Cleaning and optimizing a Windows computer safely

I do my best to make this all as easy as possible, but there are a lot of advanced operations in this guide compared to the rest of the site.

[Page last updated 2019-07-28]

This is a guide to problem resolution and maintenance for Windows 7 and higher. It will also remove many viruses and repair their damage. These procedures can help machines that are several years old. If your computer is a business machine, please ask your IT department first.

All these tasks have been performed by me or my scripts across tens, hundreds, or over a thousand computers. You can read my qualifications here.

The order of these steps is purposeful. For example - uninstalling some programs, running a temp file clean, and rebooting can leave them in a broken state.

Do not use registry cleaners or system optimizers. Read why.

Be very careful Windows 10 Telemetry Blockers/Privacy tools. They can edit operating system settings they shouldn't touch and carelessly disable security features, making you vulnerable and breaking Windows functionality. I know it’s tempting to “turbocharge your PC” with strategies from the WindowsXP days, but be aware it’s touching low-level functionality you don’t understand.

If you are updating a Windows 7 computer that's been off for a year, or installing from scratch, there are known issues. This is my guide that will save you hours: Windows 7 Fast Update.

1.) Test hard drive and review errors before starting

  • Hard drives can be the silent cause of unexplainable issues, hanging, and crashing. My preferred diagnostic tool is WinDlg from Western Digital. There's no install needed and it works with any drive from any company.
    Download the file, run windlg.exe, and double-click the drive to do a quick test. This will take 2 to 10 minutes.

  • The built-in Windows Reliability Monitor will show you a history of errors and problems on the machine.

  • [Expert] See if there have been any recent bluescreens (bugchecks) with BlueScreenView.

2.) Junk programs uninstall

This section is for the more technically-minded. If you aren't sure, reboot and skip this.

  • Start > type "Programs and Features" > Enter

From this view, uninstall anything that you know doesn't belong. Read the prompts you get VERY CAREFULLY to make sure you're not agreeing to leave anything behind. If you don't know what doesn't belong or are unsure, don't remove anything. That's okay - we'll address that later.

If the antivirus is out of date or expired or having issues, just uninstall it now. Antivirus that isn't updated within the last day is essentially useless. If the antivirus uninstaller is broken, you can use this tool to manually clear it from the machine: ESET AV Remover.

BREAK 1 - Reboot before doing anything below

3.) Windows files clean with cleanmgr.exe

You can save gigs (often 6GB+) cleaning WinSxS, which no other tool can safely touch. The built-in Windows cleaner was improved via Windows Update in 2013.  Do not do this in Windows XP.

  1. Start > type "cleanmgr" > Hit Ctrl+Shift+Enter to run it as Administrator.

  2. Disk Cleanup tab > Check everything except “Downloads” > Hit OK

Cleanmgr will just disappear when it's done. You do not need to wait for it, proceed to the next step.

4.) Windows Update cache reset

Completely clear the Windows Update cache. This is safe. The folder will be regenerated.

  1. Start > type "services.msc" > hit Enter.

  2. "Background Intelligent Transfer Service" > right click > Stop

  3. "Windows Update" > right click > Stop.

  4. Delete the folder C:\Windows\SoftwareDistribution. If it won't let you, stop the services again.

You do not need to manually start the services.

5.) Temp file clean with Bleachbit

Normally there's no reason to use a utility like Bleachbit. However, this is a fast, easy cleanup to reduce the number of files that antivirus has to scan. I'd rather not describe every location and make you do it manually.

  1. Download and install Bleachbit.

  2. Launch Bleachbit

  3. Check the following:

    1. Flash > Everything

    2. Internet Explorer > Everything

    3. System > Logs

    4. System > Memory dumps

    5. System > Recycle bin

    6. System > Temporary files

  4. Run a clean

When cleanmgr and Bleachbit are done, REBOOT.

BREAK 2 - Reboot before doing anything below

6.) Fast virus scan

Run even if you already have an antivirus. Simple tools to do a quick scan.

At this point, disable your existing antivirus temporarily or just uninstall it until you're finished with this guide.

  1. Microsoft Safety Scanner - This is a no-install antivirus in an EXE from Microsoft. Run a quick scan. Takes ~10 minutes. (~160MB)

  2. Kaspersky Virus Removal Tool

7.) Malware/Junkware checkup

Run if you have any suspicion the computer isn't clean, or if it has ever had an infection in the past.

  1. MalwareBytes AdwCleaner is a little-known but very effective way to get rid of lots of tiny things that hijack a computer. Please manually review all the recommendations before you agree to them. Requires a reboot when done.

  2. MalwareBytes Anti-Malware is my go-to for automated cleanup of a broader range of malicious software and system changes. If the computer's user is prone to installing junkware, you should consider purchasing Premium.

  3. Google Chrome Cleanup Tool is a small utility from Google using the ESET antivirus engine that removes junkware. You don't have to reset Chrome at the end unless you think something is broken.

8.) Check Windows Update and Firewall

A classic sign of infection damage are if the following settings cannot be enabled or do not work. Fix them.

  1. Start > type "Windows Update" > hit Enter
    Check for updates. If it doesn't work, make note of that and continue.

  2. Start > type "Windows Firewall" > hit Enter
    Make sure it's on or that it says it's being managed by another program. If you want it left off, at least make sure you can turn it on.
    If it still doesn't work, make note of that and continue.

If any of the above fixes don't work, you can try the Windows services repair tool by Webroot or the Services repair tool by ESET.

9.) DISM RestoreHealth (Windows 8+)

This command will scan the Windows operating system for corrupted components and repair them. This may take 20 minutes.

  1. Start > type "cmd.exe" > hit Ctl+Shift+Enter

  2. A black box will appear

  3. Type "dism /Online /Cleanup-Image /RestoreHealth"

  4. If any corruption is repaired, reboot the computer

10.) Install Windows updates and configure automatic update

Check for updates and make sure they're set to automatic.

If you run into a problem installing updates, please try all the steps below. Unfortunately, there are situations Windows cannot be reasonably repaired. However, Windows 8 and higher have a much more effective DISM command that can fix most corruption if it comes to that.

If updates fail Step 0 - Microsoft procedure

Microsoft is now maintaining an interactive troubleshooting guide to help fix Windows errors. Since they are the authority, you should follow their instructions first.

If updates fail Step 1 - Microsoft FixIt

Run the Microsoft Windows Update FixIt tool and reboot.

If updates fail Step 2 - System file integrity scans

  1. Start > type "cmd.exe" > hit Ctrl+Shift+Enter to run it as Administrator

  2. A black box will appear.

  3. Type "dism /online /cleanup-image /restorehealth" without the quotes and hit Enter
    (This will fail if you're on Windows 7)

  4. Type "sfc /scannow" without the quotes and hit Enter
    When it finishes, proceed

  5. Reboot when done and check for updates

If updates fail Step 3 - Microsoft Fixit 2 (Windows 7 only)

If updates fail Step 4 - Reset catroot2 and Windows Update Components

  1. Reset catroot2 folder (delete the contents, not the folder!)

  2. Download and extract "Reset Windows Update Tool" to a folder on your desktop

  3. Right click on ResetWUEng.cmd > Run as Administrator

  4. Use options 2, 5, 8, 9, 10, 12, reboot, then check for updates

If updates fail Step 5 - Check Microsoft known issues and solutions

Search this Microsoft Answers page for your error code or symptoms and follow the instructions:

If updates fail Step 6 - Microsoft SUR tool (Windows 7 only)

  1. Download and install the Microsoft System Update Readiness Tool. (Windows 7 only)

  2. Try Section 21 further down the page, "Install Windows 7 hotfix rollup"

If updates fail Step 7 - Chkdsk

Check your hard disk for errors.

  1. Start > type "cmd.exe" > hit Ctl+Shift+Enter

  2. A black box will appear.

  3. Type "chkdsk /r" without the quotes

  4. Type "y" and hit Enter

  5. Restart the computer

  6. Return to Updates Fail Step 1 if the chkdsk scan fixes anything on the disk

If updates fail Step 8 - Remove antivirus and reset network stack

Uninstall your antivirus, reboot, then follow the instructions here. Note that you will need to reinstall any VPN software after doing this. If you don't know what a VPN is, then you don't need to worry.

If updates fail Step 9 - Update Drivers

See section 20 of this guide.

If updates fail Step 10 - CheckSUR.log

This is only for Windows 7, and is extremely rare that you would ever need to do this. Warning: This is highly technical.

  1. First, run a hard drive health scan with WinDlg from Western Digital


If updates fail Step 11 - Edit COMPONENTS hive

  1. Start > type "cmd.exe" > hit Ctl+Shift+Enter

  2. A black box will appear.

  3. Type the following commands and hit Enter after each one:

    1. REG LOAD HKLM\COMPONENTS C:\Windows\System32\config\COMPONENTS

    2. REG DELETE HKLM\COMPONENTS /V PendingRequired

  4. Reboot and check for updates

(Source - Karen Hu)

11.) Quick scan with SecureAnywhere System Analyzer

SecureAnywhere System Analyzer by Webroot will do a very fast scan of running processes and important system locations for things marked bad in the "cloud." It triggers on viruses and junkware, and doesn't clean, so you normally want to run it after you've done the initial cleanout of a computer. It's for information only.

12.) WinSxS cleanup ResetBase (Windows 8+)

This goes further cleaning WinSxS than the command we ran at the start. We needed to make sure everything was functioning well before we cleared up outdated Windows files. Technical information about what this does. 

  1. Start > type "cmd.exe" > Hit Ctrl+Shift+Enter to run it as Administrator

  2. Type: "Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase" without the quotes

  3. Hit Enter

13.) Set UAC to full

Listen to me. Or listen to one of Microsoft's most senior programmers. UAC is a critical security control that has vast impacts you can't see. It is not computer bubblewrap. It exists for very important reasons. You aren't cool for turning it off.

Follow these instructions to set UAC to the highest option, "Always notify me." Anything less allows any malware to instantly elevate to administrator level permissions. UAC isn't magic, but it's a layer you want to use.

14.) Enable SmartScreen (Windows 8+)

This will check with Microsoft and warn users if they download+run any programs not commonly seen. This will prevent most infections downloaded from fake emails unless the user clicks through the stern warnings.

  1. Start > type "SmartScreen" > click "Change SmartScreen Settings"

  2. On the left, click "Change Windows SmartScreen Settings"

  3. Select "Get administrator approval" (Windows 8) or "Warn before running an unrecognized app" (Windows 10) and hit Ok

15.) Windows Search purge and re-initialization 

Windows has a built-in data indexing service named Windows Search and people with lots of data can cause the index storage files to grow to gigabytes of size. Additionally, Windows Search can become corrupted. Although it's largely a self-maintaining service, it may be "reset" if you wish. Can free a gig or more especially if you use Outlook. This goes far beyond the built-in Windows re-indexing command, which I find to be worthless.

Absolutely no tool or procedure does this, and something I learned after hours and hours of research and troubleshooting across many Outlook clients with search issues.

  1. Start > type "cmd.exe" > Hit Ctrl+Shift+Enter to run it as Administrator

  2. Type the following commands and hit Enter:

    1. net stop WSearch

    2. RD /S /Q "C:\ProgramData\Microsoft\Search"

    3. regedit

  3. Inside Regedit, find and delete the following:
    Under Current User:
    HKEY_CURRENT_USER\Software\Microsoft\Windows Search
    Then, under Local Machine:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Search\SetupCompletedSucessfully

16.) Browser upgrade and wipe

Please manually verify to make sure the browser is the latest version.

If the user has any history of computer-hijacking malware or performance issues with browsers, it may be a good idea to completely wipe their cache and settings. Otherwise, this might be overkill. There are simpler reset commands, but this way you know for a fact everything is gone.
NOTE: This wipes saved forms and passwords.

Microsoft Edge

At this time I have no real-world virus experience with this browser and have no advice.

Google Chrome

We are going to 100% reset Chrome.

  1. Export Chrome favorites.

  2. Uninstall Google Chrome.

  3. Start > type "%AppData%" > hit Enter.
    Delete the "Google” folder.

  4. Start > type "%AppDataLocal%" > hit Enter.
    Delete the "Google” folder.

  5. Delete the folder C:\Program Files (x86)\Google\Chrome

  6. Start > type “regedit.exe” > Hit Enter.
    Delete the keys “HKCU\Software\Policies\Google” and “HKLM\Software\Policies\Google”

  7. Install Google Chrome with the 64-bit MSI machine-wide installer (scroll down). You can install it normally, too. I won't go into it.

  8. Import Chrome favorites.

Mozilla Firefox

We are going to 100% reset Firefox.

  1. Export Firefox favorites.

  2. Uninstall Mozilla Firefox.

  3. Start > type "%AppData%\Mozilla" > hit Enter.
    Delete the "Firefox" folder.

  4. Start > type “regedit.exe” > Hit Enter.
    Delete the keys “HKCU\Software\Policies\Mozilla” and “HKLM\Software\Policies\Mozilla”

  5. Delete the folder "Mozilla Firefox" folder under "C:\Program Files" and "C:\Program Files (x86)"

  6. Install Firefox from the Mozilla website.

  7. Import Firefox favorites.

Internet Explorer

We are going to reset Internet Explorer to default settings. It's not a 100% reset, but it's pretty close. Make sure you have IE11 installed. To be safe, we will backup the bookmarks. Long story.

  1. Backup Internet Explorer favorites

  2. Internet Explorer > Press the Alt key > Tools > Internet Options > Advanced > Reset

  3. Check "Delete Personal Settings" > Ok

17.) Browser configuration

IMPORTANT NOTE: There are LOTS of settings in browsers that I am leaving out because I know the rare problems they can cause or that change the browsing experience. Some are also worthless, like enabling certificate revocation or Do Not Track. What I have chosen are carefully selected for the highest reward:risk ratio.

Microsoft Edge

  1. Install the 'Adblock Plus' extension. I will recommend uBlock Origin Edge once it's further in development.

Google Chrome

  1. Install uBlock Origin. Ads deliver malware and lead users to install fake programs. There is a small risk of it breaking sites so make sure the user knows to try Internet Explorer if they run into any problem. The overall reward is greater.

  2. Install Windows Defender Browser Protection by Microsoft.

  3. If it's a laptop, install HTTPS Everywhere. You can also install on desktop.

  4. Menu button > “Help” > "About Google Chrome" to make sure it's the latest version.

Mozilla Firefox

  1. Install uBlock Origin. Ads deliver malware and lead users to install fake programs. There is a small risk of it breaking sites so make sure the user knows to try Internet Explorer if they run into any problem. The overall reward is greater.

  2. If it's a laptop, install HTTPS Everywhere. You can also install on desktop.

  3. Menu button > "?" > "About Firefox" to make sure it's the latest version

Internet Explorer

It's important you did the complete IE reset earlier, as I'm assuming everything's back to defaults. Also, don't use IE.

Turn add-ons back on

Resetting Internet Explorer disables all add-ons, including things like Adobe Reader. There are some websites where they only display PDFs in an embedded object, so you will want to turn it back on.

  1. Press Alt key > Tools > Manage add-ons

  2. Under "Add-on types" > Show all add-ons

  3. Select and re-enable any addons you think are appropriate. Usually the only one is Adobe Reader

Enable protection of search provider

  1. Press Alt key > Tools > Manage Add-ons

  2. Under "Add-on types" select "Search providers"

  3. Check "Prevent programs from making changes to my default search provider"

  4. Review and modify search providers as you see fit

Configure Advanced options

This will turn on an additional layer of protection for Internet Explorer. Do not do this is the user uses any Internet Explorer plugins, like LastPass.

  1. Press Alt key > Tools > Internet Options

  2. Advanced tab

  3. Check:

    1. Enable 64-bit processes for Enhanced Protected Mode

    2. Enable Enhanced Protected Mode

18.) Enroll into cloud protection for Windows Defender

Windows Security Essentials/Windows Defender has a critical "cloud" component to it called MAPS, which used to be called SpyNet. This improves protection considerably. If you have another antivirus installed, skip this section.

Windows 7 & 8

Most users should already be set to MAPS Basic, but while we're in there we're going to set it to MAPS Advanced to assure the highest protection.

  1. Start > Search for Windows Defender or Microsoft Security Essentials

  2. Settings > MAPS > Advanced Membership > Save changes

Windows 10

Microsoft only has On or Off in Win10, which is a good improvement.

  • Start > Search for Windows Defender

  • Settings > Cloud-based protection > On

19.) Update Flash, Adobe Reader, and uninstall Java

Java is not needed for any modern reason other than obscure software and people who install Minecraft mods. It's safe to uninstall.

Windows 7:

Make sure Flash is the latest version for Internet Explorer and Firefox by opening that link in each browser. If the user only uses Chrome, completely uninstall Flash. There's no reason to have it installed.

I recommend Adobe Reader DC as opposed to other PDF readers because it silently updates and is 100% compatible with anything the user will do. The security is just vastly better than it was years ago.

Windows 8:

The only reason to have Flash installed is if the user insists on using Firefox. Otherwise, uninstall it.

I recommend Adobe Reader DC as opposed to other PDF readers because it silently updates and is 100% compatible with anything the user will do. The security is just vastly better than it was years ago.

Windows 10:

The only reason to have Flash installed is if the user insists on using Firefox. Otherwise, uninstall it.

Microsoft Edge reads PDF files, and Chrome has a reader built-in for web documents, so unless the user needs to interact with editable PDF forms, there's no reason to install a dedicated PDF reader.

20.) Update drivers

In order to talk with your computer's hardware, your operating system needs a special piece of software called a "driver" to translate commands. Computer manufacturers often release driver updates for a year or more after a computer is released, to fix issues they uncover. Drivers have low-level access to the operating system and can mess up your computer in exceptional ways if they have bugs. Because of this low-level access, it's sometimes very hard to pinpoint them as the cause of an issue.

Did you know that some graphics drivers have bugs that cause Microsoft Word to crash? Or that a Bluetooth radio driver can hang Outlook? You wouldn't think that would be possible, but I've seen it personally. Unfortunately, most people will suffer through these problems without ever finding a solution. You don't have to.

For these reasons, you should follow the advice of your computer manufacturer on keeping drivers up to date. On, search for your computer model and go to the manufacturer's website to download them directly.

Here's some common updaters:

Note: Do not use the "Intel Driver Update Utility" application on their site, it's bloated.

21.) Install special Windows 7 corporate hotfix rollup from Microsoft

Disclaimer: This is an immensely complicated situation that I'm going to try to simplify for you. I have spent literally a hundred-plus cumulative hours going through manually tracking hundreds of hotfixes and curating packages of Windows fixes for corporate networks. Microsoft has now made most of that manual work irrelevant with the information I'm going to provide below. If you want some of the technical details, see here.

The dirty truth about Windows 7 updates is you're not getting all the fixes and improvements unless you're a corporate customer with a very knowledgeable and exceptionally motivated IT team. Until now.

  • There's the mainline release of every Windows component, called GDR, where they only fix problems they think most people will run into.

  • There's another parallel series called LDR, that has all the fixes and improvements in GDR, but include extra things Microsoft didn't want to test for wide release. It's not a beta, it's just a different assurance level. It's most things only companies run into.

This was a neat idea that gave them flexibility in quickly getting out fixes. In the end, it's turned out to be kind of a disaster where 99% of machines don't have a lot of fixes, and company machines with IT people that actually know about this, only have a mix of updates because they only deploy certain hotfixes. Ever wonder why your computer at work sucks with all these weird bugs they just tell you to reboot to fix? It's because those bugs aren't worth fixing for home users, and your IT team probably isn't deploying hotfixes that include LDR file editions.

This is the motivating reason for why Windows 10 uses cumulative builds, which include every single fix they develop. To get away from this decade-long support nightmare.

Unless you install a special update that opts you into the LDR release for a component, or the file is included in the modern Cumulative Update system, you're stuck on GDR. To address this, Microsoft decided to combine tons of hotfixes into one easy to install package. There's not a huge reason to do this for home users since most of the fixes are for enterprise scenarios, but if you're looking to refresh a desktop, this update is a massive compilation of fixes that can solve tons of little problems.

I recommend you update all your drivers before you install this, because some changes it introduces were not tested on the first editions of older software. I've only run into this one time across tons of computers, but it's a good idea.

This is the update: KB3125574

22.) Defragmentation

Make sure Windows automatic optimization is turned on to run at 1PM every day. It will only launch if the computer is idle. Leaving it at the default can mean never defragging, if the user turns off the PC each night.

If you want to really dig-in for optimizing an HDD, I have been a user of MyDefrag for over a decade. I use it at home and deploy it to certain systems at work. The "system disk" profile is especially powerful. However, I strongly advise you to just get an SSD instead. They're orders of magnitude faster and start at $60.

23.) Physical cleaning

"It's just dust." I used to think that. Heat kills electronic components. Also, computers limit themselves if they aren't being cooled. A literal plug of dust can form behind the heatsink of a laptop. Use canned air - NOT a vacuum. Dust particles rubbing against the plastic nozzle produces static electricity. Additionally, do not spin fans too fast or you'll shred the bearings. If possible, hold the fan with your finger.

24.) Upgrade to Windows 10

Let me tell you a story. At my parents house was a terrible, ancient Lenovo desktop running Windows 7. I spent hours working on it. I made progress, it was a lot better. But it was still just a bad experience. It just dragged.

In the Thanksgiving of 2015, I just gave up and upgraded it to Windows 10. It made an incredible difference. Windows 10 has fundamental differences to Windows 7 on how it's designed performance-wise. Additionally, it has many of the latest drivers built-in, with improvements that will never be backported to Windows 7. You should seriously consider this. Windows 7 will be end-of-life in 2020, the clock is already ticking.

If you have extra time, you could consider doing a bare-metal wipe and optimize the machine from scratch. I have an entire article dedicated to that here.

25.) Other troubleshooting

Send requests or ideas

About this website

Article changelog:

2014: First version
2017-05-08: Changed BitDefender recommendation for Chrome to Netcraft after testing it over months against live sites
2017-05-13: Added Windows Search re-initialization
2017-05-16: Rearranged Windows Update error section, added link to Microsoft solution chart
2017-05-30: Added "Update drivers" to Windows Update issue section
2017-06-07: Changed several instructions to compensate for Windows Search changes in Windows 10

2017-07-31: Added instructions to reset catroot2 folder, fixed link, spelling
2017-08-08: Rearranged Windows Update fix order, included reference to Section 21, the hotfix
2017-09-18: Replaced CCleaner with Bleachbit
2017-11-21: Once again recommending MyDefrag, advise wiping SoftwareDistribution on Win10, wording
2017-12-21: Added step 11 to Windows Update troubleshooting, editing the components hive, renamed 21

2018-05-27: Put dism task before sfc task, per tip from expert that the order matters
2019-05-23: Add Microsoft update troubleshooter, clarify the new Download option in cleanmgr. Added Group Policy cleanup to Firefox and Chrome sections. Removed Netcraft Toolbar and BitDefender Trafficlight extension recommendations. Recommended Windows Defender Browser Protection for Chrome.
2019-07-28: Microsoft has removed Defender FixIt. Removed linked to Intel RST drivers, too complicated to guide users through.