System Restore

Developer(s): Microsoft
Operating system: Microsoft Windows
Type: System recovery
Website: support.microsoft.com/en-us/help/959063/what-is-system-restore

System Restore is a feature in Microsoft Windows that allows the user to revert their computer's state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time, which can be used to recover from system malfunctions or other problems. First included in Windows Me, it has been included in all desktop versions of Windows released since, excluding Windows Server. [1] In Windows 10, System Restore is turned off by default and must be enabled by users in order to function. [2] System Restore does not affect personal files such as documents, music, pictures, and videos.

In Windows versions prior to Windows Vista, System Restore was based on a file filter that watched changes for a certain set of file extensions and copied files before they were overwritten. [3] [4] An updated version of System Restore introduced by Windows Vista uses the Shadow Copy service as a backend (allowing block-level changes in files located in any directory on the volume to be monitored and backed up regardless of their location) and allows System Restore to be used from the Windows Recovery Environment in case the Windows installation no longer boots at all. [5]

Overview

In System Restore, the user may create a new restore point manually (as opposed to the system creating one automatically), roll back to an existing restore point, or change the System Restore configuration. Moreover, the restore itself can be undone. Old restore points are discarded in order to keep the volume's usage within the specified amount. For many users, this can provide restore points covering the past several weeks. Users concerned with performance or space usage may also opt to disable System Restore entirely. Files stored on volumes not monitored by System Restore are never backed up or restored.

System Restore backs up system files of certain extensions (.exe, .dll, etc.) and saves them for later recovery and use. [6] It also backs up the registry and most drivers.

Resources monitored

Starting with Windows Vista, System Restore takes a snapshot of all volumes it is monitoring. However, on Windows XP, it only monitors the following: [7] [8]

The list of file types and directories to be included or excluded from monitoring by System Restore can be customized on Windows Me and Windows XP by editing %windir%\system32\restore\Filelist.xml. [9]

Disk space consumption

The amount of disk space System Restore consumes can be configured. Starting with Windows XP, the disk space allotted is configurable per volume and the data stores are also stored per volume. Files are stored using NTFS compression and a Disk Cleanup handler allows deleting all but the most recent Restore Points. System Restore can be disabled completely to regain disk space. It automatically disables itself if the volume's free space is too low for it to operate.

Restore points

Windows creates restore points:

Windows XP stores restore point files in a hidden folder named "System Volume Information" on the root of every drive, partition or volume, including most external drives and some USB flash drives. [3]

The operating system deletes older restore points per the configured space constraint on a first in, first out basis.

Implementation differences

There are considerable differences between how System Restore works under Windows XP and later Windows versions.

Restoring the system

Up to Windows XP, the system can be restored as long as it is in an online state, that is, as long as Windows boots normally or from Safe mode. If Windows is unbootable, the system cannot be restored without third-party bootable recovery media such as ERD Commander. Under Windows Vista and later, the Windows Recovery Environment can be used to launch System Restore and restore a system in an offline state, that is, in case the Windows installation is unbootable. [5] Since the advent of the Microsoft Desktop Optimization Pack, its Diagnostics and Recovery Toolset can be used to create a bootable recovery disc that can log on to an unbootable Windows installation and start System Restore. The toolset includes ERD Commander for Windows XP, which was previously a third-party product by Winternals.

Limitations and complications

A limitation of System Restore in Windows versions prior to Windows Vista is that only certain file types and files in certain locations on the volume are monitored; unwanted software installations, and especially in-place software upgrades, may therefore be incompletely reverted by System Restore. [18] Consequently, there may be little or no practical benefit. Certain issues may also arise when attempting to run or completely uninstall that application. In contrast, various other utilities have been designed to provide much more complete reversal of system changes, including software upgrades. However, beginning with Windows Vista, System Restore monitors all system file types on all file paths on a given volume, so there is no issue of incomplete restoration.

It is not possible to create a permanent restore point. All restore points will eventually be deleted after the time specified in the RPLifeInterval registry setting is reached, or earlier if the allotted disk space is insufficient. Even if no user- or software-triggered restore points are generated, allotted disk space is consumed by automatic restore points. [8] Consequently, in systems with little space allocated, if a user does not notice a new problem within a few days, it may be too late to restore to a configuration from before the problem arose.

For data integrity purposes, System Restore does not allow other applications or users to modify or delete files in the directory where the restore points are saved. On NTFS volumes, the restore points are protected using ACLs. Since its method of backup is fairly simplistic, it may end up archiving malware such as viruses, for example in a restore point created before using antivirus software to clean an infection. Antivirus software is usually unable to remove infected files from System Restore; [19] the only way to actually delete the infected files is to disable System Restore, which results in losing all saved restore points; otherwise the files remain until Windows deletes the affected restore points. However, stored infected files are harmless in themselves unless executed; they pose a threat only if the affected restore point is reinstated. Windows System Restore is not compatible with restore points made by third-party applications.
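The retention rules described above (an age limit plus first-in, first-out eviction under the space allotment) and the malware caveat combine into a triage question after an infection: which surviving restore points predate the cleanup, and does any pre-infection point still exist? The following is an added example, not code from Microsoft or from the original article; it is a simplified model, and the class and function names, the day-granularity timeline and the sample sizes are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RestorePoint:
    seq: int       # sequence number, increasing with creation order
    day: int       # creation day, counted from an arbitrary day 0
    size_mb: int   # space the point occupies in the data store


def purge(points, today, max_mb, life_days):
    """Apply the two retention rules the article describes.

    life_days stands in for the RPLifeInterval setting; it is expressed
    in days here for readability (an assumption of this model).
    """
    # Rule 1: drop points that have reached the age limit.
    kept = sorted((p for p in points if today - p.day < life_days),
                  key=lambda p: p.seq)
    # Rule 2: evict oldest-first until the store fits the allotted space.
    while kept and sum(p.size_mb for p in kept) > max_mb:
        kept.pop(0)
    return kept


def triage(points, today, max_mb, life_days, infected_day, cleaned_day):
    """Classify the surviving points against an infection timeline.

    A point created on the cleanup day is treated as suspect, because it
    may have been taken before the antivirus run finished.
    """
    kept = purge(points, today, max_mb, life_days)
    return {
        # Safe rollback targets: taken before the infection.
        "pre_infection": [p.seq for p in kept if p.day < infected_day],
        # May hold archived malware; do not restore to these.
        "suspect": [p.seq for p in kept
                    if infected_day <= p.day <= cleaned_day],
        # Taken after the cleanup.
        "post_cleanup": [p.seq for p in kept if p.day > cleaned_day],
    }


# Constructed sample: one 100 MB restore point per day for days 0..9.
SAMPLE = [RestorePoint(seq=i + 1, day=i, size_mb=100) for i in range(10)]

if __name__ == "__main__":
    # Infection on day 4, cleanup on day 8, triage on day 9, 500 MB allotted.
    print(triage(SAMPLE, today=9, max_mb=500, life_days=90,
                 infected_day=4, cleaned_day=8))
```

With the 500 MB allotment every pre-infection point has already been evicted and four of the five survivors are suspect, which is the "too late to restore" situation described above.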

Changes made to a volume from another operating system (in case of multi-booting scenarios) cannot be monitored. In addition, multi-booting different versions of Windows can disrupt the operation of System Restore. Specifically, Windows XP and Windows Server 2003 delete the checkpoints created by Windows Vista and later. [20] Also, checkpoints created by Windows 8 may be destroyed by previous versions of Windows. [21]


References

  1. "No Restore Point For You". Cnet. December 28, 2007. Archived from the original on January 19, 2013. Retrieved February 27, 2020.
  2. Jim Tanous, "Why and How to Enable System Restore in Windows 10". Tekrevue. July 28, 2015. Archived December 21, 2017, at the Wayback Machine.
  3. Russinovich, Mark E.; Solomon, David A. (2005). Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000 (4 ed.). Redmond, WA: Microsoft Press. pp. 706–711. ISBN 0-7356-1917-4.
  4. "Windows Backup". Windows Vista portal. Microsoft. Archived from the original on May 10, 2007. Retrieved January 11, 2014.
  5. Fok, Christine (September 2007). "A Guide to Windows Vista Backup Technologies". TechNet Magazine. Microsoft. Archived from the original on February 9, 2014. Retrieved January 11, 2014.
  6. "MSDN System Restore Reference: Monitored File Extensions". Archived from the original on October 20, 2017. Retrieved May 22, 2008.
  7. "Monitoring the System". MSDN. Microsoft. Archived from the original on October 6, 2012. Retrieved May 10, 2014.
  8. "Frequently Asked Questions Regarding System Restore in Windows XP". TechNet. Microsoft. Archived from the original on April 24, 2008.
  9. "System Restore: Monitored File Name Extensions". Archived from the original on September 10, 2016. Retrieved May 4, 2017.
  10. "Selected Scenarios for Maintaining Data Integrity with Windows Vista". TechNet. Microsoft. Archived from the original on July 14, 2014. Retrieved May 10, 2014.
  11. "About System Restore". MSDN. Microsoft. Archived from the original on October 6, 2012. Retrieved May 10, 2014.
  12. "MSFN's Unattended Windows: Reduce Disk Space Used By System Restore". Archived from the original on July 6, 2010. Retrieved November 5, 2009.
  13. "The Registry Keys and Values for the System Restore Utility". September 15, 2006. Archived from the original on October 31, 2009. Retrieved November 3, 2009.
  14. "Windows Vista Help: System Restore FAQs". Archived from the original on May 22, 2008. Retrieved May 22, 2008.
  15. "Windows Vista System Restore FAQs: Bert Kinney - System Restore MVP". Archived March 27, 2008, at the Wayback Machine.
  16. "The Registry Keys and Values for the System Restore Utility". Archived from the original on October 31, 2009. Retrieved November 5, 2009.
  17. "Vista System Restore Q&A - System Restore MVP Bert Kinney". Archived from the original on March 27, 2008. Retrieved May 22, 2008.
  18. "Windows Server Hacks: Hacking System Restore - O'Reilly Media". Archived from the original on August 28, 2008. Retrieved September 19, 2008.
  19. "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder". Microsoft Corporation. Archived from the original on January 4, 2007. Retrieved September 19, 2007.
  20. "How restore points and other recovery features in Windows Vista are affected when you dual-boot with Windows XP". File Cabinet Blog. Microsoft. July 14, 2006. Archived from the original on July 18, 2006. Retrieved March 21, 2007.
  21. "Calling SRSetRestorePoint". MSDN Library. Microsoft. Archived from the original on March 4, 2016. Retrieved February 1, 2015. Snapshots of the boot volume created by System Restore running on Windows 8 may be deleted if the snapshot is subsequently exposed by an earlier version of Windows.