System Restore returns your computer to a previous state without losing recent personal information, such as documents, history lists, favorites, or e-mail. System Restore is only available in Windows XP. It monitors the computer and many applications for changes and creates restore points. I call these restore points snapshots, but they're really instructions for undoing recent changes. You restore these snapshots when your configuration isn't working. By default, Windows XP creates restore points daily and when significant events such as installing an application or device driver occur. System Restore is ideal for serious work in the registry because you can create your own restore points any time you like. You can also change the snapshot schedule or even script System Restore, as I'll show you.
System Restore requires at least 200 megabytes (MB) of available disk space. If 200 MB of space isn't available, Windows XP disables System Restore. By default, Windows XP allocates 12 percent of the hard disk's size (or 400 MB on hard disks that are smaller than 4 gigabytes), which is the most that Windows XP can allocate to System Restore. You can otherwise configure the amount of disk space System Restore consumes, though. On the System Restore tab of the System Properties dialog box, drag the slider left or right to adjust the amount of disk space it uses. To open System Properties, click Start, Control Panel, Performance And Maintenance, and then click System. However, don't reduce the amount; doing so limits the number of restore points that System Restore can maintain at one time.
Taking Configuration Snapshots
Here's how to create a restore point using System Restore:
- Start System Restore in one of the following ways:
  - Click System Restore in Help and Support Center.
  - Click Start, All Programs, Accessories, System Tools, System Restore.
  - Run %SystemRoot%\System32\Restore\rstrui.exe.
- Select the Create A Restore Point option, and then click Next.
- In the Restore Point Description box, type a descriptive name for the restore point, and then click Create. (System Restore adds the date and time to the name of the restore point.)
To restore a checkpoint, follow these steps:
- Start System Restore using one of the three methods in the previous procedure.
- Select the Restore My Computer To an Earlier Time option, and then click Next.
- Select the restore point that you want to restore, and then click Next.
  System Restore maintains up to 90 days of restore points, given enough disk space, so you can move backward and forward in the calendar to see the restore points created on each day. In the calendar, shown in Figure 3-3, bold dates are those that contain restore points.
- Click a date, and then click the restore point in the list.
- Click Next again, and Windows XP restarts so it can restore your configuration to the restore point you selected.
Sometimes, if your configuration is too unstable, you won't be able to start Windows XP normally. That leaves you with Safe Mode. (See Chapter 9, “Troubleshooting Problems.”) In Safe Mode, you can't create restore points, but you can restore ones that have already been created. Thus, if Windows XP doesn't start normally, start it in Safe Mode, restore to an earlier configuration, and then restart the computer.
Figure 3-3. Before continuing, make sure you save your documents and close any programs that are running. System Restore restarts your computer.
Looking Inside System Restore
Many of the files and folders System Restore uses are super hidden, so you won't see them unless you display system and hidden files. In Windows Explorer, click Tools, Folder Options. On the Folder Options dialog box's View tab, select the Show Hidden Files And Folders option, and then clear the Hide Protected Operating System Files check box. System Restore's program files are in %SystemRoot%\System32\Restore. Aside from the program file Rstrui.exe, you'll find the super-hidden file Filelist.xml, which lists the files and settings that System Restore monitors. Double-click this file to view the XML in Internet Explorer. It excludes a few legacy configuration files (for example, Win.ini, System.ini, Autoexec.bat, and Config.sys). It excludes a few folders, too, most of which aren't important to the operating system's stability. What's interesting is the list of file extensions that it includes. System Restore protects everything from EXE and DLL files to VBS and VXD (virtual device driver) files. If a file matches one of the included file extensions and it's not in a folder that Filelist.xml excludes, System Restore monitors it. It also monitors the per-user hive files listed in the key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
The actual restore points are in each volume's System Volume Information folder. This folder is also super hidden, so you'll need to select the Show Hidden Files And Folders option and then clear the Hide Protected Operating System Files check box to see it. To open it, you'll have to add your user account to the folder's ACL. I don't recommend you do this on a production computer, however, because you risk corrupting the file system. If you have a lab computer, go for it; otherwise, I'll describe this folder for you.
Each System Volume Information folder contains a subfolder called _restoreGUID, where GUID is the computer's GUID. (See Chapter 1, “Learning the Basics.”) For example, my computer has _restore{4545302B-EA51-4100-A7E2-C7A37551AA83}. Beneath that folder is one folder for each restore point, called RPN, where N is an incremental number beginning with 1. RPN contains backup copies of changed and deleted files. In fact, I opened my latest restore point folder, deleted a program file, and watched as System Restore added it to the restore point. It also backs up files that change so it can restore those. System Restore changes the file names, so you won't find missing files or documents in there. This folder also contains a list of the changes that System Restore must apply to the computer to restore the checkpoint, including instructions for restoring backup files.
The \snapshot subfolder is in RPN, which contains backup copies of the registry's hive files. If you have access to System Volume Information, you can load these hive files in Regedit, examine them, or even recover settings from them. If you really need settings from these hive files, you're better off restoring them using System Restore. You can see System Volume Information in Figure 3-4; hopefully that will satisfy your curiosity enough to keep you out of it. The following is a list of the registry hive files you find in \snapshot:
- _REGISTRY_MACHINE_SAM
- _REGISTRY_MACHINE_SECURITY
- _REGISTRY_MACHINE_SOFTWARE
- _REGISTRY_MACHINE_SYSTEM
- _REGISTRY_USER_.DEFAULT
- _REGISTRY_USER_NTUSER_SID
- _REGISTRY_USER_USRCLASS_SID
Figure 3-4. System Restore backs up all the hive files so it can restore them if necessary.
Managing System Restore
System Restore has sparse management options. You can change how much disk space it uses, which I've already covered, and you can even disable it altogether. There's only one good time to disable System Restore, and that's when you install Windows XP on sluggish computers. System Restore consumes a small slice of your computer's resources as it monitors the file system for changes, and disabling it can recover those resources. To disable System Restore, click Start, Control Panel, Performance And Maintenance, and then click System to open the System Properties dialog box. On the System Restore tab, select the Turn Off System Restore check box. But unless the computer is painfully slow, leave System Restore alone.
Two policies for managing System Restore are available to IT professionals. The first is Turn off System Restore, which disables System Restore altogether. I know some administrators who haven't embraced System Restore yet, and they're disabling it in their organizations. Their concern is the amount of disk space it uses, the small performance penalty for using it, and the potential for restoring unwanted code such as viruses. If you don't want users to be able to configure System Restore, enable the Turn off Configuration policy, which locks the user interface so users can't change System Restore's configuration. Users can still create their own restore points, however. Both of these policies are per-computer administrative settings available in the Group Policy console under Computer Configuration\Administrative Templates\System\System Restore.
System Restore has a few other settings for which it doesn't provide a user interface or policy. These are mostly settings in the registry that control System Restore's schedule. You can build your own administrative template for these, however, which you learn about in Chapter 7, “Using Registry-Based Policy.” Chapter 7 also shows you how to enable policies.
Customizing System Restore
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore is the key where you find all of System Restore's settings. Unless otherwise noted, all the settings in the following list are REG_DWORD values:
- CompressionBurst. This value specifies, in seconds, the idle time compression; that is, the amount of time it takes to compress data after the computer becomes idle. System Restore can compress data for the amount of time specified, and then it must stop until after the next time the computer becomes idle.
- DiskPercent and DSMax. Together, these values specify how much disk space System Restore uses. System Restore uses the greater of the two values. Thus, for hard disks smaller than 4 gigabytes (GB), System Restore uses 400 MB, which is the default value of DSMax. For hard disks larger than 4 GB, System Restore uses 12 percent, which is the default value of DiskPercent.
- DSMin. This value specifies the minimum amount of free disk space that System Restore requires during the installation process. This value also specifies the minimum amount of disk space that System Restore needs in order to be reactivated and resume the creation of restore points after Windows XP has disabled System Restore due to low disk space.
- RestoreStatus. This value indicates whether the last restore operation failed (0x00), succeeded (0x01), or was interrupted (0x02).
- RPGlobalInterval. This value specifies the amount of time in seconds that System Restore waits between creating system checkpoints. The default value is 24 hours (86,400 seconds), or 0x15180.
- RPLifeInterval. This value specifies the time in seconds that System Restore keeps restore points before removing them from the computer. The default value is 0x76A700, or 90 days (7,776,000 seconds).
- RPSessionInterval. This value specifies, in seconds, the amount of time that System Restore waits before it creates the system checkpoints while the computer is turned on. The default value is zero, disabling this feature. You can change this value to 0xE10 to create a restore point every hour that the computer is in use. On a computer that you customize often, such as a lab computer, you might create a restore point every hour.
- ThawInterval. This value specifies, in seconds, the amount of time that System Restore waits before it reactivates itself after adequate disk space becomes available. Start the System Restore user interface, and it reactivates immediately.
It isn't useful to customize the remaining settings you find in SystemRestore, and Microsoft warns in no uncertain terms that you shouldn't change them. However, you can disable System Restore by setting DisableSR to 0x01, and doing so doesn't remove existing restore points, as disabling System Restore in the user interface does. Editing the remaining settings can do bad things to your computer's performance, so limit yourself to the settings I described in this section.
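The settings listed in this section can be read back and decoded with a short WSH script, which is useful for confirming that a computer's System Restore schedule and DisableSR state are what you expect. This is an added example, not code from the book; it uses WMI's StdRegProv registry provider, and the helper names Describe and Duration are made up for the illustration.

```vbscript
' Added example (not from the book): report the System Restore settings.
Option Explicit
Const HKLM = &H80000002
Const SR_KEY = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"

Dim reg, valueNames, valueName, data, rc
Set reg = GetObject("winmgmts:\\.\root\default:StdRegProv")
valueNames = Array("DisableSR", "DiskPercent", "DSMax", "DSMin", _
    "RPGlobalInterval", "RPLifeInterval", "RPSessionInterval", _
    "CompressionBurst", "ThawInterval", "RestoreStatus")

For Each valueName In valueNames
    data = Null
    rc = reg.GetDWORDValue(HKLM, SR_KEY, valueName, data)
    If rc <> 0 Or IsNull(data) Then
        WScript.Echo valueName & ": not present"
    Else
        WScript.Echo valueName & " = " & data & " (0x" & Hex(data) & ") " & _
            Describe(valueName, data)
    End If
Next

' Translate a raw value into the meaning given in the list above.
' Values with no special decoding (DiskPercent, DSMax, DSMin) return nothing.
Function Describe(valueName, data)
    Select Case valueName
        Case "DisableSR"
            If data = 1 Then Describe = "System Restore disabled" Else Describe = "enabled"
        Case "RPGlobalInterval", "RPLifeInterval", "CompressionBurst", "ThawInterval"
            Describe = Duration(data)
        Case "RPSessionInterval"
            If data = 0 Then Describe = "session checkpoints off" Else Describe = Duration(data)
        Case "RestoreStatus"
            Select Case data
                Case 0: Describe = "last restore failed"
                Case 1: Describe = "last restore succeeded"
                Case 2: Describe = "last restore interrupted"
            End Select
    End Select
End Function

' Show a value stored in seconds as hours and days.
Function Duration(seconds)
    Duration = FormatNumber(seconds / 3600, 1) & " hours (" & _
        FormatNumber(seconds / 86400, 1) & " days)"
End Function
```

Run it with cscript //nologo so each line goes to the console instead of a message box.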
Scripting System Restore
You can script System Restore using Windows Scripting Host (WSH) and Windows Management Instrumentation (WMI). Chapter 11, “Scripting Registry Changes,” describes in detail how to script registry edits. But perhaps you want to write scripts to automate System Restore specifically. Using these scripts gives you more control over the creation of restore points than did the registry settings in the previous section.
Scripting System Restore relies on WMI and Srclient.dll, which is the System Restore client DLL. The account in which you run these scripts must have administrative privileges to prevent them from being used by members of the Users or Power Users groups. In the Scheduled Tasks folder, you can schedule these scripts to run with elevated privileges, though. The following listing shows a script that automatically creates a restore point: it creates a System Restore object using WMI and then creates a restore point by calling the method CreateRestorePoint(). The first parameter is the name of the restore point; you should use a descriptive name that begins with a verb, such as Installed or Changed.
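' Connect to the SystemRestore WMI class in the root\default namespace.
Set SRP = GetObject("winmgmts:\\.\root\default:SystemRestore")
' Arguments: description, restore point type (0), event type (100). Returns 0 on success.
CSRP = SRP.CreateRestorePoint("Hacked the registry", 0, 100)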
In addition to creating restore points, you can restore checkpoints using scripts. You can also configure System Restore, enable and disable it, or iterate through the list of restore points on the computer. For more information about System Restore's WMI classes, see http://msdn.microsoft.com/library/en-us/sr/sr/system_restore_wmi_classes.asp, which is the MSDN documentation for System Restore.
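Iterating through the restore points, as mentioned above, gives you an inventory to review before you restore a checkpoint. The following script is an added example, not code from the book; it enumerates instances of the SystemRestore WMI class, assumes that CreationTime is a WMI date string beginning yyyymmddHHMMSS, and uses the made-up helper names DmtfToText and TypeText.

```vbscript
' Added example (not from the book): list the restore points on this computer.
' Run from an administrative account: cscript //nologo sr-list.vbs
Option Explicit
Dim svc, rp, total
Set svc = GetObject("winmgmts:\\.\root\default")
total = 0

WScript.Echo "Seq" & vbTab & "Created" & vbTab & vbTab & "Type" & vbTab & "Description"
For Each rp In svc.InstancesOf("SystemRestore")
    WScript.Echo rp.SequenceNumber & vbTab & DmtfToText(rp.CreationTime) & _
        vbTab & TypeText(rp.RestorePointType) & vbTab & rp.Description
    total = total + 1
Next
WScript.Echo total & " restore point(s) found."

' Assumption: CreationTime begins with yyyymmddHHMMSS (WMI date format).
Function DmtfToText(s)
    DmtfToText = Mid(s, 1, 4) & "-" & Mid(s, 5, 2) & "-" & Mid(s, 7, 2) & " " & _
        Mid(s, 9, 2) & ":" & Mid(s, 11, 2) & ":" & Mid(s, 13, 2)
End Function

' Restore point types documented for the SystemRestore WMI class;
' any other value is shown as its number.
Function TypeText(t)
    Select Case t
        Case 0: TypeText = "APPLICATION_INSTALL"
        Case 1: TypeText = "APPLICATION_UNINSTALL"
        Case 10: TypeText = "DEVICE_DRIVER_INSTALL"
        Case 12: TypeText = "MODIFY_SETTINGS"
        Case 13: TypeText = "CANCELLED_OPERATION"
        Case Else: TypeText = "type " & t
    End Select
End Function
```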