System Restore

System Restore is a feature in Microsoft Windows that allows the user to revert their computer's state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time, which can be used to recover from system malfunctions or other problems. First included in Windows ME, it has been included in all subsequent desktop versions of Windows, excluding the Windows Server

In prior Windows versions it was based on a file filter that watched changes for a certain set of file extensions, and then copied files before they were overwritten. An updated version of System Restore introduced by Windows Vista uses the Shadow Copy service as a backend (allowing block-level changes in files located in any directory on the volume to be monitored and backed up) and allows System Restore to be used from the Windows Recovery Environment in case the Windows installation no longer boots at all.

Overview
In System Restore, the user may create a new restore point manually (as opposed to the system creating one automatically), roll back to an existing restore point, or change the System Restore configuration. Moreover, the restore itself can be undone. Old restore points are discarded in order to keep the volume's usage within the specified amount. For many users, this can provide restore points covering the past several weeks. Users concerned with performance or space usage may also opt to disable System Restore entirely. Files stored on volumes not monitored by System Restore are never backed up or restored.

System Restore backs up system files of certain extensions (.exe, .dll, etc.) and saves them for later recovery and use. It also backs up the registry and most drivers.

Resources monitored
The following resources are backed up:
 * Registry
 * Files in the Windows File Protection (Dllcache) folder (under Windows XP). On Windows Vista and later versions, all system file types are monitored on all paths on a volume.
 * Local user profile
 * COM+ and WMI Databases
 * IIS Metabase
 * Specific file types monitored

The list of file types and directories to be included or excluded from monitoring by System Restore can be customized on Windows Me and Windows XP by editing %windir%\system32\restore\Filelist.xml.

Disk space consumption
The amount of disk space System Restore consumes can be configured. Starting with Windows XP, the disk space allotted is configurable per volume and the data stores are also stored per volume. Files are stored using NTFS compression and a Disk Cleanup handler allows deleting all but the most recent Restore Point to free up disk space. System Restore can be disabled completely to regain disk space. It automatically disables itself if the disk free space is too low for it to operate.

Restore points
Restore points are created:
 * When software is installed using the Windows Installer, Package Installer or other installers which are aware of System Restore.
 * When Windows Update installs new updates to Windows.
 * When the user installs a driver that is not digitally signed by Windows Hardware Quality Labs.
 * On Windows XP or Windows Vista, every 24 hours of computer use or when the operating system starts after being off for more than 24 hours (10 hours in Windows Me), or every 24 hours of calendar time, whichever happens first. This setting is configurable through the registry or using the deployment tools on Windows XP. Such a restore point is known as a system checkpoint. System Restore requires Task Scheduler to create system checkpoints. Moreover, system checkpoints are only created if the system is idle for a certain amount of time. In Windows 7, automatic Restore Points are created only once every seven days; however, a script can be used to silently create Restore Points more frequently.
 * When the user manually creates a Restore Point.

In Windows XP, restore point files are stored in a hidden folder named 'System Volume Information' on the root of every drive, partition or volume, including most external drives, and some USB flash drives. On drives or partitions that are not monitored by System Restore, this folder will be very small in size or completely empty, unless Encrypting File System is in use or the Indexing Service is turned on. If the System Volume Information folder is deleted, it will be recreated automatically.

Older restore points are deleted as per the configured space constraint on a First In, First Out basis.

Implementation differences
There are considerable differences between how System Restore works under Windows XP and later Windows versions.


 * Configuration UI - In Windows XP, there is a graphical slider to configure the amount of disk space allotted to System Restore. In Windows Vista, the GUI to configure the disk space utilized for System Restore points is not available. Using the command-line tool Vssadmin.exe or by editing the appropriate registry key, the space reserved can be adjusted. The GUI to configure disk space is available once again, starting with Windows 7.


 * Maximum space - In Windows XP, System Restore can be configured to use up to a maximum of 12% of the volume's space for most disk sizes; however, this may be less depending on the volume's size. Restore points over 90 days old are automatically deleted, as specified by the registry value RPLifeInterval (Time to Live - TTL) default value of 7776000 seconds. In Windows Vista and later, System Restore is designed for larger volumes. By default, it uses 15% of the volume's space.


 * File paths monitored - Up to Windows XP, files are backed up only from certain directories. On Windows Vista and later, this set of files is defined by monitored extensions outside of the Windows folder, and everything under the Windows folder.


 * File types monitored - Up to Windows XP, it excludes any file types used for users' personal data files, such as documents, digital photographs, media files, e-mail, etc. It also excludes the monitored set of file types (.DLL, .EXE etc.) from folders such as My Documents. Microsoft recommends that if a user is unsure as to whether certain files will be modified by a rollback, they should keep those files under My Documents. When a rollback is performed, the files that were being monitored by System Restore are restored and newly created folders are removed. However, on Windows Vista and later, it excludes only document file types; it does not exclude any monitored system file type, whatever its location, and operates on the entire volume.


 * Configuring advanced System Restore settings - In Windows XP only, several System Restore settings can be configured via the Registry. System Restore in Windows Vista and later versions no longer supports configuring its settings through the registry. File types and file paths can also no longer be included or excluded from monitoring by System Restore by editing %windir%\system32\restore\Filelist.xml as was possible in Windows XP. This file no longer exists in Windows Vista and later.


 * FAT32 volume support - In Windows XP, System Restore works on FAT32 volumes and can be enabled for smaller disks, less than 1 GB. On Windows Vista and later, System Restore does not work on FAT32 disks and cannot be enabled on disks smaller than 1 GB.

Restoring the system
Up to Windows XP, the system can be restored as long as it is in an online state, that is, as long as Windows boots normally or from Safe mode. It is not possible to restore the system if Windows is unbootable. Under Windows Vista and later, the Windows Recovery Environment can be used to launch System Restore and restore a system in an offline state, that is, in case the Windows installation is unbootable. However, for all operating systems including Windows XP, the Diagnostics and Recovery Toolset (DaRT) tools from the Microsoft Desktop Optimization Pack can be used to create a bootable recovery disc that can log on to an unbootable Windows installation and start System Restore.

Limitations & complications
A bug exists in System Restore that shipped with Windows Millennium Edition wherein the rollback procedure does not work after 8 September 2001 due to the limitations of the algorithm used to generate checkpoints. Microsoft had created an update to address this issue.

A limitation which applies to System Restore in Windows versions prior to Windows Vista is that only certain file types and files in certain locations on the volume are monitored; therefore, unwanted software installations and especially in-place software upgrades may be incompletely reverted by System Restore. Consequently, there may be little or no practical beneficial impact. Certain issues may also arise when attempting to run or completely uninstall that application. In contrast, various other utilities have been designed to provide much more complete reversal of system changes including software upgrades. However, beginning with Windows Vista, System Restore monitors all system file types on all file paths on a given volume, so there is no issue of incomplete restoration.

It is not possible to create a permanent restore point. All restore points will eventually be deleted after the time specified in the RPLifeInterval registry setting is reached or earlier if allotted disk space is insufficient. Even if no user- or software-triggered restore points are generated, allotted disk space is consumed by automatic restore points. Consequently, in systems with little space allocated, if a user does not notice a new problem within a few days, it may be too late to restore to a configuration from before the problem arose.
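The retention behaviour described above and under "Restore points" (space cap, RPLifeInterval, first in, first out deletion) can be modelled to estimate how far back a rollback can reach. This is an added example, not code from Windows or from the original page. The names RestoreStore, simulate, recovery_window_days and clean_point_survives are hypothetical, and the one-checkpoint-per-day schedule and fixed restore point sizes are assumptions.

```python
from dataclasses import dataclass, field

DAY = 86_400
RP_LIFE_INTERVAL = 7_776_000  # seconds; the XP default TTL quoted on this page (90 days)

@dataclass
class RestoreStore:
    """Toy per-volume store: space cap as a fraction of the volume, TTL, FIFO eviction."""
    volume_bytes: int
    max_fraction: float = 0.12          # Windows XP maximum quoted on this page
    ttl: int = RP_LIFE_INTERVAL
    points: list = field(default_factory=list)  # (created_seconds, size_bytes), oldest first

    def expire(self, now):
        # Drop restore points whose age exceeds the TTL.
        self.points = [p for p in self.points if now - p[0] <= self.ttl]

    def add(self, created, size):
        self.expire(created)
        self.points.append((created, size))
        cap = int(self.volume_bytes * self.max_fraction)
        # First in, first out: evict the oldest until usage fits (the newest is always kept).
        while len(self.points) > 1 and sum(s for _, s in self.points) > cap:
            self.points.pop(0)

def simulate(volume_bytes, point_bytes, last_day):
    """One checkpoint per day on days 0..last_day; sizes are constructed sample values."""
    store = RestoreStore(volume_bytes)
    for day in range(last_day + 1):
        store.add(day * DAY, point_bytes)
    return store

def recovery_window_days(volume_bytes, point_bytes, last_day):
    """Age in days of the oldest restore point still available on last_day."""
    store = simulate(volume_bytes, point_bytes, last_day)
    return (last_day * DAY - store.points[0][0]) // DAY

def clean_point_survives(volume_bytes, point_bytes, problem_day, noticed_day):
    """True if a point taken before problem_day still exists when the problem is noticed."""
    store = simulate(volume_bytes, point_bytes, noticed_day)
    return any(created < problem_day * DAY for created, _ in store.points)

if __name__ == "__main__":
    GIB, MIB = 2**30, 2**20
    print(recovery_window_days(10 * GIB, 300 * MIB, 29))      # small volume: space-bound
    print(recovery_window_days(1024 * GIB, 10 * MIB, 199))    # large volume: TTL-bound
    print(clean_point_survives(10 * GIB, 300 * MIB, 10, 14))  # problem noticed 4 days late
```

On the small constructed volume only four restore points fit, so a problem that goes unnoticed for four days has already pushed out every earlier point; on the large one the 90-day TTL is the limit instead.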

For data integrity purposes, System Restore does not allow other applications or users to modify or delete files in the directory where the restore points are saved. On NTFS volumes, the Restore Points are protected using ACLs. Since its method of backup is fairly simplistic, it may end up archiving malware such as viruses, for example in a restore point created before using antivirus software to clean an infection. Antivirus software is usually unable to remove infected files from System Restore; the only way to actually delete the infected files is to disable System Restore, which will result in losing all saved restore points; otherwise they will remain until Windows deletes the affected restore points. However, stored infected files in themselves are harmless unless executed; they will only pose a threat if the affected restore point is reinstated. Windows System Restore is not compatible with restore points made by third-party applications.

Changes made to a volume from another OS (in case of dual-boot OS scenarios) cannot be monitored. Also, a compatibility issue exists with System Restore when dual-booting Windows XP/Windows Server 2003 and Windows Vista or later operating systems which makes System Restore unusable in a dual-boot scenario. Specifically, the shadow copies on the volume are deleted when the older operating system accesses (and therefore mounts) that NTFS volume. This happens because the older operating system does not recognize the newer format of persistent shadow copies.