About System Restore
Coffee & Chat has stimulated
considerable discussion in certain circles over the System Restore
function in XP, and Lars Hederer's ERUNT (Emergency Recovery
Utility NT) for backing-up/restoring the registry and associated
files.
Baillie McKenny quoted an excellent
article on System Restore from Woody's Windows Watch that I cannot
find in the archives. So here are a few facts from other sources.
I'll keep them brief and pertinent.
System Restore is a feature of
Windows ME and XP - Home and Professional. It enables users to
restore their computers to a previously safe state in the
event of a disaster, by monitoring file changes and creating
restore points. This can be done at any time while
Windows is running, and XP will handle the change and restart as
necessary.
The System Restore function is enabled by default and makes restore
points on significant system events, provided that a minimum of 200
MB of free space is available on the system partition. If 200 MB is
not available, System Restore will be disabled. Users can create
restore points at any time.
By default it only uses a maximum of 12% of disk
capacity, but that is easily changed by the
administrator. And it purges the oldest
restore points to make room for new ones, so restore points older
than 90 days are deleted by default.
It is not possible to make a permanent restore point. System
Restore is a change-based tracking tool, not a backup tool. Each
restore point only stores the changes made to the system since the
previous restore point was created, so the restore points form a
chain. For example, if a user wants to restore the computer
from point D to point A, System Restore will have to use points C
and B as well along the way.
Significant system events are:
- System checkpoints, created automatically every 24 hours
(during times of inactivity).
- Program installation checkpoints, created every time you
install or uninstall a program that is Windows XP restore point
compliant, or whenever you install an unsigned driver (a software
program that controls a hardware device) that has not been
certified as being Windows XP compliant.
- Windows automatic update checkpoints, created immediately
before installing an update to Windows.
- Performing a System Restore operation itself, so the user can
undo that restore operation if needed.
System Restore is also made
available to users in safe mode, making it easier for them to
restore their computers to a state before problems occurred.
System Restore monitors only a core
set of specified system and application file types, including:
- Registry. The Windows XP Registry is found in
C:\WINDOWS\system32\config\ with the six files that carry no
extension and are named Default, Sam, Security, Software, System,
and Userdiff. Five of these (all but Userdiff) are the hives that
Windows loads. What Regedit shows are five root keys, and the H in
HKEY stands for handle, not hive; only HKEY_LOCAL_MACHINE and
HKEY_USERS are backed by hive files directly, while the other three
are views onto parts of those two:
- HKEY_CLASSES_ROOT - file types and OLE information.
- HKEY_CURRENT_USER - configuration information for the current
user account.
- HKEY_LOCAL_MACHINE - configuration information about the
computer for all users.
- HKEY_USERS - configuration information for certain preferences
(such as colours and control panel settings) for each of the users
of the computer.
- HKEY_CURRENT_CONFIG - current hardware configuration.
- Local Profiles. User profile information is stored in
Ntuser.dat in C:\Documents and Settings\{username} folders.
- COM+ DB. The COM+ Class Registration Database.
- WFP.dll cache
- WMI DB
- IIS Metabase
- Drivers
- Auto/Windows update installed bits
- File types as specified in the SDK document
Monitored File Extensions
When you revert to
a restore point you lose all changes since that point, except for
changes to files in the My Documents folder and documents you've
created with applications such as Microsoft Word and Microsoft
Excel, and e-mail, browsing history, or favourites.
Woody is very specific about the
security of the folder where the restore files are kept, and I
quote him below:
Restore-point data gets stored in folders named:
C:\System Volume Information\_restore{7AC41853-D197-43DD-A331-D376ADD98AC2}\RPXXX
The XXX at the end of that string is a sequential
number incremented with each new restore point. Don't bother trying
to look for the files, by the way: Windows goes to great lengths to
hide them from you; you can't even get into the \System Volume
Information folder.
This is for good reason. There's absolutely nothing
in there that you should ever change by hand. Moreover, by blocking
those files from your prying eyes, Microsoft is also keeping
Trojans (and worms and viruses) from using your privileged security
level to clobber your system restore points.
If you really want to see a list of files that
contain your restore points, navigate to
C:\Windows\system32\Restore and run the program Srdiag.exe. You can
then look at the SR-RP.log file to see a list of all available
restore points, and SR-RstrLog.txt to see details about the
files.
Unfortunately he is uninformed in
this case, and I quote from an article I wrote in July 2004:
The System Volume Information folder will not be
visible by default, and it will be necessary to open My Computer> Tools> Folder Options> and click
on the View tab.
Scroll down to Hidden
files and folders and ensure that the option to Show hidden files and folders
is selected. Scroll down further and ensure that Hide protected operating system files
(Recommended) is unchecked. Click OK to save these settings. You
should now be able to go to the System Volume Information folder on
drive C: and double click it to reveal the '_restore'
directory.
If you cannot open the System Volume Information folder then it is
because your account has no permission on it (by default only the
SYSTEM account does), but this is not insurmountable. Right click
this folder and click the Properties option. Click on the Sharing
tab> tick the box Share this folder on the network> enter a name in
the Share name: box (I use admin) and click OK to exit.
A caveat is in order here. With Simple File Sharing this works
because sharing the folder rewrites its permissions to let Everyone
in, and it also publishes the folder on the network. The RPxxx
folders hold copies of the registry hives, including the SAM, so
this removes exactly the protection Woody describes. A narrower
approach is to grant only your own account access (the Security tab
on XP Professional, or the cacls command on XP Home) and to revoke
that access, or remove the share, as soon as you have finished
looking.
These images, created only
moments ago, prove the point.
As a matter of interest, with 12%
allocated, I had 49 restore points covering the past 30 days.
They totalled 2.35 GB in file space, but occupied only 1.18 GB on
disk because of compression.
By reducing allocated space to
5%, my restore points were reduced to 32 covering 12 days and
occupying 1.53 GB of file space and 803 MB of disk
space.
I can't see myself wanting to
restore to a point a month old, so I'll leave it at that. I make
disk images with Acronis far more frequently than that,
anyway.
About ERUNT
ERUNT is
undoubtedly a valuable utility that offers an easy and reliable way
of creating and restoring registry backups without the overhead of
System Restore. But it is not a replacement.
In the days of Windows 98 and flowing on to Windows ME, registry
backups were made automatically on the first start of the PC each
day. By default, five copies were kept in Win98 and provided a
basic recovery method if a corrupt registry prevented rebooting. XP
does not have this automatic backup facility built-in, and Lars
Hederer decided to write a program that provided this, and full
details are available on his homepage.
His ERUNT will create registry backups for 30 days, with each
backup having its own folder, and the oldest dropping off the list
as a new one is added. The folders are stored in
Windows\ERDNT\xxxx-xx-xx and identified by their date labels. Each
folder contains an executable file that restores the registry to
that date's state. On my PC these folders average around 27.5 MB,
so a month's worth could approach a gigabyte of file space.
Fortunately this is configurable and I have cut mine back to 7
days.
From ERUNT 1.1j documentation:
"The command line tool AUTOBACK.EXE uses the same syntax as ERUNT
but performs the additional task of deleting old restore folders
after the new backup has been created."
In my Startup folder I execute:
"C:\Program Files\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /days:7
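The rotation AUTOBACK.EXE performs (a fresh date-labelled folder, then the old ones dropping off after N days) is easy to get subtly wrong, so here is an added worked example of the same scheme in Python. It is not ERUNT's code and not part of the original article: the ERUNT run itself is replaced by a caller-supplied function, the folder label format is assumed to be YYYY-MM-DD to match the xxxx-xx-xx folders described above, and the exact retention boundary (seven folders kept for /days:7) is an assumption. The ordering is the part worth copying: old backups are deleted only after the new one has been written successfully, and anything not named like a date is left alone.

```python
import re
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Folder label format assumed from the article's "xxxx-xx-xx" ERDNT folders.
DATE_LABEL = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def backup_and_rotate(root, make_backup, days, today=None):
    """Create root/<today>/ by calling make_backup(folder), then delete
    date-labelled sibling folders that fall outside the last `days` days.

    Returns (created_folder_name, [deleted_folder_names]).
    - Pruning happens only after the new backup succeeded; if make_backup
      raises, the half-made folder is removed and nothing old is touched.
    - Folders whose names are not a real date are never deleted.
    - Retention boundary (assumed): keep today plus the `days`-1 days before.
    """
    today = today or date.today()
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    target = root / today.isoformat()
    target.mkdir(exist_ok=True)
    try:
        make_backup(target)
    except Exception:
        shutil.rmtree(target, ignore_errors=True)
        raise
    oldest_kept = today - timedelta(days=days - 1)
    deleted = []
    for child in sorted(root.iterdir()):
        if child == target or not child.is_dir() or not DATE_LABEL.match(child.name):
            continue
        try:
            label = date.fromisoformat(child.name)
        except ValueError:  # e.g. 2006-13-45: shaped like a date, is not one
            continue
        if label < oldest_kept:
            shutil.rmtree(child)
            deleted.append(child.name)
    return target.name, deleted


def _fake_backup(folder):
    # Stand-in for the real ERUNT run: just drops a marker file (hypothetical).
    (folder / "ERDNT.EXE").write_bytes(b"")


def _seed(root, today, days_back):
    for back in days_back:
        (root / (today - timedelta(days=back)).isoformat()).mkdir()


def demo_rotation(days=7):
    """Constructed scenario: ten daily folders, a stray 'keep-me' folder and
    a '2006-13-45' impostor; rotate with /days:7 semantics."""
    root = Path(tempfile.mkdtemp(prefix="erdnt_"))
    today = date(2006, 3, 15)
    _seed(root, today, range(1, 11))
    (root / "keep-me").mkdir()
    (root / "2006-13-45").mkdir()
    try:
        created, deleted = backup_and_rotate(root, _fake_backup, days, today)
        remaining = sorted(p.name for p in root.iterdir())
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return created, deleted, remaining


def demo_failed_backup(days=7):
    """Same folders, but the backup step fails: every old folder must survive."""
    root = Path(tempfile.mkdtemp(prefix="erdnt_"))
    today = date(2006, 3, 15)
    _seed(root, today, range(1, 11))

    def broken(folder):
        raise OSError("disk full")

    try:
        try:
            backup_and_rotate(root, broken, days, today)
        except OSError:
            pass
        return sorted(p.name for p in root.iterdir())
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo_rotation())
    print(demo_failed_backup())
```

Run it and the first line shows the four folders dated 5 to 8 March going, the seven most recent days staying, and both oddly named folders untouched; the second shows all ten old folders intact after a failed backup, with no half-written folder for today left behind.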
Mike Boesen has written a very good article that explains how to configure ERUNT so that the number of days is 7 or whatever else you prefer. His article also explains options for reinstating any registry that has been created using ERUNT. His article (and others - e.g. one on Backup strategies) can be accessed from here: http://www.pcug.org.au/~boesen/
ERUNT has the advantage over System Restore in
that it can readily be run immediately before installing software
you might only want to preview - such as offerings on magazine
CDs.
Don't like it? Delete it, and restore the registry from the ERDNT
folder. Fast and effective. This can be done at any time from within
Windows Explorer or equivalent.
What is not a substitute in Windows XP is a whole-registry export
made with Regedit's Export Registry File function and merged back
later. XP does not encrypt registry keys, but it does protect the
SAM and SECURITY hives with permissions that keep even an
administrator's Regedit out of them, and merging a .reg file only
adds or overwrites values; it cannot remove keys written since the
export. To back up an XP registry properly you need something that
saves the hive files themselves: the Backup utility's System State
backup, or ERUNT.
ERUNT backup options include:
- System registry: The current system registry, usually
consisting of the files DEFAULT, SAM, SECURITY, SOFTWARE, and
SYSTEM.
- Current user registry: The registry files for the currently
logged-on user, usually NTUSER.DAT and USRCLASS.DAT.
- Other open user registries: Sometimes Windows has a few other
user registries in memory. Examples for this are "generic"
registries, e.g. for user "EVERYONE", or registries of other
users if you use Fast User Switching in Windows XP.
For the computer literati Lars Hederer makes this proviso:
(Technical information: ERUNT saves only registry files which are
in use by the system. It obtains information about these files
from registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\hivelist.
Registry hives not listed there, for example those
of other users of the computer, cannot be saved by ERUNT.)
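To see what that proviso means in practice, here is an added example (mine, not ERUNT's and not from the original article) that takes a copy of the hivelist key and the NTUSER.DAT files actually present on disk, groups the loaded hives into ERUNT's three backup options, and lists the profile hives that no loaded hive points at, which is what a hivelist-driven backup will silently miss. The hivelist and profile listing are constructed sample data in the shape XP uses (hivelist paths are \Device\HarddiskVolumeN\... rather than drive letters, so the code normalises both forms before comparing); the SIDs and user names are made up.

```python
import re

# Hivelist values name the volume as \Device\HarddiskVolumeN\, a directory
# listing names it as C:\; strip both so the two forms compare equal.
DEVICE_PREFIX = re.compile(r"^\\Device\\HarddiskVolume\d+\\", re.IGNORECASE)
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:\\")


def volume_relative(path):
    return DRIVE_PREFIX.sub("", DEVICE_PREFIX.sub("", path)).lower()


def classify_hives(hivelist, current_user_sid, user_hives_on_disk):
    """Group hivelist entries the way ERUNT's three options do and report the
    on-disk user hives that are not loaded (and so cannot be saved)."""
    report = {"system": [], "current_user": [], "other_open": [],
              "volatile": [], "not_loaded": []}
    loaded = set()
    cu_base = "\\REGISTRY\\USER\\" + current_user_sid.upper()
    for key, file in hivelist.items():
        k = key.upper()
        if not file:                       # HARDWARE is rebuilt at boot; no file
            report["volatile"].append(key)
            continue
        loaded.add(volume_relative(file))
        if k.startswith("\\REGISTRY\\MACHINE\\") or k == "\\REGISTRY\\USER\\.DEFAULT":
            report["system"].append(key)   # DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM
        elif k in (cu_base, cu_base + "_CLASSES"):
            report["current_user"].append(key)  # NTUSER.DAT and UsrClass.dat
        else:
            report["other_open"].append(key)    # service accounts, other sessions
    for f in user_hives_on_disk:
        if volume_relative(f) not in loaded:
            report["not_loaded"].append(f)
    return report


# ---- constructed sample data (made-up SID and user names) ----
SID = "S-1-5-21-1234567890-1234567890-1234567890-1003"
VOL = "\\Device\\HarddiskVolume1\\"
PROF = "Documents and Settings\\"
SAMPLE_HIVELIST = {
    "\\REGISTRY\\MACHINE\\HARDWARE": "",
    "\\REGISTRY\\MACHINE\\SAM": VOL + "WINDOWS\\system32\\config\\SAM",
    "\\REGISTRY\\MACHINE\\SECURITY": VOL + "WINDOWS\\system32\\config\\SECURITY",
    "\\REGISTRY\\MACHINE\\SOFTWARE": VOL + "WINDOWS\\system32\\config\\software",
    "\\REGISTRY\\MACHINE\\SYSTEM": VOL + "WINDOWS\\system32\\config\\system",
    "\\REGISTRY\\USER\\.DEFAULT": VOL + "WINDOWS\\system32\\config\\default",
    "\\REGISTRY\\USER\\S-1-5-19": VOL + PROF + "LocalService\\NTUSER.DAT",
    "\\REGISTRY\\USER\\S-1-5-20": VOL + PROF + "NetworkService\\NTUSER.DAT",
    "\\REGISTRY\\USER\\" + SID: VOL + PROF + "alice\\NTUSER.DAT",
    "\\REGISTRY\\USER\\" + SID + "_Classes": VOL + PROF
        + "alice\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat",
}
SAMPLE_ON_DISK = [
    "C:\\" + PROF + "alice\\NTUSER.DAT",
    "C:\\" + PROF + "bob\\NTUSER.DAT",
    "C:\\" + PROF + "Administrator\\NTUSER.DAT",
    "C:\\" + PROF + "LocalService\\NTUSER.DAT",
    "C:\\" + PROF + "NetworkService\\NTUSER.DAT",
    "C:\\" + PROF + "Default User\\NTUSER.DAT",
]


def sample_report():
    return classify_hives(SAMPLE_HIVELIST, SID, SAMPLE_ON_DISK)


if __name__ == "__main__":
    for group, items in sample_report().items():
        print(group, items)
```

With the sample data, bob, Administrator and Default User show up under not_loaded: their NTUSER.DAT files exist but are not in the hivelist while alice is logged on alone, so an ERUNT run in that session does not cover them. On a real XP machine the same key can be read with winreg.OpenKey on HKEY_LOCAL_MACHINE and the path SYSTEM\CurrentControlSet\Control\hivelist, enumerating values with winreg.EnumValue, and the on-disk list by globbing C:\Documents and Settings\*\NTUSER.DAT.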
Judicious use of ERUNT might save you from having to do a System
Restore if the problem lies in the
registry, and this is probably most often the case.
Certainly it is a wise approach to try restoring the registry
initially, as that preserves any Windows Updates you might have
done, or programs you might have installed since creating a
restore point. But, since ERUNT does not monitor these other
complex changes made to your system, it cannot be a replacement for
System Restore. Use both of them wisely.
Terry
Bibo March 2006