System Restore

About System Restore

Coffee & Chat has stimulated considerable discussion in certain circles over the System Restore function in XP, and Lars Hederer's ERUNT (Emergency Recovery Utility NT) for backing-up/restoring the registry and associated files.

Baillie McKenny quoted an excellent article on System Restore from Woody's Windows Watch that I cannot find in the archives. So here are a few facts from other sources. I'll keep them brief and pertinent.

System Restore is a feature of Windows ME and XP - Home and Professional. It enables users to restore their computers to a previously safe state in the event of a disaster, by monitoring file changes and creating restore points. This can be done at any time while Windows is running, and XP will handle the change and restart as necessary.
The System Restore function is enabled by default and makes restore points on significant system events, provided that a minimum of 200 MB of free space is available on the system partition. If 200 MB is not available, System Restore will be disabled. Users can create restore points at any time.
By default it only uses a maximum of 12% of disk capacity, but that is easily changed by the administrator. And it purges the oldest restore points to make room for new ones, so restore points older than 90 days are deleted by default.
It is not possible to make a permanent restore point. System Restore is a change-base tracking tool, not a backup tool. Each restore point only stores changes to the system since the creation of the previous restore point, and all restore points are associated. For example, if a user wants to restore the computer from point D to point A, System Restore will have to use points C and B as well along the way.

Significant system events are:

System checkpoints, created automatically every 24 hours (during times of inactivity).
Program installation checkpoints, created every time you install or uninstall a program that is Windows XP restore point compliant, or whenever you install an unsigned driver (a software program that controls a hardware device) that has not been certified as being Windows XP compliant.
Windows automatic update checkpoints, created immediately before installing an update to Windows.
Performing a System Restore operation itself, so the user can undo that restore operation if needed.

System Restore is also made available to users in safe mode, making it easier for them to restore their computers to a state before problems occurred.

System Restore monitors only a core set of specified system and application file types, including:

Registry. The Windows XP Registry is found in C:\WINDOWS\system32\config\ with the six files that carry no extension and are named Default, Sam, Security, Software, System, and Userdiff. There are five primary Keys in XP, also called hives, which accounts for the H in their names:
- HKEY_CLASSES_ROOT - file types and OLE information.
- HKEY_CURRENT_USER - configuration information for the current user account.
- HKEY_LOCAL_MACHINE - configuration information about the computer for all users.
- HKEY_USERS - configuration information for certain preferences (such as colours and control panel settings) for each of the users of the computer.
- HKEY_CURRENT_CONFIG - current hardware configuration.
Local Profiles. User profile information is stored in Ntuser.dat in C:\Documents and Settings\{username} folders.
COM+ DB. The COM+ Class Registration Database.
WFP.dll cache
WMI DB
IIS Metabase
Drivers
Auto/Windows update installed bits
File types as specified in the SDK document Monitored File Extensions

When you revert to a restore point you lose all changes since that point, except for changes to files in the My Documents folder and documents you've created with applications such as Microsoft Word and Microsoft Excel, and e-mail, browsing history, or favourites.

Woody is very specific about the security of the folder where the restore files are kept, and I quote him below:

Restore-point data gets stored in folders named:

C:\System Volume Information\_restore {7AC41853-D197-43DD-A331-D376ADD98AC2}\RPXXX

The XXX at the end of that string is a sequential number incremented with each new restore point. Don't bother trying to look for the files, by the way: Windows goes to great lengths to hide them from you; you can't even get into the \System Volume Information folder.

This is for good reason. There's absolutely nothing in there that you should ever change by hand. Moreover, by blocking those files from your prying eyes, Microsoft is also keeping Trojans (and worms and viruses) from using your privileged security level to clobber your system restore points.

If you really want to see a list of files that contain your restore points, navigate to C:\Windows\system32\Restore and run the program Srdiag.exe. You can then look at the SR-RP.log file to see a list of all available restore points, and SR-RstrLog.txt to see details about the files.

Unfortunately he is uninformed in this case, and I quote from an article I wrote in July 2004:

The System Volume Information folder will not be visible by default, and it will be necessary to open My Computer> Tools> Folder Options> and click on the View tab. Scroll down to Hidden files and folders and ensure that the option to Show hidden files and folders is selected. Scroll down further and ensure that Hide protected operating system files (Recommended) is unchecked. Click OK to save these settings. You should now be able to go to the System Volume Information folder on drive C: and double click it to reveal the '_restore' directory.

If you cannot open the System Volume Information folder then it is because you do not have user access, but this is not insurmountable. Right click this folder and click the Properties option. Click on the Sharing tab> tick the box Share this folder on the network> enter a user name in the Share name: box (I use admin) and click OK to exit.

These images, created only moments ago, prove the point.

As a matter of interest, with 12% allocated, I had 49 restore points covering the past 30 days. They totalled 2.35 GB in file space, but occupied only 1.18 GB on disk because of compression.
By reducing allocated space to 5%, my restore points were reduced to 32 covering 12 days and occupying 1.53 GB of file space and 803 MB of disk space.
I can't see myself wanting to restore to a point a month old, so I'll leave it at that. I make disk images with Acronis far more frequently than that, anyway.

About ERUNT

ERUNT is undoubtedly a valuable utility that offers an easy and reliable way of creating and restoring registry backups without the overhead of System Restore. But it is not a replacement.
In the days of Windows 98 and flowing on to Windows ME, registry backups were made automatically on the first start of the PC each day. By default, five copies were kept in Win98 and provided a basic recovery method if a corrupt registry prevented rebooting. XP does not have this automatic backup facility built-in, and Lars Hederer decided to write a program that provided this, and full details are available on his homepage. His ERUNT will create registry backups for 30 days, with each backup having its own folder, and the oldest dropping off the list as a new one is added. The folders are stored in Windows\ERDNT\xxxx-xx-xx and identified by their date labels. Each folder contains an executable file that restores the registry to that date's state. On my PC these folders average around 27.5 MB, so a month's worth could approach a gigabyte of file space.
Fortunately this is configurable and I have cut mine back to 7 days.

From ERUNT 1.1j documentation:
"The command line tool AUTOBACK.EXE uses the same syntax as ERUNT but performs the additional task of deleting old restore folders after the new backup has been created."
In my Startup folder I execute:
C:\Program Files\ERUNT\AUTOBACK.EXE" %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /days:7

Mike Boesen has written a very good article that explains how to configure ERUNT so that the number of days is 7 or whatever else you prefer.  His article also explains options for reinstating any registry that has been created using ERUNT.  His article (and others - e.g. one on Backup strategies) can be accessed from here:  http://www.pcug.org.au/~boesen/

ERUNT has the advantage over System restore in that it can readily be run immediately before installing software you might only want to preview - such as offerings on magazine CDs.
Don't like it? Delete it, and restore the registry from the ERDNT file. Fast and effective. This can be done at any time from within Windows Explorer or equivalent.
This is not possible in Windows XP because it encrypts some registry keys. The Export Registry File function of Regedit will not work in this simple mode. You would need to use the Backup utility software to effectively backup an XP registry.

ERUNT backup options include:

System registry: The current system registry, usually consisting of the files DEFAULT, SAM, SECURITY, SOFTWARE, and SYSTEM.
Current user registry: The registry files for the currently logged-on user, usually NTUSER.DAT and USRCLASS.DAT.
Other open user registries: Sometimes Windows has a few other user registries in memory. Examples for this are "generic" registries, e.g. for user "EVERYONE", or registries of other users if you use Fast Task Switching in Windows XP.

For the computer literati Lars Hederer makes this proviso:
(Technical information: ERUNT saves only registry files which are in use by the system. It obtains information about these files from
registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ hivelist. Registry hives not listed there, for example those
of other users of the computer, cannot be saved by ERUNT.)

Judicious use of ERUNT might save you from having to do a System Restore if the problem lies in the registry, and this is probably most often the case. Certainly it is a wise approach to try restoring the registry initially, as that preserves any Windows Updates you might have done, or programs you might have installed since creating a restore point. But, since ERUNT does not monitor these other complex changes made to your system, it cannot be a replacement for System Restore. Use both of them wisely.

Terry Bibo March 2006

INDEX NEXT