How to set up a new Windows laptop: Nuke it from orbit

Microsoft Windows is actually pretty solid these days, notwithstanding the occasional hopelessly bone-headed interface design decision (Win8 Metro, anyone?). The NT 6 kernel family that underpins Vista, Win7 and Win8 is, now that Vista's teething pains are overcome, pretty slick and reliable.

The same can't be said for the heaps of shovelware that just about every single OEM ships on their new Windows machines.

I cannot understand why a company whose only product is a useless piece of buggy software would pay hardware makers to give away said piece of useless software for free with their machines. And I cannot understand why OEMs have their own programmers write bloated, trouble-prone configuration tools to do things that the operating system, if left to its own devices, will handle just fine. More often than not, when a friend complains "My Windows machine is being wonky", the culprit turns out to be some piece of broken pre-installed software that should never have been written in the first place.

When setting up a new Windows computer, then, the first thing I used to do was go to town on "Control Panel > Programs and Features". Anything that wasn't an important system component or driver got wiped. The 7-part DVD management suites, the 55 MB graphical interface for the network card, the proprietary backup image tools that never worked, the "CD acoustic silencer" that shaved three decibels of drive noise by cutting transfer speeds by 80%... all of it got purged.

Then, after cleaning out any remaining spyware (thanks Spybot), registry errors (thanks CCleaner), autoruns and hidden memory-resident cruft (thanks Sysinternals), I'd save a clean system image to DVDs using Win7's built-in backup tools, and the machine would be ready to go.

I recently discovered that all of that is not enough.

A user turned on another user's laptop, and by some odd chance, bumped an F-key that triggered a "special feature" somewhere in the boot loader. Instead of starting Windows 7, the machine booted to a proprietary recovery tool running in a stripped-down environment on a hidden partition. (I could have sworn I got rid of all this stuff, but this one was sneaky enough to evade everything I had done within Windows itself.)

The recovery tool produced lots of dire and official-looking warnings with the OEM's and Microsoft's logos, and advised "Click here to repair your system". The user, quite naturally, complied. The computer promptly wiped its own C: drive clean, replacing the entire OS (and the entire Users folder) with a fresh-from-the-factory image it had been hiding on the secret partition. At no point did it ask for any user credentials at all, let alone the admin / root password.

Well, that was fun.

Thanks to the wonders of Linux Live CDs, it wasn't too hard to boot the thing into Ubuntu and use gparted to find, and wipe, the hidden "recovery" tool. The DVDs I had burned earlier, with the cleaned-up system image, were used to restore the machine to its proper state.
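The hidden partition above was found by eye in gparted; the same check can be scripted from a Live CD. This is an added example, not part of the original post: it parses the machine-readable output of `parted -m` and flags partitions carrying the `hidden` or `diag` flag, or a recovery-sounding GPT name. The sample table is constructed, and the name keywords are a heuristic assumption.

```shell
#!/bin/sh
# Added example: flag likely OEM recovery partitions in `parted -m` output.
# Each partition line has the form:
#   number:start:end:size:filesystem:name:flags;

# Reads parted machine-readable output on stdin and prints
# "<number> <size> <reasons>" for every partition worth a second look.
flag_recovery_partitions() {
    awk -F: '
        /^[0-9]+:/ {
            sub(/;$/, "", $NF)                  # drop the trailing ";"
            reason = ""
            # Flags are a comma-separated list, e.g. "hidden, diag".
            n = split(tolower($7), f, /, */)
            for (i = 1; i <= n; i++)
                if (f[i] == "hidden" || f[i] == "diag")
                    reason = reason f[i] "-flag "
            # GPT partitions can carry a name; MBR (msdos) ones cannot.
            # Keyword list is an assumption, not an exhaustive rule.
            if (tolower($6) ~ /recovery|restore|oem/)
                reason = reason "name "
            if (reason != "") {
                sub(/ $/, "", reason)
                print $1, $4, reason
            }
        }'
}

# Constructed sample: an MBR disk with a small boot partition, the
# Windows volume, and a 20 GB partition marked as diagnostic/recovery.
sample_table() {
    cat <<'EOF'
BYT;
/dev/sda:500GB:scsi:512:512:msdos:ATA CONSTRUCTED DISK:;
1:1049kB:106MB:105MB:ntfs::boot;
2:106MB:480GB:480GB:ntfs::;
3:480GB:500GB:20.0GB:ntfs::diag;
EOF
}

sample_table | flag_recovery_partitions
```

On a real machine, pipe `parted -ms /dev/sda print` into `flag_recovery_partitions` instead of the sample (the device name is an assumption). An empty result after the wipe confirms nothing was left behind.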

My Windows setup method, though, has now changed. On new machines, I now do the following:

  1. Ensure an OEM system image is available just in case it's needed.
  2. Nuke it from orbit using one pass of DBAN (also found on UBCD), or using gparted on a Linux Live CD, to wipe the hard drive clean.
  3. Install Windows from a Microsoft DVD, never from a hardware vendor's own disk.
  4. Install essential drivers individually, having copied them from the OEM's web site to a flash drive. Skip the graphical config tools; all you usually need are the hardware drivers.
  5. Install essential management tools such as Sysinternals, Spybot, CCleaner, Cobian Backup, SIW, and whatever free antivirus is good this year. I also install a properly locked down Web browser and set the default text editor to something usable like Notepad++, among other tweaks.
  6. Set up a limited account for the machine's owner, who will always run with user-level privileges and will only switch to administrator rights (via UAC) when necessary.
  7. When everything's working correctly, take a system image using Windows Backup. Also make a Windows restore disk using Windows Backup. Having this clean configuration on DVDs will save a lot of time if the system ever needs to be rebuilt.

The user is now free to install whatever they want, and I can be reasonably sure that I won't get a "My Windows is wonky" call from them for quite a while.

I'm sure there will be some Mac fans out there who will say "If you bought Apple, it would just work without any of that!" True. Not everyone can afford a Mac, though, and many of us would have to install dual-boot Windows on it anyway, in which case you still have to run through most of the above. My point is this: If hardware vendors would ship their machines with plain Windows + drivers, without the useless junk, a Windows laptop would "just work" too.





Hi Matt,

Great post full of really useful links, thank you. I thought I was pretty good at stabilizing Windows, but you take it up several levels.

We are thinking of going over to Mac now that the new power books are price competitive with high end Windows machines (Windows still wins the low end price wars). (We need a lot of horse power to run Creative Suite for publishing.)



Thanks, John.

Apple's hardware of late is pretty slick stuff; the screens in particular on this year's Macbooks are far ahead of any Win-based competitor's. The guts of their systems (CPU, memory) continue to be about a year behind everyone else's, but since just about everything over $500 has been overpowered for three years now, that doesn't matter as much as it used to.

It would be hard for me to switch to Mac, because I rely on CAD software and a lot of finicky research code and specialized hardware that is Windows only. (Plus, I prefer to custom-build my systems, and I couldn't afford a Mac anyway.) They have their own, very different set of problems, but if your software can run on a Mac, comparison shopping is certainly worthwhile.
