How to Check Your Refurbished Laptop for Pre-Installed Malware (Free 5-Minute Forensic Test)

If you bought a refurbished, off-lease, or used Windows laptop, you are trusting the seller to ship you a clean machine. Most refurbishers do that honestly. A growing number do not.

A small but troubling segment of the refurbisher market has figured out that they can sell the same laptop twice — once to you for the price of the hardware, and again to advertising networks and residential-proxy operators by pre-installing software that monetizes your machine after you take possession of it. Adware that pops up scareware ads. “Optimizers” that funnel you toward affiliate links. And in the worst cases, residential-proxy software that sells your home internet connection as a commercial exit node for someone else’s web scraping.

You can find out in five minutes whether your seller did this to you. The tools are already built into Windows. You don’t have to install anything. You don’t have to be technical. If you can copy and paste, you can run this test.

This is the exact test I used to document an Amazon Renewed seller’s pre-installed adware on a Dell Latitude 7420 I bought in May 2026 — work that’s now part of an active consumer-protection lawsuit. The methodology is below.

What you’re going to look at

Three things, in order:

The operating system’s install date. When was Windows last installed on this machine? On a legitimately refurbished laptop, this is the day the refurbisher wiped it and reinstalled Windows. That date should be sometime between when the laptop was returned to the refurbisher and when they shipped it to you.

The Prefetch directory — every program ever run on this machine, with timestamps. Windows automatically logs every executable that runs, in chronological order, in a folder called C:\Windows\Prefetch. This is the goldmine. You can read your laptop’s history like a story.

Installed programs, sorted by install date. What software is on this laptop, and when did it get installed? Anything dated before you took possession was put there by someone else.

You don’t need to know any specific dates ahead of time. Windows itself logs an event called FIRSTLOGONANIM.EXE the very first time a user logs into a fresh Windows install. Whatever date that program ran on your laptop is the moment you powered it on for the first time. Anything in the Prefetch list above that line, you didn’t do. The seller did.

What you’ll need

A Windows 10 or Windows 11 laptop. The instructions below are written for both — they’re identical. Five minutes. The ability to right-click and copy/paste. That’s it.

If your laptop is a Mac or runs Linux, this specific test won’t work because Prefetch is a Windows feature. The general principle (look at filesystem timestamps and installation logs to reconstruct what the seller did) still applies, but the commands are different and not covered here.

Step 1. Open PowerShell as Administrator

Right-click the Start button in the bottom-left corner of your screen.

In the menu that appears, click Terminal (Admin). On older versions of Windows 11, this might say Windows PowerShell (Admin) instead. Either is fine.

Windows will ask “Do you want to allow this app to make changes to your device?” Click Yes.

A blue or black window will open with text in it and a prompt that ends in >. Look at the very top of the window — the title bar should say Administrator somewhere in it. If it doesn’t, close the window and try again. You need the Administrator version, or the Prefetch step won’t work.

Step 2. Paste this one block of commands

Copy everything in the dark box below. The whole block. Then right-click in the PowerShell window to paste. Press Enter.

The commands run for about thirty seconds. When they finish, Notepad opens automatically with the full report, and a copy is saved to your desktop as laptop-forensic-check.txt. Keep that file. If anything in it looks wrong, that text file is your evidence.

Step 3. Read the report

The report has three sections. You’re going to read each section and ask one specific question.

Section 1 — Windows install date

Compare the install date Windows reports to the date you received the laptop. If Windows was installed weeks or months before you got the machine, that’s expected — the refurbisher had to install Windows to refurbish the laptop. The install date itself isn’t the smoking gun. What matters is what happened between the install date and the day you powered it on. That’s what Section 2 shows you.

Section 2 — Every program ever run on this machine (the goldmine)

This is the most important section. Scroll down the list — the dates run from oldest at the top to newest at the bottom — and look for an entry called FIRSTLOGONANIM or FIRSTLOGONANIM.EXE. That program runs the very first time anyone logs into Windows after the operating system is installed. The date next to it is the moment you powered the laptop on for the first time.

Now look at everything above that line. Every program. Every timestamp. You did not run any of it. You didn’t own the laptop yet. Whoever ran those programs is whoever was on the seller’s bench.

Some of what’s above that line is normal and expected. Refurbishers run hardware tests. If you see programs like BURNINTEST, KEYBOARDTEST, LCDTEST, WINDOWSCAMERA, BIOENROLLMENT, MSINFO32, or DISM, those are routine quality-assurance tools. Seeing them is a good sign — it means the seller actually tested the keyboard, the screen, the camera, and the fingerprint reader before shipping the machine to you.

What’s not normal: software installers, browser executables, registry editors, command-line tools, and any program you’ve never heard of. Specifically, watch for these names appearing in the list above the FIRSTLOGONANIM line:

• REGEDIT.EXE — manual edits to the Windows registry
• MPCMDRUN.EXE — command-line control of Windows Defender, often used to add exclusions so adware can hide from the antivirus
• CMD.EXE and POWERSHELL.EXE — manual command sessions
• MSIEXEC.EXE followed by an unfamiliar product name — software being installed from a .msi package
• Any executable name that looks like a product, especially products that match popups, ads, or “antivirus” prompts you’ve already seen on the laptop

In the case I documented in May 2026, the seller’s bench session showed REGEDIT.EXE, MPCMDRUN.EXE, and CMD.EXE running in a 21-minute window that bracketed the installation of two unwanted programs — an adware package called PC App Store and a residential-proxy product called Bright VPN. That sequence — registry editor, Defender command-line, command shell, all clustered around a software install — is the fingerprint of intentional tampering, not refurbisher quality assurance.

Section 3 — Installed programs, sorted by install date

Read this list from top to bottom. The top entries are the oldest. Anything dated before you bought the laptop was put there by someone else.

If you see software you didn’t install — VPN clients, “PC optimizers,” “app stores,” antivirus products you didn’t choose, browser extensions you didn’t add — the seller installed them. Highlight or note those entries. They are evidence of pre-installation.

What to do if you found something

If your report shows software you didn’t install, programs in Prefetch above the FIRSTLOGONANIM line that aren’t refurbisher hardware tests, or any of the suspicious patterns above, here is what to do in this order.

Do not uninstall the suspicious software yet. Uninstalling it removes the evidence. You may need that evidence to file a refund claim with the seller, an A-to-z claim with Amazon (or your marketplace’s equivalent), a complaint with the Better Business Bureau, or in extreme cases a small-claims action.

Take screenshots of the relevant sections of the report. Save the laptop-forensic-check.txt file from your desktop somewhere safe — email it to yourself, copy it to a USB drive, upload it to cloud storage. Multiple copies. The file’s modification timestamp is part of the evidence.

If a popup or scareware ad appears on the laptop, photograph the screen. Don’t dismiss the popup until you’ve captured it. The popup itself is part of the evidence chain.

Run a Malwarebytes scan. Download Malwarebytes Free from malwarebytes.com — it’s free, doesn’t require an account, and is the industry-standard tool for identifying adware and potentially-unwanted programs (PUPs). Malwarebytes will name the suspicious software with its industry classification (Adware.PCAppStore, PUP.Optional.BrightVPN, etc.). That classification strengthens your evidence considerably because it confirms that an independent third party has identified the software as malicious or unwanted.

Run a Windows Defender offline scan. Open Settings → Privacy & Security → Windows Security → Virus & threat protection → Scan options → Microsoft Defender Antivirus (offline scan). The offline scan reboots the laptop and runs Defender outside the normal Windows environment, where adware that hides from regular Defender scans can’t hide. This catches things the in-OS scan misses.

Then file your complaints. In rough order: contact the seller through the marketplace and request a refund citing the pre-installed software; file an A-to-z claim with Amazon or the equivalent buyer-protection mechanism on your marketplace; file a complaint with the Better Business Bureau against the seller; depending on the severity and the dollar amount, consider your state attorney general’s consumer protection division and small claims court.

The forensic report you generated and the Malwarebytes scan results together make a strong package. Most consumer complaints about refurbished laptops fail because the buyer can only say “the laptop seems weird” — vague, not actionable. A specific timeline showing the seller’s bench installing specific named adware on a specific date is concrete, dated, and hard to wave away.

What if Prefetch is empty or returns nothing?

Stop. Don’t log in, don’t enter passwords, don’t connect the laptop to your home Wi-Fi.

The Prefetch directory exists by default on every Windows 10 and Windows 11 installation. Refurbishers’ hardware quality-assurance tools always leave entries there — there’s no way to test a laptop’s keyboard, screen, camera, and fingerprint reader without leaving Prefetch entries from those tools. An empty Prefetch on a refurbished laptop is a serious red flag. The most likely explanation is that someone deliberately cleared it after running software they didn’t want a buyer to see.

In this case, your best move is to skip Sections 2 and 3 of the report (which are now useless) and go straight to scanning. Run the Malwarebytes scan from a wired ethernet connection, not your home Wi-Fi. Run the Windows Defender offline scan. If either turns up adware or PUPs, you have a return-the-laptop-and-get-your-money-back situation regardless of what the seller’s listing claimed.

If both scans come back clean despite the empty Prefetch, the safe move is still to wipe and reinstall Windows yourself before you trust the laptop with your accounts and your home network. A clean Windows reinstall costs you a few hours; cleaning up after a residential-proxy infection that’s been on your home Wi-Fi for six months costs you much more.

Frequently asked questions

Will running this test break anything on my laptop? No. Every command in the script is read-only. It looks at files and registry entries that already exist and writes the results to a text file on your desktop. It does not modify any system settings, install anything, or change any files outside your desktop.

Does this work on Windows 10? Yes. Windows 10 and Windows 11 both have Prefetch and the registry uninstall keys. The commands above work identically on both.

Does this work on a Mac? No. Macs do not use Prefetch. The general idea — look at filesystem timestamps to figure out what the seller did before they shipped the laptop — still applies, but the specific commands are different.

What if I bought my laptop new from the manufacturer or a major retailer (not refurbished)? This test still works, but the expected output is different. On a brand-new laptop, the only entries you should see in Prefetch above your FIRSTLOGONANIM line are Windows setup programs and possibly the manufacturer’s own pre-installation tools. You generally should not see third-party software installs.

The seller said the laptop was “factory refurbished” or “manufacturer renewed.” Doesn’t that mean it’s safe? Programs like Amazon Renewed and similar marketplace refurbishment certifications set rules for what sellers are supposed to do. Whether individual sellers actually follow those rules is a different question. The forensic test on this page tells you what the seller actually did, not what the seller said they did.

Should I run this test before I do anything else with a new refurbished laptop? Yes. The whole point is to verify the laptop is clean before you trust it with your accounts, passwords, and home network. Five minutes of caution before logging in is worth a great deal more than any cleanup after the fact.

What if I find something but it’s months later and I’ve already been using the laptop? The forensic test still works — Prefetch entries persist for hundreds of programs by default. You’ll see your own usage in the list alongside the seller’s bench session, but the FIRSTLOGONANIM marker still tells you exactly where the seller’s activity ended and yours began. Run the test, save the report, and follow the same complaint process. The dollar-recovery odds are lower months later, but a documented seller pattern is still actionable through marketplace dispute and BBB channels.

If you found this guide useful and you want to support consumer-protection journalism that names sellers, marketplaces, and the specific patterns they use to monetize buyers, the original Amazon Renewed case file is the live example. The lawsuit is filed. The methodology is open. Share both pages with anyone you know who’s about to buy a refurbished laptop.

Tommy Bowman runs Bowman Web Services LLC out of Daytona Beach, Florida. The forensic methodology on this page is being used as evidence in Volusia County Court Case 2026 17782 COCI against an Amazon Renewed third-party seller.