Despite significant advancements in proactive malware detection and prevention, complete prevention of malware infiltration remains unattainable. Once malware is present on a system, it can make persistent changes that affect its stability, making user-specific recovery post-infection an important problem to address. Current solutions involve extensive monitoring to precisely pinpoint the changes that malware has made, which are impractical for home environments due to their high resource demands. This paper introduces a prototype for automatically generating user-specific malware recovery procedures that fully operates post-mortem. By leveraging forensic data collected on Windows by default, we replicate the original conditions under which the malware executed in a sandbox and automatically infer the exact system resources that the malware changed without imposing additional performance burdens on the user’s machine. We test a prototype against 894 real-world malware samples and three real-world, environment-sensitive malware campaigns, and achieve a full recovery rate of 51.3% even with no additional monitoring enabled. We conclude by sharing insights on the importance of machine replication and sandbox configurability in future malware research.