patndoris TechnoGeek

For those of you who live here in the States, you’ve likely seen the commercial from one of the well known insurance companies, where the very nice gentleman describes how the unsuspecting person, while deep-frying his Thanksgiving turkey, had the cooker blow up his shed. Or the one for On Star, where a loyal customer is in an accident, and the compassionate agent is quickly going to send help. But what protection do you have when a computer crisis strikes?

...

While I do make full disk images so I can restore my system in minutes if the unthinkable should happen - it’s my plan for disaster recovery. When something just plain goes wrong and I need to repair my system, I typically use the handy Windows feature, System Restore. Now, there’s a lot of stuff written about System Restore - some of it is good, and some advice (as I’ve discovered recently) is not so good. Most users won’t necessarily know the difference between the two. This is where I jump up on my little virtual soapbox and try to provide you with some information, so you can make the best choice for your situation.

First, let’s talk about what System Restore is (and what it’s not). Well, we’re really not going to talk, I’m going to talk and you’re going to listen patiently while I ramble on a bit.

• TRUE: System Restore is a built in feature of Windows
• TRUE: System Restore will backup your system settings, so that in the case of unforeseen problems, you can "restore" your system to a previous state.
• FALSE: System Restore backs up your computer. It does not. System Restore only monitors certain files and folders, and only for certain file types, related to your system. This does include your registry and executable files, but it does not include things like your documents and music. If you really want to know what file types are monitored you can look at the list provided by Microsoft on monitored file types. The default file and folders included and excluded on any given machine are listed in a file named filelist.xml, saved to the directory C:\WINDOWS\system32\Restore\. More interesting are the files and folders NOT monitored.
  ..\cookies
  ..\favorites
  ..\History
  ..\internetcache
  ..\Downloaded Program Files
  ..\Offline Web Pages
  ..\temp
  ..\TMP
  ..\Documents And Settings\All Users\Favorites
  ..\Documents And Settings\All Users\Documents
  ..\Documents And Settings\Default User\My Documents
  ..\Documents And Settings\Default User\Favorites
  ..\Documents And Settings\Default User\Cookies
  ..\Documents And Settings\Default User\Cache
  ..\Documents And Settings\Default User\Local Settings\History
  ..\Documents And Settings\Default User\Local Settings\Temp
  ..\Documents And Settings\Default User\Local Settings\Temporary Internet Files
• TRUE: System Restore does take up some space on your machine. It requires at least 200MB of space. But, as it fills up, it will automatically delete older restore points. You can have this space allotment set quite a bit higher, allowing you to access far more restore points if necessary. But if space is at a premium you might consider reducing the amount of space dedicated to System Restore.
• FALSE: Doing a System Restore if you’ve cleaned malware off your machine will bring it all back. It is true there are types of infections that can be backed up in your System Restore. But, depending on where the malware was, it may not be. The Downloaded Programs folder is home to add-ins, BHOs, chat plugins, java, activex files etc, and this folder is excluded from System Restore. So, while these are certainly types of items that can harbor unintended malware, they won’t be in your System Restore points. Executable virus files (for example) can be in System Restore points. So, after a cleaning it’s important to create a new restore point free of such nuisances, and to remove all your previous restore points that might contain infected data. (More on how to do that later - I’m sure you’ll be waiting on the edge of your seat.) Remember, the files in System Restore are not active so even if they contain malware, you don’t have to worry about it unless you actually have to use your restore points.

Now, let’s look at why turning off System Restore is a BAD idea. Systems can crash, things can go wrong at boot time, with the advent of "always on" cable and DSL your system is always at risk for infection (unlike the days of dial-up), or if you have an dormant infection on your machine that suddenly springs to life - your machine can be crippled and you’ll have no restore point. Bottom line, any time System Restore is turned off, for any reason, you risk being left without a viable way to restore your system. You may think it saves you space. Is 200MB really that high of a price to pay for some peace of mind? Not to mention, do you really have the time to install your OS again if something goes amiss? How about those malware removal instructions that tell you to turn it off while you clean up, then turn it on to create that new clean restore point? Don’t do it! Restore points are removed as soon as you confirm you want to turn it off. If anything goes wrong with your cleanup - how do you think you can recover your system? Even if it had infections, isn’t it better to be able to restore it and re-clean than to lose it all? For further reading on this concept, if you’re so inclined, you can check out this article on best practice on the Spyware Sucks blog.

So, let’s assume you never considered turning off System Restore, and you allow it to run faithfully. You may have even had reason to use it, so you know the value of it. There are a number of ways new restore points are created. You (or a program you use) can create a restore point for a specific reason, the system will also automatically create a restore point after your system has been on for 10 hours solid, or for every 24 hours of use. As I understand, once these time criteria are met, after two idle minutes the restore point is made. And, when you do Windows updates, a restore point will be created after the download, but before the installation of the update(s). As you can see you have a variety of points upon which you may rely to fall back if you need to. But what if you just cleaned up some kind of infection? What if you did as I suggest and didn’t turn off system restore? How do you get rid of all those previous restore points without leaving yourself unprotected for even a moment? Hmmm…should I tell you? It’s really very simple. (But you’ll have to scroll down a bit to find it.)

You now know far more than you ever wanted to about System Restore, I’m sure. But if you’ve learned anything from this post, I hope it’s to think very carefully before you ever disable System Restore for any reason. It’s your safety net - hopefully you’ll choose to keep it in place because it can get very messy when you fall, accelerating at 9.8 meters/second squared to the ground (that’s the acceleration due to gravity) and go SPLAT at the bottom. Don’t let your computer go splat! I will now climb down off my little virtual soapbox so you can quietly look at the detailed instructions on using System Restore below if you should choose to (and at least you’ll know where to find them if you need them).

Below are the steps to create a restore point, how to remove all previous restore points**, how to use them when Windows doesn’t start, and how to use them when Windows does start - for both XP and Vista.

**I don’t recommend removing your previous restore points unless you’ve done cleanup that would require you to do so for security of knowing malware was not saved in your restore points.

Creating a Restore Point - XP

• Click Start > All Programs > Accessories > System Tools > System Restore
• On the Welcome page, click Create a restore point.
• On the Create a Restore Point page, enter a descriptive name for your restore point
• Click Create
• The Restore Point Created page confirms that the new restore point has been created.

Removing All But the Most Recent Restore Point - XP

• Click Start > All Programs > Accessories > System Tools > Disk Cleanup
• This will bring up the Disk Cleanup window.
• Click the More Options tab.
• In the System Restore field, click Clean up
• You will be prompted if you want to remove all but the most recent Restore Point.
• Click < b>.
• /b>.
• When prompted whether you’re sure you want to do this click Yes.

Using a Restore Point if Windows Does Not Start - XP

• Start the computer and then press the F8 key when Windows begins to start. The Windows Advanced Options menu appears.
• Use the ARROW keys to select Last Known Good Configuration (your most recent settings that worked), and then press ENTER.
• If a boot menu appears, use the ARROW keys to select Microsoft Windows XP, and then press ENTER. Windows XP restores the computer to the most recent restore point.

Using a Restore Point if Windows Does Start - XP

• Click Start > All Programs > Accessories > System Tools, and then click System Restore
• On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next
• On the Select a Restore Point page, click the most recent system checkpoint in the On this list, click a restore point list, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
• On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
• The System Restore Restoration Complete page appears.

Creating a Restore Point - Vista

• Click Start
• Right click on My Computer
• Select Properties
• From the tasks pane on the left, click System Protection
• Select a disk (place check mark in box if it is not already checked) from the list, usually C:
• Click on the Create button.
• Type a name to describe this restore point (ex. Before driver update)
• Click Create button
• When finished, Windows opens a window stating that the restore point was created successfully.

Removing All But the Most Recent Restore Point - Vista

• Click Start > All Programs > System Tools > Disk Cleanup
• Select Files from all users on this computer
• Click on Continue
• Select the appropriate drive letter, usually C:,
• When the Disk Cleanup window opens, select the More Options tab
• Under System Restore and Shadow Copies click on the Clean up button
• All but the latest restore point will be removed
• Note: In some editions of Windows Vista, the disc might include file shadow copies and older Windows Complete PC Backup images as part of restore points. This information will also be deleted.

Using a Restore Point if Windows Does Not Start - Vista

• Start the computer and then press the F8 key when Windows begins to start. The Windows Advanced Options menu appears.
• Use the ARROW keys to select Last Known Good Configuration (your most recent settings that worked), and then press ENTER.
• If a boot menu appears, use the ARROW keys to select Microsoft Windows XP, and then press ENTER. Windows XP restores the computer to the most recent restore point.

Using a Restore Point if Windows Does Start - Vista

• Click Start
• Right click on My Computer
• Select Properties
• From the tasks pane on the left, click System Protection
• Click on the System Restore button
• The Restore System Files and Settings screen appears
• Click Next
• Select the restore point you want to use. After you confirm your computer will restart and restore. A confirmation will be displayed showing the restoration was completed.
• When finished, Windows opens a window stating that the restore point was created successfully.