ASC WikiTec :: ASC Consultants Free Wiki Computer Knowledgebase

System Restore is a component of Microsoft's Windows Me, Windows XP and Windows Vista operating systems that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of a failure. Vista has been improved interface relying on Shadow Copy

Overview

System Restore is can be accessed via Start -> All Programs -> Accessories -> System Tools -> System Restore. From there, the user may either create a new restore point manually, roll back to an existing restore point, or change the System Restore configuration.

New Restore Points are created when:

when a piece of software is installed
when Windows Update installs new updates to Windows
when the user installs a driver that is not digitally signed by Windows Hardware Quality Labs
every 24 hours of computer use (10 hours in Windows Me), or every 24 hours of calendar time, whichever happens first
when the computer boots after being off for more than 24 hours
when the user requests it.

System Restore can be configured to use up to 15% of hard drive space. Old restore points are discarded in order to keep drive usage within the specified amount. This can provide restore points covering the past several weeks. Users concerned with performance or space usage may also opt to disable System Restore entirely. Files stored on partitions not monitored by System Restore are never backed up or restored.

System Restore backs up system files of certain extensions (.exe, .dll, etc.), with the exception of files in My Documents folders, and saves them in a large compressed block for later recovery and use. It backs up the registry and most drivers. It does not back up or restore user data. System restore will not monitor changes to users' personal data. Nor will it restore windows logins. Thus, users will not lose personal data, emails, etc., when performing a system restore.

When a rollback to a previous restore point is performed, the files that were being monitored by System Restore are restored and newly created folders are removed. Microsoft recommends that if a user is unsure as to whether certain files will be modified by a rollback, that they keep those files under My Documents which is not effected by the system rollback.

System Restore

System Restore protects your computer by creating backups of vital system configurations and files. These backups are known as restore points. These restore points are created before certain events take place in order to give you a recourse in case something bad happens during that event. These events are as follows:

These restore points contain configuration and settings and files that are necessary for your computer to run correctly. The following are some of the settings and files that are saved in a Restore Point:

Registry (Contains Configuration information for application, user, and operating system settings)
Windows File Protection files in the dllscache folder. (Used for protecting system files)
COM+ Database
Windows Management Instrumentation Database
IIS Metabase (Contains configuration for Internet Information Server)
Files with extensions listed in the Monitored File Extensions list in the System Restore section of the Platform SDK
Local Profiles

What System Restore does not store in a Restore Point include:

Windows XP passwords and hints are not restored. This is done so that you do not by accident restore an old password and then lock yourself out of the computer.
Microsoft Internet Explorer and Content Advisor passwords and hints are not restored.
Any file types not monitored by System Restore like personal data files e.g. .doc, .jpg, .txt etc.
Items listed in both Filesnottobackup and KeysnottoRestore (More on that later)
User-created data stored in the user profile
Contents of redirected folders

The amount of space a System Restore will allocate towards its use is, by default, 12 percent of your total usable space on the particular partition being monitored if the partition is greater than 4GB, otherwise it will use up to 400 MB. This amount can be adjusted per partition in the System Restore tab in your System control panel. If you have less than 200 MB, system restore will be disabled until the amount of available space rises above 200 MB. If system restore attempts to make a new restore point, and that restore point would put you past the allocated amount of storage that system restore can use, system restore will delete the oldest restore point automatically to create more room for the new one.

Disabling System Restore

Figure 1 Disabling System Restore

NOTE: You need to be logged in as an Administrator to administer System Restore. WARNING: By disabling system restore you will delete all stored restore points.

You should first go into the Control Panel and then double click on the System icon. If you are in the control panel and do not see the System icon, click on the link that says "Switch to classic view" in the upper left hand side of the window. Now you should be able to see the System icon. After you double click on it you should then click on the System Restore tab. If system restore is enabled you will see an image like Figure 1 below.

If you see in the Status section, designated by the green box, that it is Turned off , then system restore is already disabled and you do not have to do anything further. If it is showing that it is monitoring as seen in Figure 1 above, then you should check the checkbox labeled "Turn off System Restore", designated by the red box. You should then click on the Apply button to disable system restore.

Enabling System Restore

Figure 2. Enabling System Restore

By default system restore is enabled, right click on My Computer go to Properties. If you are in the control panel and do not see the System icon, then click on the link that says "Switch to classic view" in the upper left hand side of the window. Now you should be able to see the System icon. After you double click on it you should then click on the System Restore tab. If system restore is turned off you will see an image like Figure 2 below.

If you see in the Status section, designated by the green box, that it is Monitoring a partition, then system restore is already enabled and you do not have to do anything further. If it is showing that it is turned off as seen in Figure 2 above, then you should uncheck the checkbox labeled "Turn off System Restore", designated by the red box, and then adjust how much disk space you want to allow system restore to use, which is by default 12 percent of your entire disk space.
When you are done with making your settings, you should click on the apply button. Since you are turning system restore back on, a new restore point will automatically be made. After the new restore point is made, you should see in the status section that system restore is monitoring the partition; which means it is enabled.

Manually Creating Restore Points

Figure 3. System Restore Utility

It is possible to manually make restore points when you wish by using the System Restore utility. Common reasons to do this are because you feel have your computer set up perfectly and would like to save that state in case something goes wrong in the future. To open the utility, go to your System Tools group under Accessories in your Programs menu. Then click on the System Restore icon. You will be presented with a screen similar to Figure 3 below.To create a manual restore point select the radio dial labeled "Create a restore point", designated by the blue box, and press the Next button. You will then be presented with a screen similar to Figure 4 below.

Test

Figure 4. Name your Restore Point

Test2

Figure 5 Disabling System Restore

At this point you should type the name you would like this restore point to be referred as in the field designated by the red box. The current date and time will automatically be appended to the name you choose. When you are done, press the Create button designated by the blue box. System restore will create the restore point and give you a confirmation screen with information like Figure 5 below. At this point you can press the Close button to close the System Restore utility.

Restoring Windows XP to a previous State

Figure 1 Disabling System Restore

To restore Windows XP to a previous restore point you need to open the System Restore Utility. To open the utility, go to your System Tools group under Accessories in your Programs menu. Then click on the System Restore icon. You will be presented with a screen similar to Figure 3 above.

You should select the radio button that is labeled "Restore my computer to an earlier time", which is designated by the red box. When that is selected press the Next button. You will then be presented with a screen similar to Figure 6 below.

At this point you should select a restore point that you would like to restore. If a particular day has any restore points created on it the date will be in bold. You can then select the restore point by clicking once on its name, as designated by the red box in Figure 6 and then pressing the Next button.

At this point you will prompted with a confirmation as to whether or not you want to continue. If you do want to continue, you should press the Next button again, otherwise press cancel. System restore will then shut down all open applications and reboot the computer.

After the computer is rebooted you will see a screen that contains information as shown Figure 7 below confirming that the restoration to the restore point is complete.

If there are any problems with your computer since you restored to this restore point, you can revert back to your previous settings by going back into the System Restore Utility and selecting the "Undo my last restoration" radio button and pressing the Next button as show in Figure 8 below.

Deleting Restore Points

here are three known safe ways to delete restore points stored on your computer. These ways are described below:

Disk Cleanup - Launch the Disk Cleanup tool and then select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Turn off System Restore - Just by turning off System Restore all your restore points will be deleted. Unless you want this to happen, be careful that you don't mistakenly delete all your restore points by disabling system restore.

System Restore runs out of storage space - If system restore runs out of the storage space that has been allocated towards its use, it will delete the oldest restore point in order to create space for the new restore point.

Problems with System Restore

There are some problems associated with System Restore when it comes to viruses. When restore points are created they are stored in a directory that is accessible only to the System account and not to a user. This keeps the restore points safe from misuse and tampering. Unfortunately this also means that any virus scan software you may have installed can not scan the files located there as well. This causes a problem if a file that is infected with a virus gets backed up into a restore point because now the anti-virus software can not clean it. Now if you ever restore from a restore point, that file that is infected will be introduced back into your system.

With this in mind, if you find that you are infected with a virus, hijacker, or spyware and want to make sure you do not get reinfected if you restore a restore point, you should turn System Restore off and then back on again to clear all the restore points. This will guarantee that their are no infected files that could be restored.

Advanced Info

WARNING: Information found in this section is for advanced users only. If you use this information without advanced knowledge of your operating system you can cause serious damage to your Windows installation.

All restore points are stored in a folder that starts with _restore in the System Volume Information folder found in the root of your individual partitions. This folder is used to store copies of your registry, files, configs, etc. The system volume information folder is only accessible to the System account by default. You can access this folder, though, by adding yourself to the security permissions of this account. Though its advised that you do not do so, I am sure that some of you will poke around in there anyway. Remember, doing this is at your own risk.

Most of the configuration options for System Restore can be found at the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

One interesting key you can change here is the interval Windows uses to make an automatic restore point. By changing the value, which is the total seconds between automatic restore point creation, you can make Windows create restore points more often or less frequent. The default value is 86400, which in seconds corresponds to 24 hours between each automatic restore point creation.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPGlobalInterval

For more information on the registry keys used by System Restore read this Microsoft Knowledgebase article:

http://support.microsoft.com/default.aspx?kbid=295659

You can also specify what registry keys should not be restored and what files should not be backed up by System Restore.

These registry keys are:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\KeysNotToRestore

The values contained in the FilesNotToBackup key are files or directories, in which you can specify wildcards as well to exclude all files in a particular directory. Any files listed in this way will not be added to a restore point when one is created.

The values contained in the KeysNotToRestore key are registry keys that should not be restored if you ever restore your computer to a previous restore point.

Conclusion

The System Restore application is a powerful tool for keeping your Windows Installation running smoothly and safely. If you use this feature you will be guaranteed to have a valid restore point to revert to if any issues arise in the future. Care must be taken, though, when using this application so that damaged or infected files are not restored to your computer and cause you to be reinfected. With caution in mind when using System Restore you should not have these problems.

MSSystemRestore

Table of Contents