Give Your Windows a Security Spring Cleaning: 2020 Edition
Updated: Apr 14, 2020
It’s time to give your Windows PC a security spring cleaning!
I’m sure you’re doing all the basics, like updating Windows and running anti-virus, but once a year you should give your Windows PC a deep cleaning. I follow the steps below on all my Windows machines. They not only improve security, they’ll help your machine run better.
Items labeled for expert users aren't super difficult for those with some technical skills, but any that sound challenging or that make you uncomfortable you can skip.
Bookmark this page and set a reminder to follow these steps every year. It’s also a good idea to do them anytime your PC starts acting strangely or you suspect it may have become infected.
The process usually takes less than an hour, about as long as you’d spend at an annual checkup with your doctor. Following these steps can pay big dividends down the road.
Note to Windows 7 users: Microsoft no longer supports Windows 7, not even with security patches. Your Windows 7 computer is now insecure, so replace it or upgrade it to Windows 10. If you have to keep it a while longer, take these precautions. Starting in 2021 I will no longer include Windows 7 specific instructions in this Spring Cleaning article.
1. Empty recycle bin
Double click recycle bin, look through the list to make sure there are no files you actually need, then click Empty Recycle Bin.
2. Check HOSTS file (expert users)
Malware can tamper with this file to redirect your browser to fake web sites. You’ll find it in your Windows directory, typically in C:\Windows\System32\drivers\etc\. Open it with Notepad. For a typical user, every line you see should begin with a hashmark (#). If not, it may have been tampered with.
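Expert users can do the same check from PowerShell. The script below is an added example, not part of the original article; the function name Get-ActiveHostsEntry and the sample entries are made up for illustration. It lists every line that is not blank or a comment and shows where each name is being pointed.

```powershell
# Added example, not from the original article. Reports every HOSTS line
# that is not blank and not a comment.
function Get-ActiveHostsEntry {
    param([string[]]$Lines)
    $lineNo = 0
    foreach ($line in $Lines) {
        $lineNo++
        # Strip a trailing "# comment" and surrounding whitespace.
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        [pscustomobject]@{
            Line    = $lineNo
            Address = $fields[0]
            Names   = ($fields | Select-Object -Skip 1) -join ', '
            # A loopback or 0.0.0.0 target points the name back at this PC (blocking it);
            # any other address sends the name somewhere else.
            Effect  = if ($fields[0] -in '127.0.0.1', '::1', '0.0.0.0') { 'blocks' } else { 'redirects' }
        }
    }
}

# Constructed sample (203.0.113.0/24 is a documentation range, not a real host).
$sample = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '#      127.0.0.1       localhost',
    '',
    '203.0.113.10    www.example.com   # constructed entry',
    '0.0.0.0         updates.example.net'
)
Get-ActiveHostsEntry -Lines $sample | Format-Table -AutoSize

# The real file. No output means every line is a comment, as this step expects.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-ActiveHostsEntry -Lines (Get-Content -LiteralPath $hostsPath) | Format-Table -AutoSize
```

On the constructed sample it reports lines 4 and 5 and ignores the comment and blank lines.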
3. Check Office (Microsoft Office users)
Malware often exploits bugs or weak settings in Microsoft Office. It can be easy to miss automatic updates, especially if you don’t use Office very often, or don’t pay attention to the update alert on the ribbon toolbar. If you have any Office programs (Word, Excel, PowerPoint, Outlook, OneNote, Project, Visio) then open any Office document or start a new one.
Go to the File tab and navigate to Account > Product Info > Office Updates > Update Options > Update Now. (If that doesn’t work for your version of Office, check Microsoft’s help page.)
Return to the File tab and select Options > Trust Center and click the Trust Center Settings button. In the Trust Center window, select Macro Settings and choose “Disable all macros with notification”. (If you have an older Office version without Trust Center, find another way to disable macros in your settings.)
If Protected View is displayed on the left (it may not be) then select it and check all the checkboxes.
4. Check Acrobat Reader
Malware also frequently uses PDF files to infect PCs, typically by exploiting a bug or weak setting in Adobe Acrobat Reader. If you have the Acrobat Reader program installed, then launch it:
Click the Help menu and choose “Check for updates”. Apply any updates as needed.
Go to the Edit menu and choose Preferences. In the “General” category, make sure the “Use only certified plug-ins” checkbox is checked.
Select the “Security (Enhanced)” category, and make sure checkboxes for “Enable Protected Mode at Startup” and “Enable Enhanced Security” are checked. For the Protected View radio buttons, select “Files from potentially unsafe locations”.
5. Check Windows updates
Windows should update itself automatically, but this can fail sometimes. On Windows 8/10, go to Settings > Update & Security > Windows Update to make sure your PC is up to date and Windows is configured to automatically download and install updates. On Windows 7, go to Control Panel > Windows Update > Check for Updates. If you use Defender as your antivirus program, this is also a good time to make sure its automatic updates are working too.
6. Check hardware devices
It's important that all your connected devices are working and have the latest drivers. Search for Device Manager (or access it via Control Panel) and run it. Click View > Show hidden devices. Look through the hardware list. If you see a warning flag or exclamation mark somewhere, expand that entry to determine which specific device is in distress and take steps to fix it.
7. Clean up Facebook
If you use Facebook on any devices (not just this one) then this is a good time to review your list of installed apps, delete apps you don’t need, and tighten privacy settings for the rest. Go to Settings > Apps & Web Sites in Facebook and remove anything that shouldn't be there. Under Settings > Security & Login > Setting Up Extra Security turn everything on. Also visit Settings > Privacy to make settings as restrictive as possible.
8. Clean up browser add-ons
Open each browser on the computer and review the installed add-ons, extensions, and plugins. Remove those you don’t need, and disable those you use only rarely. If one of them is Adobe Flash, disable or remove it. If “ask to activate” is offered as an option for plugins, choose it. Expert users may also wish to clear browser cache at this time. Firefox users should install and enable the Facebook Container extension if you use Facebook.
9. Clean up email add-ons
If you use an email program (other than a web browser), open it and review add-ons and plugins. While there, you may want to check the Sent folder. If you find any messages you don’t remember sending, that’s a red flag.
10. Clean up programs
Go to Settings > Apps (or Control Panel > Programs) and review the installed programs. If you see something odd or unexpected, research it and consider uninstalling it. For something you recognize but no longer need, consider uninstalling it.
11. Clean up services (expert users)
Type “services.msc” in the Start button search box and run the Services desktop app. On the Extended tab, click each service with a status of “running” to learn more about it. If you see something odd or unexpected, research it and consider changing its Startup Type to “manual” by double-clicking it.
12. Check Action Center (Windows 7)
On a Windows 7 computer, open Action Center from the system tray to check for issues or alerts. Expand the Security section: Every item except Network Access Protection should be turned on.
13. Check Defender (Windows 8/10)
Click the Defender shield icon in the system tray if it’s there. This should launch Windows Defender Security Center with row(s) of icons.
The icons should display green check marks with “No action needed”. If not then take corrective steps.
If there’s an icon titled “App & browser control”, click it. None of the settings should be “Off”.
If there's an icon titled "Device performance & health", click it. All bullet items should display green check marks with "No issues". If not then expand the bullet and take corrective steps.
14. Controlled folder access (Windows 10 expert users)
On a Windows 10 computer, keep Windows Defender Security Center open or reopen it (see previous step), click the Virus & Threat Protection icon, then choose Virus & Threat Protection Settings. All sliders should be in the “On” position, but Controlled Folder Access may not be. Switch it on. There’s a good chance you’ll get some unwanted warnings over the next few days, as your programs write to protected folders. For an app you trust, like browser or Office, grant access and alerts will stop for that app. The idea is to stop ransomware from encrypting files.
15. Check firewall status
Launch Control Panel > Windows Defender Firewall. If a warning banner states "These settings are being managed by a vendor application" then skip this step. Otherwise expand the Private Networks and Guest or Public Networks panels:
Firewall state should be “On” in both
Incoming Connections should be "Block all connections to apps that are not on the list of allowed apps" in both
If anything needs to be changed, click Turn Windows Defender Firewall On or Off
16. Check firewall log (expert users)
Access the Windows firewall log (pfirewall.log) via Control Panel > Windows Firewall > Advanced Settings > Monitoring > Logging Settings. (On Windows 10 it's called Windows Defender Firewall.) Check the log for intrusion attempts or other suspicious events. In most cases you can ignore events from within your home network (192.168.*.* IP addresses). If the log file’s not present, you may need to enable firewall logging.
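Reading the raw log by eye is tedious, so here is a PowerShell summary of blocked packets that did not come from the home network. It is an added example, not part of the original article; the function name Get-FirewallDropSummary and the sample lines are constructed, and it assumes the default log location and that logging of dropped packets is enabled. Run it from an elevated PowerShell window.

```powershell
# Added example, not from the original article.
function Get-FirewallDropSummary {
    param([string[]]$Lines)
    $fields = @()
    $events = foreach ($line in $Lines) {
        # The "#Fields:" header names the space-separated columns that follow.
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        # Skip other headers, blank lines, and anything before the field list.
        if ($fields.Count -eq 0 -or $line -notmatch '^\d{4}-\d{2}-\d{2}\s') { continue }
        $values = $line.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$row
    }
    # Keep dropped packets whose source is outside 192.168.*.* and loopback.
    $events |
        Where-Object {
            $_.action -eq 'DROP' -and
            $_.'src-ip' -notlike '192.168.*' -and
            $_.'src-ip' -notin '127.0.0.1', '::1'
        } |
        Group-Object -Property 'src-ip', 'protocol', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Source, protocol, port'; e = { $_.Name } }
}

# Constructed sample in pfirewall.log format (external addresses are documentation ranges).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2020-04-10 09:15:02 DROP TCP 203.0.113.7 192.168.1.20 51544 3389 52 S 1234567 0 8192 - - - RECEIVE
2020-04-10 09:15:05 DROP TCP 203.0.113.7 192.168.1.20 51545 3389 52 S 1234599 0 8192 - - - RECEIVE
2020-04-10 09:16:40 DROP UDP 192.168.1.31 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2020-04-10 09:17:12 ALLOW TCP 192.168.1.20 198.51.100.23 49822 443 0 - 0 0 0 - - - SEND
2020-04-10 09:20:33 DROP TCP 198.51.100.99 192.168.1.20 40211 445 52 S 99887766 0 8192 - - - RECEIVE
'@ -split "`r?`n"

# Use the real log when it is readable, otherwise fall back to the sample.
$log = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
$lines = if (Test-Path -LiteralPath $log) { Get-Content -LiteralPath $log } else { $sample }
Get-FirewallDropSummary -Lines $lines | Format-Table -AutoSize
```

On the sample data it reports two drops from 203.0.113.7 to TCP port 3389 and one from 198.51.100.99 to TCP port 445; the home-network broadcast and the allowed outbound connection are left out.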
17. Safety scan
Download the Microsoft Safety Scanner from https://www.microsoft.com/en-us/wdsi/products/scanner. The program file name is msert.exe. Run it. When prompted, choose either Quick Scan or Full Scan. Full scan is recommended if you don’t have up-to-date antivirus software, or have any reason to suspect the machine may be infected. If you choose Quick Scan and an infection is found, follow up with a full scan.
18. Clean up Windows features (expert users)
In Windows settings, go to Apps > Apps & Features > Optional Features. A list of Windows features will appear. Scroll down and look for "Internet Explorer 11". If it's present, click the Manage button to uninstall it.
Go to Control Panel > Programs & Features and select “Turn Windows features on or off”:
Again look for "Internet Explorer 11" and uncheck it. This may trigger a warning message but don't worry.
Scroll down to “Telnet Client”. Its checkbox should not be checked (uncheck if it is).
On Windows 10 you’ll see an entry called “SMB 1.0/CIFS File Sharing Support”. Expand it. The first checkbox Automatic Removal should be checked. The two checkboxes for Client and Server should not be checked, unless you have an older network storage device that only supports insecure SMBv1 legacy protocol. You may be asked to restart.
19. Clean up background programs (Windows 10)
Go to Settings > Privacy > Background Apps to see a list of apps that run constantly in the background even when you're not using them. Disable Microsoft Edge. Expert users: Look over the other apps and disable any that don't need to run in background. Don't disable Windows Security.
20. Check Windows event log (expert users)
Windows records security events in its event log. Use Start button search to find and run the Event Viewer app. Expand Windows Logs on the left side and select Security. Then click “Filter Current Log” on the right side. Under Event Level, check the checkboxes Critical, Warning, and Error. There should now be zero events in the middle pane. If not, click each event to learn what happened and when.
21. Check network connections (expert users)
Search for “command prompt” at Start button, right-click the app, and choose Run as Administrator. On the command line prompt, enter “netstat -fban” (without the quotes). Scroll through the results, looking for connections whose status is ESTABLISHED. For each established connection, examine the Foreign Address column:
If it’s 127.0.0.1 or 0.0.0.0 then ignore it (your PC is talking to itself).
If it’s 192.168.*.* then you can ignore it (your PC is talking to another device on your home network).
If it’s a MAC address instead of an IP address, you can ignore it.
If the program shown in square brackets is your browser (e.g., “[firefox.exe]”) or iTunes, onedrive, Outlook, SearchUI, smartscreen, spoolsv, svchost, skype, WpnUserService, or other program that legitimately connects to the Internet, then you can ignore it.
Any established connection that doesn’t meet these criteria should be investigated.
Enter “exit” on the command line when finished.
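The same triage can be scripted in PowerShell on Windows 8/10, where the Get-NetTCPConnection cmdlet is available. This is an added example, not part of the original article; the helper name Test-LocalAddress is made up, and the $expected list is just the program names from this step and should be adjusted for your own machine. Run it elevated so process paths can be read.

```powershell
# Added example, not from the original article.
# Programs this step lists as legitimately talking to the Internet.
$expected = 'firefox', 'iTunes', 'OneDrive', 'OUTLOOK', 'SearchUI',
            'smartscreen', 'spoolsv', 'svchost', 'Skype'

function Test-LocalAddress {
    param([string]$Address)
    # Loopback, unspecified, and the 192.168.*.* home range can be ignored.
    $Address -in '127.0.0.1', '0.0.0.0', '::1', '::' -or $Address -like '192.168.*'
}

Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-LocalAddress $_.RemoteAddress) } |
    ForEach-Object {
        # Map the connection to the program that owns it.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            # Listed = $false marks a connection that needs investigating.
            Listed    = $proc.ProcessName -in $expected
            Process   = $proc.ProcessName
            ProcessId = $_.OwningProcess
            Remote    = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            # A familiar name proves little by itself; check that the file
            # lives where that program is normally installed.
            Path      = $proc.Path
        }
    } |
    Sort-Object Listed, Process, Remote |
    Format-Table -AutoSize
```

Rows with Listed set to False sort to the top; those are the connections to research first.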
22. Halt antivirus
Temporarily stop your antivirus before performing the next few steps. This usually involves clicking the AV icon in the system tray and changing a setting. For Microsoft Defender, for example, disable Real-time Protection in the Virus & Threat Protection Settings. (Some AV programs let you turn off real-time scanning for a set period. Choose one hour.) The tray icon may turn red or display a security alert. This is normal.
23. Close programs
It’s recommended to close all programs before carrying out the next steps, especially programs containing any unsaved work. However, it's typically OK to leave your browser open so you can continue reading these instructions. (If you want to close the browser, then print this web page or open it on a mobile device.) You may also wish to back up important files before continuing.
24. Check hard drive
Open My Computer or This PC on your desktop. Right click the drive labeled “OS” or “C:” and choose Properties > Tools:
Error Checking and Optimize (or Defragment) buttons will appear.
Click the Optimize/Defragment button first. It should show the C: drive 0% fragmented. If it shows more than 20% fragmentation, click Optimize, else close this window.
Next click the Error Checking button. It may display “You don’t need to scan this drive” in which case you may click Cancel. If it responds with “Check disk options” then click both checkboxes and then the Start button.
If it responds “Windows can’t check the disk while it’s in use” then click the Schedule Disk Check button. Next time you restart Windows, it will perform a disk check. (It will take a while.)
25. Remove adware / spyware
Unless you already have one, download and install a third-party adware scanner from a reputable web site, such as Malwarebytes AdwCleaner or EnigmaSoft SpyHunter. Perform a scan, then Skip Basic Repair if no threats are detected. If threats are found, choose Clean & Repair. You may be asked to reboot.
26. Run alternate antivirus (expert users)
No antivirus program is perfect. Yours may miss things, so it’s wise to periodically scan the system with a different AV tool. It may detect an infection your regular AV missed. I recommend Malwarebytes Anti-Malware or Sophos Hitman Pro to get a “second opinion”. Each has its strengths; I use Malwarebytes in even years and Hitman in odd years. You can download a trial version and run it once for free.
Run: Make sure your regular AV is still turned off. Download and install the new AV and perform a scan. If any threats are found, remove or quarantine them.
Remove: When finished, close the AV program and uninstall it before proceeding to the next step. Your regular AV program can get cranky if it encounters a competing product on the machine.
27. Reactivate regular antivirus
Windows may automatically reenable your regular AV (or prompt you to do so) at the end of the previous step. Find its icon in the system tray, open it, and make sure real-time virus protection is on. On Windows 10, you can also reenable it by rebooting the machine.
28. Vaccinate against NotPetya (expert users)
Use File Explorer to view the C:\Windows directory. Look for a file (or files) called PERFC. If present, your PC has been vaccinated against the NotPetya malware. If not present, create a file there called PERFC (no extension) and make it read-only. More info here.
29. Defender offline scan (Windows 10)
If you use Defender as your antivirus program on Windows 10, you can ask it to do a deeper scan of the system than normal. Open Defender by clicking its icon in the system tray. Under Virus & Threat Protection click the “Scan Options” link. Choose “Windows Defender Offline scan” and click the “Scan now” button. Your PC will restart and take about ten minutes to reboot.
Restart Windows if you didn't already do so on the previous step.
Congratulations, your PC is more secure and reliable than it was yesterday!
Got any additional tips or tricks for securing Windows PCs? Send them to me at firstname.lastname@example.org and I might add them to this list.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.