Following a recent Trojan/rootkit etc. attack, I have been forced to reinstall Windows XP. Because of the effectiveness of the attack I had to install Windows on a different SATA HDD, while the damaged drive was physically disconnected. The drive housing the new installation was fully reformatted before the installation, but was part of the original setup. Fortunately my data was on a third, larger drive. After exercising a certain amount of ingenuity, I was eventually able to reformat the damaged drive.
Afterwards, reflecting on this exercise, I realized that the logon procedure that has been set up in the new installation (WHICH IS ON A DIFFERENT, REFORMATTED HDD) is identical to the personally tailored one that I had for the previous installation, i.e. the PC logs on without my needing to enter a password and on closing down offers me three separate icons for Standby, Shut Down or Restart. The implication seems to be that these details are recorded somewhere on the motherboard, or on the CPU or RAM or on the data drive which was not reformatted. If Microsoft can record details in a way that circumvents a reinstallation, surely a skilled hacker can do the same, leaving traces that can cause damage to the new installation?
I'd be very interested to hear your comments on this. Where does MS store this data, and how is it protected?