System Restore is a component of
MicrosoftMicrosoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
's
Windows MeWindows Millennium Edition, or Windows Me , is a graphical operating system released on September 14, 2000 by Microsoft, and was the last operating system released in the Windows 9x series. Support for Windows Me ended on July 11, 2006....
,
Windows XPWindows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
,
Windows VistaWindows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and Windows 7, but not
Windows 2000Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
,
operating systemAn operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s that allows for the rolling back of system files, registry keys, installed programs, etc., to a previous state in the event of system malfunction or failure.
The
Windows ServerWindows Server is a brand name for a group of server operating systems released by Microsoft Corporation. All are part of Microsoft Servers.- Members :This brand includes the following software:* Windows 2000 Server* Windows Server 2003...
operating system family does not include System Restore. The System Restore built into Windows XP can be installed on a
Windows Server 2003Windows Server 2003 is a server operating system produced by Microsoft, introduced on 24 April 2003. An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005...
machine, although this is not supported by Microsoft.
In
Windows VistaWindows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
and later versions, System Restore has an improved interface and is based on Shadow Copy technology. In prior Windows versions it was based on a file filter that watched changes for a certain set of file extensions, and then copied files before they were overwritten. Shadow Copy has the advantage that block-level changes in files located in any directory on the volume can be monitored and backed up regardless of their location.
Overview
In System Restore, the
userA user is an agent, either a human agent or software agent, who uses a computer or network service. A user often has a user account and is identified by a username , screen name , nickname , or handle, which is derived from the identical Citizen's Band radio term.Users are...
may create a new
restore point manually, roll back to an existing restore point, or change the System Restore configuration. Moreover, the restore itself can be undone. Old restore points are discarded in order to keep the volume's usage within the specified amount. For many users, this can provide restore points covering the past several weeks. Users concerned with performance or space usage may also opt to disable System Restore entirely. Files stored on volumes not monitored by System Restore are never backed up or restored.
System Restore backs up system files of certain extensions (.exe, .dll, etc.) and saves them for later recovery and use. It also backs up the registry and most drivers.
Resources monitored
The following resources are backed up:
- Registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
- Files in the Windows File Protection
Windows File Protection , a sub-system included in Microsoft Windows operating systems of the Windows 2000 and Windows XP era, aims to prevent programs from replacing critical Windows system files. Protecting core system files mitigates problems such as DLL hell with programs and the operating system...
(Dllcache) folder
- Local user profile
- COM+ and WMI Databases
- IIS Metabase
- Specific file types monitored
The list of file types and directories to be included or excluded from monitoring by System Restore can be customized on Windows Me and Windows XP by editing
%windir%\system32\restore\Filelist.xml.
Restore points
Restore points are created:
- When software is installed using the Windows Installer
The Windows Installer is a software component used for the installation, maintenance, and removal of software on modern Microsoft Windows systems...
, Package Installer or other installers which are aware of System Restore.
- When Windows Update
Windows Update is a service provided by Microsoft that provides updates for the Microsoft Windows operating system and its installed components, including Internet Explorer...
installs new updates to Windows.
- When the user installs a driver that is not digitally signed by Windows Hardware Quality Labs
Windows Hardware Quality Labs testing or WHQL Testing is Microsoft's testing process which involves running a series of tests on third-party hardware or software, and then submitting the log files from these tests to Microsoft for review...
.
- Every 24 hours of computer use (10 hours in Windows Me), or every 24 hours of calendar time, whichever happens first. This setting is configurable through the registry
The Windows Registry is a hierarchical database that stores configuration settings and options on Microsoft Windows operating systems. It contains settings for low-level operating system components as well as the applications running on the platform: the kernel, device drivers, services, SAM, user...
or using the deployment tools. Such a restore point is known as a system checkpoint. System Restore requires Task SchedulerTask Scheduler is a component of Microsoft Windows that provides the ability to schedule the launch of programs or scripts at pre-defined times or after specified time intervals. It was first introduced in the Windows 95 Plus! pack as System Agent but was renamed to Task Scheduler in Windows 98...
to create system checkpoints. Moreover, system checkpoints are only created if the system is idle for a certain amount of time.
- When the operating system starts after being off for more than 24 hours.
- When the user requests it. On Windows Vista, shadow copies created during File Backup and Complete PC Backup
Backup and Restore is a component of Microsoft Windows introduced in Windows Vista and included in later versions that allows users to create backup. It is a replacement of NTBackup, which was included in previous Windows versions.-Features:There are two different types of backup supported: File...
can also be used as restore points.
In Windows XP, restore point files are stored in a hidden folder named System Volume Information on the root of every drive, partition or volume, including most external drives, and some USB flash drives. On drives or partitions that are not monitored by System Restore this folder will be very small in size or completely empty, unless Encrypting File System is in use or the Indexing Service is turned on. Note: If the System Volume Information folder is deleted, it will be recreated automatically.
Older restore points are deleted as per the configured space constraint on a
First In, First OutFIFO is an acronym for First In, First Out, an abstraction related to ways of organizing and manipulation of data relative to time and prioritization...
basis.
Implementation
There are considerable differences between how System Restore works under Windows XP and Windows Vista.
- Maximum space - In Windows XP, System Restore can be configured to use up to a maximum of 12% of the volume
In the context of computer operating systems, volume is the term used to describe a single accessible storage area with a single file system, typically resident on a single partition of a hard disk. Similarly, it refers to the logical interface used by an operating system to access data stored on...
's space for most disk sizes; however, this may be less depending on the volume's size. Restore points over 90 days old are automatically deleted, as specified by the registry value RPLifeInterval (Time to Live - TTL) default value of 7776000 seconds.
In Windows Vista, System Restore is designed for larger volumes and cannot be enabled on volumes smaller than 1 GB. By default, it uses 15% of the volume's space. Using the command-line tool Vssadmin.exe or by editing the appropriate registry key, the space reserved can be adjusted.
- File types - Up to Windows XP, files are backed up only from certain directories.
On Windows Vista, this set of files is defined by monitored extensions outside of the Windows folder, and everything under the Windows folder.
- My documents folder - Up to Windows XP, it excludes any file types used for users' personal data files, such as documents, digital photographs, media files, e-mail
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
, etc. It also excludes the monitored set of file types (.DLL, .EXE etc.) from folders such as My DocumentsOn Microsoft Windows computer operating systems , My Documents is the name of a special folder on the computer's hard drive that the system commonly uses to store a user's documents, music, pictures, downloads, and other files.- Overview :Microsoft first introduced the "My Documents" folder in...
. Microsoft recommends that if a user is unsure as to whether certain files will be modified by a rollback, they should keep those files under My Documents. When a rollback is performed, the files that were being monitored by System Restore are restored and newly created folders are removed.
However, on Windows Vista, it excludes only document file types; it does not exclude any monitored file type whatsoever its location and operates on the entire volume.
In Windows XP only, several System Restore settings can be configured via the Registry.
Restoring the system
Up to Windows XP, the system can be restored as long as Windows boots normally or from
Safe modeSafe mode is a diagnostic mode of a computer operating system . It can also refer to a mode of operation by application software. Safe mode is intended to fix most, if not all problems within an operating system...
. It is not possible to restore the system if Windows is unbootable. Under
Windows VistaWindows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
, the Windows Recovery Environment can be used to launch System Restore and restore the system, in case the Windows installation is unbootable. For all operating systems including Windows XP, the Diagnostics and Recovery Toolset (DaRT) tools from the
Microsoft Desktop Optimization PackMicrosoft Desktop Optimization Pack is a suite of utilities for Microsoft Windows customers who have subscribed to Microsoft Software Assurance program...
can be used to create a bootable recovery disc that can log on to the unbootable Windows installation and start System Restore.
Limitations & complications
A limitation which applies to System Restore in Windows versions prior to Windows Vista is that only certain file types and files in certain locations on the volume are monitored, therefore unwanted software installations and especially in-place software upgrades may be incompletely reverted by System Restore. Consequently, there may be little or no practical beneficial impact. Certain issues may also arise when attempting to run or remove that application. In contrast, various other utilities have been designed to provide much more complete reversal of system changes including software upgrades. For example, by tracking all changes, Norton's
GoBackNorton GoBack is a Microsoft Windows based disk utility that can record up to 8 GB of disk changes. When the filesystem is idle for a few seconds, it marks these as "safe points". The product allows the disk drive to be reverted to any point within the available history...
or Horizon DataSys's
Rollback RxRollBack Rx is a third party disk utility for Microsoft Windows, that uses a sector mapping algorithm and incremental sector redirection to capture and manage its snapshots...
allows complete restoration of the file system's state to any of hundreds of available restore points per day. Another example would be
Faronics- Company Profile :Faronics Corporation is a privately held software company with offices in Vancouver, BC, Canada, San Ramon, CA, USA, and Bracknell, UK. Faronics develops computer software for multi-user IT environments...
Deep FreezeDeep Freeze may refer to:* Operation Deep Freeze, a series of American expeditions to Antarctica beginning in 1955* Deep Freeze Range, a mountain range in Antarctica* Deep Freeze , a protective program...
which restores the entire disk volume to its original configuration upon restart, eradicating unwanted changes of any type. Frequent or continuous monitoring may also adversely affect system performance, whereas System Restore's restore points are generally created quickly and sparingly.
If there is no adequate free space, System Restore will fail to create a restore point. In this case, the user may discover that there is not a single restore point available with which to restore the system.
It is not possible to create a permanent restore point. All restore points will eventually be deleted after the time specified in the RPLifeInterval registry setting is reached or earlier if allotted disk space is insufficient. Even if no user or software triggered restore points are generated allotted disk space is consumed by automatic restore points. Consequently, in systems with little space allocated, if a user does not notice a new problem within a few days, it may be too late to restore to a configuration from before the problem arose.
In Windows Me and FAT32 drives, for data integrity purposes, System Restore does not allow other applications or users to modify or delete files in the directory where the restore points are saved. Since its method of backup is fairly simplistic, it may end up archiving
malwareMalware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
such as
virusesA computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
, for example in a restore point created before using antivirus software to clean an infection. Antivirus software is usually unable to remove infected files from System Restore; the only way actually to delete the infected files is to disable System Restore, which will result in losing all saved restore points; otherwise they will remain until Windows deletes the affected restore points. However stored infected files in themselves are harmless unless executed; they will only pose a threat if the affected restore point is reinstated.
In Windows XP and after using NTFS drives, System or Administrator rights are required to modify or delete files in the restore point folders.
On Windows Vista, System Restore does not work on FAT32 disks and cannot be enabled on disks smaller than 1 GB.
Changes made to a volume from another OS (in case of dual-boot OS scenarios) cannot be monitored. Also, a compatibility issue exists with System Restore when dual-booting Windows XP/Windows Server 2003 and Windows Vista or later operating systems. Specifically, the shadow copies on the volume are deleted when the older operating system accesses (and therefore mounts) that NTFS volume. This happens because the older operating system does not recognize the newer format of persistent shadow copies.
System Restore in Windows Vista and later versions no longer supports configuring its settings through the registry. File types and directories can also no longer be included or excluded from monitoring by System Restore by editing
%windir%\system32\restore\Filelist.xml as was possible in Windows XP. This file no longer exists in Windows Vista.
External links