System Restore
Encyclopedia
System Restore is a component of Microsoft
's Windows Me
, Windows XP
, Windows Vista
and Windows 7, but not Windows 2000
, operating system
s that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of system malfunction or failure.
The Windows Server
operating system family does not include System Restore. The System Restore built into Windows XP can be installed on a Windows Server 2003
machine, although this is not supported by Microsoft.
In Windows Vista
and later versions, System Restore has an improved interface and is based on Shadow Copy technology. In prior Windows versions it was based on a file filter that watched changes for a certain set of file extensions, and then copied files before they were overwritten. Shadow Copy has the advantage that block-level changes in files located in any directory on the volume can be monitored and backed up regardless of their location.
may create a new restore point manually, roll back to an existing restore point, or change the System Restore configuration. Moreover, the restore itself can be undone. Old restore points are discarded in order to keep the volume's usage within the specified amount. For many users, this can provide restore points covering the past several weeks. Users concerned with performance or space usage may also opt to disable System Restore entirely. Files stored on volumes not monitored by System Restore are never backed up or restored.
System Restore backs up system files of certain extensions (.exe, .dll, etc.) and saves them for later recovery and use. It also backs up the registry and most drivers.
The list of file types and directories to be included or excluded from monitoring by System Restore can be customized on Windows Me and Windows XP by editing %windir%\system32\restore\Filelist.xml.
In Windows XP, restore point files are stored in a hidden folder named System Volume Information on the root of every drive, partition or volume, including most external drives, and some USB flash drives. On drives or partitions that are not monitored by System Restore this folder will be very small in size or completely empty, unless Encrypting File System is in use or the Indexing Service is turned on. Note: If the System Volume Information folder is deleted, it will be recreated automatically.
Older restore points are deleted as per the configured space constraint on a First In, First Out
basis.
In Windows XP only, several System Restore settings can be configured via the Registry.
. It is not possible to restore the system if Windows is unbootable. Under Windows Vista
, the Windows Recovery Environment can be used to launch System Restore and restore the system, in case the Windows installation is unbootable. For all operating systems including Windows XP, the Diagnostics and Recovery Toolset (DaRT) tools from the Microsoft Desktop Optimization Pack
can be used to create a bootable recovery disc that can log on to the unbootable Windows installation and start System Restore.
or Horizon DataSys's Rollback Rx
allows complete restoration of the file system's state to any of hundreds of available restore points per day. Another example would be Faronics
Deep Freeze
which restores the entire disk volume to its original configuration upon restart, eradicating unwanted changes of any type. Frequent or continuous monitoring may also adversely affect system performance, whereas System Restore's restore points are generally created quickly and sparingly.
If there is no adequate free space, System Restore will fail to create a restore point. In this case, the user may discover that there is not a single restore point available with which to restore the system.
It is not possible to create a permanent restore point. All restore points will eventually be deleted after the time specified in the RPLifeInterval registry setting is reached or earlier if allotted disk space is insufficient. Even if no user or software triggered restore points are generated allotted disk space is consumed by automatic restore points. Consequently, in systems with little space allocated, if a user does not notice a new problem within a few days, it may be too late to restore to a configuration from before the problem arose.
In Windows Me and FAT32 drives, for data integrity purposes, System Restore does not allow other applications or users to modify or delete files in the directory where the restore points are saved. Since its method of backup is fairly simplistic, it may end up archiving malware
such as viruses
, for example in a restore point created before using antivirus software to clean an infection. Antivirus software is usually unable to remove infected files from System Restore; the only way actually to delete the infected files is to disable System Restore, which will result in losing all saved restore points; otherwise they will remain until Windows deletes the affected restore points. However stored infected files in themselves are harmless unless executed; they will only pose a threat if the affected restore point is reinstated.
In Windows XP and after using NTFS drives, System or Administrator rights are required to modify or delete files in the restore point folders.
On Windows Vista, System Restore does not work on FAT32 disks and cannot be enabled on disks smaller than 1 GB.
Changes made to a volume from another OS (in case of dual-boot OS scenarios) cannot be monitored. Also, a compatibility issue exists with System Restore when dual-booting Windows XP/Windows Server 2003 and Windows Vista or later operating systems. Specifically, the shadow copies on the volume are deleted when the older operating system accesses (and therefore mounts) that NTFS volume. This happens because the older operating system does not recognize the newer format of persistent shadow copies.
System Restore in Windows Vista and later versions no longer supports configuring its settings through the registry. File types and directories can also no longer be included or excluded from monitoring by System Restore by editing %windir%\system32\restore\Filelist.xml as was possible in Windows XP. This file no longer exists in Windows Vista.
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
's Windows Me
Windows Me
Windows Millennium Edition, or Windows Me , is a graphical operating system released on September 14, 2000 by Microsoft, and was the last operating system released in the Windows 9x series. Support for Windows Me ended on July 11, 2006....
, Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
, Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and Windows 7, but not Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
, operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of system malfunction or failure.
The Windows Server
Windows Server
Windows Server is a brand name for a group of server operating systems released by Microsoft Corporation. All are part of Microsoft Servers.- Members :This brand includes the following software:* Windows 2000 Server* Windows Server 2003...
operating system family does not include System Restore. The System Restore built into Windows XP can be installed on a Windows Server 2003
Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
machine, although this is not supported by Microsoft.
In Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and later versions, System Restore has an improved interface and is based on Shadow Copy technology. In prior Windows versions it was based on a file filter that watched changes for a certain set of file extensions, and then copied files before they were overwritten. Shadow Copy has the advantage that block-level changes in files located in any directory on the volume can be monitored and backed up regardless of their location.
Overview
In System Restore, the userUser (computing)
A user is an agent, either a human agent or software agent, who uses a computer or network service. A user often has a user account and is identified by a username , screen name , nickname , or handle, which is derived from the identical Citizen's Band radio term.Users are...
may create a new restore point manually, roll back to an existing restore point, or change the System Restore configuration. Moreover, the restore itself can be undone. Old restore points are discarded in order to keep the volume's usage within the specified amount. For many users, this can provide restore points covering the past several weeks. Users concerned with performance or space usage may also opt to disable System Restore entirely. Files stored on volumes not monitored by System Restore are never backed up or restored.
System Restore backs up system files of certain extensions (.exe, .dll, etc.) and saves them for later recovery and use. It also backs up the registry and most drivers.
Resources monitored
The following resources are backed up:- RegistryWindows registryThe Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
- Files in the Windows File ProtectionWindows File ProtectionWindows File Protection , a sub-system included in Microsoft Windows operating systems of the Windows 2000 and Windows XP era, aims to prevent programs from replacing critical Windows system files. Protecting core system files mitigates problems such as DLL hell with programs and the operating system...
(Dllcache) folder - Local user profile
- COM+ and WMI Databases
- IIS Metabase
- Specific file types monitored
The list of file types and directories to be included or excluded from monitoring by System Restore can be customized on Windows Me and Windows XP by editing %windir%\system32\restore\Filelist.xml.
Restore points
Restore points are created:- When software is installed using the Windows InstallerWindows InstallerThe Windows Installer is a software component used for the installation, maintenance, and removal of software on modern Microsoft Windows systems...
, Package Installer or other installers which are aware of System Restore. - When Windows UpdateWindows UpdateWindows Update is a service provided by Microsoft that provides updates for the Microsoft Windows operating system and its installed components, including Internet Explorer...
installs new updates to Windows. - When the user installs a driver that is not digitally signed by Windows Hardware Quality LabsWHQL TestingWindows Hardware Quality Labs testing or WHQL Testing is Microsoft's testing process which involves running a series of tests on third-party hardware or software, and then submitting the log files from these tests to Microsoft for review...
. - Every 24 hours of computer use (10 hours in Windows Me), or every 24 hours of calendar time, whichever happens first. This setting is configurable through the registryWindows registryThe Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
or using the deployment tools. Such a restore point is known as a system checkpoint. System Restore requires Task SchedulerTask SchedulerTask Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals. It was first introduced in the Windows 95 Plus! pack as System Agent but was renamed to Task Scheduler in Windows 98...
to create system checkpoints. Moreover, system checkpoints are only created if the system is idle for a certain amount of time. - When the operating system starts after being off for more than 24 hours.
- When the user requests it. On Windows Vista, shadow copies created during File Backup and Complete PC BackupBackup and Restore CenterBackup and Restore is a component of Microsoft Windows introduced in Windows Vista and included in later versions that allows users to create backup. It is a replacement of NTBackup, which was included in previous Windows versions.-Features:There are two different types of backup supported: File...
can also be used as restore points.
In Windows XP, restore point files are stored in a hidden folder named System Volume Information on the root of every drive, partition or volume, including most external drives, and some USB flash drives. On drives or partitions that are not monitored by System Restore this folder will be very small in size or completely empty, unless Encrypting File System is in use or the Indexing Service is turned on. Note: If the System Volume Information folder is deleted, it will be recreated automatically.
Older restore points are deleted as per the configured space constraint on a First In, First Out
FIFO
FIFO is an acronym for First In, First Out, an abstraction related to ways of organizing and manipulation of data relative to time and prioritization...
basis.
Implementation
There are considerable differences between how System Restore works under Windows XP and Windows Vista.- Maximum space - In Windows XP, System Restore can be configured to use up to a maximum of 12% of the volumeVolume (computing)In the context of computer operating systems, volume is the term used to describe a single accessible storage area with a single file system, typically resident on a single partition of a hard disk. Similarly, it refers to the logical interface used by an operating system to access data stored on...
's space for most disk sizes; however, this may be less depending on the volume's size. Restore points over 90 days old are automatically deleted, as specified by the registry value RPLifeInterval (Time to Live - TTL) default value of 7776000 seconds.
In Windows Vista, System Restore is designed for larger volumes and cannot be enabled on volumes smaller than 1 GB. By default, it uses 15% of the volume's space. Using the command-line tool Vssadmin.exe or by editing the appropriate registry key, the space reserved can be adjusted.
- File types - Up to Windows XP, files are backed up only from certain directories.
On Windows Vista, this set of files is defined by monitored extensions outside of the Windows folder, and everything under the Windows folder.
- My documents folder - Up to Windows XP, it excludes any file types used for users' personal data files, such as documents, digital photographs, media files, e-mailE-mailElectronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
, etc. It also excludes the monitored set of file types (.DLL, .EXE etc.) from folders such as My DocumentsMy DocumentsOn Microsoft Windows computer operating systems , My Documents is the name of a special folder on the computer's hard drive that the system commonly uses to store a user's documents, music, pictures, downloads, and other files.- Overview :Microsoft first introduced the "My Documents" folder in...
. Microsoft recommends that if a user is unsure as to whether certain files will be modified by a rollback, they should keep those files under My Documents. When a rollback is performed, the files that were being monitored by System Restore are restored and newly created folders are removed.
However, on Windows Vista, it excludes only document file types; it does not exclude any monitored file type whatsoever its location and operates on the entire volume.
In Windows XP only, several System Restore settings can be configured via the Registry.
Restoring the system
Up to Windows XP, the system can be restored as long as Windows boots normally or from Safe modeSafe Mode
Safe mode is a diagnostic mode of a computer operating system . It can also refer to a mode of operation by application software. Safe mode is intended to fix most, if not all problems within an operating system...
. It is not possible to restore the system if Windows is unbootable. Under Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
, the Windows Recovery Environment can be used to launch System Restore and restore the system, in case the Windows installation is unbootable. For all operating systems including Windows XP, the Diagnostics and Recovery Toolset (DaRT) tools from the Microsoft Desktop Optimization Pack
Microsoft Desktop Optimization Pack
Microsoft Desktop Optimization Pack is a suite of utilities for Microsoft Windows customers who have subscribed to Microsoft Software Assurance program...
can be used to create a bootable recovery disc that can log on to the unbootable Windows installation and start System Restore.
Limitations & complications
A limitation which applies to System Restore in Windows versions prior to Windows Vista is that only certain file types and files in certain locations on the volume are monitored, therefore unwanted software installations and especially in-place software upgrades may be incompletely reverted by System Restore. Consequently, there may be little or no practical beneficial impact. Certain issues may also arise when attempting to run or remove that application. In contrast, various other utilities have been designed to provide much more complete reversal of system changes including software upgrades. For example, by tracking all changes, Norton's GoBackGoBack
Norton GoBack is a Microsoft Windows based disk utility that can record up to 8 GB of disk changes. When the filesystem is idle for a few seconds, it marks these as "safe points". The product allows the disk drive to be reverted to any point within the available history...
or Horizon DataSys's Rollback Rx
Rollback Rx
RollBack Rx is a third party disk utility for Microsoft Windows, that uses a sector mapping algorithm and incremental sector redirection to capture and manage its snapshots...
allows complete restoration of the file system's state to any of hundreds of available restore points per day. Another example would be Faronics
Faronics
- Company Profile :Faronics Corporation is a privately held software company with offices in Vancouver, BC, Canada, San Ramon, CA, USA, and Bracknell, UK. Faronics develops computer software for multi-user IT environments...
Deep Freeze
Deep Freeze
Deep Freeze may refer to:* Operation Deep Freeze, a series of American expeditions to Antarctica beginning in 1955* Deep Freeze Range, a mountain range in Antarctica* Deep Freeze , a protective program...
which restores the entire disk volume to its original configuration upon restart, eradicating unwanted changes of any type. Frequent or continuous monitoring may also adversely affect system performance, whereas System Restore's restore points are generally created quickly and sparingly.
If there is no adequate free space, System Restore will fail to create a restore point. In this case, the user may discover that there is not a single restore point available with which to restore the system.
It is not possible to create a permanent restore point. All restore points will eventually be deleted after the time specified in the RPLifeInterval registry setting is reached or earlier if allotted disk space is insufficient. Even if no user or software triggered restore points are generated allotted disk space is consumed by automatic restore points. Consequently, in systems with little space allocated, if a user does not notice a new problem within a few days, it may be too late to restore to a configuration from before the problem arose.
In Windows Me and FAT32 drives, for data integrity purposes, System Restore does not allow other applications or users to modify or delete files in the directory where the restore points are saved. Since its method of backup is fairly simplistic, it may end up archiving malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
such as viruses
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
, for example in a restore point created before using antivirus software to clean an infection. Antivirus software is usually unable to remove infected files from System Restore; the only way actually to delete the infected files is to disable System Restore, which will result in losing all saved restore points; otherwise they will remain until Windows deletes the affected restore points. However stored infected files in themselves are harmless unless executed; they will only pose a threat if the affected restore point is reinstated.
In Windows XP and after using NTFS drives, System or Administrator rights are required to modify or delete files in the restore point folders.
On Windows Vista, System Restore does not work on FAT32 disks and cannot be enabled on disks smaller than 1 GB.
Changes made to a volume from another OS (in case of dual-boot OS scenarios) cannot be monitored. Also, a compatibility issue exists with System Restore when dual-booting Windows XP/Windows Server 2003 and Windows Vista or later operating systems. Specifically, the shadow copies on the volume are deleted when the older operating system accesses (and therefore mounts) that NTFS volume. This happens because the older operating system does not recognize the newer format of persistent shadow copies.
System Restore in Windows Vista and later versions no longer supports configuring its settings through the registry. File types and directories can also no longer be included or excluded from monitoring by System Restore by editing %windir%\system32\restore\Filelist.xml as was possible in Windows XP. This file no longer exists in Windows Vista.
External links
- Important update that fixes a problem with Windows Me's version of System Restore when restoring a checkpoint after September 8, 2001.
- System Restore: Limitations and Complications
- Microsoft article KB295659