Windows.Tool.Disabled


KevinGu

Recommended Posts

Hello:

We are testing MBMR and keep finding this:

 

<Detection><Info><Name>Windows.Tool.Disabled</Name>

<Path>HKLM\SOFTWARE\POLICIES\MICROSOFT\WINDOWS NT\SYSTEMRESTORE|DisableConfig</Path>

<Hash>1100944e71197bbb1d2d5cd27c89c13f</Hash>

<Class>8</Class>

 

I am pretty sure it's a false positive and just reading the registry entry that controls system restore. We disable system restore and believe Malwarebytes is flagging it because maybe some threats do this.

 

I would like to confirm our theory is correct. Also, when it finds and "removes" it, what does it do to the registry key, if anything?

 

Thanks....


  • Staff

Hi Kevin,

 

Indeed that key is for system restore. More specifically, it is a policy setting that allows or disallows users to configure system restore.

 

Many threats disable system restore which in turn removes all previous restore points so the user cannot revert to an uninfected date.

Often they will also block user's ability to turn system restore back on again to create restore points as they work on fixing the system.

 

So, this is not a false positive.

However - because you set this yourself, you can ignore this/whitelist this setting.

 

When MBAM "fixes" the entry, it sets the value data back to 0 (which allows users to enable system restore again)

Value of 1 means "don't let users configure system restore"

Value of 0 means "allow users to configure system restore"

 

More info here on this specific policy:

https://support.microsoft.com/en-us/kb/283073

 

Hope that helps explain it.
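An added example, not part of the staff reply or of Malwarebytes' own tooling: a PowerShell script that audits the policy key named in the detection and, if wanted, resets the value data to 0 the way the reply says MBAM does. It assumes an elevated PowerShell session on the affected machine. DisableConfig is the value from the detection above; DisableSR is the sibling value documented in the KB article linked above and is not mentioned in the thread itself.

```powershell
# Added example (not from the forum thread): audit the System Restore policy
# values behind a Windows.Tool.Disabled detection, and optionally reset them
# the way the staff reply describes (value data set back to 0, not deleted).
# Assumptions: run elevated; DisableSR comes from the linked KB, not the post.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
$PolicyValues = 'DisableConfig', 'DisableSR'

function Get-SystemRestorePolicy {
    # Returns one object describing the policy state. A missing value is
    # reported as $null; Windows treats absent and 0 the same (not restricted).
    $state = @{}
    foreach ($name in $PolicyValues) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($null -ne $item) { $item.$name } else { $null }
    }
    [pscustomobject]@{
        Key                    = $PolicyKey
        KeyExists              = (Test-Path $PolicyKey)
        DisableConfig          = $state['DisableConfig']
        DisableSR              = $state['DisableSR']
        UsersCanConfigure      = ($state['DisableConfig'] -ne 1)   # 1 = users may not configure
        RestoreEnabledByPolicy = ($state['DisableSR'] -ne 1)       # 1 = System Restore turned off
    }
}

function Reset-SystemRestorePolicy {
    # Mirrors the remediation described in the reply: any value currently 1
    # is set to 0 (REG_DWORD). The value is left in place so you can still see
    # that a policy was applied. Use -WhatIf to preview without changing anything.
    param([switch]$WhatIf)
    if (-not (Test-Path $PolicyKey)) {
        Write-Host "Policy key not present; nothing to reset."
        return
    }
    foreach ($name in $PolicyValues) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($current -eq 1) {
            if ($WhatIf) {
                Write-Host "Would set $name from 1 to 0"
            } else {
                Set-ItemProperty -Path $PolicyKey -Name $name -Value 0 -Type DWord
                Write-Host "Set $name to 0"
            }
        }
    }
}

# Usage: audit first, then decide whether to reset or to whitelist in MBAM.
Get-SystemRestorePolicy | Format-List
Reset-SystemRestorePolicy -WhatIf
```

If the value was deployed by Group Policy, as in Kevin's case, resetting it locally only lasts until the next policy refresh rewrites it, and MBAM will flag it again; that is why the reply recommends whitelisting the setting rather than letting it be "fixed" each scan.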
