boot. Your Microsoft account password still works — only the biometric/PIN stuff resets.
- https://www.elevenforum.com/t/your-pin-is-no-longer-available-cant-log-into-w11-account.13265/ — community walkthrough of the TPM clear process when PIN is completely dead
- https://www.bleepingcomputer.com/forums/t/758532/every-bios-update-requires-a-pin-reset-is-this-bad/ — explains why BIOS updates break PINs (Intel PTT behavior)
- https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/tpm-fundamentals — official docs on TPM lockout (32 wrong attempts = 1 attempt every 2 hours)
- https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm — TPM troubleshooting: clear to factory defaults, auto-initialization, dealing with non-Microsoft TPM drivers
🧊 Method 5: Totally Locked Out? Offline Tools That Bypass Everything
When you can’t get into Windows at all — no PIN, no password, nothing — you need tools that work from outside the operating system entirely. These boot from a USB drive and edit the password database directly.
Option A: chntpw (Offline NT Password & Registry Editor)
The OG of password bypasses. Free, open-source, works from a Linux USB. It directly edits the SAM file (where Windows stores password hashes) to blank out passwords.
How it works:
- Download and burn to a USB on another computer
- Boot the locked laptop from the USB
- It finds the SAM file → shows all user accounts → you pick which one to reset
- Type
1to clear the password → save changes → reboot - Log in with no password → immediately set a new PIN
- http://www.chntpw.com/guide/ — official walkthrough with every step
- https://www.kali.org/tools/chntpw/ — it’s built into Kali Linux, so if you have a Kali USB already, you’re set
- https://github.com/minacle/chntpw — GitHub mirror of the source code
- https://github.com/OothecaPickle/chntpw — another maintained fork
Option B: Medicat / Hiren’s Boot CD PE
These are all-in-one rescue USBs packed with password reset tools, antivirus scanners, disk repair utilities — everything you’d need when a computer won’t cooperate.
Hiren’s Boot CD PE — Windows PE-based, familiar interface, includes NTPWEdit (GUI password editor):
- https://www.hirensbootcd.org/ — official download and instructions
Medicat USB — the Swiss army knife of boot toolkits. Includes Hiren’s tools plus extras like Lazesoft Recovery, NT Password Edit, and more. Larger download but covers more edge cases.
Option C: The utilman.exe / sethc.exe Trick (Classic Bypass)
The oldest trick in the Windows lockout book. You replace the Accessibility program (utilman.exe) or Sticky Keys (sethc.exe) with Command Prompt. Then at the login screen, you press the accessibility button or hit Shift 5 times — and get a system-level command prompt instead.
From WinRE or a boot USB:
cd /d C:\Windows\System32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe
Reboot. At the login screen, click the accessibility icon (bottom-right). Command prompt opens with SYSTEM privileges. Create a new admin account:
net user TempAdmin YourPassword123 /add
net localgroup administrators TempAdmin /add
Log in with the new account → fix your original account’s PIN → delete the temp account → rename utilman.exe.bak back.
Note: This won’t work if BitLocker is active (the drive is encrypted and you can’t access System32 without the recovery key). Also won’t work on the latest 24H2 builds that have additional integrity checks — but still works on most machines.
- https://learn.microsoft.com/en-us/answers/questions/4042445/windows-11-forgot-pin-and-cant-use-other-sign-in-o — Microsoft community thread walking through the WinRE command prompt method
- https://learn.microsoft.com/en-us/answers/questions/3987263/resetting-local-windows-10-password — the net user approach from recovery command prompt
🔍 Method 6: Phantom Organization Policies (The Invisible Blocker)
Your laptop might think it belongs to a company when it doesn’t. You’ll see stuff like “Your organization requires you to change your PIN” — but you don’t have an organization. Ghost registry keys from a previous setup (school account, work trial, whatever) are messing with you.
Check your device registration status:
dsregcmd /status
Look for AzureAdJoined: YES or DomainJoined: YES. If either shows YES and you’re NOT part of any organization — that’s your problem.
Fix it:
- Open Command Prompt as Admin
- Run
dsregcmd /leaveto disconnect from the phantom organization - Check the registry at
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork— if that key exists and you’re not on a work device, delete it - Delete the NGC folder (Method 2 above)
- Restart → set up new PIN
- https://learn.microsoft.com/en-us/answers/questions/1807273/how-to-remove-your-organization-requires-that-you — the exact phantom policy problem and registry fix
- https://patchmypc.com/blog/windows-hello-pin-stops-working-after-the-windows-11-24h2-upgrade/ — covers how 24H2 made this issue way more visible
Try these in order. Method 2 (NGC delete) fixes the majority of cases. Method 3 (certutil) catches most 24H2 victims. If you’re still stuck after all six methods, keep reading — the next sections cover malware removal in case this is actually a compromise.
Clean the Infection (If It’s Actually Malware)
So your PIN is fixed (or you’re still suspicious despite the fix working). Time to scan for actual malware. The trick: layers. No single scanner catches everything. You need to stack them.
🛡️ Step 1: Run the Free Scanner Stack (Do All Three)
Think of this like a three-pass car wash. Each scanner catches different stuff. Run them all in this order.
Pass 1: Malwarebytes (catches the obvious stuff)
Download the free version. Run a full scan, not a quick scan. Quarantine everything it finds. This catches the majority of common malware — adware, trojans, PUPs, most ransomware.
Pass 2: AdwCleaner (catches the sneaky browser/adware junk)
Same company (Malwarebytes), different engine. This specifically targets adware, toolbars, browser hijackers, and PUPs that the main scanner sometimes misses. Free, portable, no install needed.
Pass 3: HitmanPro (the second-opinion scanner)
This one uses multiple engines (cloud-based). It’s the “what did the other two miss” scanner. Free 30-day trial, and one scan is all you need.
Run all three in Safe Mode if possible. Some malware actively blocks scanners in normal mode.
- https://malwaretips.com/blogs/remove-malware-windows-11/ — step-by-step walkthrough of this exact three-scanner stack with Safe Mode instructions
🔍 Step 2: Microsoft's Own Scanners (Already On Your Machine)
Windows Defender isn’t useless — it’s actually decent when you use it right. The trick is using the offline version.
Microsoft Defender Offline Scan
This boots into a special recovery environment BEFORE Windows loads — so malware can’t hide from it. It’s the only way Defender can catch rootkits and bootkits.
How to run it:
Windows Security → Virus & Threat Protection → Scan Options → Microsoft Defender Offline Scan → Scan Now
Your laptop will restart into the recovery environment, scan everything, and boot back to Windows with results.
Microsoft Safety Scanner (MSERT)
Portable, no install needed, downloads fresh signatures every time. Good for a second opinion when you don’t trust the built-in Defender.
- https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-offline — Defender Offline scan: boots into WinRE, detects rootkits/bootkits before the OS loads
- https://learn.microsoft.com/en-us/defender-endpoint/safety-scanner-download — Safety Scanner: portable, no install, fresh signatures, expires after 10 days
- https://support.microsoft.com/en-us/topic/remove-specific-prevalent-malware-with-windows-malicious-software-removal-tool-kb890830-ba51b71f-39cd-cdec-73eb-61979b0661e0 — MSRT: the monthly malware removal tool from Windows Update you probably never knew existed
🐛 Step 3: Rootkit Hunting (The Deep Scan)
Regular antivirus doesn’t catch rootkits. Rootkits hide at the kernel level — they literally modify how your operating system reports information, making malware invisible to normal scanners. You need specialized tools.
The recommended combo for Windows 11:
Malwarebytes Anti-Rootkit (MBAR) + Kaspersky TDSSKiller — run both. MBAR catches kernel-mode rootkits, TDSSKiller specializes in the TDSS/TDL4 family and bootsector infections.
GMER was the gold standard for years, but it has compatibility issues with Windows 11. MBAR + TDSSKiller is the modern replacement combo.
What rootkit scanners actually check:
- Hidden processes (running but invisible to Task Manager)
- Hidden registry keys (configurations that normal tools can’t see)
- Hidden drivers (kernel modules loaded without appearing in device manager)
- Modified system calls (the OS has been taught to lie about what’s running)
- Boot sector modifications (something changed the boot chain)
The layered approach (from a real technician’s field guide):
RKill (to stop active malware) → MBAR scan → TDSSKiller scan → Malwarebytes full scan → ComboFix if needed
This ordering matters. RKill terminates known malware processes first so the scanners can actually do their job.
- http://www.gmer.net/ — GMER: kernel-oriented rootkit detector, portable, but limited Win11 support
- https://www.comparitech.com/antivirus/best-free-rootkit-removal-scanner/ — roundup: GMER, TDSSKiller, chkrootkit, rkhunter, Trend Micro RootkitBuster
- https://www.thewindowsclub.com/free-rootkit-remover-scanner-reaveler — master list: TDSSKiller, Bitdefender rootkit tool, McAfee CLI tool, Sophos, GMER, aswMBR
- https://www.technibble.com/rootkit-detection-and-removal-tools/ — real technician field guide: GMER as first-go-to, TDSSKiller finding what others miss, the RKill→MBAR→ComboFix layered approach
- https://malwaretips.com/threads/what-are-the-best-rootkit-scanners.79698/ — community debate: TDSSKiller vs Norton Power Eraser vs aswMBR vs MBAR vs PCHunter
- https://en.actualidadgadget.com/How-to-detect-rootkits-and-hidden-processes-in-Windows-11/ — Win11-specific: MBAR + TDSSKiller preferred over GMER, Sysinternals combo, netstat -ano, bootrec MBR repair
🔗 Step 4: Persistence Mechanism Cleanup (Why Malware Keeps Coming Back)
Deleted the malware but it came back after reboot? That’s persistence. Malware hides startup commands in dozens of places across Windows. A rootkit scanner won’t find all of them. You need to hunt the persistence mechanisms directly.
The 11 places malware hides to survive reboots:
- Registry Run/RunOnce keys —
HKLM\Software\Microsoft\Windows\CurrentVersion\Run(and the HKCU version) - Startup folders —
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup - Scheduled Tasks — can run at boot, at login, on a timer, or triggered by events
- Services — registers as a Windows service that starts automatically
- DLL hijacking — places a malicious DLL where a legit program will load it
- COM hijacking — registers as a COM object that other programs call
- Image File Execution Options (IFEO) — tells Windows to run malware as the “debugger” for a legit program
- AppInit_DLLs — injects into every process that loads user32.dll
- WMI Event Subscriptions — invisible triggers that run commands based on system events
- Time Provider DLLs — registers as a time synchronization provider
- Bootkits — modifies the boot chain itself (covered in the firmware section below)
Your best tool: Autoruns (Microsoft Sysinternals)
Autoruns shows EVERY autostart location on your machine — all of them, in one window. Malware that hides from Task Manager cannot hide from Autoruns.
Pro workflow:
- Download Autoruns from Microsoft Sysinternals (free, portable)
- Run as Administrator
- Click Options → Hide Microsoft Entries (shows only third-party stuff)
- Right-click → Check VirusTotal (sends hashes to 70+ antivirus engines)
- Anything flagged → research it → uncheck or delete
For extra credit: Create a baseline BEFORE you think you’re infected. Then compare.
autorunsc.exe -a * -c -h -s > baseline.csv
After cleanup, run it again and diff the two files to see what changed.
- https://www.varonis.com/blog/how-to-use-autoruns — Autoruns for malware persistence: Logon tab, Services, Drivers, Scheduled Tasks, Image Hijacks, AppInit DLLs, VirusTotal integration
- https://www.sans.org/blog/offline-autoruns-revisited-auditing-malware-persistence/ — Chad Tilbury’s definitive SANS guide: using Autoruns against forensic images, not just running systems
- https://dfirmadness.com/case-001-autoruns-analysis/ — hands-on walkthrough with step-by-step checklist for first-timers
- https://github.com/Karneades/awesome-malware-persistence — awesome-malware-persistence repo: PersistenceSniper PowerShell module, RegRipper, KAPE, Atomic Red Team testing
- https://hadess.io/the-art-of-windows-persistence/ — encyclopedia of persistence techniques with actual registry paths for every method
- https://cofense.com/blog/windows-persistence-explained-techniques,-risks,-and-what-defenders-should-know — practitioner report with real malware examples and specific IOCs
- https://medium.com/@tahirbalarabe2/️5-common-windows-persistence-techniques-and-how-to-stop-them-5d6f3b98682d — top 5 with Sysmon detection: Event IDs 12/13 (registry), 19-21 (WMI)
- https://tech-zealots.com/malware-analysis/malware-persistence-mechanisms/ — 11 critical mechanisms with detection guidance
- https://www.securityblue.team/blog/posts/persistence-mechanisms-windows-scheduled-tasks — scheduled task deep dive: SYSTEM privilege, Security Descriptor manipulation, TaskCache forensics
- https://iritt.medium.com/registry-persistence-detection-tryhackme-walkthrough-insights-6cbd4246a25b — AutoRuns PowerShell module: Get-PSAutorun, New-AutoRunsBaseLine, Compare-AutoRunsBaseLine for before/after diff
- https://faresbltagy.gitbook.io/footprintinglabs/practical-windows-forensics/finding-evidence-of-persistence-mechanisms — forensics cookbook: HKLM/HKCU Run keys, startup folders, RegRipper extraction, NTUSER.DAT analysis
🔧 Step 5: Repair System Files (DISM + SFC)
After removing malware, your system files might be damaged. Windows has built-in repair tools — but the order matters. Get this wrong and it doesn’t actually fix anything.
The correct order (this is important):
# Step 1: Check if the component store is healthy
DISM /Online /Cleanup-Image /CheckHealth
# Step 2: Deep scan for corruption
DISM /Online /Cleanup-Image /ScanHealth
# Step 3: Repair the component store (needs internet)
DISM /Online /Cleanup-Image /RestoreHealth
# Step 4: NOW repair system files using the fixed store
sfc /scannow
# Step 5: If it found violations, run sfc again
sfc /scannow
Why this order: SFC repairs files by pulling fresh copies from the component store. If the component store is ALSO corrupted (which malware often does), SFC just replaces broken files with other broken files. DISM fixes the store first.
If DISM can’t repair online (no internet or the store is too damaged):
- Download a Windows 11 ISO from Microsoft
- Mount it (right-click → Mount)
- Use the offline source:
DISM /Online /Cleanup-Image /RestoreHealth /Source:E:\Sources\install.wim
(Replace E: with whatever drive letter the mounted ISO gets)
You might need 2-3 runs of SFC before it comes back clean. That’s normal.
- https://pureinfotech.com/windows-11-repair-installation-dism-sfc/ — DISM + SFC workflow with offline ISO source option, 24H2 improved DISM logging
- https://support.microsoft.com/en-us/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e — official SFC guide: CBS.log analysis, manual file replacement, offline SFC from recovery media
- https://www.howtogeek.com/222532/how-to-repair-corrupted-windows-system-files-with-the-sfc-and-dism-commands/ — beginner-friendly: run order explained, Safe Mode fallback
- https://winaero.com/how-to-repair-windows-11-with-sfc-and-dism/ — Win11-specific: Repair-WindowsImage PowerShell alternative, offline install.wim source
- https://support.microsoft.com/en-us/topic/troubleshoot-problems-with-detecting-and-removing-malware-f4c07095-c45a-6a2e-e7e9-2c8f3085ae81 — official troubleshooting when Defender can’t remove: Safe Mode scan, SFC, offline scan, secondary scanners
Nuclear Options (When Nothing Else Worked)
You’ve tried the PIN fixes. You’ve scanned for malware. You’ve cleaned persistence mechanisms. And the laptop is STILL acting possessed. Time to burn it down and start fresh.
🔄 Option 1: Factory Reset from WinRE (No Password Needed)
You don’t need to be logged in to reset. Windows Recovery Environment can do it from the login screen.
From the login screen:
- Click the Power icon (bottom-right corner)
- Hold Shift and click Restart
- Choose an Option → Troubleshoot
- Reset this PC → Remove everything
- Choose Cloud Download (recommended — pulls a fresh copy from Microsoft, more reliable than local reinstall)
- If selling/donating the laptop: select “Fully clean the drive” (takes longer but securely wipes)
Can’t even reach the login screen?
Force your way into WinRE:
- Press and hold the power button for 5-10 seconds until the laptop shuts off
- Turn it back on. When you see the manufacturer logo, hold the power button again to force shutdown
- Repeat one more time. On the third boot, Windows will automatically enter recovery mode
- From there: Troubleshoot → Reset this PC → Remove everything
BitLocker warning: If BitLocker is enabled (increasingly common — 24H2 auto-enables it on many devices), you’ll need your recovery key before resetting. Check aka.ms/myrecoverykey from your phone BEFORE you start.
- https://support.microsoft.com/en-us/windows/reset-your-pc-0ef73740-b927-549b-b7c9-e6f2b48d275e — official Microsoft “Reset your PC” guide with all options explained
- https://www.makeuseof.com/windows-11-factory-reset-without-admin-password/ — factory reset without password: WinRE method + USB alternative
- https://pureinfotech.com/clean-install-windows-11/ — covers Cloud Download vs Local Reinstall, the Clean Data toggle, and 24H2/25H2 specifics
- https://www.guidingtech.com/how-to-reset-windows-11-to-factory-settings/ — three methods: Settings, WinRE, and forced hard shutdown (power button 3x)
- https://learn.microsoft.com/en-us/answers/questions/2337356/how-to-reset-windows-11-article — Microsoft Q&A: forced WinRE entry via hard shutdown, Cloud Download recommendation
💀 Option 2: Full Clean Install (The Real Nuclear Option)
A reset keeps your old Windows installation’s skeleton. A clean install wipes EVERYTHING and puts a fresh copy of Windows on your drive. This is what you do when you suspect deep compromise or the reset itself keeps failing.
What you need:
- A USB drive (8GB+)
- Another computer to create the installer
- Your Microsoft account password (your Windows license is linked to your account)
Steps:
- Create installation media: Download the Media Creation Tool on another PC → create a bootable USB
- Boot from USB: Restart the target laptop → enter BIOS (F2/F10/Del/Esc) → set USB as first boot device → save and restart
- Delete ALL partitions: During install, click “Custom” → select each partition → Delete → repeat until you see only “Unallocated Space”
- Install Windows onto the unallocated space → follow OOBE setup
Why delete all partitions? Some malware hides in the recovery partition or EFI system partition. Deleting everything and letting the installer create fresh partitions eliminates those hiding spots.
- https://www.windowscentral.com/how-do-clean-install-windows-11 — step-by-step with screenshots: boot order, partition deletion, OOBE, license activation
- https://forums.tomshardware.com/threads/windows-11-clean-install-tutorial.3831442/ — Tom’s Hardware: partition isolation, Rufus if MCT fails, license via MS account
- https://www.addictivetips.com/windows-tips/how-to-clean-install-windows-11/ — 2026 guide: no Wi-Fi driver workaround, TPM/Secure Boot BIOS check
🗑️ Option 3: Secure Wipe (If You're Selling or It's Deeply Infected)
A factory reset doesn’t actually erase your data — it just marks the space as available. For actual security (or if you suspect firmware-level infection), you need a proper wipe.
For SSDs:
Use your drive manufacturer’s Secure Erase feature. This tells the SSD’s controller to wipe all cells at the hardware level. Most manufacturers provide a free tool:
- Samsung: Samsung Magician
- Intel: Intel Memory and Storage Tool
- WD/SanDisk: WD Dashboard
- Crucial: Crucial Storage Executive
You can also trigger Secure Erase from BIOS on many laptops.
For HDDs:
Multi-pass wipe. DBAN (Darik’s Boot and Nuke) is the classic — boots from USB, overwrites every sector. For government-grade paranoia, use DoD 5220.22-M or Gutmann method.
Windows-based alternatives:
Eraser — GUI-based, supports Gutmann/DoD methods, runs from Windows
Parted Magic — Linux-based live USB with ATA Secure Erase support
| Method | Best For | Speed | Security Level |
|---|---|---|---|
| Quick format during install | Casual personal use | Fast | Basic — data recoverable |
| Full format during install | Personal use, not selling | Slow | Moderate — overwrites once |
| SSD Secure Erase (BIOS/manufacturer) | SSDs, selling device | Fast | High — hardware-level wipe |
| DBAN multi-pass | HDDs, compliance/paranoia | Very slow | Maximum — military spec |
- https://forums.tomshardware.com/threads/is-clean-install-the-same-as-secure-erase.3767041/ — DBAN vs clean install vs Secure Erase: when to use which
- https://h30434.www3.hp.com/t5/Desktop-Operating-Systems-and-Recovery/Does-Windows-Installation-Media-Wipe-a-Disk-Clean/td-p/8881398 — Eraser, Parted Magic, HDDErase, SSD vs HDD considerations
- https://www.diskpart.com/windows-11/how-to-wipe-hard-drive-and-reinstall-windows-11-1503.html — AOMEI wipe + reinstall pipeline with SSD Secure Erase
- https://www.ubackup.com/windows-11/wipe-hard-drive-for-clean-install-windows-11.html — three wipe methods: Disk Management, install media, third-party tools
- https://www.appgeeker.com/recovery/factory-reset-windows-11-without-password.html — WinRE reset without password, “Fully clean the drive” option, BitLocker warning
Lock It Down After Fixing (Don’t Get Hit Again)
Congrats, your laptop works again. Now make sure this doesn’t happen twice. These are quick wins — stuff you can do in under an hour that massively reduces your attack surface.
⚡ The 10-Minute Hardening Checklist
Do these today. Right now. Before you install anything else.
1. Turn on Attack Surface Reduction (ASR) rules
This is the single highest-impact thing you can do. ASR blocks the most common malware entry points: Office macros launching child processes, executable email attachments, credential theft from LSASS.
How: Windows Security → Virus & Threat Protection → Manage Settings → scroll to Attack Surface Reduction → enable all rules
2. Enable Controlled Folder Access
Stops ransomware from encrypting your documents. Windows blocks any unrecognized program from writing to your Documents, Desktop, Pictures, etc.
How: Windows Security → Virus & Threat Protection → Manage Ransomware Protection → turn on Controlled Folder Access
3. Turn on BitLocker
If your laptop gets stolen or someone boots from USB, your drive is encrypted and unreadable without your credentials.
How: Settings → Privacy & Security → Device Encryption → turn it on. Back up your recovery key to your Microsoft account (this is critical).
4. Use a standard user account for daily use
Stop using an admin account for everyday stuff. Create a standard user account and only elevate to admin when you need to install something. This alone stops 90% of malware from doing anything permanent.
5. Don’t disable SmartScreen
Seriously. It catches more garbage than most people realize.
6. Keep Windows Update on auto
Yes, updates break stuff sometimes. But every month’s updates patch actively exploited vulnerabilities. The math is simple: patched > unpatched.
7. Turn off Remote Desktop if you don’t use it
42% of ransomware gets in through RDP. If you’re not using it — kill it. Settings → System → Remote Desktop → Off.
8. Review your startup programs
Settings → Apps → Startup → disable everything you don’t need starting at boot. Less stuff running = less stuff to exploit.
9. Enable Enhanced Phishing Protection
Win11 22H2+ has a built-in phishing detector that watches for when you type your Windows password into websites or apps.
10. Back up your recovery key NOW
Go to aka.ms/myrecoverykey and save your BitLocker recovery key somewhere safe. You’ll need it if things go sideways again.
- https://www.onlinehashcrack.com/guides/tutorials/howto-windows-11-hardening-2025-10-quick-tweaks.php — 10 quick tweaks: Defender optimization, Controlled Folder Access, privacy telemetry, app permissions, Edge hardening
- https://github.com/beerisgood/Windows11_Hardening — community-maintained Win11 hardening collection: BAFS, Controlled Folder Access, ASR rules, PUA blocking
🏢 The Deeper Hardening (Group Policy / Enterprise-Grade)
If you want to go further — or you’re helping set up security for a small business — here’s where the serious baselines live.
Security Baselines (pre-built policy packages)
Microsoft publishes official security baselines — pre-configured sets of 3,000+ Group Policy settings boiled down to the critical ones. Download and apply them.
20 Must-Have GPO Settings:
- BitLocker XTS-AES encryption (128-bit is fine for most — 256 only if regulations require it)
- Attack Surface Reduction rules enabled
- SMBv1 disabled (ancient, exploitable, don’t need it)
- LLMNR disabled (prevents credential relay attacks)
- NTLMv2 enforced (blocks legacy authentication downgrades)
- Credential Guard enabled (isolates credentials in a separate vault)
- SMB signing required (prevents man-in-the-middle on file shares — may break older NAS devices, test first)
- LAPS enabled (randomizes the local admin password — massive win for minimal effort)
- PowerShell Constrained Language Mode (limits what scripts can do)
- Network-level authentication for RDP
- https://securitypulse.tech/2025/11/06/windows-11-hardening-20-gpos/ — 20 must-have GPO settings with quick test for each one
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines — official Microsoft Security Baselines: GPO backups, Intune MDM baselines, Security Compliance Toolkit
- https://ncp.nist.gov/checklist/1028 — DISA STIG for Windows 11: SCAP content, GPO + Intune packages, updated January 2026
- https://www.cyber.gov.au/sites/default/files/2024-07/PROTECT%20-%20Hardening%20Microsoft%20Windows%2010%20and%20Windows%2011%20Workstations%20(July%202024).pdf — Australian Signals Directorate hardening guide: application control, ASR, credential protection, cached credential limits
- https://oneconsult.com/en/blog/cybersecurity/windows-11-hardening-with-intune-methods-and-recommendations-for-a-secure-environment/ — Intune-based hardening: Security Baselines, LAPS config, CIS Benchmark alignment, BitLocker silent enablement
- https://support.microsoft.com/en-us/topic/latest-windows-hardening-guidance-and-key-dates-eb1bd411-f68c-4d74-a4e1-456721a6551b — Microsoft hardening timeline: certificate auth enforcement, PAC validation, Secure Boot enforcement dates
- https://netwrix.com/en/resources/guides/windows-server-hardening-checklist/ — server checklist applicable to workstations: disable removable media, legal notice, endpoint security, FIM
- https://blog.scalefusion.com/windows-hardening/ — UEM-focused: 42% of ransomware via RDP, centralized policy enforcement, continuous drift monitoring
Is Your Laptop Actually Hacked? (The Deep Investigation)
Everything above was about fixing the problem. This section is about answering the question — are you actually compromised, or was Windows just being Windows? If you’re the curious type (or the paranoid type — no judgment), keep reading.
🧬 What Compromise Actually Looks Like on Windows 11
Forget Task Manager — that tells you almost nothing
Nobody who does this for a living opens Task Manager and goes “hmm, CPU high, must be hacked.” Real signs of compromise hide in places most people don’t know exist.
Windows 11 has new forensic artifacts that didn’t exist in Windows 10. Kaspersky’s emergency response team found new ones — the Recall database (the AI screenshot feature), app launch logs, Notepad’s tab recovery files, and changes to how Windows tracks file modifications:
The process family tree trick
Every program has a “parent” — the program that started it. Windows has a specific family tree that’s supposed to look a certain way. svchost.exe should always be started by services.exe. If it was started by your web browser? Something is pretending to be a system process.
This chart maps the entire normal family tree so you can spot imposters:
Same concept using Volatility (reads RAM directly — catches things that hide from disk tools):
“I can still boot into Windows” — run these commands
Copy-paste PowerShell/CMD commands that check running processes, network connections, and auto-start locations:
How attackers hide in plain sight: Process hollowing, DLL sideloading, PowerShell abuse. Detection guide:
Let tools do the heavy lifting
| Tool | What It Does In Plain English | Link |
|---|---|---|
| KAPE | Grabs everything important off your machine in one sweep — login history, app logs, recent files, browser data | https://github.com/EricZimmerman/KapeFiles |
| ThreatHound | Reads your event logs and flags suspicious patterns using community detection rules | https://github.com/MazX0p/ThreatHound |
| DFIRTriage | Portable USB — collects processes, services, scheduled tasks without installing anything | https://github.com/travisfoley/dfirtriage |
Autoruns — the “what’s starting when my PC boots” detector
The definitive guide on using Autoruns — against running systems AND forensic images:
Step-by-step checklist walkthrough:
The deeper toolbox
Microsoft’s IR team published updated guidance on which forensic artifacts to trust. Some popular ones (like AmCache) are less reliable than people think:
SANS poster — every important Windows artifact from XP through 11:
The full kitchen sink of forensic tools — Volatility, plaso, FastIR, Arsenal Image Mounter:
Did Someone Steal Your Login, or Is Windows Hello Just Broken?
Your PIN won’t change. Scary? Sure. But credential theft and Windows glitches look identical from the outside. Here’s how the pros tell them apart.
🕵️ Credential Theft vs Windows Being Windows
What credential theft looks like under the hood
When attackers steal Windows credentials, they almost always target LSASS — Local Security Authority Subsystem Service. Think of it as the bouncer holding everyone’s ID cards. Steal from the bouncer → you have everyone’s credentials.
The access patterns that give it away. Malware uses specific permission codes (0x1010, 0x1410) that legitimate Windows processes basically never use. Like a burglar using a window instead of the front door.
| What It Detects | Who Made It | Link |
|---|---|---|
| LSASS memory dumps via suspicious DLL calls | Elastic Security | https://github.com/elastic/detection-rules/blob/main/rules/windows/credential_access_suspicious_lsass_access_memdump.toml |
| LSASS access via Sysmon event monitoring | Splunk | https://research.splunk.com/endpoint/2c365e57-4414-4540-8dc0-73ab10729996/ |
| Credential dumps through Task Manager | MITRE | https://car.mitre.org/analytics/CAR-2019-08-001/ |
Guide covering all major credential dump techniques:
Microsoft’s guide on protecting LSASS — Protected Process Light, Credential Guard:
The SAM database — your password hashes live here
HiveNightmare (aka SeriousSAM) — a vulnerability that let anyone read the SAM backup copies Windows secretly makes:
Velociraptor’s SAM parser — pulls login dates, password reset dates, and account flags:
Work laptop? Kerberos attacks are real.
Golden Ticket detection — Sean Metcalf’s guide on finding forged authentication tickets via event logs:
Physical access? Windows Hello has been bypassed.
CyberArk found a way to trick facial recognition using modified USB camera with fake IR frames:
MITRE technique mapping for Windows Credential Manager attacks:
Malware That Laughs at Factory Reset
Some malware lives below your operating system — in the firmware, in the boot chain, in places factory reset literally cannot reach. If your laptop refuses to reset properly, this might be why.
👻 UEFI Bootkits — The Thing Under the Bed Is Real
BlackLotus — the one that changed everything
A bootkit sold for ~$5,000 on dark web forums. Bypasses Secure Boot on fully-patched Windows 11, disables Defender and BitLocker, and survives a complete OS reinstall.
ESET’s analysis confirming it exists in the wild:
Binarly’s code deep-dive plus detection rules:
Microsoft IR’s investigation steps — what logs and artifacts to check:
NSA’s full detection and recovery guide:
Other firmware nasties that survive reinstalls
| Threat | Where It Hides | What Makes It Special |
|---|---|---|
| MosaicRegressor | SPI flash chip (firmware storage itself) | APT-grade. Factory reset doesn’t touch it. |
| ESPecter | EFI System Partition (boot drive’s hidden area) | Bypasses Windows driver signature enforcement |
| LoJax / TrickBoot | UEFI firmware modules | First known firmware-level persistent malware in the wild |
- https://securelist.com/mosaicregressor/98849/ — MosaicRegressor: SPI flash persistence in the actual hardware chip
- https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/ — ESPecter: EFI partition hiding, driver signature bypass
- https://binarydefense.com/resources/blog/running-malware-below-the-os-the-state-of-uefi-firmware-exploitation — DreamBoot, FinSpy, and the evolution of the entire threat class
- https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html — LoJax, MosaicRegressor, TrickBoot with detection rules
How to actually scan your firmware
Binarly’s hunting method that found 6 previously unknown bootkit samples:
| Tool | What It Does | Skill Level | Link |
|---|---|---|---|
| CHIPSEC | Intel’s firmware security framework — extracts firmware, compares against known-good | Advanced | https://github.com/chipsec/chipsec |
| FwHunt Scanner | Community firmware scanner with BlackLotus-specific rules | Intermediate | https://github.com/binarly-io/fwhunt-scan |
| Defender UEFI Scanner | Built into Defender — scans firmware at runtime. Already on your machine. | Beginner | https://learn.microsoft.com/en-us/defender-endpoint/uefi-scanning-in-defender-for-endpoint |
CHIPSEC detecting the HackingTeam UEFI rootkit (yes, a company was selling rootkits to governments):
Real people dealing with this
BleepingComputer thread — malware survived a clean Windows 11 install, with diagnostic logs:
Research collections
- https://github.com/TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development — curated bootkit/rootkit resource list
- https://github.com/river-li/awesome-uefi-security — UEFI vulnerability research and tools
Your PIN Under the Microscope (Deep Technical View)
For the people who want to understand exactly what’s happening inside their machine at the crypto level. Not required reading for the fix — but satisfying if you want to know why.
🧩 PIN Forensics — What's Actually Happening Inside Your Machine
How your PIN actually works (60-second version)
Your PIN isn’t just a number stored somewhere. It’s cryptographically glued to your laptop’s TPM chip (Trusted Platform Module — a tiny security processor on your motherboard). The actual credential data lives in the NGC folder at:
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Ngc
If that folder gets corrupted, or the bond between your PIN and the TPM breaks, your PIN becomes useless. No hacker required.
Forensic tools that check if your PIN security is intact
WINHELLO2hashcat — extracts Windows Hello PIN hashes. If your TPM is properly protecting the keys, the extraction should fail. If it succeeds… your TPM isn’t doing its job:
How Windows Hello PIN crypto actually works — encryption layers, key protection, where the system breaks:
Deep forensic analysis of the NGC folder structure — what each file means, tampered vs normal:
Windows 11 authentication — the full picture
Elcomsoft’s forensic breakdown of Windows 11’s entire authentication architecture:
The ugly truth: Systems without proper TPM 2.0 can have their PIN brute-forced in minutes. Not hours. Minutes:
The boring causes (ranked by frequency)
#1: The 24H2 update broke it. Microsoft’s own update trashed PINs for tons of people:
#2: TPM lockout. After 32 wrong PIN attempts, TPM locks to 1 attempt every 2 hours:
#3: Phantom organization policies. Ghost PassportForWork registry keys:
#4: Corrupted NGC folder. Sometimes it just breaks:
#5: BIOS update cleared TPM. Intel PTT is especially prone to this:
- https://www.bleepingcomputer.com/forums/t/758532/every-bios-update-requires-a-pin-reset-is-this-bad/
MITRE technique mapping for how real attackers target Credential Manager:
Ghost Accounts: Did Someone Add a Hidden Admin?
One of the oldest tricks. An attacker creates an admin account, hides it from the login screen. You’d never see it. But it’s there — fully functional, full access.
🥷 Hunting Hidden Accounts — Sneakier Than You Think
The “SpecialAccounts” registry trick
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Set any username’s value to 0 — poof. Gone from the login screen. Account still fully works.
Detection rules used by real security teams:
- https://detection.fyi/sigmahq/sigma/windows/registry/registry_set/registry_set_special_accounts/ — production Sigma rule for this exact registry change
- https://research.splunk.com/endpoint/834ba832-ad89-11eb-937d-acde48001122/ — Splunk detection query
Digging into the user database directly
- https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/sam-hive.md — SAM hive: every account, hidden or not, enumerated by RID
- https://github.com/Psmths/windows-forensic-artifacts/blob/main/account/profile-list-key.md — ProfileList registry: catches accounts that were deleted to cover tracks
Full forensic workflow
- https://nothingcyber.medium.com/blue-team-system-live-analysis-part-7-windows-user-account-forensics-categorization-and-87f94d131c1e — SAM parsing with RegRipper, SpecialAccounts detection, live analysis
- https://www.checksomebytes.com/posts/hidingwindowsusers/ — the attacker’s view: where hidden accounts are still visible (knowing blind spots = how you find them)
Registry forensics toolkit
| Tool | What It Does | Link |
|---|---|---|
| RegRipper 3.0 | Parses registry files — user accounts, IDs, creation timestamps | https://github.com/keydet89/RegRipper3.0 |
| Cyber Triage Cheat Sheet | 2025 registry forensics reference — null-character hiding trick | https://www.cybertriage.com/blog/windows-registry-forensics-cheat-sheet-2025/ |
- https://www.praetorian.com/blog/how-to-detect-and-dump-credentials-from-the-windows-registry/ — SAM auditing: Event ID 4656 fires when someone accesses SAM
- https://www.hackingarticles.in/forensic-investigation-windows-registry-analysis/ — RegRipper walkthrough: extracting every user with creation dates
- https://cheatsheet.haax.fr/windows-systems/local-and-physical/local_recon_enumeration/ — offensive recon commands you flip for defensive use
Shadow admins — the scariest kind
Accounts that don’t appear in the Administrators group but still have admin-level permissions through indirect delegation.
- https://www.cyberark.com/resources/threat-research-blog/shadow-admins-the-stealthy-accounts-that-you-should-fear-the-most — CyberArk research + ACLight tool
- https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab — SpecterOps: msDS-KeyCredentialLink abuse
- https://www.semperis.com/blog/find-hidden-active-directory-objects/ — Semperis Hidden Object Detector
Event log hunting
- https://github.com/sans-blue-team/DeepBlueCLI — PowerShell script that reads event logs and flags suspicious patterns
- https://www.sans.org/blog/defense-spotlight-finding-hidden-windows-services — finding hidden Windows services (same methodology works for accounts)
BitLocker & TPM Edge Cases (The Gotchas Nobody Warns You About)
BitLocker is the #1 blocker for every recovery method in this guide. If it’s active, most bypass techniques (utilman, sethc, NGC delete, offline SAM edit) are stopped cold because the drive is encrypted.
🔒 BitLocker + TPM Complications
The 24H2 auto-encryption problem
Windows 11 24H2 auto-enables device encryption on way more devices than before. Microsoft removed the DMA/HSTI prerequisites — meaning machines that were never encrypted before suddenly are. People don’t even know BitLocker is on until they try recovery and get asked for a key they never saved.
Check if you’re encrypted: Settings → Privacy & Security → Device Encryption. Or run manage-bde -status in an admin CMD.
Get your recovery key: aka.ms/myrecoverykey — sign in with your Microsoft account. The key should be backed up there automatically.
When TPM causes problems
- Motherboard or CPU replacement invalidates TPM keys → BitLocker demands recovery key
- Dual-TPM systems (firmware + discrete chip) confuse BitLocker
- Non-Microsoft TPM drivers cause initialization failures
- BIOS updates reset TPM → triggers BitLocker recovery
Enhanced PINs
If your organization enabled Enhanced PINs (alphanumeric instead of numbers-only), firmware updates or TPM resets trigger recovery more often.
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/ — BitLocker overview: TPM + PIN protector, 24H2 auto-enablement changes
- https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures — countermeasures: TPM+PIN for advanced attacks, sleep vs hibernate, DMA mitigation
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues — known issues: Entra hybrid join failures, recovery mode triggers
- https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm — TPM troubleshooting: clear to factory defaults, dual-TPM systems
- https://www.ninjaone.com/blog/enhanced-pins-for-bitlocker/ — Enhanced PINs: enable via gpedit, recovery key prompts after firmware changes
- https://windowsforum.com/threads/device-tpm-problem.382241/ — school/lab TPM issues: motherboard changes, Entra re-registration workflow
- https://learn.microsoft.com/en-us/intune/intune-service/protect/encrypt-devices — Intune BitLocker deployment: silent enablement prerequisites, conflicting policies
- https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues — encryption failures: TPM-related, drive layout issues
The Full Arsenal
Every tool from this guide in one table. Bookmark this.
⚡ Your Forensic Swiss Army Knife
| Tool | What It Actually Does | Difficulty | Link |
|---|---|---|---|
| KAPE | Grabs all forensic data off a machine in one sweep | https://github.com/EricZimmerman/KapeFiles | |
| CHIPSEC | Checks firmware for bootkit modifications | https://github.com/chipsec/chipsec | |
| FwHunt Scanner | Scans firmware with BlackLotus-specific rules | https://github.com/binarly-io/fwhunt-scan | |
| DeepBlueCLI | Reads event logs, flags suspicious activity | https://github.com/sans-blue-team/DeepBlueCLI | |
| Forensic Exam Commands | Copy-paste PowerShell/CMD for live threat hunting | https://github.com/McL0vinn/Windows-Forensic-Examination-and-Threat-Hunting | |
| WINHELLO2hashcat | Tests if your PIN/TPM security actually works | https://github.com/Banaanhangwagen/WINHELLO2hashcat | |
| RegRipper 3.0 | Parses registry to find hidden accounts and history | https://github.com/keydet89/RegRipper3.0 | |
| Windows Forensic Artifacts | Documentation of every artifact and where to find it | https://github.com/Psmths/windows-forensic-artifacts | |
| ThreatHound | Hunts event logs using community detection rules | https://github.com/MazX0p/ThreatHound | |
| DFIRTriage | Portable USB collection — no installation needed | https://github.com/travisfoley/dfirtriage | |
| Awesome Forensics | Curated master list of forensic tools | https://github.com/cugu/awesome-forensics | |
| Awesome Bootkits | Bootkit/rootkit research compilation | https://github.com/TheMalwareGuardian/Awesome-Bootkits-Rootkits-Development | |
| Awesome UEFI Security | UEFI vulnerability research and tools | https://github.com/river-li/awesome-uefi-security | |
| Awesome Malware Persistence | Persistence mechanism research + tools | https://github.com/Karneades/awesome-malware-persistence | |
| Autoruns | Shows EVERY autostart location on your machine | https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns | |
| chntpw | Offline password reset from Linux USB | http://www.chntpw.com/guide/ |
Your laptop isn’t haunted. It’s either broken or breached — and now you know how to handle both. Start from the top (PIN fix), work your way down. Most people won’t even need to get past Method 2. If you find firmware-level stuff in the bootkit section… yeah, new hard drive time. ![]()
Full Format is the solution…Just put Win10 DVD and format hard drive , reinstall fresh win10
!