
Restore point question


Amethyst


Probably a dumb question, but I have to ask.

I allowed Microsoft Security Essentials to quarantine something (it was what they called 'potentially unwanted software', which I figured was fine, but they can't be budged from their position on it).

It was in:

C:\System Volume Information\_restore{(insert long series of letters & numbers that I won't bother typing in here)}\RP1985\A0316787.exe

I just want to make sure that this is only one restore point from one day, and not the whole thing including ALL my restore points. When I go to System Restore, it looks like they're all there going back to December (that's as far back as they go, not that I need any of those, quite frankly). If there's one missing because of quarantine, I can't tell.

The odd thing with this, too, is that originally, MSE picked up another file which it gave the same name to on a routine full system scan, and it didn't identify anything in System Volume at that time. When the first file was identified, I had MSE allow it until I found more information on it, and then I deemed the file harmless but unnecessary, so I put it in quarantine. It was nearly an hour later, after doing some other tasks, that MSE's real time protection popped up a warning about this System Volume Information item, and it appeared to be svchost that set that off.

This all happened on Feb 26th.

So my questions are:

Is this just one restore point out of many that is quarantined then? So if I happened to ever try to use it, I would then get an error message?

Is there any way to figure out which restore point that might be if there's just one that is now inaccessible?


OK, I found a way to get at what's inside that System Volume folder, but I haven't taken the steps beyond clearing the 'hide protected operating files'. Because I'm not the only one who uses this computer, I would sooner leave those files hidden. I did unhide them briefly and saw the System Volume folder. I see it is said to be empty, which I'm pretty sure it's not. Looks like it would take a few steps to get in there, which I don't think I need to do tonight. I would just like to know if an individual restore point can be quarantined.


  • Root Admin

No, you cannot select individual ones to remove without breaking it. You can run the following for XP to clean out all but the most recent one.

Remove all but the most recent Restore Point on Windows XP

You should create a new Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".

  • If the shortcut is missing you can also click on START > RUN, type in %SystemRoot%\system32\restore\rstrui.exe and click OK.

  • Choose the radio button marked "Create a Restore Point" on the first screen, then click "Next".

  • Give the new Restore Point a name, then click "Create".

  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use Disk Cleanup to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr.exe

  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.

  • Click the "More Options" tab, then click the "Clean up" button under System Restore.

  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"

  • Click Yes, then click Ok.

  • Click Yes again when prompted with "Are you sure you want to perform these actions?"

  • Disk Cleanup will remove the files and close automatically.

  • On the Disk Cleanup tab, if the "System Restore: Obsolete Data Stores" entry is available, remove them also.

  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

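The two questions in this thread (which restore point the quarantined file came from, and how to create a fresh point and drop all older ones) can both be answered from a script on the affected machine. The following is an added example, not code from either poster or from Malwarebytes: it assumes Windows XP SP3 with PowerShell 2.0 installed, run from an Administrator account (System Volume Information is not readable otherwise), and it stands in a placeholder GUID for the one the original poster left out of the path. It relies on two facts about XP's System Restore: each restore point lives in a folder named RP<n> where n is that point's sequence number, and the SystemRestore WMI class in root\default exposes the same points with their sequence numbers, creation times and descriptions. So the RP1985 in the quarantined path is simply restore point number 1985. The removal half uses SRRemoveRestorePoint from srclient.dll, the XP-era per-point deletion API, in place of the Disk Cleanup button.

```powershell
# Added example, not part of the thread. Windows XP SP3, PowerShell 2.0,
# run as Administrator. The GUID below is a placeholder for the one the
# poster omitted; the rest of the path is as given in the thread.
$quarantined = 'C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1985\A0316787.exe'

# On XP each restore point is stored in RP<n>, where n is its sequence
# number, so the folder name identifies the restore point directly.
if ($quarantined -match '\\RP(?<seq>\d+)\\') {
    $seq = [int]$Matches['seq']
} else {
    throw "Not a restore-point path: $quarantined"
}

# Enumerate restore points through the SystemRestore WMI class (root\default).
$srClass = [wmiclass]'root\default:SystemRestore'
$points  = @(Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
             Sort-Object SequenceNumber)

foreach ($p in $points) {
    $when = [Management.ManagementDateTimeConverter]::ToDateTime($p.CreationTime)
    $mark = ''
    if ($p.SequenceNumber -eq $seq) { $mark = '   <-- held the quarantined file' }
    '{0,5}  {1:yyyy-MM-dd HH:mm}  {2}{3}' -f $p.SequenceNumber, $when, $p.Description, $mark
}
if (-not ($points | Where-Object { $_.SequenceNumber -eq $seq })) {
    "RP$seq is no longer listed: it was aged out or already removed."
}

# The admin's procedure, scripted. Create a fresh restore point first
# (RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE).
$rc = $srClass.CreateRestorePoint('Post-cleanup baseline', 12, 100).ReturnValue
if ($rc -ne 0) { throw "CreateRestorePoint failed with code $rc" }

# Then delete every older point one at a time. SRRemoveRestorePoint takes the
# sequence number and returns 0 (ERROR_SUCCESS) when the point is gone.
Add-Type -Namespace SystemRestore -Name Native -MemberDefinition @'
[DllImport("srclient.dll")]
public static extern uint SRRemoveRestorePoint(uint dwRPNum);
'@

$newest = (Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
           Measure-Object SequenceNumber -Maximum).Maximum
foreach ($p in $points) {
    if ($p.SequenceNumber -lt $newest) {
        $rc = [SystemRestore.Native]::SRRemoveRestorePoint([uint32]$p.SequenceNumber)
        if ($rc -ne 0) { "SRRemoveRestorePoint($($p.SequenceNumber)) returned $rc" }
    }
}
```

Two caveats. Scan the machine and confirm it is clean before running the second half; once the older points are gone there is nothing to roll back to but the new baseline, which is exactly the point of creating it last. And this is XP-specific: from Vista onward restore points are VSS shadow copies, the RP<n> folders and srclient.dll's per-point removal no longer apply, and the equivalent cleanup is done with vssadmin. The route the original poster eventually took, turning System Restore off and on, corresponds to the same WMI class's Disable and Enable methods and wipes every point, including any you might have wanted to keep.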

Thanks for your response, Advanced Setup.

Are you saying that my having quarantined this one file would have corrupted the entire System Volume folder then? This file was placed in quarantine on Feb 26th. So if I tried to, say, go back to a restore point created yesterday, for example, would I then find that it wouldn't work? Would all the restore points created since Feb 26th therefore not work? Even if I ran the disk cleanup and kept one restore point? (I'm wondering if I need to just toggle System Restore on and off, although I hate to be completely without any restore points at all. But I guess if the entire folder is shot, there's nothing to lose by doing this.)

Edited to add (and I should have mentioned this before!), this is Windows XP SP3.


  • Root Admin

It really has nothing to do with whether or not you quarantined the file. If in fact it is malware and it was on the system during a snapshot process and was within the range of files that Microsoft backs up, then it would have backed it up all on its own.

Well, it's up to you what you do, but personally I would scan with MBAM and Anti-Virus and verify that you have no infection, and then remove the Restore Points and create a new one.


Hey there, Advanced Setup,

I went onto the MSE forum because I was trying to understand whether or not MSE could actually manage to quarantine one file out of System Volume without ruining the possibility of my ever successfully restoring anything. The suggestion there was that I toggle off System Restore and then restart it. The person who answered figured there would still be an infection in there. Well, there wasn't. I scanned the whole computer again today and nothing was found.

I guess I don't understand the nature of System Restore. I assumed that each time a restore point was created, it made some compressed copy of critical system files and the registry, which could be unpacked and restored any time one chose. A bit of further reading this morning makes me think that it really isn't that simple.

http://support.microsoft.com/kb/831829

So I figured it is as you've indicated, that it wouldn't be so nice and tidy as to just pluck one little infected restore point out of there and then everything would be fine.

Rather than risk some surprise maybe even a few weeks or months down the road where I need to restore the system and then find out I can't because one little .exe, or rather its absence, has corrupted the whole thing in some way, I figured it was safer to start from scratch.

The person from the MSE forum figured the infection would still be in the System Volume folder, which it isn't. I know sometimes an antivirus won't be able to clean a file out of the System Volume folder, but apparently MSE did manage to do that somehow.

I ended up turning off System Restore, letting it all clear out (took a couple of minutes) and then I started it back up. When I opened up System Restore, it had created a "System Checkpoint" at the time that I turned System Restore off, or maybe this is a brand new one created when I turned System Restore back on? I don't know. :) (10 years with a computer and I still don't know some of what should be basic stuff!)

Thanks again for bearing with me while I sort this stuff out. Sometimes it takes a bit of time.

BTW, the file MSE didn't like was part of an old Roller Coaster Tycoon game that's been on this computer for about 4 years now. It's one of those registration things. At virustotal, Microsoft was the only one that didn't like it. It had none of the characteristics and registry entries that Microsoft described in its encyclopedia.

MSE creates restore points before it cleans computers, and it created one before it quarantined this file. It looks like MSE then found it in the System Volume folder, where it had placed a copy of it, and complained about it being there. (What is the sense of MSE creating a restore point before cleaning a computer if it is then going to say System Volume is infected? :) I should speak to them about that. :D )
