Frequently Asked Questions Regarding System
Restore in Windows XP
Click on the
Icon to Expand Answers.
Click Here to expand
all answers.
What is system
Restore?
The System Restore feature of
Microsoft Windows XP enables administrators to restore their
computers to a previous state without losing personal data files
(e.g. Word documents, graphic files, e-mail). System Restore
actively monitors system file changes and some application file
changes to record or store previous versions before the changes
occurred. Users never have to think about taking system snapshots
as System Restore automatically creates easily identifiable
restore points, which the users can use to revert to a previous
time. Restore points are created at the time of significant
system events (such as application or driver install) and
periodically (each day). Additionally, users can create and name
their own restore points at any time. For more information,
please see the System Restore
document on TechNet.
Which version
of Windows features System Restore?
System Restore is available
in Windows Millennium (Me) and the Windows XP (Home and
Professional) Operating Systems. However, this FAQ addresses
questions and issues with System Restore in Windows XP
only.
How is System
Restore different from Backup?
System Restore monitors only a
core set of specified system and application file types (e.g.
.exe, .dll etc), while Backup Utility typically backs up all
files including users personal data files, ensuring a safe copy
stored either on the local disk or to another medium. System
Restore does not monitor changes to or recover users'
personal data files such as documents, graphics, e-mail, and so
on. While system data contained in System Restore's restore
points are available to restore to for only a limited period
(restore points older than 90 days are deleted by default),
backups made by the Backup Utility can be recovered at any
time.
Do I need to do
anything to ensure System Restore is propecting my system?
System Restore is enabled by
default and runs after the successful completion of either the
Windows XP Professional or Personal x86-version installation. It
requires a minimum of 200 MB of free space available on the
system partition. If 200 MB is not available, System Restore will
install disabled and will enable itself automatically once the
required disk space is available. With System Restore, you also
never have to worry about taking system snapshots, as it will
automatically create easily identifiable restore points, which
allows you to revert to a previous time. Restore points are
created at the time of significant system events (such as
application or driver install) and periodically (each day).
Additionally, you can create and name your own restore points at
any time. You also never have to worry about System Restore
filling up your hard drive with these restore points. By default,
it only uses a maximum of 12% disk capacity and has an automatic
restore point space management feature that purges the oldest
restore points to make room for new ones, enabling recovery from
any recent undesirable changes.
Does
System Restore cause any system proformance lose??
System Restore does not cause
any noticeable performance impact when monitoring your computer.
The creation of a Restore point also is a very fast process and
usually takes only a few seconds. Scheduled System Checkpoints
(every 24 hours by default) are created only at system idle time
to avoid interfering with a computer during use.
Who can
use System Restore?
Only users with administrative
rights can use System Restore to restore and adjust System
Restore settings. However, the creation of automatic restore
points (system checkpoints or event-driven restore points) on the
computer takes place regardless of which user is logged onto the
computer. If a non-admin user is logged on, system checkpoints or
event driven checkpoints will still be created on that computer
to ensure protection. However, only a user with admin privileges
will be able to restore the computer.
Why
can't all users on my computer access the System Restore
settings?
Only users with administrative
rights can use System Restore to restore and adjust System
Restore settings. However, the creation of automatic restore
points (system checkpoints or event-driven restore points) on the
computer takes place regardless of which user is logged onto the
computer. If a non-admin user is logged on, system checkpoints or
event driven checkpoints will still be created on that computer
to ensure protection. However, only a user with admin privileges
will be able to restore the computer.
Does
System Restore portect personal data files?
System Restore does not
monitor changes to or recover personal data files such as Word
documents, graphics, e-mail, etc.
What
files are monitored by System Restore?
System Restore monitors only a
core set of specified system and application file types (e.g.
.exe, .dll etc), archiving the states of these files before
system changes are made. System Restore does not monitor any
user/personal data files. To view the included files specified in
System Restore, see
Monitored File Extensions in the System Restore section of
the Platform SDK. Modifications to this list from sources other
than Microsoft are not supported.
How does
System Restore handle passwords?
System Restore handles
passwords as follows:
Passwords Not Restored
Windows XP passwords and hints are not restored. This is by
design to prevent confusion and being locked out of your computer
if the restore point includes an unfamiliar or old password.
Microsoft Internet Explorer and Content Advisor passwords and
hints are not restored. This is by design to prevent confusion
problems that could occur when browsing the Internet, in the
event that you restore your system to a point with an unfamiliar
or old password.
Restored Passwords
Program passwords are restored, such as Windows Messenger, AOL
Messenger, Yahoo! Messenger, and other Web server-based
passwords. By design, the programs simply cache these passwords
on the computer; the actual passwords are stored on a Web server.
System Restore does not actually change the password, but it
changes the password retained locally by the program. You still
need to use the current password for the program to log on to the
server.
Domain and computer passwords are cached and restored by System
Restore. As System Restore only rolls back the local computer
state and part of the joining domains data resides in Active
Directory (which is not rolled back) the restored cached password
will be updated to the current password as soon as the computer
reconnects to the domain.
Does
System Restore uninstall my program if I restore to a point
before my program was installed?
System Restore does not
completely uninstall any program if restoring to a point prior to
the program installation. As System Restore is based on an
inclusionary model, any files added or modified by the
installation (which is not monitored by System Restore) or added
to or modified in a non-monitored drive will not be tracked. To
remove all changes an installation may have made to the system,
the user should first use the Add/Remove option in the control
panel to remove the application prior to using System Restore.
System Restore will undo all recorded changes made to the
registry and monitored files caused by the application install,
including:
Deleted or monitored files added to the system from the program
installation
Undo modifications to monitored files made by the
installation
Replacement of the current registry with the registry snapshot
taken at the chosen restore point (some current values may
persist)
What is
or is not restored on my computer when I use System Restore?
See below.
Restored:
Registry
Profiles (local only; roaming user profiles are not affected by
restore)
COM+ DB
WFP.dll cache
WMI DB
IIS Metabase
File types monitored by System Restore as specified in the SDK
document
Monitored File Extensions
Not restored:
DRM settings
Passwords in the SAM hive
WPA settings (Windows authentication information is not
restored)
Specific directories/files listed in the Monitored File
Extensions list in the System Restore section of the Platform SDK
e.g. 'My Documents' folder
Any file types not monitored by System Restore (.doc, .jpg,
etc.)
Items
listedinbothFilesnottobackupandKeysnottoRestore(hklm->system->controlset001->control->backuprestore->filesnottobackup
and keysnottorestore) in the registry
User-created data stored in the user profile
Contents of redirected folders
Why does
System Restore delete some downloaded or saved files during a
restore?
As System Restore monitors a
core set of specified system and application file types, any
downloaded or saved file which has an extension type monitored by
System Restore (e.g. .exe, .dlls) and stored on a monitored drive
will be lost if restoring to a point prior to the download or
save. If you do not want to lose files with a monitored extension
due to a restore, you should move these files to the My Documents
folder or to a non-monitored partition not restored during a
restore process. If you have unknowingly deleted some files due
to a restore on your system, you can always recover them by
undoing the restore process in question.
When are
Restore points created?
The user can manually create a
restore point at any time on their computer using the System
Restore Wizard.
Restore Points are also automatically created on your computer
when:
Installing an unsigned device driver.
Installing System Restore compliant applications (Installing an
application that uses Windows Installer, or Install Shield Pro
version 7.0 or later, causes System Restore to create a restore
point).
Installing an update by using Automatic Updates.
Performing a System Restore operation so the user can undo that
restore operation if needed.
Restoring data from backup media using the Backup tool.
Creating daily restore points (System Restore creates a restore
point every 24 hours if the computer is on or 24 hours have
passed since the last restore point was created).
Can I make a
System Restore permanently retain a restore point?
No. System Restore is
change base tracking tool, not an imaging or backup tool. Each
restore point only stores changes to the system since the
creation of the previous restore point to minimize space usage
and improve performance, and all restore points are
associated.
Therefore, restoring the computer from the current state to a
previous state requires the availability of all restore
points.
For example, if a user wants to restore the computer from point D
to point A, System Restore will evaluate the system change logs
for points C, B, and If a restore point is permanent, space usage
for storing the complete chain of restore points since the
creation of the permanent restore point would become very large
and impractical. System Restore also provides a space management
feature to purge old restore points to make room for new ones,
creating a rolling safety net. Restore points over 90 days are
purged automatically by default.
How does an
improper shutdown effect System Restore?
If an improper shutdown
occurs, there is a small possibility that a restore could fail
because System Restore may not have logged some file operations
properly at the time of shutdown. If the restore fails, the
system will be in the same state as before the restore was
initiated.
How much disk
space does System Restore use?
Disk space used by System
Restore by default:
For drives greater than 4 GB, System Restore uses up to 12% of
the disk space.
For drives less than 4 GB, System Restore by default only uses up
to 400 MB of disk space.
The data store size is not a reserved space on the disk and the
maximum size (to the max values defined above) is limited at any
time by the amount of free space available on disk. Thus, if disk
space use encroaches on the data store size, System Restore
always yields its data store space to the system. For example, if
the data store size is configured to 500 MB, of which 200 MB is
already used, and the current free hard-disk space is only 150
MB, the effective size of the data store is 350 MB (200 + 150),
not 500 MB.
Note that disk space usage can be adjusted at any
time.
Does System
Restore support scripting?
Yes. System Restore parameters
are configurable remotely or locally by using a Windows
Management Instrumentation (WMI) script. A WMI script can also be
used to create restore points, list them, select a restore point
to restore to, and view the status of a restore operation.
What does
Windows XP Service Pack (SP1) do for System Restore?
The service pack provides
several security and bug fixes for the Windows XP operating
system including those for System Restore. Highlights of the key
fixes for System Restore in the service pack include:
Fixes the issue where System Restore does not launch and displays
the error "System restore was unable to start due to a
missing Framedyn.dll. Please reinstall the application to fix
this problem."
Fixes the issue where the System Restore tool on a Windows
XP-based computer and the calendar on the left side of the
"Choose a Restore Point" window is not displayed.
Fixes the restore process issue where users were encountering
failed restores. Although some of this is attributed to file
corruption in the System Restore data store, in many cases it was
due to locked file issues (a file which system restore
couldn't access cause it was locked out by another
application or process) causing the restore process to fail,
notably in situations where fast user switching was used.
Fixes the drive table inconsistency causing System Restore to not
create restore points.
Several Security fixes for System Restore to protect against
hackers and viruses.
The Microsoft System Restore team supports users in the Microsoft
public newsgroups (please visit
Public.WindowsXP.perform_maintain and
Microsoft.Public.WindowsXP.help_and_support) and encourages
user feedback regarding the effectiveness of
Windows XP Service Pack 1.
How-To Guide
How can I
enable or disable System Restore?
Select Start followed
by Control Panel, and double-click the System icon.
Then:
1. Click the System Restore tab on the System dialog
box
2. To enable, clear the Turn off System Restore check
box
3. To disable, select the Turn off System Restore check
box
4. Click OK when done
How can I
disbale System Restore from monitoring a particular drive?
To disable System Restore from
monitoring a particular drive, click Start followed by
Control Panel and double click the System icon. Then
click on the System Restore tab on the System dialog box.
Depending on your disk setup, use the following instructions:
Single partition: Clear the Turn off system restore check
box to disable System Restore.
Multiple disks or partitions: To prevent System Restore from
monitoring a particular partition, click on the drive to disable
and then the settings option. Clear the Turn off System
Restore check box to disable monitoring the drive in
question. You cannot disable monitoring of the system drive
explicitly; you must disable System Restore for the entire system
to prevent system drive monitoring.
How can I set
the amount of space System Restore uses on my disk?
Select Start, then
Control Panel and double-click the System icon. Then
click on the System Restore tab on the dialog box.
Depending on your disk setup, do the following:
Single partition: Adjust the space system restore uses on the
disk by moving the slider left to decrease space usage, or right
to increase space usage. The default maximum space usage is
12%.
Multiple partitions or multiple disks: Click on the drive you
want to adjust in the available drives section on the System
Restore page and then click the settings option. You can then
adjust the space system restore uses on that drive by moving the
slider to the left to decrease space usage, or right to increase
space usage. The default maximum space usage is 12%. Repeat for
each drive as necessary.
How do I
determine the amount of space System Restore uses for restore
points?
To determine the amount of
space System Restore is using:
1. Click on Start, then My Computer.
2. Select the Tools> pull-down menu, click on Folder
Options, and then select the View tab.
3. In the Advanced settings option under Hidden files
and folders, select Show hidden files and folders and
clear the Hide protected operating system files check box,
then Click OK.
4. Refer to the system drive where Windows is installed (C: for
most users).
5. Double-click the System Volume Information folder.
6. Right-click on the _restore directory and select
Properties.
7. The Size on Disk value is the amount of space System Restore
is using for restore points.
8. Repeat as necessary for other drives monitored by System
Restore.
If the computer is part of a domain and you do not have access to
the System Volume Information folder, perform these additional
steps following Step 4 above:
Right-click the System Volume Information folder and
click the Properties option.
Select the Security tab and add your username to the
user/group list with access to this folder.
Click OK and continue with Step 5 above.
How do I delete
restore points in System Restore?
You can either delete all
restore points except the latest one, or all the restore
points.
To delete all restore points except the latest one, use the Disk
Cleanup utility. Click Start, All Programs, Accessories,
System Tools, and then Disk Cleanup. Click on the
more options tab and then select Clean up in the
System Restore dialog box.
To delete all the restore points on your computer, disable and
re-enable system restore on the system. Click Start, Control
Panel, and then the System icon. Click on the
System Restore tab in the dialog box, select the Turn off
System Restore check box, and click Apply. Clear the
check box again to re-enable System Restore and then click
OK.
You can reduce the number of restore points saved by decreasing
the total amount of disk space available to System Restore. Note
that less available disk space will decrease the relative number
of restore points.
How do I use
scripts in System Restore?
WMI scripts can be used to
locally or remotely create or list restore points, select a
restore point to restore to, view the status of a restore
operation, and adjust system restore parameters. Please refer to
the System Restore
Scripting Samples document, which lists functions and
parameter descriptions along with script samples provided as a
guide to administrators who need local or remote access to the
System Restore features and settings.
How do I
remotely perform a System Restore?
You can perform a remote
system restore using WMI scripts.
Troubleshooting
What should I
do if System Restore does not work?
Try these steps if System
Restore does not appear to work:
1. Ensure the System Restore service is running. For more
information, see: How can I verify that the System Restore
services are running on my machine?
2. Verify that you have enough free space on all your drives as
required by System Restore. If the free space on any partition
system restore is monitoring falls below 50 MB, System Restore
will suspend and purge out all restore points to free up disk
space. It will automatically reactivate when 200 MB+ free space
is available. For more information, see How the System Restore
Tool Handles Hard-Disk Space Usage.
3. Examine event logs for any system restore-related errors that
could help you identify the problem.
Why is System
Restore suspended when enough free space on the system drive
exists?
Suspension can occur if:
A non-system drive with System Restore enabled has less than 50
MB of free disk space.
A copy, delete, modify operation was made to a file monitored by
System Restore. This typically causes System Restore to suspend
across the system.
When using
System Restore, I receive the following message: 'System
Restore was unable to start due to a missing Framedyn.dll. Please
restall the application to fix this problem.' How do I fix
this?
This event usually occurs when
the Windows path is corrupt. To resolve this issue, begin by
installing
Windows XP Service Pack 1. Alternatively, you can temporarily
address this issue by copying the framedyn.dll file from the
\windows\system32\wbem directory to the \windows\system32
directory. If you cannot locate the .dll file in the
…\Wbem folder, see Why can't I see system files such
as .dll or .inf in Windows?
Why isn't
System Restore creating automatic system checkpoints?
Typical reasons why
checkpoints are not being created:
System Restore requires Task Scheduler to create system
checkpoints. If Task Scheduler is disabled it will prevent System
Restore from creating system checkpoints on a scheduled
basis.
System Restore requires the computer to be in an idle state to
create system checkpoints. This is by design so that System
Restore does not interrupt a user by taking processing power. If
computer is never idle, system checkpoints cannot be created.
Also, check for any applications that run on the computer during
idle periods, such as a virus scanner.
Another cause may be that the computer is in continual use for
limited periods and then shut down or put into hibernation,
preventing System Restore from creating restore points.
Why are my
restore points missing or deleted?
If no free disk space on
monitored system drive or on any of the available non-system
drives exists, System Restore will purge restore points
consistently across all monitored partitions to free disk space.
If the free disk space falls below 50 MB on any monitored
partition, System Restore will stop monitoring and suspend.
Note: Some users have reported that using the Real Player
One utility has deleted restore points. Please review your System
Event Viewer log for System Restore events for a volume error
event. For more information, please visit the
Microsoft.Public.WindowsXP.perform_maintain and
Microsoft.Public.WindowsXP.help_and_support.
Why does System
Restore display a blank calendar in Windows XP if no restore
points exist?
This can occur if the file
association for Hypertext Markup Language (HTML) component (.htc)
files is not in the registry. This issue has been addressed in
the
Windows XP Service Pack 1. If the Service Pack is
unavailable, see System Restore Tool Displays a Blank Calendar in
Windows XP.
Why does the
System Restore Wizard lockup when trying to create a restore
point?
This can occur if the event
log service is disabled on the computer. The user should enable
the event log service and then try to create the restore point.
To verify that the service is working, do the following:
1. Click Start, Control Panel, then Performance and
Maintenance.
2. Click Administrative Tools, Computer Management, then Services
and Applications.
3. Click Services, then Event Log Services. Ensure this service
is set to Automatic and the status is Started.
Why do I lose
my Remote Assistance access after using System Restore?
If you restore to a point
before the Remote Assistance Ticket creation, the HelpAssistant
account password is reset. The HelpAssistant account is the
account that an administrator uses to log on and connect to a
computer. This issue has been resolved in Windows XP Service Pack
1. If the service pack is unavailable, use Remote Assistance to
create another ticket.
Why are
previous restore points not working?
Possible causes for restore
point failures:
Low free disk space on a System Restore monitored partition.
Every restore process involves System Restore creating a restore
point prior to the restore operation so that the user can undo
the restore process. If you are experiencing failed restores,
ensure that there is sufficient free disk space available on all
the System Restore monitored partitions.
During the restore process, files to be replaced, moved, or
deleted by System Restore are locked by the system or some
application causing the restore to fail. This issue has been
addressed in
Windows XP Service Pack 1.
A corrupt restore point possibly caused by an inconsistency
between the file entries in the System Restores file change log
and those that are actually backed up or tracked by System
Restore. Common causes for this issue:
An improper shutdown of the computer occurred while System
Restore was adding an entry for a file to the System Restore
change log for tracking. During the process of the file being
copied or moved to the restore point directory or elsewhere in
the system, a power outage or improper shutdown may have
corrupted the process, creating an inconsistency in the change
log. Similarly, an entry for the file exists in the change log
but the file itself may be corrupt or missing.
Changes made to files on a system from another OS (in case of
dual-boot OS scenarios). For example, changes to a key
application or system files or simply moving a file System
Restore was tracking from one location to another while logged
onto a different OS. As System Restore cannot incorporate this
change, an inconsistency exists.
Changes made to a System Restore tracked file on a removable
drive for a restore point while the drive was connected to
another computer. Similar to the above, System Restore cannot
incorporate this change. It is important to note that all restore
points are linked, therefore, any restore point created prior to
the missing or corrupt restore point will also not function. For
more information, please visit Microsoft public newsgroups
Microsoft.Public.WindowsXP.perform_maintain and
Microsoft.Public.WindowsXP.help_and_support.
What should I
do if my anti-virus scanner cannot access the System Volume
Information folder to remove a virus?
If the System Volume
Information (SVI) folder is on a FAT partition and a virus
infected file has been detected or copied to the data store
before it was cleaned, the data store needs to be purged to
remove the Restore Point with the infected file. To do this, the
user should disable and then re-enable System Restore monitoring
on that particular drive as specified in How can I disable System
Restore from monitoring a particular drive? If the System Volume
Information Folder is on an NTFS partition, the SVI directory can
be accessed by a virus utility to clean an infected file as any
other part of the file system.
Microsoft
support is asking me to generate a .cab file for system restore.
How do I do this?
To generate a system restore
Cab file:
1. Click Start, then Run.
2. Type or paste: %windir%\system32\restore\srdiag.exe and
click OK.
3. A command window will open while the Srdiag.exe runs. The
command session will automatically close when complete, and the
.cab file will be created in your Windows\system32\restore
directory. This can take several minutes.
How do I look
at the event logs to investigate any system restore errors?
To check event logs:
1. Click Start, Control Panel, then Performance and
Maintenance.
2. Click Administrative Tools, Computer Management,
double-click Event Viewer, then click System.
3. Click the Source tab to sort by name, and then type for
"sr" or "srservice." Double-click each of
these services, and then evaluate the event description for the
cause of the problem.
Why is System
Restore displaying duplicate drives with an offline status?
This problem can occur if you
convert the disk from a basic disk to a dynamic disk.
Why isn't
desktop wallpaper restored when using System Restore?
The image displayed on the
desktop is a common image file and therefore not monitored by
System Restore. System Restore does not restore common image
files, as they could compromise the security of personal
data.
Why isn't
the compression on files or folders restore when using System
Restore?
By design, System Restore does
not record changes in compression, nor does it undo them, as
changes in compression do not cause the system to fail.
Why aren't
System Restore settings preserved during a reinstallation or
upgrade?
Setup overwrites the existing
settings so that System Restore is enabled after installation. In
operating systems in which System Restore is not included, such
as Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows
NT Workstation, or Microsoft Windows 2000 Professional, System
Restore will also be enabled by default on all drives.
How can I
verify that the System Restore services are running on my
computer?
Use the following
procedure:
To verify that System Restore services are running from Control
Panel:
1. Click Start, Control Panel, then Performance and
Maintenance.
2. Click Administrative Tools, Computer Management, then
Services and Applications.
3. Click Services, and then click System Restore
Services. Ensure the service is set to Automatic and the
status is Started
To verify that System Restore services are running using the
command prompt:
1. Click Start, Run, then type CMD in the control
box
2. Press Enter, then type Net Start at the command
prompt
How can I
verify that the Task Scheduler is running on my computer?
Use the following
procedure:
To verify that Task Scheduler is running from Control Panel:
1. Click Start, click Control Panel, and then click
"Performance and Maintenance".
2. Click Administrative Tools, click Computer Management,
and then click Services and Applications.
3. Click Services, then Task Scheduler service to
ensure the Service is set to Automatic and the status is
Started.
To verify that Task Scheduler is running using the command
prompt:
1. Click Start, Run, then type CMD in the control
box.
2. Press Enter, then type Net Start at the command
prompt to ensure that the Task Scheduler service is
running.
Why can't I
see system files such as .dll or .inf in Windows?
Windows hides all system files
and files marked hidden by default. To view these files:
1. Click Start, then My Computer.
2. From the toolbar open the Tools menu, select Folder
Options, then click the View tab.
3. In the Advanced settings option for Hidden files
and folders, ensure the Show hidden files and folders
option is selected and Hide protected operating system
files is unchecked. Click OK.
4. You should now be able to see hidden and system files.
Additional Information
Where can I get
more information about System Restore architecture and SDK
information?
For System Restore
architecture, see the MSDN white paper
Microsoft Windows XP System Restore.
For SDK information, see the SDK document
System Restore.
Back to Home
Page
Webmaster: Paul Menard
Send E-mail or Feedback
