Accessing Windows Restore Points

zamar21

Hi guys,

Interesting questions to explore about Windows Restore Points:

- How do you check the size of each folder in the System Volume Information folder, where Restore Points are saved?
- What program allows you to change, or how do you change, the snapshot frequency (the SR task doesn't show any default triggers) and the lifetime of restore points in Win 8.1?
- If a Restore Point was deleted, where should you look for it with advanced undelete software? If I find it and copy it back to the System Volume Information folder, can I then restore the system to it? What program can re-register such "recovered" restore points, or how is it done?
 

My Computer

System One

  • OS
    Win 8.1
Hello Zamar,

The vssadmin list shadowstorage command will show you the size of each shadow storage for each drive on which you have system protection turned on.

Restore points are automatically created by default just before significant system events, such as the installation of some programs, device drivers, or Windows Updates, and by a scheduled task once every seven days if no other restore points were created in the previous seven days. If you like, you can disable automatic restore point creation. You can also manually create restore points at any time.

If you delete a restore point, it's gone for good. There is no recovery for a deleted restore point.

Hope this helps, :)
Shawn
 

My Computer

System One

  • OS
    64-bit Windows 10
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Custom self built
    CPU
    Intel i7-8700K OC'd to 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    64 GB (4x16GB) G.SKILL TridentZ RGB DDR4 3600 MHz (F4-3600C18D-32GTZR)
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    2 x Samsung Odyssey G7 27"
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Samsung 990 PRO M.2,
    4TB Samsung 990 PRO PRO M.2,
    8TB WD MyCloudEX2Ultra NAS
    PSU
    OCZ Series Gold OCZZ1000M 1000W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Keyboard
    Logitech wireless K800
    Mouse
    Logitech MX Master 3
    Internet Speed
    1 Gb/s Download and 35 Mb/s Upload
    Browser
    Internet Explorer 11
    Antivirus
    Malwarebyte Anti-Malware Premium
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Galaxy S23 Plus phone
There is no recovery for a deleted restore point.

A good reason to make a system image on a USB using Macrium Reflect. :)
 

My Computer

System One

  • OS
    Windows 8.1.1 Pro with Media Center
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Gateway
    CPU
    AMD K140 Cores 2 Threads 2 Name AMD K140 Package Socket FT1 BGA Technology 40nm
    Motherboard
    Manufacturer Gateway Model SX2110G (P0)
    Memory
    Type DDR3 Size 8192 MBytes DRAM Frequency 532.3 MHz
    Graphics Card(s)
    ATI AMD Radeon HD 7310 Graphics
    Sound Card
    AMD High Definition Audio Device Realtek High Definition Audio USB Audio Device
    Monitor(s) Displays
    Name 1950W on AMD Radeon HD 7310 Graphics Current Resolution 1366x768 pixels Work Resolution 1366x76
    Screen Resolution
    Current Resolution 1366x768 pixels Work Resolution 1366x768 pixels
    Hard Drives
    AMD K140
    Cores 2
    Threads 2
    Name AMD K140
    Package Socket FT1 BGA
    Technology 40nm
    Specification AMD E1-1200 APU with Radeon HD Graphics
    Family F
    Extended Family 14
    Model 2
    Extended Model 2
    Stepping 0
    Revision ON-C0
    Instruction
    Browser
    Opera 24.0
    Antivirus
    Avast Internet Security
Hi Shawn,

Did you mean there's no official MS way to recover Restore Points via Windows commands? But there may be an "unofficial" way, as Restore Points are essentially large archive files (differential disk volumes) stored inside the System Volume Information folder; you can see them with CCleaner, Shadow Explorer, Paragon HDM (export them) and many other programs. When they're deleted, you can find them on the HDD with recovery software like R-Studio etc. Recovered points can be copied back to the System Volume Information folder if you temporarily change its permissions. Once copied, they likely need some registration to become "known to the OS"?

Many folks complain about their precious points :) being deleted by Windows at the very moment they need them most. For example, Windows can create a new Restore Point 2 days after a new series of updates, and therefore delete the more important previous point created before the update. Then we may face the problem of a badly broken OS with no way out. That's where "recovered" points come in handy. The relevant question is, what software allows importing previously exported Restore Points?
 

My Computer

System One

  • OS
    Win 8.1
If you delete a restore point, it is permanent.

Restore points are nice to have for when needed, but they should not be relied upon as the only option of recovery. A system image and backups should also always be kept.
 

It looks like CCBoot allows exporting and importing Restore Points, meaning such a possibility exists or can be added if not published yet. I need to play with it to see if it can be applied to a live system rather than a frozen one, since that's CCBoot's marketplace. This feature is quite important, given the fact that most users would leave the disk space for Restore Points at the default 5%, and in my case Windows would always delete or hide previous Restore Points before creating a new one right after a large system update. Since many folks set Windows Update to auto, and in fact Windows resets its Update settings to auto after each monthly update, this may become the only way to recover your system after Windows Update, since most users never monitor when the next update is coming, and therefore never create a full backup before that, especially if they made no changes to the PC after the previous Windows update.
 

My Computer

System One

  • OS
    Win 8.1
That program works with existing restore points. If you delete a restore point before exporting it using that program, it will still be gone for good.

Of course, a system image will include everything. :)
 

More useful background info on how Restore Points are created, registered and maintained, but no recovery solution yet:
Restore Point Forensics


Next question is: how to mount a Restore Point and look at what's inside? It's easier than you think with the right software. You can mount them using Windows or various forensic and other tools. It looks like the Windows vssadmin utility reads various data in the System Volume Information folder before presenting a list of Volume Shadow Copies (i.e. Restore Points) available for a selected drive. Then mklink can add a symbolic link to a chosen Shadow Copy to mount the volume into a new folder on any drive. To dismount the Shadow, just delete the symbolic link; the source data won't be affected. For example, to list the Restore Points for drive C:\ shown by System Restore before the cut-off date, select Restore Point 1 and mount it to the C:\RestorePoint1 folder, enter the following in an admin Windows PowerShell:

Code:
PS C:\Windows\system32> vssadmin list shadows /for=C:\ |
    Select-String -Pattern "shadow copies at creation time" -Context 0,3 |
    ForEach-Object {
        [pscustomobject]@{
            Path = (($_.Context.PostContext -split "\r\n")[2] -split ':')[1].Trim();  
            DateCreated = ($_.Line -split ':\s',2)[1];
        }
    }
 

Path                                                                 DateCreated
----                                                                 -----------
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1                      5/14/2015 3:59:53 PM
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3                      5/15/2015 6:02:02 PM
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4                      5/15/2015 6:07:11 PM
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5                      5/16/2015 3:13:22 PM

PS C:\Windows\system32> & cmd /c mklink /D C:\RestorePoint1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
symbolic link created for C:\RestorePoint1 <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\


The easiest way to mount Restore Points I found is using System Restore Explorer. Despite not being recently updated, it installs and works well in Win 8.1, and once opened it listed in my case more, earlier Restore Points (with the checkbox "Show restore points older than 5 days" selected) that I assumed were deleted by Windows, but likely were beyond the cut-off date set in the Registry or the default one. However, once I rebooted and it read the current Registry settings, the package no longer showed that checkbox, and the earlier Restore Points were again hidden. The package doesn't offer a System Restore function, which is a major drawback given it can show more Restore Points.

With that package you can list any Windows Restore Point and mount it to a symbolic link folder. Note that Restore Point storage volumes are relatively small differential volume archives, but once mounted they can restore access to a lot more data than is stored in them: to complete files and folders that were changed or deleted since then, if the disk space occupied by them hasn't been overwritten yet. Hence, the value of old Restore Points may diminish over time as data on the disk changes, especially for a successful system restore, but they may still be useful for file recovery and for backup of the mounted volume.

A CML tool called VSS can mount a Restore Point to a drive letter, which makes it easier to back up with regular backup software. But it seems to show some permissions issues in the 64-bit Admin Cmd Prompt.

An interesting question is, how can one increase the number of Restore Points shown, how often they're taken, and other related parameters? A working example of using Windows Task Scheduler for taking points frequently was given here. Those parameters, except defaults, are likely stored in the Registry key below and its subkeys, so explore it or compare its content to the same Windows Vista key, which provided more settings flexibility to the user.
Code:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
 

My Computer

System One

  • OS
    Win 8.1
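
The list-and-mount procedure from the post above, as an added example that is not part of the original thread: it reads shadow copies from the Win32_ShadowCopy class instead of parsing vssadmin text, mounts the oldest one through a directory symbolic link, and removes only the link afterwards. The function names and the C:\RestorePoint1 path are assumptions; run it from an elevated Windows PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example; function names and C:\RestorePoint1 are illustrative.

function Get-ShadowCopyList {
    param([string]$Drive = 'C:\')
    # Win32_ShadowCopy.VolumeName holds a volume GUID path, so map the drive to it.
    $volume = Get-CimInstance Win32_Volume | Where-Object { $_.Name -eq $Drive }
    if (-not $volume) { throw "No volume found for $Drive" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate |
        Select-Object ID, InstallDate, DeviceObject
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [Parameter(Mandatory)][string]$LinkPath
    )
    if (Test-Path -LiteralPath $LinkPath) { throw "$LinkPath already exists" }
    # mklink needs the trailing backslash on the shadow copy device path;
    # without it the link is created but cannot be opened.
    $target = $DeviceObject.TrimEnd('\') + '\'
    cmd /c mklink /D $LinkPath $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
}

function Dismount-ShadowCopy {
    param([Parameter(Mandatory)][string]$LinkPath)
    $item = Get-Item -LiteralPath $LinkPath -Force
    # Only ever remove the reparse point itself, never a real directory.
    if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        throw "$LinkPath is not a symbolic link"
    }
    cmd /c rmdir $LinkPath   # deletes the link only; the shadow copy is untouched
}

$copies = @(Get-ShadowCopyList -Drive 'C:\')
$copies | Format-Table InstallDate, DeviceObject -AutoSize | Out-Host
if ($copies.Count -gt 0) {
    $link = 'C:\RestorePoint1'
    Mount-ShadowCopy -DeviceObject $copies[0].DeviceObject -LinkPath $link
    try {
        # Read-only look at the oldest snapshot's root directory.
        Get-ChildItem -LiteralPath $link | Select-Object -First 10 Name, LastWriteTime | Out-Host
    } finally {
        Dismount-ShadowCopy -LinkPath $link
    }
}
```
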
For more detail on mounting and working with shadow volumes, check justaskweg.com. Shadow volumes are dependent on one another, and a deleted shadow volume can't be mounted, although you may be able to recover files from it forensically.
 

My Computer

System One

  • OS
    7x64
    Computer type
    PC/Desktop
It appears that Windows tracks newly created and deleted Restore Points in the Registry and in certain log files stored in the System Volume Information folder. Once deleted, the Restore Point archives still remain on the physical hard drive, but are no longer listed in the Restore Point database. The delete operation seems to occur when the disk space dedicated to System Restore is nearly full, and is different from Hide in that Windows 8.1 won't list in the System Restore applet any Restore Points beyond the 5-to-7 day time limit, even though they may not be deleted for a long time beyond that limit and remain in the Windows Restore Points database.

The problem I see is that VSSADMIN doesn't list hidden Restore Points either, even though they're visible in System Restore Explorer. It may possibly depend on some Windows settings, so I need to do more digging on that. :)
 

My Computer

System One

  • OS
    Win 8.1