Will "rm -rf /" delete everything from Windows if run from Cygwin?

5

1

So...I did something bad. In Cygwin I wrote a bash script that took in two directories and copied the contents of one into the other. First, it called "rm -rf" to remove the contents of the second directory. I accidentally ran the script with no second argument provided, and it looks like Cygwin took that as the dreaded "rm -rf /".

I'm not sure what the damage is and I'm trying to assess it. As it was running before I stopped it, I saw a lot of "permission denied" messages.

The most visible damage was that my C:\cygwin64 folder was clobbered. All that was left in it was a few empty directories. I believe that there may have been some directories that were alphabetically above cygwin64 that were deleted because I don't remember it being the highest directory in the list, which it now is.

My computer is acting 100% normal and I haven't experienced anything strange yet. I just want to know if anyone has any experience with "rm -rf /" on Cygwin and whether this could clobber your entire drive like it would on Linux.

Part of the puzzle is that the root of Cygwin is beneath the c-drive, but it contains a reference to the c-drive in "cygdrive". I'm wondering if "rm -rf /" would actually go all the way through with deleting all of the contents of "/cygdrive" or if that is protected somehow.

EDIT: On a side note, does anyone know why "rm -rf " would be the same as "rm -rf /"? I distinctly remember not supplying a path and leaving that parameter blank, so I don't know why it called rm on the root directory.

JDN

Posted 2015-10-05T05:25:12.860

Reputation: 161

So you're asking whether rm -rf crosses mount points? – Ben Voigt – 2015-10-05T05:38:09.063

On Linux, the answer would be, "Yes, it crosses mount points unless you pass --one-file-system". Cygwin appears to support the same option. – Ben Voigt – 2015-10-05T05:39:39.243

Tried an "NTFS Undelete" type of program? – Ben Voigt – 2015-10-05T05:41:11.017

I have an SSD. Is NTFS Undelete still worth a shot? – JDN – 2015-10-05T05:44:50.603

That may depend on whether you have TRIM support :( – Ben Voigt – 2015-10-05T05:45:53.607

It's a modern SSD on a brand new Windows 10 computer. I'm pretty sure it has TRIM support. I've already tried Recuva and it found nothing with deep scan. – JDN – 2015-10-05T05:51:25.487

On my Windows 7 PC there are only user-created folders before `C:\cygwin`, nothing from a standard installation. – DavidPostill – 2015-10-05T07:05:04.020

Do you have a backup? If not I suggest you start making them in future ;) – DavidPostill – 2015-10-05T07:05:58.513

I actually backed up all of my personal files earlier today. So I'm not too worried about my stuff. Nothing is acting strange so they probably were just non essential folders. – JDN – 2015-10-05T07:40:08.557

Try find to see which files and directories it finds, so you can understand what it did, like this: find /*. This lists all files and directories recursively, and you can look for any folders or files relating to Windows. Because you get permission denied, you can see which files are denied. – makgun – 2015-10-05T10:51:33.657

@makgun I tried "find /* | grep denied" and saw that most system files and program files are denied. But many personal files it seems could potentially be deleted. I'm mostly just lucky I stopped the script so quickly I guess. – JDN – 2015-10-05T14:26:51.127

If you deleted your files accidentally you can use testdisk (it is available on Windows). It recovers files with their names if you don't overwrite any files. – makgun – 2015-10-05T16:26:51.340

This is a fun question. If I still had any Windows around I might try it and see how much havoc cygwin can cause. :) – chicks – 2015-10-05T17:01:02.050

@chicks It would be fun if it was a theoretical question...but it actually happened to me and it wasn't that fun. – JDN – 2015-10-05T18:16:57.480

This is only a slightly less scary result than an ISP that had an "rm -rf /home/$1", and then a new staff member ran the script without any parameters to try to see help. (Your case is potentially less scary only because you didn't mention if anything important is on the system.) If Windows desktop was deleted, who knows what other important stuff was too? Note that some undelete programs may overwrite data when undeleting; it is highly recommended that you make a bit-for-bit "forensic" image of the entire drive before making any other changes, if recoverability is of serious interest. – TOOGAM – 2015-10-05T23:03:25.423

@TOOGAM I'm pretty sure it's fine. I stopped the script quickly and it operates alphabetically. It's been over 24 hours and zero issues have presented themselves so far. – JDN – 2015-10-05T23:29:06.773

Answers

9

EDIT: The command completed and then I rebooted the VM, so I added more photos. Also changed my answer to include the fact that the machine wasn't totally clobbered.

EDIT 2: I still have the VM. Let me know in the comments if you have anything you want me to try on it out of curiosity.

EDIT 3: I decided to experiment a little more. I restored to a snapshot I took right before I ran the command, I put one folder above C:\cygwin and one folder below. I then ran the command and did ctrl-c very quickly. The cygwin folder still existed (inside it was mostly empty) but the folder above it was erased. The user generated folder below it was intact as well. Then I restored the state and ran the command again, this time for a little longer before ctrl-c. Now it erased both the folder above cygwin, cygwin itself, and the folder below.

When I ran this on my computer in real life the C:\cygwin64 folder was intact, implying that everything below it alphabetically was safe. This gives me some peace of mind now knowing for certain that the only folders that were blown out were those above C:\cygwin64, which usually are just temp folders or some other non-essential folders anyways.

TLDR: Don't run rm -rf /* or rm -rf / EVER.

TLDR2: I created a Windows 10 VM, installed Cygwin, and ran rm -rf /*. VM got pretty messed up. To answer my own question: Yes, it would delete everything that it has permission to access on your hard drive. If I hadn't cancelled the command as fast as I did when this happened on my real machine it would have deleted all of my personal files. The general OS would still be intact though.

So, I decided to create a Windows 10 VM and try this from scratch. Here's what happened. Cygwin doesn't let you do rm -rf / for safety reasons (there's an override option)...but rm -rf /* is perfectly fine apparently with no warning.

I realized that in my original script I was deleting all of the files in a provided directory, so I used rm -rf $1/*, so if $1 is empty...the dreaded destroy your hard-drive command is executed, and Cygwin doesn't even warn you!

About to hit enter...

cygwin64 is the first to get clobbered

Windows Explorer link is gone

Start Menu is still here

There goes the desktop image!

Notification center is still fine

Cortana Too!

Recycling bin is broken, but now I can access Windows Explorer!

C: Drive Contents, not much has changed here

General UI is still working fine

Start Menu no longer responds

Music lives! It's the only library left standing

The command has completed!

Not much new here in C:

Applications still work if launched from the executable, app data is still intact

I rebooted the machine. No problems booting up and logging in. Programs still work if you click on their direct executable. Still have internet access. It's hard to assess the permanent damage. Start still doesn't open.

JDN

Posted 2015-10-05T05:25:12.860

Reputation: 161

The reported results aren't surprising in the least. Cygwin might've been deleted first due to alphabetical order. Stuff that is being actively used is less likely to be deleted as easily, because of protections that protect files that are actively being used. However, a lot of software is likely to use data temporarily, and so the files that store that data will be easily deleted, and then the software will encounter problems. You may find that some programs run okay, but cannot do certain things (like saving a file, or restarting). Rebooting will likely expose more catastrophe. – TOOGAM – 2015-10-05T23:11:01.150

On rebooting, do you wind up with a "Your PC/Device needs to be repaired" screen? – bwDraco – 2015-10-05T23:16:45.743

Nope, reboot went fine! Updated with more pictures describing reboot. – JDN – 2015-10-05T23:23:14.570

My guess would be it only clobbered user stuff - if you created a new user, it might be fine. – Journeyman Geek – 2015-10-05T23:24:13.920

@JourneymanGeek that's what it seems like. The core OS is generally stable. Not sure what it means for the OS that you can't open the start menu though... – JDN – 2015-10-05T23:25:36.500

@JDN were you running Cygwin as Administrator? I wonder what the difference would be... – rubynorails – 2015-10-18T01:44:28.713

I don't think it was admin. That would have been an interesting comparison, but I deleted the VM a couple of days ago. – JDN – 2015-10-18T01:57:21.663
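
The failure described in the answer, where rm -rf $1/* with an empty $1 becomes rm -rf /*, can be blocked before anything is deleted. The following is an added example, not the asker's script; the function name clear_dir and the refusal list for /cygdrive are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: a guarded replacement for `rm -rf $1/*`.
# clear_dir is a hypothetical helper, not part of Cygwin or coreutils.
set -u   # referencing an unset variable (e.g. a missing $1) aborts the script

# In a standalone script, `target="${1:?usage: script DIR}"` gives the same
# protection at the point of use: the shell exits if $1 is unset or empty.

clear_dir() {
    local target resolved
    target="${1-}"

    # 1. Missing or empty argument: "$target/*" would expand to "/*".
    if [ -z "$target" ]; then
        echo "clear_dir: no directory given" >&2
        return 2
    fi

    # 2. The target must already exist and be a directory.
    if [ ! -d "$target" ]; then
        echo "clear_dir: not a directory: $target" >&2
        return 2
    fi

    # 3. Resolve symlinks and ".." first, then refuse the root itself and,
    #    on Cygwin, the /cygdrive mount point and bare drive roots.
    resolved=$(cd -- "$target" && pwd -P) || return 2
    case "$resolved" in
        /|//|/cygdrive|/cygdrive/?)
            echo "clear_dir: refusing to clear $resolved" >&2
            return 3
            ;;
    esac

    # 4. Remove the contents only (dotfiles included), never the directory.
    #    -xdev is find's counterpart to rm's --one-file-system mentioned in
    #    the comments: it does not descend into other mounted file systems.
    find "$resolved" -xdev -mindepth 1 -delete
}
```
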