What is system Restore?

The System Restore feature of Microsoft Windows XP enables administrators to restore their computers to a previous state without losing personal data files (e.g. Word documents, graphic files, e-mail). System Restore actively monitors system file changes and some application file changes to record or store previous versions before the changes occurred. Users never have to think about taking system snapshots as System Restore automatically creates easily identifiable restore points, which the users can use to revert to a previous time. Restore points are created at the time of significant system events (such as application or driver install) and periodically (each day). Additionally, users can create and name their own restore points at any time. For more information, please see the System Restore document on TechNet.

Which version of Windows features System Restore?

System Restore is available in Windows Millennium (Me) and the Windows XP (Home and Professional) Operating Systems. However, this FAQ addresses questions and issues with System Restore in Windows XP only.

How is System Restore different from Backup?

System Restore monitors only a core set of specified system and application file types (e.g. .exe, .dll etc), while Backup Utility typically backs up all files including users personal data files, ensuring a safe copy stored either on the local disk or to another medium. System Restore does not monitor changes to or recover users' personal data files such as documents, graphics, e-mail, and so on. While system data contained in System Restore's restore points are available to restore to for only a limited period (restore points older than 90 days are deleted by default), backups made by the Backup Utility can be recovered at any time.

Do I need to do anything to ensure System Restore is propecting my system?

System Restore is enabled by default and runs after the successful completion of either the Windows XP Professional or Personal x86-version installation. It requires a minimum of 200 MB of free space available on the system partition. If 200 MB is not available, System Restore will install disabled and will enable itself automatically once the required disk space is available. With System Restore, you also never have to worry about taking system snapshots, as it will automatically create easily identifiable restore points, which allows you to revert to a previous time. Restore points are created at the time of significant system events (such as application or driver install) and periodically (each day). Additionally, you can create and name your own restore points at any time. You also never have to worry about System Restore filling up your hard drive with these restore points. By default, it only uses a maximum of 12% disk capacity and has an automatic restore point space management feature that purges the oldest restore points to make room for new ones, enabling recovery from any recent undesirable changes.

 Does System Restore cause any system proformance lose??

System Restore does not cause any noticeable performance impact when monitoring your computer. The creation of a Restore point also is a very fast process and usually takes only a few seconds. Scheduled System Checkpoints (every 24 hours by default) are created only at system idle time to avoid interfering with a computer during use.

 Who can use System Restore?

Only users with administrative rights can use System Restore to restore and adjust System Restore settings. However, the creation of automatic restore points (system checkpoints or event-driven restore points) on the computer takes place regardless of which user is logged onto the computer. If a non-admin user is logged on, system checkpoints or event driven checkpoints will still be created on that computer to ensure protection. However, only a user with admin privileges will be able to restore the computer.

 Why can't all users on my computer access the System Restore settings?

Only users with administrative rights can use System Restore to restore and adjust System Restore settings. However, the creation of automatic restore points (system checkpoints or event-driven restore points) on the computer takes place regardless of which user is logged onto the computer. If a non-admin user is logged on, system checkpoints or event driven checkpoints will still be created on that computer to ensure protection. However, only a user with admin privileges will be able to restore the computer.

 Does System Restore portect personal data files?

System Restore does not monitor changes to or recover personal data files such as Word documents, graphics, e-mail, etc.

 What files are monitored by System Restore?

System Restore monitors only a core set of specified system and application file types (e.g. .exe, .dll etc), archiving the states of these files before system changes are made. System Restore does not monitor any user/personal data files. To view the included files specified in System Restore, see Monitored File Extensions in the System Restore section of the Platform SDK. Modifications to this list from sources other than Microsoft are not supported.

 How does System Restore handle passwords?

System Restore handles passwords as follows:

Passwords Not Restored

Windows XP passwords and hints are not restored. This is by design to prevent confusion and being locked out of your computer if the restore point includes an unfamiliar or old password.

Microsoft Internet Explorer and Content Advisor passwords and hints are not restored. This is by design to prevent confusion problems that could occur when browsing the Internet, in the event that you restore your system to a point with an unfamiliar or old password.

Restored Passwords

Program passwords are restored, such as Windows Messenger, AOL Messenger, Yahoo! Messenger, and other Web server-based passwords. By design, the programs simply cache these passwords on the computer; the actual passwords are stored on a Web server. System Restore does not actually change the password, but it changes the password retained locally by the program. You still need to use the current password for the program to log on to the server.

Domain and computer passwords are cached and restored by System Restore. As System Restore only rolls back the local computer state and part of the joining domains data resides in Active Directory (which is not rolled back) the restored cached password will be updated to the current password as soon as the computer reconnects to the domain.

 Does System Restore uninstall my program if I restore to a point before my program was installed?

System Restore does not completely uninstall any program if restoring to a point prior to the program installation. As System Restore is based on an inclusionary model, any files added or modified by the installation (which is not monitored by System Restore) or added to or modified in a non-monitored drive will not be tracked. To remove all changes an installation may have made to the system, the user should first use the Add/Remove option in the control panel to remove the application prior to using System Restore. System Restore will undo all recorded changes made to the registry and monitored files caused by the application install, including:
Deleted or monitored files added to the system from the program installation

Undo modifications to monitored files made by the installation
Replacement of the current registry with the registry snapshot taken at the chosen restore point (some current values may persist)

 What is or is not restored on my computer when I use System Restore?

See below.
Restored:
Registry
Profiles (local only; roaming user profiles are not affected by restore)
COM+ DB
WFP.dll cache
WMI DB
IIS Metabase
File types monitored by System Restore as specified in the SDK document Monitored File Extensions

Not restored:

DRM settings

Passwords in the SAM hive

WPA settings (Windows authentication information is not restored)
Specific directories/files listed in the Monitored File Extensions list in the System Restore section of the Platform SDK e.g. 'My Documents' folder

Any file types not monitored by System Restore (.doc, .jpg, etc.)

Items listedinbothFilesnottobackupandKeysnottoRestore(hklm->system->controlset001->control->backuprestore->filesnottobackup and keysnottorestore) in the registry

User-created data stored in the user profile

Contents of redirected folders

 Why does System Restore delete some downloaded or saved files during a restore?

As System Restore monitors a core set of specified system and application file types, any downloaded or saved file which has an extension type monitored by System Restore (e.g. .exe, .dlls) and stored on a monitored drive will be lost if restoring to a point prior to the download or save. If you do not want to lose files with a monitored extension due to a restore, you should move these files to the My Documents folder or to a non-monitored partition not restored during a restore process. If you have unknowingly deleted some files due to a restore on your system, you can always recover them by undoing the restore process in question.

 When are Restore points created?

The user can manually create a restore point at any time on their computer using the System Restore Wizard.
Restore Points are also automatically created on your computer when:

Installing an unsigned device driver.

Installing System Restore compliant applications (Installing an application that uses Windows Installer, or Install Shield Pro version 7.0 or later, causes System Restore to create a restore point).

Installing an update by using Automatic Updates.

Performing a System Restore operation so the user can undo that restore operation if needed.

Restoring data from backup media using the Backup tool.

Creating daily restore points (System Restore creates a restore point every 24 hours if the computer is on or 24 hours have passed since the last restore point was created).

Can I make a System Restore permanently retain a restore point?

No. System Restore is change base tracking tool, not an imaging or backup tool. Each restore point only stores changes to the system since the creation of the previous restore point to minimize space usage and improve performance, and all restore points are associated.
Therefore, restoring the computer from the current state to a previous state requires the availability of all restore points.
For example, if a user wants to restore the computer from point D to point A, System Restore will evaluate the system change logs for points C, B, and If a restore point is permanent, space usage for storing the complete chain of restore points since the creation of the permanent restore point would become very large and impractical. System Restore also provides a space management feature to purge old restore points to make room for new ones, creating a rolling safety net. Restore points over 90 days are purged automatically by default.

How does an improper shutdown effect System Restore?

If an improper shutdown occurs, there is a small possibility that a restore could fail because System Restore may not have logged some file operations properly at the time of shutdown. If the restore fails, the system will be in the same state as before the restore was initiated.

How much disk space does System Restore use?

Disk space used by System Restore by default:

For drives greater than 4 GB, System Restore uses up to 12% of the disk space.

For drives less than 4 GB, System Restore by default only uses up to 400 MB of disk space.

The data store size is not a reserved space on the disk and the maximum size (to the max values defined above) is limited at any time by the amount of free space available on disk. Thus, if disk space use encroaches on the data store size, System Restore always yields its data store space to the system. For example, if the data store size is configured to 500 MB, of which 200 MB is already used, and the current free hard-disk space is only 150 MB, the effective size of the data store is 350 MB (200 + 150), not 500 MB.

Note that disk space usage can be adjusted at any time.

Does System Restore support scripting?

Yes. System Restore parameters are configurable remotely or locally by using a Windows Management Instrumentation (WMI) script. A WMI script can also be used to create restore points, list them, select a restore point to restore to, and view the status of a restore operation.

What does Windows XP Service Pack (SP1) do for System Restore?

The service pack provides several security and bug fixes for the Windows XP operating system including those for System Restore. Highlights of the key fixes for System Restore in the service pack include:

Fixes the issue where System Restore does not launch and displays the error "System restore was unable to start due to a missing Framedyn.dll. Please reinstall the application to fix this problem."
Fixes the issue where the System Restore tool on a Windows XP-based computer and the calendar on the left side of the "Choose a Restore Point" window is not displayed.
Fixes the restore process issue where users were encountering failed restores. Although some of this is attributed to file corruption in the System Restore data store, in many cases it was due to locked file issues (a file which system restore couldn't access cause it was locked out by another application or process) causing the restore process to fail, notably in situations where fast user switching was used.
Fixes the drive table inconsistency causing System Restore to not create restore points.
Several Security fixes for System Restore to protect against hackers and viruses.

The Microsoft System Restore team supports users in the Microsoft public newsgroups (please visit Public.WindowsXP.perform_maintain and
Microsoft.Public.WindowsXP.help_and_support) and encourages user feedback regarding the effectiveness of Windows XP Service Pack 1.

How-To Guide

How can I enable or disable System Restore?

Select Start followed by Control Panel, and double-click the System icon. Then:

1. Click the System Restore tab on the System dialog box

2. To enable, clear the Turn off System Restore check box

3. To disable, select the Turn off System Restore check box

4. Click OK when done

How can I disbale System Restore from monitoring a particular drive?

To disable System Restore from monitoring a particular drive, click Start followed by Control Panel and double click the System icon. Then click on the System Restore tab on the System dialog box. Depending on your disk setup, use the following instructions:

Single partition: Clear the Turn off system restore check box to disable System Restore.

Multiple disks or partitions: To prevent System Restore from monitoring a particular partition, click on the drive to disable and then the settings option. Clear the Turn off System Restore check box to disable monitoring the drive in question. You cannot disable monitoring of the system drive explicitly; you must disable System Restore for the entire system to prevent system drive monitoring.

How can I set the amount of space System Restore uses on my disk?

Select Start, then Control Panel and double-click the System icon. Then click on the System Restore tab on the dialog box. Depending on your disk setup, do the following:

Single partition: Adjust the space system restore uses on the disk by moving the slider left to decrease space usage, or right to increase space usage. The default maximum space usage is 12%.

Multiple partitions or multiple disks: Click on the drive you want to adjust in the available drives section on the System Restore page and then click the settings option. You can then adjust the space system restore uses on that drive by moving the slider to the left to decrease space usage, or right to increase space usage. The default maximum space usage is 12%. Repeat for each drive as necessary.

How do I determine the amount of space System Restore uses for restore points?

To determine the amount of space System Restore is using:

1. Click on Start, then My Computer.

2. Select the Tools pull-down menu, click on Folder Options, and then select the View tab.

3. In the Advanced settings option under Hidden files and folders, select Show hidden files and folders and clear the Hide protected operating system files check box, then Click OK.

4. Refer to the system drive where Windows is installed (C: for most users).

5. Double-click the System Volume Information folder.

6. Right-click on the _restore directory and select Properties.

7. The Size on Disk value is the amount of space System Restore is using for restore points.

8. Repeat as necessary for other drives monitored by System Restore.

If the computer is part of a domain and you do not have access to the System Volume Information folder, perform these additional steps following Step 4 above:

Right-click the System Volume Information folder and click the Properties option.

Select the Security tab and add your username to the user/group list with access to this folder.

Click OK and continue with Step 5 above.

How do I delete restore points in System Restore?

You can either delete all restore points except the latest one, or all the restore points.

To delete all restore points except the latest one, use the Disk Cleanup utility. Click Start, All Programs, Accessories, System Tools, and then Disk Cleanup. Click on the more options tab and then select Clean up in the System Restore dialog box.

To delete all the restore points on your computer, disable and re-enable system restore on the system. Click Start, Control Panel, and then the System icon. Click on the System Restore tab in the dialog box, select the Turn off System Restore check box, and click Apply. Clear the check box again to re-enable System Restore and then click OK.

You can reduce the number of restore points saved by decreasing the total amount of disk space available to System Restore. Note that less available disk space will decrease the relative number of restore points.

How do I use scripts in System Restore?

WMI scripts can be used to locally or remotely create or list restore points, select a restore point to restore to, view the status of a restore operation, and adjust system restore parameters. Please refer to the System Restore Scripting Samples document, which lists functions and parameter descriptions along with script samples provided as a guide to administrators who need local or remote access to the System Restore features and settings.

How do I remotely perform a System Restore?

You can perform a remote system restore using WMI scripts.

Troubleshooting

What should I do if System Restore does not work?

Try these steps if System Restore does not appear to work:

1. Ensure the System Restore service is running. For more information, see: How can I verify that the System Restore services are running on my machine?

2. Verify that you have enough free space on all your drives as required by System Restore. If the free space on any partition system restore is monitoring falls below 50 MB, System Restore will suspend and purge out all restore points to free up disk space. It will automatically reactivate when 200 MB+ free space is available. For more information, see How the System Restore Tool Handles Hard-Disk Space Usage.

3. Examine event logs for any system restore-related errors that could help you identify the problem.

Why is System Restore suspended when enough free space on the system drive exists?

Suspension can occur if:

A non-system drive with System Restore enabled has less than 50 MB of free disk space.

A copy, delete, modify operation was made to a file monitored by System Restore. This typically causes System Restore to suspend across the system.

When using System Restore, I receive the following message: 'System Restore was unable to start due to a missing Framedyn.dll. Please restall the application to fix this problem.' How do I fix this?

This event usually occurs when the Windows path is corrupt. To resolve this issue, begin by installing Windows XP Service Pack 1. Alternatively, you can temporarily address this issue by copying the framedyn.dll file from the \windows\system32\wbem directory to the \windows\system32 directory. If you cannot locate the .dll file in the …\Wbem folder, see Why can't I see system files such as .dll or .inf in Windows?

Why isn't System Restore creating automatic system checkpoints?

Typical reasons why checkpoints are not being created:

System Restore requires Task Scheduler to create system checkpoints. If Task Scheduler is disabled it will prevent System Restore from creating system checkpoints on a scheduled basis.

System Restore requires the computer to be in an idle state to create system checkpoints. This is by design so that System Restore does not interrupt a user by taking processing power. If computer is never idle, system checkpoints cannot be created. Also, check for any applications that run on the computer during idle periods, such as a virus scanner.

Another cause may be that the computer is in continual use for limited periods and then shut down or put into hibernation, preventing System Restore from creating restore points.

Why are my restore points missing or deleted?

If no free disk space on monitored system drive or on any of the available non-system drives exists, System Restore will purge restore points consistently across all monitored partitions to free disk space. If the free disk space falls below 50 MB on any monitored partition, System Restore will stop monitoring and suspend.
Note: Some users have reported that using the Real Player One utility has deleted restore points. Please review your System Event Viewer log for System Restore events for a volume error event. For more information, please visit the Microsoft.Public.WindowsXP.perform_maintain and Microsoft.Public.WindowsXP.help_and_support.

Why does System Restore display a blank calendar in Windows XP if no restore points exist?

This can occur if the file association for Hypertext Markup Language (HTML) component (.htc) files is not in the registry. This issue has been addressed in the Windows XP Service Pack 1. If the Service Pack is unavailable, see System Restore Tool Displays a Blank Calendar in Windows XP.

Why does the System Restore Wizard lockup when trying to create a restore point?

This can occur if the event log service is disabled on the computer. The user should enable the event log service and then try to create the restore point. To verify that the service is working, do the following:

1. Click Start, Control Panel, then Performance and Maintenance.

2. Click Administrative Tools, Computer Management, then Services and Applications.

3. Click Services, then Event Log Services. Ensure this service is set to Automatic and the status is Started.

Why do I lose my Remote Assistance access after using System Restore?

If you restore to a point before the Remote Assistance Ticket creation, the HelpAssistant account password is reset. The HelpAssistant account is the account that an administrator uses to log on and connect to a computer. This issue has been resolved in Windows XP Service Pack 1. If the service pack is unavailable, use Remote Assistance to create another ticket.

Why are previous restore points not working?

Possible causes for restore point failures:

Low free disk space on a System Restore monitored partition. Every restore process involves System Restore creating a restore point prior to the restore operation so that the user can undo the restore process. If you are experiencing failed restores, ensure that there is sufficient free disk space available on all the System Restore monitored partitions.

During the restore process, files to be replaced, moved, or deleted by System Restore are locked by the system or some application causing the restore to fail. This issue has been addressed in Windows XP Service Pack 1.

A corrupt restore point possibly caused by an inconsistency between the file entries in the System Restores file change log and those that are actually backed up or tracked by System Restore. Common causes for this issue:

An improper shutdown of the computer occurred while System Restore was adding an entry for a file to the System Restore change log for tracking. During the process of the file being copied or moved to the restore point directory or elsewhere in the system, a power outage or improper shutdown may have corrupted the process, creating an inconsistency in the change log. Similarly, an entry for the file exists in the change log but the file itself may be corrupt or missing.

Changes made to files on a system from another OS (in case of dual-boot OS scenarios). For example, changes to a key application or system files or simply moving a file System Restore was tracking from one location to another while logged onto a different OS. As System Restore cannot incorporate this change, an inconsistency exists.

Changes made to a System Restore tracked file on a removable drive for a restore point while the drive was connected to another computer. Similar to the above, System Restore cannot incorporate this change. It is important to note that all restore points are linked, therefore, any restore point created prior to the missing or corrupt restore point will also not function. For more information, please visit Microsoft public newsgroups Microsoft.Public.WindowsXP.perform_maintain and Microsoft.Public.WindowsXP.help_and_support.

What should I do if my anti-virus scanner cannot access the System Volume Information folder to remove a virus?

If the System Volume Information (SVI) folder is on a FAT partition and a virus infected file has been detected or copied to the data store before it was cleaned, the data store needs to be purged to remove the Restore Point with the infected file. To do this, the user should disable and then re-enable System Restore monitoring on that particular drive as specified in How can I disable System Restore from monitoring a particular drive? If the System Volume Information Folder is on an NTFS partition, the SVI directory can be accessed by a virus utility to clean an infected file as any other part of the file system.

Microsoft support is asking me to generate a .cab file for system restore. How do I do this?

To generate a system restore Cab file:

1. Click Start, then Run.

2. Type or paste: %windir%\system32\restore\srdiag.exe and click OK.

3. A command window will open while the Srdiag.exe runs. The command session will automatically close when complete, and the .cab file will be created in your Windows\system32\restore directory. This can take several minutes.

How do I look at the event logs to investigate any system restore errors?

To check event logs:

1. Click Start, Control Panel, then Performance and Maintenance.

2. Click Administrative Tools, Computer Management, double-click Event Viewer, then click System.

3. Click the Source tab to sort by name, and then type for "sr" or "srservice." Double-click each of these services, and then evaluate the event description for the cause of the problem.

Why is System Restore displaying duplicate drives with an offline status?

This problem can occur if you convert the disk from a basic disk to a dynamic disk.

Why isn't desktop wallpaper restored when using System Restore?

The image displayed on the desktop is a common image file and therefore not monitored by System Restore. System Restore does not restore common image files, as they could compromise the security of personal data.

Why isn't the compression on files or folders restore when using System Restore?

By design, System Restore does not record changes in compression, nor does it undo them, as changes in compression do not cause the system to fail.

Why aren't System Restore settings preserved during a reinstallation or upgrade?

Setup overwrites the existing settings so that System Restore is enabled after installation. In operating systems in which System Restore is not included, such as Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT Workstation, or Microsoft Windows 2000 Professional, System Restore will also be enabled by default on all drives.

How can I verify that the System Restore services are running on my computer?

Use the following procedure:

To verify that System Restore services are running from Control Panel:

1. Click Start, Control Panel, then Performance and Maintenance.

2. Click Administrative Tools, Computer Management, then Services and Applications.

3. Click Services, and then click System Restore Services. Ensure the service is set to Automatic and the status is Started


To verify that System Restore services are running using the command prompt:

1. Click Start, Run, then type CMD in the control box

2. Press Enter, then type Net Start at the command prompt

How can I verify that the Task Scheduler is running on my computer?

Use the following procedure:

To verify that Task Scheduler is running from Control Panel:

1. Click Start, click Control Panel, and then click "Performance and Maintenance".

2. Click Administrative Tools, click Computer Management, and then click Services and Applications.

3. Click Services, then Task Scheduler service to ensure the Service is set to Automatic and the status is Started.

To verify that Task Scheduler is running using the command prompt:

1. Click Start, Run, then type CMD in the control box.

2. Press Enter, then type Net Start at the command prompt to ensure that the Task Scheduler service is running.

Why can't I see system files such as .dll or .inf in Windows?

Windows hides all system files and files marked hidden by default. To view these files:

1. Click Start, then My Computer.

2. From the toolbar open the Tools menu, select Folder Options, then click the View tab.

3. In the Advanced settings option for Hidden files and folders, ensure the Show hidden files and folders option is selected and Hide protected operating system files is unchecked. Click OK.

4. You should now be able to see hidden and system files.

Additional Information

Where can I get more information about System Restore architecture and SDK information?

For System Restore architecture, see the MSDN white paper Microsoft Windows XP System Restore.
For SDK information, see the SDK document System Restore.

Diet Coupon

Back to Home Page