We cover our tracks. How to make Windows forget everything

Date: 04/06/2025

Lists of open files and USB devices, browser history, DNS cache – all this helps to find out what the user was doing. We have compiled step-by-step instructions on how to remove traces of your activity in different versions of Windows, Office and popular browsers. At the end of the article you will find several scripts that will help you automatically keep your machine clean.

1. Clearing lists of recent places and programs

Lets start cleaning up with lists of recent places and programs. The list of recent (in Windows 10 – frequently used) programs is in the main menu, and the list of recent places is in the explorer.

List of frequently used programs in Windows 7 and 10
List of frequently used programs in Windows 7 and 10
List of frequently used folders and recent files
List of frequently used folders and recent files

How to turn off this disgrace? In Windows 7, right-click on the Start button, select Properties, and in the window that appears, uncheck both boxes in the Privacy section.

Disable storage of the list of recent programs in Windows 7
Disable storage of the list of recent programs in Windows 7

To clear the list of recent places and documents, you need to delete the contents of the directory %appdata%\Microsoft\Windows\Recent. To do this, open the command line and run two commands:

cd %appdata%\Microsoft\Windows\Recent
echo y | del *.*

It also would not hurt to delete the contents of the directory %appdata%\microsoft\windows\recent\automaticdestinations\. It stores the latest files that appear in the jump list:

cd %appdata%\microsoft\windows\recent\automaticdestinations\
echo y | del *.*

These lines will be useful to us later when we write our own script to clean the system from traces of our presence in it.

To ensure that recent files are cleared automatically when you exit, you need to enable the “Clear recently opened documents history on exit” policy, which is located in the “User Configuration\Administrative Templates\Start Menu and Taskbar” section.

Now lets move on to Windows 10. You can disable the list of recently added and frequently used applications through the Settings window. Open it and go to the “Personalization” section, “Start” item. Turn off everything there.

Disable storing program list in Windows 10
Disable storing program list in Windows 10

It seems that the problem is solved, but, alas, this is not entirely true. If you enable these options again, all lists in the same composition will appear again. Therefore, you will have to disable this feature via group policy. Open gpedit.msc and go to User ConfigurationAdministrative TemplatesStart Menu and Taskbar. Enable the following policies:

  • “Clearing the list of recently used programs for new users”;
  • “Clear recently opened documents history on exit”;
  • “Clear tile notification history on exit”;
  • “Remove the list of programs pinned to the Start menu.”
Group Policy
Group Policy

Clearing recent places in Windows 10 is easier than in “seven”. Open Explorer, go to the View tab and click the Options button. In the window that appears, disable the options “Show recently used files in the Quick Access Toolbar” and “Show frequently used folders in the Quick Access Toolbar”. Do not forget to click the “Clear” button.

Windows 10 Folder Options
Windows 10 Folder Options

As you can see, such a simple task as cleaning up the last objects has a rather complicated solution. You can not get anywhere without editing group policies.

2. Clearing the USB storage list

At some restricted areas, only flash drives registered in the log are allowed to be connected to the computer. Moreover, as usual, the magazine is the most ordinary one – paper. That is, the computer itself does not in any way restrict the connection of unregistered storage devices. It does not limit, but it does record! And if during the check they find that the user has connected unregistered drives, he will have problems.

We are not advising you to try to steal military secrets, but the ability to clear the list of recently connected drives can come in handy in other life situations. To do this, look in the following registry sections:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumUSBSTOR
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetEnumUSB

Here they are – all the storage devices that you connected to your computer.

Registry section with drive connection history
Registry section with drive connection history

It would seem that you just need to take and clean everything. But it was not to be! Firstly, the permissions on these registry branches are set in such a way that you won’t be able to delete anything even in Windows 7, let alone Windows 10.

Oops...
Oops…

Secondly, assigning rights and permissions manually takes a long time, especially if there are a lot of drives. Thirdly, admin rights will not help. The screenshot above was created when I performed the delete operation with admin rights. Fourth, in addition to these two sections, there is a long list of sections that need to be cleaned. Moreover, they need to be not just deleted, but edited correctly.

If for some reason you need to do everything manually, then search for the keywords MountPoints, MountedDevices DeviceClasses and RemovableMedia. But it’s much easier to use a ready-made program that will do everything for you. Some forums recommend USBDeview for this. However, I tested it and I can say that it does not clean information from all the necessary sections. USBSTOR and USB continue to contain information about connected media.

I can recommend the program USB Oblivion. Launch it, check the box “Perform a real cleaning”. You can enable or disable the “Save Undo .reg file” option, but if the goal is not to test the program, but to prepare for the upcoming computer inspection, then it is better to disable it.

USB Oblivion
USB Oblivion

The program not only cleans the registry, but also displays a detailed log of its actions (see below). Once its finished, there will be no mention of any drives being connected to the computer.

USB Oblivion in action
USB Oblivion in action

3. Clearing cache and browser history

The third point in our to-do list is clearing the cache and browser history. There are no difficulties here – each browser allows you to reset the list of recently visited sites.

Edge. You can clear the list of downloaded files and all logs using the “Hub”. Just click on the appropriate links. When clearing the log, you need to select all the checkboxes and click the “Clear” button.

"Concentrator"
“Concentrator”
General cleaning at Edge
General cleaning at Edge

Firefox. Open the settings, go to the “Privacy” section, click the “Delete your recent history” link, select “All”, click the “Delete now” button.

Cleaning Firefox
Cleaning Firefox

Chrome. Press Ctrl + Shift + Del, on the page that appears, select clear for all time, check all the checkboxes and click the “Clear history” button.

Cleaning Chrome
Cleaning Chrome

Opera. Select “Menu (Opera) → Settings → Clear private data”. The principle is the same – select everything, click the “Delete” button.

IE. Who uses it? If anything, you can find recommendations on the Microsoft website.

As a result, you will not only erase the traces, but also free up the disk a little. To avoid clearing everything again, you can continue using the browser in incognito mode. Of course, the admin will notice the log on the gateway if he wants, but on your computer everything will be clean. The optimal solution is to use Tor. In this case, even the admin will not see what sites you visit (provided that there is no surveillance camera behind you).

If you use more than one browser and need to clean them periodically, you can use one of the specialized utilities. I tested Free History Eraser and the result was average: some things were cleared, some were not (the Edge log, for example, remained intact). So in important cases, do not forget to check manually.

Free History Eraser
Free History Eraser

4. Removing DNS records

You can find out which sites you visited not only from the browser log, but also from the DNS cache. When you type a website address into your browser, your computer contacts DNS to turn the website name into an IP address. The cache of previously received names is stored locally. You can view it using the command ipconfig /displaydns. I will not show the conclusion, its too long. To clear this cache, use another command – ipconfig /flushdns.

5. Clear Flash Cookies

Everyone and their dog is watching you. Even Flash tracks your visits. Flash Cookies are collected in the %appdata%\Macromedia\Flash Player#SharedObjects directory. You have already guessed what to do with him – send him away to hell. To script this process, these two lines will come in handy:

cd %appdata%\Macromedia\Flash Player\#SharedObjects
echo y | del *.*

6. Delete Microsoft Office Recent Documents List

For the convenience of users, all office suite programs store a list of recent documents. To stop this mess, in new versions of Office you need to go to the “Advanced” section in the settings, set the number of recent documents to one (note that in the screenshot there are two parameters that need to be changed to one). The program will not allow you to set the value to 0, so the latter will need to open some harmless file.

Word 2016 Options
Word 2016 Options

In older versions, on the General tab of the Options window, you can either also set the value to 1, or disable the Remember list of N files option altogether.

Word 2003
Word 2003

7. We automate cleaning with the help of special software

Please note that we need the CCleaner Desktop version, not CCleaner Cloud. The latter costs money and has a much wider range of functions than we need. Follow the link and select the Free version.

What I like about CCleaner is that it:

  • supports the latest versions of Windows, the latest versions of browsers, including Edge (unlike Free History Eraser);
  • can clean not only the system, but also applications;
  • can work in batch processing mode – I will show you how this is implemented below.
Cleaning the system with CCleaner
Cleaning the system with CCleaner
Cleaning Applications in CCleaner
Cleaning Applications in CCleaner

Using the program is easy – select the items you want to clear and click the “Clean” button.

There is another program for cleaning the entire system – Windows Cleaner. However, its website states that it only supports systems up to and including Windows 8. Indeed, in Windows 10 the program did not work as it should (at least it did not cope with clearing the Edge history). But on older “Windows” it has every right to exist.

Windows Cleaner
Windows Cleaner

8. Real file deletion

We all know that when you delete a file, it is not actually erased. Only the record about it is deleted, but the data itself still continues to exist somewhere on the disk. Therefore, to completely delete information, you need to use special utilities that erase the free space of the disk with zeros or random data. After this, it will not be possible to restore files. We have already deleted a lot of things in the previous steps, so now is the time to wipe the free space so that nothing can be recovered at all.

There are many utilities for erasing information. But we will use what we already have, namely CCleaner. Go to “Service → Disk erasing”, select the disk you want to clear from unfinished files, select “Only free space” to erase and set the erasing method. The application supports several erasing standards – from the simplest, which implies one rewrite, to the Gutmann method (35 passes).

Erasing free space
Erasing free space

Among competitors of CCleaner, the BCWipe program is interesting, for example – it can not only erase free space, but also delete the swap file, which may also contain confidential information. BCWipe costs money, but the trial version is suitable for a one-time wipe.

9. Create a bat file to clean everything

Now lets try to automate some of the operations described earlier. Lets start by deleting files from the Recent directory. You can delete using the del command, as shown above, but it is better to immediately use CCleaner for safe deletion.

\path\CCleaner.exe /delete "%appdata%\Microsoft\Windows\Recent\*" 1
\path\CCleaner.exe /delete %appdata%\microsoft\windows\recent\automaticdestinations\*" 1
\path\CCleaner.exe /delete "%appdata%\Macromedia\Flash Player\#SharedObjects" 1

Unfortunately, CCleaner cannot be called to clean all free space in command line mode, so you will have to delete files through it instead of using the del command, or use the del command and then manually run it and call it to clean free space. The last parameter (1) means three-pass deletion. This is the optimal mode, since one pass (0) is too easy, and all the others are too long. A full list of CCleaner command line parameters can be found on [the developers website].(http://myccleaner.net/ccleaner-ndash-parametryi-komandnoy-stroki/).

You can also clean the list of USB drives from the command line using USB Oblivion:

\path\USBOblivion.exe -enable -auto -nosave -silent

The first parameter starts the actual cleaning, not a simulation. The second one is to work in automatic mode (you don’t have to press a button), .reg files won’t be saved (-nosave), and the -silent parameter means to work in silent mode – just right for the command line.

Next, you need to run CCleaner with the /AUTO parameter for automatic cleaning by default. This will not clear the DNS cache, so you will have to do it manually:

\path\CCleaner.exe /AUTO
ipconfig /flushdns

As a result, we got the following scenario:

\path\CCleaner.exe /delete "%appdata%\Microsoft\Windows\Recent\*" 1
\path\CCleaner.exe /delete %appdata%\microsoft\windows\recent\automaticdestinations\*" 1
\path\CCleaner.exe /delete "%appdata%\Macromedia\Flash Player\#SharedObjects" 1
\path\USBOblivion.exe -enable -auto -nosave -silent
\path\CCleaner.exe /AUTO
ipconfig /flushdns

10. Create an AutoHotkey Script to Clean Everything

Now lets write another script. It will open the Chrome browser in incognito mode, and after the session ends (WinWaitClose will be set) it will launch CCleaner for automatic cleaning – the browser cache and temporary files will be deleted. After this, we will also clear the DNS cache.

Run, C:\path\to\chrome.exe incognito
WinWait, Google Chrome
WinWaitClose
Run, C:\path\ccleaner.exe /AUTO
Run, cmd /c "ipconfig /flushdns"
MsgBox, Browsing Session is Cleaned.

If you use Firefox, change the first line to include the path to Firefox and the -private parameter instead of –incognito. You can use AutoHotkey to run the script.

Related posts:
2022.06.03 — Playful Xamarin. Researching and hacking a C# mobile app

Java or Kotlin are not the only languages you can use to create apps for Android. C# programmers can develop mobile apps using the Xamarin open-source…

Full article →
2023.02.13 — Ethernet Abyss. Network pentesting at the data link layer

When you attack a network at the data link layer, you can 'leapfrog' over all protection mechanisms set at higher levels. This article will walk…

Full article →
2023.04.20 — Sad Guard. Identifying and exploiting vulnerability in AdGuard driver for Windows

Last year, I discovered a binary bug in the AdGuard driver. Its ID in the National Vulnerability Database is CVE-2022-45770. I was disassembling the ad blocker and found…

Full article →
2022.06.01 — Quarrel on the heap. Heap exploitation on a vulnerable SOAP server in Linux

This paper discusses a challenging CTF-like task. Your goal is to get remote code execution on a SOAP server. All exploitation primitives are involved with…

Full article →
2023.07.07 — VERY bad flash drive. BadUSB attack in detail

BadUSB attacks are efficient and deadly. This article explains how to deliver such an attack, describes in detail the preparation of a malicious flash drive required for it,…

Full article →
2022.01.12 — First contact. Attacks against contactless cards

Contactless payment cards are very convenient: you just tap the terminal with your card, and a few seconds later, your phone rings indicating that…

Full article →
2022.06.01 — F#ck AMSI! How to bypass Antimalware Scan Interface and infect Windows

Is the phrase "This script contains malicious content and has been blocked by your antivirus software" familiar to you? It's generated by Antimalware Scan Interface…

Full article →
2022.01.12 — Post-quantum VPN. Understanding quantum computers and installing OpenVPN to protect them against future threats

Quantum computers have been widely discussed since the 1980s. Even though very few people have dealt with them by now, such devices steadily…

Full article →
2023.01.22 — Top 5 Ways to Use a VPN for Enhanced Online Privacy and Security

This is an external third-party advertising publication. In this period when technology is at its highest level, the importance of privacy and security has grown like never…

Full article →
2022.02.09 — Dangerous developments: An overview of vulnerabilities in coding services

Development and workflow management tools represent an entire class of programs whose vulnerabilities and misconfigs can turn into a real trouble for a company using such software. For…

Full article →