More useful background info on how Restore Points are created, registered and maintained, but no recovery solution yet:
Restore Point Forensics
Next question is: how to mount a Restore Point and look at what's inside? It's easier than you think with the right software. You can mount them using Windows or various forensic and other tools. It looks like the Windows vssadmin utility reads various data in the System Volume Information folder before presenting a list of Volume Shadow Copies (i.e. Restore Points) available for a selected drive. Then mklink can add a Symbolic Link to a chosen Shadow Copy to mount the volume into a new folder on any drive. To dismount the Shadow, just delete the symbolic link; the source data won't be affected. For example, to list the Restore Points for drive C:\ shown by System Restore before the cut-off date, select Restore Point 1 and mount it to the C:\RestorePoint1 folder, enter in Windows Admin PowerShell:
Code:
PS C:\Windows\system32> vssadmin list shadows /for=C:\ |
    Select-String -Pattern "shadow copies at creation time" -Context 0,3 |
    ForEach-Object {
        [pscustomobject]@{
            Path = (($_.Context.PostContext -split "\r\n")[2] -split ':')[1].Trim();
            DateCreated = ($_.Line -split ':\s',2)[1];
        }
    }
Path                                             DateCreated
----                                             -----------
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1  5/14/2015 3:59:53 PM
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3  5/15/2015 6:02:02 PM
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4  5/15/2015 6:07:11 PM
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5  5/16/2015 3:13:22 PM
PS C:\Windows\system32> & cmd /c "mklink /D C:\RestorePoint1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\"
symbolic link created for C:\RestorePoint1 <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
The easiest way to mount Restore Points I found is using System Restore Explorer. Despite not being recently updated, it installs and works well in Win 8.1, and once opened it listed in my case more, earlier Restore Points (with the checkbox "Show restore points older than 5 days" selected) that I assumed were deleted by Windows, but were likely beyond the cut-off date set in the Registry or by default. However, once I rebooted and it read the current Registry settings, the package no longer showed that checkbox, and the earlier Restore Points were again hidden. The package doesn't offer a System Restore function, which is a major drawback given it can show more Restore Points.

With that package you can list any Windows Restore Point and mount it to a symbolic link folder. Note that Restore Point Storage Volumes are relatively small differential volume archives, but once mounted they can restore access to a lot more data than is stored in them: to complete files and folders that were changed or deleted since then, if the disk space they occupied hasn't been overwritten yet. Hence, the value of old Restore Points may diminish over time as data on disk changes, especially for a successful system restore, but they still may be useful for file recovery and for backing up the mounted volume.

A command-line tool called VSS can mount a Restore Point to a drive letter, which makes it easier to back up with regular backup software. But it seems to show some permissions issues in a 64-bit Admin Cmd Prompt.

An interesting question is, how can one increase the number of Restore Points shown, how often they're taken, and other related parameters? A working example of using Windows Task Scheduler for taking points frequently was given here. Those parameters are likely stored in the Registry key below and its subkeys, except for defaults, so explore it or compare its content to the same Windows Vista key, which provided more settings flexibility to a user.
Code:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
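
The list, mount and dismount steps from the vssadmin/mklink example above, wrapped as reusable functions. This is an added example, not part of the original post: the function names are hypothetical, and it assumes an elevated PowerShell session and that the Win32_ShadowCopy WMI class is available, which it queries instead of parsing vssadmin text.

```powershell
# Added example; function names are hypothetical. Run in an elevated PowerShell.
function Get-ShadowCopyList {
    param([string]$Drive = 'C:')
    # Win32_ShadowCopy returns the snapshots as objects, so nothing depends on
    # splitting vssadmin's localized text output.
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$Drive'"
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate |
        Select-Object ID, InstallDate, DeviceObject
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [Parameter(Mandatory)][string]$LinkPath
    )
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
    # The link target must end in a backslash or the folder cannot be opened.
    $target = $DeviceObject.TrimEnd('\') + '\'
    cmd /c mklink /D $LinkPath $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    Get-Item -LiteralPath $LinkPath
}

function Dismount-ShadowCopy {
    param([Parameter(Mandatory)][string]$LinkPath)
    $item = Get-Item -LiteralPath $LinkPath -Force
    # Refuse anything that is not a link, so a real folder is never removed.
    if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        throw "$LinkPath is not a symbolic link"
    }
    # rmdir deletes only the link; the shadow copy itself is not affected.
    cmd /c rmdir $LinkPath
}

# Usage, with the folder name from the post:
# $sc = Get-ShadowCopyList -Drive 'C:' | Select-Object -First 1
# Mount-ShadowCopy -DeviceObject $sc.DeviceObject -LinkPath 'C:\RestorePoint1'
# Get-ChildItem C:\RestorePoint1
# Dismount-ShadowCopy -LinkPath 'C:\RestorePoint1'
```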