WARNING: This is for educational and research purposes only. Modifying recovery/install images can brick recovery partitions, trigger AV/EDR, void warranties, or cause system instability. Always test in isolated VMs. Do not use on production systems or for any illegal activity.
This tool attempts to achieve persistence through "Reset this PC" by:
- Auto-generating a tiny loader EXE (simple calc pop for testing; replace with your research stub)
- Mounting the install.wim/esd from the recovery partition
- Injecting the loader into `\Windows\System32\`
- Dropping a `SetupComplete.cmd` script that adds a Run key for auto-start
- Handling ESD → WIM conversion if needed
- Using the FodHelper UAC bypass for elevation
Goal: Make the payload survive a "Remove everything" reset and run on first boot in the new OS.
| Reset Type | Loader survives in final OS? | Auto-runs after reset? | Probability | Notes / Why |
|---|---|---|---|---|
| Keep my files (local) | Yes | Yes | 80–90% | Preserves Setup scripts + registry |
| Cloud download + Keep my files | Yes | Yes | 70–85% | Cloud image often still runs local SetupComplete |
| Remove everything (local reinstall) | Yes | Yes | 60–80% | Uses modified local install.wim/esd |
| Remove everything (cloud download) | No / Very unlikely | No | <10% | Fresh signed image from MS servers – ignores local mods |
| Fresh USB/ISO install | No | No | 0% | Different source image entirely |
| Windows Update / Feature update | No | No | 0% | Doesn't touch recovery partition install image |
Key factor: Cloud download became default/recommended in recent Windows versions → significantly lowers success rate for full wipes.
Best real-world chance: ~30–50% across random users doing "Remove everything", depending on internet speed / user choice of local vs cloud.
Testing:
- Run in a VM (Hyper-V / VirtualBox / VMware)
- Disconnect internet → forces local reinstall (higher success)
- After the tool runs, run `reagentc /info` to confirm the recovery path
- Trigger Reset this PC → Remove everything → observe whether `ntdllhelper.exe` appears in `C:\Windows\System32` and runs (calc pops)
- Check the registry: `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
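An added defender-side check (example code, not part of this tool) that looks for the indicators named in the testing steps above on the rebuilt OS. It assumes an elevated PowerShell 5.1+ session; the `%WINDIR%\Setup\Scripts` location for SetupComplete.cmd is Windows' standard path and is an assumption not stated in this README.

```powershell
# Added example: post-reset checks for the indicators this README names.
# Assumes elevated PowerShell on the rebuilt OS. The loader name and Run key
# come from the README; the SetupComplete.cmd path is Windows' standard one.

$findings = @()

# 1. Recovery environment status and image location, as reported by Windows.
$reagent = reagentc /info 2>&1
$findings += "reagentc /info:`n$($reagent -join "`n")"

# 2. Loader dropped into System32 (name taken from the README's test step).
$loader = Join-Path $env:SystemRoot 'System32\ntdllhelper.exe'
if (Test-Path $loader) {
    $sig = Get-AuthenticodeSignature $loader
    $findings += "SUSPECT: $loader exists (signature status: $($sig.Status))"
}

# 3. Run key values that reference the loader.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue |
  ForEach-Object { $_.PSObject.Properties } |
  Where-Object { $_.Name -notlike 'PS*' } |
  ForEach-Object {
    if ("$($_.Value)" -match 'ntdllhelper') {
        $findings += "SUSPECT: Run value '$($_.Name)' -> $($_.Value)"
    }
  }

# 4. SetupComplete.cmd left behind by setup. Any line that writes to the
#    ...\CurrentVersion\Run key is what this README's technique relies on.
$setupScript = Join-Path $env:SystemRoot 'Setup\Scripts\SetupComplete.cmd'
if (Test-Path $setupScript) {
    $content = Get-Content $setupScript -Raw
    $flag = if ($content -match '(?i)CurrentVersion\\Run') { 'SUSPECT' } else { 'INFO' }
    $findings += "${flag}: $setupScript present:`n$content"
}

if ($findings.Count -eq 1) { $findings += 'No README indicators found.' }
$findings | ForEach-Object { Write-Output $_; Write-Output '' }
```

A clean reset should report neither the loader nor a Run value referencing it; the reagentc output also shows which recovery image the reset would use, so it can be hashed and compared against a known-good copy.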
Limitations:
- Cloud download bypasses all local image mods
- Defender / third-party AV may scan mounted images or block SetupComplete.cmd
- Windows integrity checks may detect a tampered install.wim (rare but possible)
- ESD images require conversion → adds time/risk