How and why to disable Windows 10 Recovery

The Windows 10 Recovery system allows you to "recover" your PC in case it suddenly stops working. Sometimes, however, it's better to turn it off.

Windows Recovery, the so-called Windows Recovery Environment (WinRE), is an extremely powerful feature that lets you repair your Microsoft operating system installation in case something goes wrong after installing an application or a device driver.

Thanks to a system based on Restore Points, you can restore Windows to the state it was in before the problematic software was installed. However, the Windows Recovery Environment also has significant security vulnerabilities, serious enough that in some specific cases it is safer to disable it. The biggest vulnerability of WinRE is that some of its tools can be used without user authentication. This means that an attacker who managed to get control of the PC could restore it to its factory default state, deleting all the installed applications (antivirus included) and all the data stored on the Windows partition.

This is a serious problem, especially if the PC is located in busy places like offices, libraries and schools. That's why, in such cases, it would be better to disable Windows Restore. Here's how to do it.

How to disable Windows Restore

To disable all of WinRE's functionality, first log in to Windows with system administrator credentials. This gives access to all settings, including the security ones. After logging in, open the command line by choosing "Run as administrator". The command to run is "reagentc.exe /disable". After executing this command, Windows will warn us that the Restore has been disabled. It will remain disabled until we reactivate it, again with administrator credentials, by running the command "reagentc.exe /enable".
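The check, disable and verify sequence described above, as a PowerShell example added here (it is not part of the original article). It assumes English-language output from "reagentc.exe /info", which reports a "Windows RE status" line; the function names Get-WinREStatus and Test-IsAdministrator are hypothetical.

```powershell
# Added example: report the WinRE state, disable it if needed, then verify.
# Assumption: English-language reagentc output ("Windows RE status: Enabled").

function Get-WinREStatus {
    param([string[]]$InfoOutput)   # lines as printed by "reagentc.exe /info"
    foreach ($line in $InfoOutput) {
        if ($line -match '^\s*Windows RE status:\s*(\w+)') {
            return $Matches[1]     # "Enabled" or "Disabled"
        }
    }
    return 'Unknown'               # localized or unexpected output
}

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# reagentc.exe only works from an elevated session, so stop early otherwise.
if (-not (Test-IsAdministrator)) {
    Write-Error 'Run this script from an elevated (Run as administrator) session.'
    exit 1
}

$before = Get-WinREStatus -InfoOutput (& reagentc.exe /info)
Write-Output "WinRE status before: $before"

if ($before -eq 'Enabled') {
    & reagentc.exe /disable | Out-Null
}

# Re-read the state instead of trusting the command's message.
$after = Get-WinREStatus -InfoOutput (& reagentc.exe /info)
Write-Output "WinRE status after: $after"

if ($after -ne 'Disabled') {
    Write-Error 'WinRE is not reported as Disabled; check "reagentc.exe /info" manually.'
    exit 1
}
```

The non-zero exit on any state other than "Disabled" lets the same script serve as a periodic compliance check on shared machines.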

How to avoid the risks of Windows Restore

Those who do not want to give up the functionality of WinRE, but are forced to share access to the computer with people they do not trust, can still keep it while maintaining a good degree of security. Just create different user accounts with different roles. Theoretically, you only need two: an administrator (protected by a strong password) and a "Guest" user with limited functionality.

Whoever logs into Windows with a Guest account cannot use the system tools, make changes to the operating system, or install new applications. They also cannot access the data saved by other accounts. It is therefore a very limited type of account, but for users of a library or similar activities it is more than sufficient and, above all, much more secure.