I decided to go digging to see if I could find a proper source to back me up here. I swear torrentfreak had done an article about an investigation into a lot of the most seeded windows isos and finding keyloggers and rootkits. Unfortunately my search there is coming up empty.

However, you will find this advice on the /fwt/ thread on /g/, and as shit a place as 4chan is they do have a good piracy guide. If you download any windows iso that's pre-activated, there's no way to make sure it doesn't have a rootkit or similar in it because it now has a bad hash value. You can't guarantee it's clean. However, if you get a clean iso, even from a torrent, you know it's good as long as the hash is correct. And the thread links to a full archives of official hashes and a database of isos with good hashes you can compare them too.

Here's the fwt guides.

https://rentry.org/fwt https://rentry.org/ltsc

Personally, I genuinely believe some analysis lab or university is going to do a proper investigation of common windows iso torrents, and we're going to find a lot of compromised stuff. But it's really just not worth the risk. Pirated or not, always get a clean iso and verify the hash, then use debloat tools or an svf from m$