System Restore

System Restore is a feature in Microsoft Windows that allows the user to revert their computer's state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time, which can be used to recover from system malfunctions or other problems. First included in Windows Me, it has been included in all following desktop versions of Windows released since, excluding Windows Server. In Windows 10, System Restore is turned off by default and must be enabled by users in order to function. This does not affect personal files such as documents, music, pictures, and videos.

In prior Windows versions it was based on a file filter that watched changes for a certain set of file extensions, and then copied files before they were overwritten. An updated version of System Restore introduced by Windows Vista uses the Shadow Copy service as a backend (allowing block-level changes in files located in any directory on the volume to be monitored and backed up regardless of their location) and allows System Restore to be used from the Windows Recovery Environment in case the Windows installation no longer boots at all.

Overview

In System Restore, the user may create a new ''restore point'' manually (as opposed to the system creating one automatically), roll back to an existing restore point, or change the System Restore configuration. Moreover, the restore itself can be undone. Old restore points are discarded in order to keep the volume's usage within the specified amount. For many users, this can provide restore points covering the past several weeks. Users concerned with performance or space usage may also opt to disable System Restore entirely. Files stored on volumes not monitored by System Restore are never backed up or restored.

System Restore backs up system files of certain extensions (.exe, .dll, etc.) and saves them for later recovery and use. It also backs up the registry and most drivers.

Resources monitored

Starting with Windows Vista, System Restore takes a snapshot of all volumes it is monitoring. However, on Windows XP, it only monitors the following:
* Windows Registry
* Files in the Windows File Protection folder (Dllcache)
* Local user profiles
* COM+ and WMI databases
* IIS metabase
* Specific file types monitored

The list of file types and directories to be included or excluded from monitoring by System Restore can be customized on Windows Me and Windows XP by editing ''%windir%\system32\restore\Filelist.xml''.

Disk space consumption

The amount of disk space System Restore consumes can be configured. Starting with Windows XP, the disk space allotted is configurable per volume and the data stores are also stored per volume. Files are stored using NTFS compression and a Disk Cleanup handler allows deleting all but the most recent Restore Points. System Restore can be disabled completely to regain disk space. It automatically disables itself if the volume's free space is too low for it to operate.

Restore points

Windows creates restore points:

* When software is installed using Windows Installer or other installers that are aware of System Restore
* When Windows Update installs new updates
* When the user installs a driver that is not digitally signed by Windows Hardware Quality Labs
* Periodically. By default:
** Windows XP creates a restore point every 24 hours
** Windows Vista creates a restore point if none is created within the last 24 hours
** Windows 7 creates a restore point if none has been created within the last seven days
* On user's command

Windows XP stores restore point files in a hidden folder named "System Volume Information" on the root of every drive, partition or volume, including most external drives and some USB flash drives.

The operating system deletes older restore points per the configured space constraint on a first in, first out basis.

Implementation differences

There are considerable differences between how System Restore works under Windows XP and later Windows versions.

* Configuration user interface – In Windows XP, there is a graphical slider to configure the amount of disk space allotted to System Restore. In Windows Vista, the slider to configure the disk space is not available. Using the command-line tool Vssadmin.exe or by editing the appropriate registry key, the space reserved can be adjusted. Starting with Windows 7, the slider is available once again.
* Maximum space – In Windows XP, System Restore can be configured to use up to a maximum of 12% of the volume's space for most disk sizes; however, this may be less depending on the volume's size. Restore points over 90 days old are automatically deleted, as specified by the registry value RPLifeInterval (Time to Live – TTL) default value of 7776000 seconds. In Windows Vista and later, System Restore is designed for larger volumes. By default, it uses 15% of the volume's space.
* File paths monitored – Up to Windows XP, files are backed up only from certain directories. On Windows Vista and later, this set of files is defined by monitored extensions outside of the Windows folder, and everything under the Windows folder.
* File types monitored – Up to Windows XP, it excludes ''any'' file types that are considered "personal" to the user, such as documents, digital photographs, media files, e-mail, etc. It also excludes the monitored set of file types (, etc.) from folders such as My Documents. Microsoft recommends that if a user is unsure as to whether certain files will be modified by a rollback, they should keep those files under ''My Documents''. When a rollback is performed, the files that were being monitored by System Restore are restored and newly created folders are removed. However, on Windows Vista and later, it excludes only document file types; it does not exclude any monitored system file type regardless of its location.
* Configuring advanced System Restore settings – Windows XP supports customizing System Restore settings via Windows Registry and a file at %windir%\system32\restore\Filelist.xml. Windows Vista and later no longer support this.
* FAT32 volume support – On Windows Vista and later, System Restore no longer works on FAT32 disks and cannot be enabled on disks smaller than 1 GB.

Restoring the system

Up to Windows XP, the system can be restored as long as it is in an online state, that is, as long as Windows boots normally or from '' Safe mode''. It is not possible to restore the system if Windows is unbootable without using 3rd-party bootable recovery media such as ERD Commander. Under Windows Vista and later, the Windows Recovery Environment can be used to launch System Restore and restore a system in an offline state, that is, in case the Windows installation is unbootable. Since the advent of Microsoft Desktop Optimization Pack, Diagnostics and Recovery Toolset from it can be used to create a bootable recovery disc that can log on to an unbootable Windows installation and start System Restore. The toolset includes ERD Commander for Windows XP that was previously a 3rd-party product by Winternals.

Limitations and complications

A limitation which applies to System Restore in Windows versions prior to Windows Vista is that only certain file types and files in certain locations on the volume are monitored, therefore unwanted software installations and especially in-place software upgrades may be incompletely reverted by System Restore. Consequently, there may be little or no practical beneficial impact. Certain issues may also arise when attempting to run or completely uninstall that application. In contrast, various other utilities have been designed to provide much more complete reversal of system changes including software upgrades. However, beginning with Windows Vista, System Restore monitors all system file types on all file paths on a given volume, so there is no issue of incomplete restoration.

It is not possible to create a permanent restore point. All restore points will eventually be deleted after the time specified in the RPLifeInterval registry setting is reached or earlier if allotted disk space is insufficient. Even if no user or software triggered restore points are generated allotted, disk space is consumed by automatic restore points. Consequently, in systems with little space allocated, if a user does not notice a new problem within a few days, it may be too late to restore to a configuration from before the problem arose.

For data integrity purposes, System Restore does not allow other applications or users to modify or delete files in the directory where the restore points are saved. On NTFS volumes, the restore points are protected using ACLs. Since its method of backup is fairly simplistic, it may end up archiving malware such as viruses, for example in a restore point created before using antivirus software to clean an infection. Antivirus software is usually unable to remove infected files from System Restore; the only way actually to delete the infected files is to disable System Restore, which will result in losing all saved restore points; otherwise they will remain until Windows deletes the affected restore points. However stored infected files in themselves are harmless unless executed; they will only pose a threat if the affected restore point is reinstated. Windows System Restore is not compatible with restore points made by third party applications.

Changes made to a volume from another operating system (in case of multi-booting scenarios) cannot be monitored. In addition, multi-booting different versions of Windows can disrupt the operation of System Restore. Specifically, Windows XP and Windows Server 2003 delete the checkpoints created by Windows Vista and later. Also, checkpoints created by Windows 8 may be destroyed by previous versions of Windows.

See also

* Backup

References

Further reading

*
*
*
*

External links

Microsoft Support article

{{Microsoft Windows components

Windows components
Windows administration