It’s time to give your Windows PC a security spring cleaning!
I’m sure you’re doing all the basics, like updating Windows and running anti-virus, but once a year you should give your Windows PC a deep cleaning. I follow the steps below on all my Windows machines. They not only improve security and privacy, they’ll help your machine run better.
Items labeled for first time users are one-time tasks that can generally be skipped if you've done this spring cleaning on a PC before.
Items labeled for expert users aren't super difficult for those with some technical skills, but you can skip any that sound challenging or make you uncomfortable.
The process usually takes less than an hour, about as long as you’d spend at an annual checkup with your doctor. Following these steps can pay big dividends down the road.
Note to Windows 7 users: Microsoft no longer support Windows 7. Not even security patches. Your Windows 7 computer is now insecure, so replace it or upgrade it to Windows 10/11.
Note about Windows 11: Microsoft has begun offering a Windows 11 upgrade to many Windows 10 users. If you want to upgrade and your PC can support Windows 11, feel free to do so. For now there is no compelling security reason to move to Windows 11.
1. Empty recycle bin
Double click recycle bin, look through the list to make sure there are no files you actually need, then click Empty Recycle Bin.
2. Check HOSTS file (expert users)
Malware can tamper with this file to redirect your browser to fake web sites. You’ll find it in your Windows directory, typically in C:\Windows\System32\drivers\etc\. Open it with Notepad. For a typical user, every line you see should begin with a hashmark (#). If not, it may have been tampered with.
3. Check Office (Microsoft Office users)
Malware often exploits bugs or weak settings in Microsoft Office. It can be easy to miss automatic updates, especially if you don’t use Office very often, or don’t pay attention to the update alert on the ribbon toolbar. If you have any Office programs (Word, Excel, PowerPoint, Outlook, OneNote, Project, Visio) then open any Office document or start a new one.
Go to the File tab and navigate to Account > Product Info > Office Updates > Update Options > Update Now. (If that doesn’t work for your version of Office, check Microsoft’s help page.)
First time users: Return to the File tab and select Options > Trust Center and click the Trust Center Settings button. In the Trust Center window, select Macro Settings and choose “Disable all macros with notification”. (If you have an older Office version without Trust Center, find another way to disable macros in your settings.)
If Protected View is displayed on the left (it may not be) then select it and check all the checkboxes.
4. Check Acrobat Reader (first time users)
Malware also frequently uses PDF files to infect PCs, typically by exploiting a bug or weak setting in Adobe Acrobat Reader. If you have the Acrobat Reader program installed, then launch it:
Click the Help menu and choose “Check for updates”. Apply any updates as needed.
Go to the Edit menu and choose Preferences. In the “General” category, make sure the “Use only certified plug-ins” checkbox is checked.
Select the “JavaScript” preferences category and uncheck the “Enable Acrobat JavaScript” checkbox.
Select the “Security (Enhanced)” category, and make sure checkboxes for “Enable Protected Mode at Startup” and “Enable Enhanced Security” are checked. For the Protected View radio buttons, select “Files from potentially unsafe locations”.
5. Check Windows updates
Windows should update itself automatically, but this can fail sometimes. Go to Settings > Update & Security > Windows Update to make sure your PC is up to date and Windows is configured to automatically download and install updates. If you use Defender as your antivirus program, this is also a good time to make sure its automatic updates are working too.
6. Check app updates
Apps purchased through the Microsoft app store can also be updated easily through the app store. Press Start button and choose Microsoft Store. Click Library on the left and then Get Updates. If the Update All button appears, click it.
7. Check hardware devices
Its important all your connected devices are working and have the latest drivers. Search for Device Manager (or access it via Control Panel) and run it. Click View > Show hidden devices. Look through the hardware list. If you see a warning flag or exclamation mark somewhere, expand that entry to determine which specific device is in distress and take steps to fix it.
8. Clean up browser add-ons
Open each browser on the computer and review the installed add-ons, extensions, and plugins. Remove those you don’t need, and disable those you use only rarely. If one of them is Adobe Flash, disable or remove it. If “ask to activate” is offered as an option for plugins, choose it. Expert users may also wish to clear browser cache at this time. Firefox users should install and enable the Facebook Container extension if you use Facebook.
9. Clean up programs
Go to Settings > Apps (or Control Panel > Programs) and review the installed programs. If you see something odd or unexpected, research it and consider uninstalling it. For something you recognize but no longer need, consider uninstalling it.
10. Clean up services (expert users)
Type “services.msc” in Start button search box and run the Services desktop app. On the Extended tab, click each service with status of “running” to learn more about it. If you see something odd or unexpected, research it and consider changing its Startup Type to “manual” by double-clicking it.
11. Disable NetBIOS (expert first time users)
NetBIOS is a legacy Microsoft network protocol that can weaken security. You can disable it without losing functionality. Go to Settings > Network & Internet > Change Adapter Options and a control panel window will appear. Right-click on Ethernet or Wi-Fi (whichever your computer typically uses) and click Properties. Select Internet Protocol Version 4 then click the Properties button below. On the next window, click the Advanced button. On the final window, choose the WINS tab then select the radio button labeled Disable NetBIOS over TCP/IP. Click OK or close on every open window.
12. Check Defender
Click the Defender shield icon in the system tray if it’s there. This should launch Windows Defender Security Center with row(s) of icons.
The icons should display green check marks with “No action needed”. If not then take corrective steps.
If there’s an icon titled “App & browser control”, click it. None of the settings should be “Off”.
If there's an icon titled "Device performance & health", click it. All bullet items should display green check marks with "No issues". If not then expand the bullet and take corrective steps.
13. Check firewall status (expert users)
Launch Control Panel > Windows Defender Firewall. If a warning banner states "These settings are being managed by a vendor application" then skip this step. Otherwise expand the Private Networks and Guest or Pubic Networks panels:
Firewall state should be “On” in both
Incoming Connections should be "Block all connections to apps that are not on the list of allowed apps" in both
If anything needs to be changed, click Turn Windows Defender Firewall On or Off
14. Safety scan
Download the Microsoft Safety Scanner from https://www.microsoft.com/en-us/wdsi/products/scanner. The program file name is msert.exe. Run it. When prompted, choose either Quick Scan or Full Scan. (Full scan is recommended if you don’t have up-to-date antivirus software, or have any reason to suspect the machine may be infected.) If you choose Quick Scan and an infection is found, follow up with a full scan. Note: If "Files Infected" rises above zero during the scan, but the final report says no infections were found, then the infected files were false positives and not cause for concern.
15. Clean up Windows features (expert users)
Go to Control Panel > Programs & Features and select “Turn Windows features on or off”:
Scroll down to “Telnet Client”. Its checkbox should not be checked (uncheck if it is).
If you see an entry called “SMB 1.0/CIFS File Sharing Support”, expand it. The first checkbox Automatic Removal should be checked. The two checkboxes for Client and Server should not be checked, unless you have an older network storage device that only supports insecure SMBv1 legacy protocol. You may be asked to restart.
16. Clean up background programs
Go to Settings > Privacy > Background Apps to see a list of apps that runs constantly in the background even when you're not using them:
First time users: Disable Microsoft Edge if it appears on the list.
Expert users: Look over the other apps and disable any that don't need to run in background. Don't disable Windows Security.
17. Halt antivirus
Temporarily stop your antivirus before performing the next few steps. This usually involves clicking the AV icon in the system tray and changing a setting. For Microsoft Defender, for example, disable Real-time Protection in the Virus & Threat Protection Settings. (Some AV programs let you turn off real-time scanning for a temporary time. Choose one hour.) The tray icon may turn red or display a security alert. This is normal.
18. Close programs
It’s recommended to close all programs before carrying out the next steps, especially programs containing any unsaved work. However it's typically OK to leave your browser open so you can continue reading these instructions. (If you want to close the browser, then print this web page or open it on a mobile device.) You may also wish to backup important files before continuing.
19. Check hard drive
Open My Computer or This PC on your desktop. Right click the drive labeled “OS” or “C:” and choose Properties > Tools:
Error Checking and Optimize (or Defragment) buttons will appear.
Click the Optimize/Defragment button first. It should show the C: drive 0% fragmented. If it shows more than 20% fragmentation, click Optimize, else close this window.
Next click the Error Checking button. It may display “You don’t need to scan this drive” in which case you may click Cancel. If it responds with “Check disk options” then click both checkboxes and then the Start button.
If it responds “Windows can’t check the disk while it’s in use” then click the Schedule Disk Check button. Next time you restart Windows, it will perform a disk check. (It will take a while.)
20. Remove adware / spyware (optional)
Unless you already have one, download and install a third-party adware scanner from a reputable web site, such as Malwarebytes AdwCleaner or EnigmaSoft SpyHunter:
If Microsoft Store complains before installation, click Install Anyway.
Perform a scan, then Skip Basic Repair if no threats are detected.
If threats are found, choose Clean & Repair. You may be asked to reboot.
21. Disable advertising ID (first time users)
Windows helps advertisers track you through the use of a unique advertising ID, but you can disable it. Go to Settings > Privacy > General and disable "Let apps use advertising ID...". While you're there you can optionally disable other items in that group too.
22. Run alternate antivirus scan (expert users)
No antivirus program is perfect. Yours may miss things, so it’s wise to periodically scan the system with a different AV tool. It may detect an infection your regular AV missed. I recommend Malwarebytes Anti-Malware or Sophos Hitman Pro to get a “second opinion”. Each has its strengths; I use Malwarebytes in even years and Hitman in odd years, You can download a trial version and run it once for free.
Install: Download and install the new AV. If Microsoft store complains, click Install Anyway.
Run: Make sure your regular AV is still turned off, then perform a scan. If any threats are found, remove or quarantine them.
Remove: When finished, close the AV program and uninstall it before proceeding to the next step. Your regular AV program can get cranky if it encounters a competing product on the machine.
23. Reactivate regular antivirus
Windows may automatically reenable your regular AV (or prompt you to do so) at the end of the previous step. Find its icon in the system tray, open it, and make sure real-time virus protection is on. You can also reenable it by rebooting the machine.
24. Full scan (optional)
If you normally only do Quick Scans, this would be a good time to perform a Full Scan with your regular antivirus program. To check whether your most recent Defender scan was Quick or Full, go to Settings > Update & Security > Windows Security > Virus & threat protection and look at "Last scan" under Current Threats. To perform a Full Scan, click Scan Options, select the Full Scan radio button, and press the Scan Now button.
25. Vaccinate against NotPetya (expert first time users)
Use File Explorer to view the C:\Windows directory. Look for a file (or files) called PERFC. If present, your PC has been vaccinated against the NotPetya malware. If not present, create a file there called PERFC (no extension) and make it read-only. More info here.
26. Vaccinate against other Russian malware (expert first time users)
A little known trick to keep some Russian malware from attacking your PC is to enable the Russian language in Windows. Russian cyber-criminals check for Russian language because Russian computers are off-limits to them. Go to Settings > Time & Language > Language > Add a Language and choose Russian. Leave your preferred language (e.g., English) first on the list. It's unlikely, but if your PC ever switches to Russian accidentally, just press the Space bar while holding down the Windows key to switch back.
27. Defender offline scan (optional)
If you use Defender as your antivirus program, you can ask it to do a deeper scan of the system than normal. Open Defender by clicking its icon in the system tray. Under Virus & Threat Protection click the “Scan Options” link. Choose “Windows Defender Offline scan” and click the “Scan now” button. Your PC will restart and take about ten minutes to reboot. Note: If you are asked for a Bitlocker recovery key after the computer restarts, and you don't know your Bitlocker key, choose "Skip this drive."
28. Reboot
Restart Windows if you didn't already do so on the previous step.
Congratulations, your PC is more secure and reliable than it was yesterday!
Got any additional tips or tricks for securing Windows PCs? Send them to me at mike@taprootsecurity.com and I might add them to this list.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.