Windows 8 and 8.1 Forums


Accessing Windows Restore Points

  1. #1


    Posts : 8
    Win 8.1


    Hi guys,

    Interesting questions to explore about Windows Restore Points:

    - How can I check the size of each folder in the System Volume Information folder, where Restore Points are saved?
    - What program allows changing, or how can I change, the snapshot frequency (the SR task doesn't show any default triggers) and the lifetime of restore points in Win 8.1?
    - If a Restore Point was deleted, where should I look for it with advanced undelete software? If I find it and copy it back to the System Volume Information folder, can I then restore the system to it? What program can re-register such "recovered" restore points, or how is that done?
    Last edited by zamar21; 16 May 2015 at 19:29.


  2. #2


    Posts : 22,582
    64-bit Windows 10


    Hello Zamar,

    The vssadmin list shadowstorage command will show you the size of each shadow storage for each drive you have system protection turned on.

    Restore points are automatically created by default just before significant system events, such as the installation of some programs, device drivers, or Windows Updates, and by a scheduled task once every seven days if no other restore points were created in the previous seven days. If you like, you can disable automatic restore point creation. You can also manually create restore points at any time.

    If you delete a restore point, it's gone for good. There is no recovery for a deleted restore point.

    Hope this helps,
    Shawn

  3. #3


    Harrisonburg, Va.
    Posts : 10,488
    Windows 8.1.1 Pro with Media Center


    There is no recovery for a deleted restore point.
    A good reason to make a system image on a USB using Macrium Reflect.

  4. #4


    Posts : 8
    Win 8.1


    Hi Shawn,

    Did you mean there's no official MS way to recover Restore Points via Windows commands? But there may be an "unofficial" way, as Restore Points are essentially large archive files (differential disk volumes) stored inside the System Volume Information folder; you can see them with CCleaner, Shadow Explorer, Paragon HDM (export them) and many other programs. When they're deleted, you can find them on the HDD with recovery software like R-Studio etc. Recovered points can be copied back to the System Volume Information folder if you temporarily change its permissions. Once copied, they likely need some registration to become "known to the OS"?

    Many folks complain about their precious points being deleted by Windows at the very moment they need them most. For example, Windows can create a new Restore Point 2 days after a new series of updates, and therefore delete the more important previous point created before the update. Then we may face the problem of a badly broken OS with no way out. That's where "recovered" points come in handy. The relevant question is, what software allows importing previously exported Restore Points?
    Last edited by zamar21; 16 May 2015 at 13:18.

  5. #5


    Posts : 22,582
    64-bit Windows 10


    If you delete a restore point, it is permanent.

    Restore points are nice to have for when needed, but they should not be relied upon as the only option of recovery. A system image and backups should also always be kept.

  6. #6


    Posts : 8
    Win 8.1


    It looks like CCBoot allows exporting and importing Restore Points, meaning such a possibility exists or can be added if not published yet. I need to play with it to see if it can be applied to a live system rather than a frozen one, since that's CCBoot's marketplace. This feature is quite important, given the fact that most users would leave the disk space for Restore Points at the default 5%, and in my case Windows would always delete or hide previous Restore Points before creating a new one right after a large system update. Since many folks set Windows Update to auto, and in fact Windows resets its Update settings to auto after each monthly update, this may become the only way to recover your system after Windows Update, since most users never monitor when the next update is coming, and therefore never create a full backup before that, especially if they made no changes to the PC after the previous Windows update.
    Last edited by zamar21; 19 May 2015 at 11:31.

  7. #7


    Posts : 22,582
    64-bit Windows 10


    That program works with existing restore points. If you delete a restore point before exporting it using that program, it will still be gone for good.

    Of course, a system image will include everything.

  8. #8


    Posts : 8
    Win 8.1


    More useful background info on how Restore Points are created, registered and maintained, but no recovery solution yet:
    Restore Point Forensics


    The next question is: how to mount a Restore Point and look at what's inside? It's easier than you think with the right software. You can mount them using Windows or various forensic and other tools. It looks like the Windows vssadmin utility reads various data in the System Volume Information folder before presenting a list of Volume Shadow Copies (i.e. Restore Points) available for a selected drive. Then mklink can add a symbolic link to a chosen Shadow Copy to mount the volume into a new folder on any drive. To dismount the Shadow, just delete the symbolic link; the source data won't be affected. For example, to list the Restore Points for drive C:\ that System Restore shows before the cut-off date, select Restore Point 1 and mount it to the C:\RestorePoint1 folder, enter the following in an admin Windows PowerShell:

    Code:
    PS C:\Windows\system32> vssadmin list shadows /for=C:\ |
        Select-String -Pattern "shadow copies at creation time" -Context 0,3 |
        ForEach-Object {
            [pscustomobject]@{
                Path = (($_.Context.PostContext -split "\r\n")[2] -split ':')[1].Trim();  
                DateCreated = ($_.Line -split ':\s',2)[1];
            }
        }
     
    
    Path                                                                 DateCreated
    ----                                                                 -----------
    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1                      5/14/2015 3:59:53 PM
    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3                      5/15/2015 6:02:02 PM
    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4                      5/15/2015 6:07:11 PM
    \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5                      5/16/2015 3:13:22 PM
    
    PS C:\Windows\system32> & cmd /c "mklink /D C:\RestorePoint1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\"
    symbolic link created for C:\RestorePoint1 <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

    The easiest way to mount Restore Points that I found is using System Restore Explorer. Despite not being recently updated, it installs and works well in Win 8.1, and once opened it listed in my case more, earlier Restore Points (with the checkbox "Show restore points older than 5 days" selected) that I assumed were deleted by Windows, but that likely were beyond the cut-off date set in the Registry or by default. However, once I rebooted and it read the current Registry settings, the package no longer showed that checkbox, and the earlier Restore Points were hidden again. The package doesn't offer a System Restore function, which is a major drawback given it can show more Restore Points.

    With that package you can list any Windows Restore Point and mount it to a symbolic link folder. Note that Restore Point storage volumes are relatively small differential volume archives, but once mounted they can restore access to a lot more data than is stored in them: to complete files and folders that were changed or deleted since then, if the disk space occupied by them hasn't been overwritten yet. Hence, the value of old Restore Points may diminish over time as data on the disk changes, especially for a successful system restore, but they may still be useful for file recovery and for backup of the mounted volume.

    A CML tool called VSS can mount a Restore Point to a drive letter, which makes it easier to back up with regular backup software. But it seems to show some permissions issues in a 64-bit Admin Cmd Prompt.

    An interesting question is, how can one increase the number of Restore Points shown, how often they're taken, and other related parameters? A working example of using Windows Task Scheduler for taking points frequently was given here. Those parameters, except defaults, are likely stored in the Registry key below and its subkeys, so explore it or compare its content to the same Windows Vista key, which provided more settings flexibility to the user.
    Code:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
    Last edited by zamar21; 19 May 2015 at 14:04.
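
    The list, mount and dismount steps from post #8, as an added example that is not part of the original thread. It reads shadow copies from the Win32_ShadowCopy WMI class instead of parsing vssadmin text; the function names and the C:\RestorePoint1 link path are assumptions.

```powershell
# Added example: function names and the link path are assumptions.
# Run from an elevated Windows PowerShell prompt.

function Get-ShadowCopy {
    # Win32_ShadowCopy describes the same shadow copies that vssadmin lists,
    # as objects, so nothing depends on localized text or line offsets.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object -Property InstallDate |
        Select-Object -Property ID, VolumeName, InstallDate, DeviceObject
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory = $true)][string]$DeviceObject,
        [Parameter(Mandatory = $true)][string]$LinkPath
    )
    if (Test-Path -LiteralPath $LinkPath) {
        throw "$LinkPath already exists; choose a new folder name."
    }
    # The link target must end in a backslash, as in the mklink output above.
    $target = $DeviceObject.TrimEnd('\') + '\'
    cmd /c mklink /D $LinkPath $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mklink failed with exit code $LASTEXITCODE" }
    $LinkPath
}

function Dismount-ShadowCopy {
    param([Parameter(Mandatory = $true)][string]$LinkPath)
    $item = Get-Item -LiteralPath $LinkPath -Force
    # Refuse to touch anything that is not a link, so a real folder is never removed.
    if (-not ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)) {
        throw "$LinkPath is not a symbolic link."
    }
    # rmdir without /S removes only the link; the shadow copy is unchanged.
    cmd /c rmdir $LinkPath
}

# Usage:
#   $oldest = Get-ShadowCopy | Select-Object -First 1
#   Mount-ShadowCopy -DeviceObject $oldest.DeviceObject -LinkPath C:\RestorePoint1
#   Get-ChildItem C:\RestorePoint1
#   Dismount-ShadowCopy -LinkPath C:\RestorePoint1
```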

  9. #9


    For more detail on mounting and working with shadow volumes, check justaskweg.com. Shadow volumes are dependent on one another, and a deleted shadow volume can't be mounted, although you may be able to recover files from it forensically.

  10. #10


    Posts : 8
    Win 8.1


    It appears that Windows tracks newly created and deleted Restore Points in the Registry and in certain log files stored in the System Volume Information folder. Once deleted, the Restore Point archives still remain on the physical hard drive, but are no longer listed in the Restore Point database. The delete operation seems to occur when the disk space dedicated to System Restore is nearly full, and is different from Hide in that Windows 8.1 won't list in the System Restore applet any Restore Points beyond the 5-to-7 day time limit, even though they may not be deleted for a long time beyond that limit and remain in the Windows Restore Points database.

    The problem I see is that VSSADMIN doesn't list hidden Restore Points either, even though they're visible in System Restore Explorer. It may possibly depend on some Windows settings, so I need to do more digging on that.
    Last edited by zamar21; 19 May 2015 at 14:06.