Microsoft Windows Registry Guide, Second Edition
Using System Restore
System Restore returns your computer to a previous state without losing recent personal information, such as documents, history lists, favorites, or e-mail. System Restore is only available in Windows XP. It monitors the computer and many applications for changes and creates restore points. I call these restore points snapshots, but they're really instructions for undoing recent changes. You restore these snapshots when your configuration isn't working. By default, Windows XP creates restore points daily and when significant events such as installing an application or device driver occur. System Restore is ideal for serious work in the registry because you can create your own restore points any time you like. You can also change the snapshot schedule or even script System Restore, as I'll show you.
System Restore creates different types of restore points:
- Initial system checkpoints.
System Restore creates initial system checkpoints when Windows XP starts for the first time. Restoring to this point returns Windows XP and programs to their states immediately after installing Windows XP.
- System checkpoints.
System Restore creates restore points regularly, whether or not the system changes. By default, it creates system checkpoints every 24 hours. If you turn the computer off for more than 24 hours, System Restore will create a system checkpoint the next time you start Windows XP.
- Installation checkpoints.
System Restore creates installation checkpoints when you install programs that use current installer technologies, so you can restore the computer to the state it was in before you installed the programs. To reverse the changes made by other programs, restore the most recent checkpoint.
- Automatic update checkpoints.
System Restore creates a restore point before updating Windows XP by using Automatic Update or Windows Update.
- Manual checkpoints.
You can use System Restore or a script to create your own restore points; I'll show you how later in this chapter. Create manual checkpoints before making significant changes to the registry.
- Restore operation checkpoints.
System Restore creates restore operation checkpoints each time you restore a checkpoint. You use restore operation checkpoints to undo a restoration if you don't like the results.
- Unsigned device driver checkpoints.
System Restore creates a restore point when you install an unsigned device driver. If installing the device driver interferes with your computer's stability, you can restore the computer to the state it was in before you installed the device driver.
- Backup utility recovery checkpoints.
System Restore creates a restore point before you use the Backup utility to perform a recovery. You can restore the computer if the recovery leaves your computer in a questionable state.
NOTE
You must still use Add Or Remove Programs to uninstall programs, even if you restore to a point prior to program installation. Removing the program and then restoring the checkpoint is the best sequence.
System Restore requires at least 200 megabytes (MB) of available disk space. If 200 MB of space isn't available, Windows XP disables System Restore. By default, Windows XP allocates 12 percent of the hard disk's size (or 400 MB on hard disks that are smaller than 4 gigabytes), which is the most that Windows XP can allocate to System Restore. You can configure the amount of disk space System Restore consumes, though. On the System Restore tab of the System Properties dialog box, drag the slider left or right to adjust the amount of disk space it uses. To open System Properties, click Start, Control Panel, Performance And Maintenance, and then click System. Don't reduce the amount, however, because doing so limits the number of restore points that System Restore can maintain at one time.
Taking Configuration Snapshots
Here's how to create a restore point using System Restore:
1. Start System Restore in one of the following ways:
- Click System Restore in Help and Support Center.
- Click Start, All Programs, Accessories, System Tools, System Restore.
- Run %SystemRoot%\System32\Restore\rstrui.exe.
2. Select the Create A Restore Point option, and then click Next.
3. In the Restore Point Description box, type a descriptive name for the restore point, and then click Create. (System Restore adds the date and time to the name of the restore point.)
To restore a checkpoint, follow these steps:
1. Start System Restore using one of the three methods in the previous procedure.
2. Select the Restore My Computer To An Earlier Time option, and then click Next.
3. Select the restore point that you want to restore, and then click Next. System Restore maintains up to 90 days of restore points, given enough disk space, so you can move backward and forward in the calendar to see the restore points created on each day. In the calendar, shown in Figure 3-3, bold dates are those that contain restore points. Click a date, and then click the restore point in the list.
4. Click Next again, and Windows XP restarts so it can restore your configuration to the restore point you selected.
Sometimes, if your configuration is too unstable, you won't be able to start Windows XP normally. That leaves you with Safe Mode. (See Chapter 9, “Troubleshooting Problems.”) In Safe Mode, you can't create restore points, but you can restore ones that have already been created. Thus, if Windows XP doesn't start normally, start it in Safe Mode, restore to an earlier configuration, and then restart the computer.
Figure 3-3 Before continuing, make sure you save your documents and close any programs that are running. System Restore restarts your computer.
Looking Inside System Restore
Many of the files and folders System Restore uses are super hidden, so you won't see them unless you display system and hidden files. In Windows Explorer, click Tools, Folder Options. On the Folder Options dialog box's View tab, select the Show Hidden Files And Folders option, and then clear the Hide Protected Operating System Files check box. System Restore's program files are in %SystemRoot%\System32\Restore. Aside from the program file Rstrui.exe, you'll find the super-hidden file Filelist.xml, which lists the files and settings that System Restore monitors. Double-click this file to view the XML in Internet Explorer. It excludes a few legacy configuration files, for example Win.ini, System.ini, Autoexec.bat, and Config.sys. It excludes a few folders, too, most of which aren't important to the operating system's stability. What's interesting is the list of file extensions that it includes. System Restore protects everything from EXE and DLL files to VBS and VXD (virtual device driver) files. If a file matches one of the included file extensions and it's not in a folder that Filelist.xml excludes, System Restore monitors it. It also monitors the per-user hive files listed in the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
The actual restore points are in each volume's System Volume Information folder. This folder is also super hidden, so you'll need to select the Show Hidden Files And Folders option and then clear the Hide Protected Operating System Files check box to see it. To open it, you'll have to add your user account to the folder's ACL. I don't recommend you do this on a production computer, however, because you risk corrupting the file system. If you have a lab computer, go for it; otherwise, I'll describe this folder for you.
Each System Volume Information folder contains a subfolder called _restore{GUID}, where GUID is the computer's GUID. (See Chapter 1, “Learning the Basics.”) For example, my computer has _restore{4545302B-EA51-4100-A7E2-C7A37551AA83}. Beneath that folder is one folder for each restore point, called RPN, where N is an incremental number beginning with 1. RPN contains backup copies of changed and deleted files. In fact, I opened my latest restore point folder, deleted a program file, and watched as System Restore added it to the restore point. It also backs up files that change so it can restore those. System Restore changes the file names, so you won't find missing files or documents in there by their original names. This folder also contains a list of the changes that System Restore must apply to the computer to restore the checkpoint, including instructions for restoring backup files.
Each RPN folder contains a \snapshot subfolder, which holds backup copies of the registry's hive files. If you have access to System Volume Information, you can load these hive files in Regedit, examine them, or even recover settings from them. If you really need settings from these hive files, though, you're better off restoring them using System Restore. You can see System Volume Information in Figure 3-4; hopefully that will satisfy your curiosity enough to keep you out of it. The following is a list of the registry hive files you find in \snapshot:
- _REGISTRY_MACHINE_SAM
- _REGISTRY_MACHINE_SECURITY
- _REGISTRY_MACHINE_SOFTWARE
- _REGISTRY_MACHINE_SYSTEM
- _REGISTRY_USER_.DEFAULT
- _REGISTRY_USER_NTUSER_SID
- _REGISTRY_USER_USRCLASS_SID
Figure 3-4 System Restore backs up all the hive files so it can restore them if necessary.
Managing System Restore
System Restore has sparse management options. You can change how much disk space it uses, which I've already covered, and you can even disable it altogether. There's only one good time to disable System Restore, and that's when you install Windows XP on sluggish computers. System Restore consumes a small slice of your computer's resources as it monitors the file system for changes, and disabling it can recover those resources. To disable System Restore, click Start, Control Panel, Performance And Maintenance, and then click System to open the System Properties dialog box. On the System Restore tab, select the Turn Off System Restore check box. But unless the computer is painfully slow, leave System Restore alone.
Two policies for managing System Restore are available to IT professionals. The first is Turn off System Restore, which disables System Restore altogether. I know some administrators who haven't embraced System Restore yet, and they're disabling it in their organizations. Their concern is the amount of disk space it uses, the small performance penalty for using it, and the potential for restoring unwanted code such as viruses. If you don't want users to be able to configure System Restore, enable the Turn off Configuration policy, which locks the user interface so users can't change System Restore's configuration. Users can still create their own restore points, however. Both of these policies are per-computer administrative settings available in the Group Policy console under Computer Configuration\Administrative Templates\System\System Restore.
System Restore has a few other settings for which it doesn't provide a user interface or policy. These are mostly settings in the registry that control System Restore's schedule. You can build your own administrative template for these, however, which you learn about in Chapter 7, “Using Registry-Based Policy.” Chapter 7 also shows you how to enable policies.
Customizing System Restore
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is the key where you find all of System Restore's settings. Unless otherwise noted, all the settings in the following list are REG_DWORD values:
- CompressionBurst.
This value specifies, in seconds, the idle-time compression burst, that is, the amount of time System Restore spends compressing data after the computer becomes idle. System Restore can compress data for the amount of time specified, and then it must stop until the next time the computer becomes idle.
- DiskPercent and DSMax.
Together, these values specify how much disk space System Restore uses. System Restore uses the greater of the two values. Thus, for hard disks smaller than 4 gigabytes (GB), System Restore uses 400 MB, which is the default value of DSMax. For hard disks larger than 4 GB, System Restore uses 12 percent, which is the default value of DiskPercent.
- DSMin.
This value specifies the minimum amount of free disk space that System Restore requires during the installation process. This value also specifies the minimum amount of disk space that System Restore needs in order to be reactivated and resume the creation of restore points after Windows XP has disabled System Restore due to low disk space.
- RestoreStatus.
This value indicates whether the last restore operation failed (0x00), succeeded (0x01), or was interrupted (0x02).
- RPGlobalInterval.
This value specifies the amount of time in seconds that System Restore waits between creating system checkpoints. The default value is 24 hours (86,400 seconds), or 0x15180.
- RPLifeInterval.
This value specifies the time in seconds that System Restore keeps restore points before removing them from the computer. The default value is 0x76A700, or 90 days (7,776,000 seconds).
- RPSessionInterval.
This value specifies, in seconds, the amount of time that System Restore waits before it creates the system checkpoints while the computer is turned on. The default value is zero, disabling this feature. You can change this value to 0xE10 to create a restore point every hour that the computer is in use. On a computer that you customize often, such as a lab computer, you might create a restore point every hour.
- ThawInterval.
This value specifies, in seconds, the amount of time that System Restore waits before it reactivates itself after adequate disk space becomes available. Start the System Restore user interface, and it reactivates immediately.
It isn't useful to customize the remaining settings you find in SystemRestore, and Microsoft warns in no uncertain terms that you shouldn't change them. However, you can disable System Restore by setting DisableSR to 0x01; unlike disabling System Restore in the user interface, doing so doesn't remove the existing restore points. Editing the remaining settings can do bad things to your computer's performance, so limit yourself to the settings I described in this section.
Scripting System Restore
You can script System Restore using Windows Scripting Host (WSH) and Windows Management Instrumentation (WMI). Chapter 11, “Scripting Registry Changes,” describes in detail how to script registry edits. But perhaps you want to write scripts to automate System Restore specifically. These scripts give you more control over the creation of restore points than the registry settings in the previous section do.
Scripting System Restore relies on WMI and Srclient.dll, which is the System Restore client DLL. These scripts require administrative privileges, so members of the Users or Power Users groups can't run them. You can, however, schedule them in the Scheduled Tasks folder to run under an account that has those privileges. The following listing shows a script that automatically creates a restore point: it creates a System Restore object using WMI and then creates a restore point by calling the method CreateRestorePoint(). The first parameter is the name of the restore point; you should use a descriptive name that begins with a verb, such as Installed or Changed.
' Bind to the SystemRestore WMI class in the root\default namespace
Set SRP = GetObject("winmgmts:\\.\root\default:Systemrestore")
' Create the restore point: description, restore point type (0 = application install),
' event type (100 = beginning of a system change); the result is 0 on success
CSRP = SRP.CreateRestorePoint("Hacked the registry", 0, 100)
In addition to creating restore points, you can restore checkpoints using scripts. You can also configure System Restore, enable and disable it, or iterate through the list of restore points on the computer. For more information about System Restore's WMI classes, see http://msdn.microsoft.com/library/en-us/sr/sr/system_restore_wmi_classes.asp, which is the MSDN documentation for System Restore.
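As an added example that is not the book's own script, the following WSH script ties this section to the previous one: it lists the existing restore points, creates a manual checkpoint through the same SystemRestore WMI class, and only if that succeeds writes the RPSessionInterval value described under Customizing System Restore. The restore point type 12 (MODIFY_SETTINGS) and event type 100 come from the System Restore API; the description string and the 0xE10 value are my own choices.

```vbscript
' Added example (not from the book): take a manual checkpoint with WMI
' before a registry change, then apply the change only when the
' checkpoint succeeded. Must run with administrative privileges.
Option Explicit

Const RP_MODIFY_SETTINGS = 12    ' RestorePointType: a settings change
Const EVT_BEGIN_CHANGE   = 100   ' EventType: beginning of a system change
Const SR_KEY = "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"

Dim wmi, sr, rp, rc, shell
Set wmi = GetObject("winmgmts:\\.\root\default")
Set shell = CreateObject("WScript.Shell")

' 1. Show the checkpoints that already exist (sequence number, time, name).
For Each rp In wmi.InstancesOf("SystemRestore")
    WScript.Echo rp.SequenceNumber & vbTab & rp.CreationTime & vbTab & rp.Description
Next

' 2. Create the checkpoint. CreateRestorePoint returns 0 on success; anything
'    else (System Restore disabled, insufficient rights) must stop the script
'    before it touches the registry.
Set sr = wmi.Get("SystemRestore")
rc = sr.CreateRestorePoint("Changed System Restore schedule", RP_MODIFY_SETTINGS, EVT_BEGIN_CHANGE)
If rc <> 0 Then
    WScript.Echo "CreateRestorePoint failed with code " & rc & "; no changes made."
    WScript.Quit rc
End If

' 3. Safe to edit now: 0xE10 (3600) seconds = one checkpoint per hour of use.
shell.RegWrite SR_KEY & "RPSessionInterval", &HE10, "REG_DWORD"
WScript.Echo "RPSessionInterval is now " & shell.RegRead(SR_KEY & "RPSessionInterval")
```

If the change later proves unwanted, the checkpoint created in step 2 is the one to restore; its description appears in the System Restore calendar like any manual checkpoint.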