System Restore Explained

System Restore is a feature in Microsoft Windows that allows the user to revert their computer's state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time, which can be used to recover from system malfunctions or other problems. First included in Windows Me, it has been included in all following desktop versions of Windows released since, excluding Windows Server.^[1] In Windows 10, System Restore is turned off by default and must be enabled by users in order to function.^[2] This does not affect personal files such as documents, music, pictures, and videos.

In prior Windows versions it was based on a file filter that watched changes for a certain set of file extensions, and then copied files before they were overwritten.^{[3] [4]} An updated version of System Restore introduced by Windows Vista uses the Shadow Copy service as a backend (allowing block-level changes in files located in any directory on the volume to be monitored and backed up regardless of their location) and allows System Restore to be used from the Windows Recovery Environment in case the Windows installation no longer boots at all.^[5]

Overview

In System Restore, the user may create a new restore point manually (as opposed to the system creating one automatically), roll back to an existing restore point, or change the System Restore configuration. Moreover, the restore itself can be undone. Old restore points are discarded in order to keep the volume's usage within the specified amount. For many users, this can provide restore points covering the past several weeks. Users concerned with performance or space usage may also opt to disable System Restore entirely. Files stored on volumes not monitored by System Restore are never backed up or restored.

System Restore backs up system files of certain extensions (.exe, .dll, etc.) and saves them for later recovery and use.^[6] It also backs up the registry and most drivers.

Resources monitored

Starting with Windows Vista, System Restore takes a snapshot of all volumes it is monitoring. However, on Windows XP, it only monitors the following:^{[7] [8]}

• Windows Registry
• Files in the Windows File Protection folder (Dllcache)
• Local user profiles
• COM+ and WMI databases
• IIS metabase
• Specific file types monitored

The list of file types and directories to be included or excluded from monitoring by System Restore can be customized on Windows Me and Windows XP by editing %windir%\system32\restore\Filelist.xml.^[9]

Disk space consumption

The amount of disk space System Restore consumes can be configured. Starting with Windows XP, the disk space allotted is configurable per volume and the data stores are also stored per volume. Files are stored using NTFS compression and a Disk Cleanup handler allows deleting all but the most recent Restore Points. System Restore can be disabled completely to regain disk space. It automatically disables itself if the volume's free space is too low for it to operate.

Restore points

Windows creates restore points:

• When software is installed using Windows Installer or other installers that are aware of System Restore^[10]
• When Windows Update installs new updates
• When the user installs a driver that is not digitally signed by Windows Hardware Quality Labs
• Periodically. By default:
  • Windows XP creates a restore point every 24 hours^[11]
  • Windows Vista creates a restore point if none is created within the last 24 hours
  • Windows 7 creates a restore point if none has been created within the last seven days
• On user's command

Windows XP stores restore point files in a hidden folder named "System Volume Information" on the root of every drive, partition or volume, including most external drives and some USB flash drives.

The operating system deletes older restore points per the configured space constraint on a first in, first out basis.

Implementation differences

There are considerable differences between how System Restore works under Windows XP and later Windows versions.

• Configuration user interface – In Windows XP, there is a graphical slider to configure the amount of disk space allotted to System Restore. In Windows Vista, the slider to configure the disk space is not available. Using the command-line tool Vssadmin.exe or by editing the appropriate registry key,^{[12] [13]} the space reserved can be adjusted. Starting with Windows 7, the slider is available once again.
• Maximum space – In Windows XP, System Restore can be configured to use up to a maximum of 12% of the volume's space for most disk sizes; however, this may be less depending on the volume's size. Restore points over 90 days old are automatically deleted, as specified by the registry value RPLifeInterval (Time to Live – TTL) default value of 7776000 seconds. In Windows Vista and later, System Restore is designed for larger volumes.^[14] By default, it uses 15% of the volume's space.
• File paths monitored – Up to Windows XP, files are backed up only from certain directories. On Windows Vista and later, this set of files is defined by monitored extensions outside of the Windows folder, and everything under the Windows folder.^[15]
• File types monitored – Up to Windows XP, it excludes any file types that are considered "personal" to the user, such as documents, digital photographs, media files, e-mail, etc. It also excludes the monitored set of file types (etc.) from folders such as My Documents. Microsoft recommends that if a user is unsure as to whether certain files will be modified by a rollback, they should keep those files under My Documents. When a rollback is performed, the files that were being monitored by System Restore are restored and newly created folders are removed. However, on Windows Vista and later, it excludes only document file types; it does not exclude any monitored system file type regardless of its location.
• Configuring advanced System Restore settings – Windows XP supports customizing System Restore settings via Windows Registry and a file at %windir%\system32\restore\Filelist.xml.^{[9] [16]} Windows Vista and later no longer support this.^[17]
• FAT32 volume support – On Windows Vista and later, System Restore no longer works on FAT32 disks and cannot be enabled on disks smaller than 1 GB.

Restoring the system

Up to Windows XP, the system can be restored as long as it is in an online state, that is, as long as Windows boots normally or from Safe mode. It is not possible to restore the system if Windows is unbootable without using 3rd-party bootable recovery media such as ERD Commander. Under Windows Vista and later, the Windows Recovery Environment can be used to launch System Restore and restore a system in an offline state, that is, in case the Windows installation is unbootable. Since the advent of Microsoft Desktop Optimization Pack, Diagnostics and Recovery Toolset from it can be used to create a bootable recovery disc that can log on to an unbootable Windows installation and start System Restore. The toolset includes ERD Commander for Windows XP that was previously a 3rd-party product by Winternals.

Limitations and complications

Before Windows Vista, System Restore protection was restricted to select locations and predetermined file types. Therefore, System Restore could not fully revert unwanted software installations, especially in-place software upgrades.^[18] Starting with Windows Vista, System Restore monitors all files on all file paths on a given volume.

It is not possible to create a permanent restore point. All restore points will eventually be deleted after the time specified in the RPLifeInterval registry setting is reached or if allotted disk space is insufficient for newer Restore points. Consequently, in systems with little space allocated, if a user does not notice a new problem within a few days, it may be too late to restore to a configuration from before the problem arose.

On infected system, System Restore may end up archiving malware, such as viruses, before antivirus software has the chance clean the infection. For data integrity purposes, System Restore does not allow other applications or users to modify or delete files in the directory where the restore points are saved. As such, antivirus software is usually unable to remove infected files from restore points.^[19] The only way to clean them is to delete them altogether. However stored infected files are harmless until the affected restore point is reinstated.

System Restore cannot monitor changes made to a volume from another operating system (in case of multi-booting scenarios). In addition, multi-booting different versions of Windows can disrupt the operation of System Restore. Specifically, Windows XP and Windows Server 2003 delete the restore points of Windows Vista and later.^[20] Also, restore points created by Windows 8 may be destroyed by previous versions of Windows.^[21]

See also

• Backup

Further reading

• Web site: Use System Restore to Undo Changes if Problems Occur . Windows XP Help . . https://web.archive.org/web/20080115204938/http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx . January 15, 2008 .
• Web site: Windows XP System Restore . April 2001 . . . https://web.archive.org/web/20080901221517/http://msdn.microsoft.com/en-us/library/ms997627.aspx . September 1, 2008 .
• Web site: Checkpoints that you create after September 8, 2001 do not restore your computer . Support . . May 9, 2014 . October 26, 2007 . 3.8 . November 5, 2004 . https://web.archive.org/web/20041105052300/http://support.microsoft.com/kb/290700 . live .
• Web site: The Registry Keys and Values for the System Restore Utility . Support . . May 9, 2014 . January 15, 2006 . 1.3 . October 23, 2012 . https://web.archive.org/web/20121023132519/http://support.microsoft.com/default.aspx?kbid=295659 . live .

External links

• Microsoft Support article

Notes and References

1. Web site: No Restore Point For You. December 28, 2007. February 27, 2020. Cnet. https://archive.today/20130119190024/http://news.cnet.com/8301-13554_3-9838164-33.html. January 19, 2013. dead.
2. Jim Tanous, "Why and How to Enable System Restore in Windows 10", Tekrevue, July 28, 2015
3. Book: Russinovich . Mark E. . David A. . Solomon . Microsoft Windows Internals: Microsoft Windows Server 2003, Windows XP, and Windows 2000 . 2005 . . . 0-7356-1917-4 . 4 . 706–711 . registration .
4. Web site: Windows Backup. Windows Vista portal. Microsoft. January 11, 2014. https://web.archive.org/web/20070510204203/http://www.microsoft.com/middleeast/windowsvista/features/foreveryone/backup.mspx. May 10, 2007.
5. Fok. Christine. A Guide to Windows Vista Backup Technologies. TechNet Magazine. Microsoft. January 11, 2014. September 2007. February 9, 2014. https://web.archive.org/web/20140209110721/http://technet.microsoft.com/en-us/magazine/2007.09.backup.aspx. live.
6. Web site: MSDN System Restore Reference: Monitored File Extensions . May 22, 2008 . October 20, 2017 . https://web.archive.org/web/20171020191129/https://msdn.microsoft.com/en-us/library/aa378870.aspx . live .
7. Web site: Monitoring the System. MSDN. Microsoft. May 10, 2014. October 6, 2012. https://web.archive.org/web/20121006064436/http://msdn.microsoft.com/en-us/library/aa378891(v=vs.85).aspx. live.
8. Web site: Frequently Asked Questions Regarding System Restore in Windows XP . . . https://web.archive.org/web/20080424052302/http://technet.microsoft.com/en-us/windowsxp/bb264753.aspx . April 24, 2008.
9. Web site: System Restore: Monitored File Name Extensions . May 4, 2017 . September 10, 2016 . https://web.archive.org/web/20160910032441/https://msdn.microsoft.com/en-us/library/aa378870(v=vs.85).aspx . live .
10. Web site: Selected Scenarios for Maintaining Data Integrity with Windows Vista . . . May 10, 2014 . July 14, 2014 . https://web.archive.org/web/20140714100839/http://technet.microsoft.com/en-us/library/cc749185(v=ws.10).aspx . live .
11. Web site: About System Restore. MSDN. Microsoft. May 10, 2014. October 6, 2012. https://web.archive.org/web/20121006010643/http://msdn.microsoft.com/en-us/library/aa378724(v=vs.85).aspx. live.
12. Web site: MSFN's Unattended Windows : Reduce Disk Space Used By System Restore . November 5, 2009 . July 6, 2010 . https://web.archive.org/web/20100706181123/http://unattended.msfn.org/unattended.xp/view/registry/68/ . live .
13. Web site: The Registry Keys and Values for the System Restore Utility . September 15, 2006 . November 3, 2009 . October 31, 2009 . https://web.archive.org/web/20091031130254/http://support.microsoft.com/kb/295659 . live .
14. Web site: Windows Vista Help: System Restore FAQs . May 22, 2008 . May 22, 2008 . https://web.archive.org/web/20080522132409/http://windowshelp.microsoft.com/Windows/en-US/help/517d3b8e-3379-46c1-b479-05b30d6fb3f01033.mspx . live .
15. http://bertk.mvps.org/html/q_a.html#16 Windows Vista System Restore FAQs: Bert Kinney - System Restore MVP
16. Web site: The Registry Keys and Values for the System Restore Utility . November 5, 2009 . October 31, 2009 . https://web.archive.org/web/20091031130254/http://support.microsoft.com/kb/295659 . live .
17. Web site: Vista System Restore Q&A - System Restore MVP Bert Kinney . May 22, 2008 . March 27, 2008 . https://web.archive.org/web/20080327064609/http://bertk.mvps.org/html/q_a.html#6 . dead .
18. Web site: Windows Server Hacks: Hacking System Restore - O'Reilly Media . September 19, 2008 . August 28, 2008 . https://web.archive.org/web/20080828123825/http://www.windowsdevcenter.com/pub/a/windows/2004/10/19/SystemRestore.html . live .
19. Web site: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder . Microsoft Corporation . September 19, 2007 . January 4, 2007 . https://web.archive.org/web/20070104075832/http://support.microsoft.com/kb/263455/EN-US/ . live .
20. Web site: How restore points and other recovery features in Windows Vista are affected when you dual-boot with Windows XP . July 14, 2006 . File Cabinet Blog . . March 21, 2007 . July 18, 2006 . https://web.archive.org/web/20060718011852/http://blogs.technet.com/filecab/archive/2006/07/14/441829.aspx . dead .
21. Web site: Calling SRSetRestorePoint . . . Snapshots of the boot volume created by System Restore running on Windows 8 may be deleted if the snapshot is subsequently exposed by an earlier version of Windows. . February 1, 2015 . March 4, 2016 . https://web.archive.org/web/20160304205146/https://msdn.microsoft.com/en-us/library/windows/desktop/aa378727.aspx . live .