What Does System Restore ACTUALLY Do?

00:00

The system restore feature in Windows has been around forever, and it's saved me plenty

00:04

of times, although it's not always 100% reliable.

00:07

And it got me thinking, what exactly does the system restore feature restore and back

00:12

up?

00:13

I mean I know that it obviously does system files, but does it do the entire Windows directory,

00:17

what does it do outside of the Windows directory?

00:20

Because I know that it also claims to not restore or delete any personal documents and

00:26

stuff like that, so I kind of looked into it.

00:28

Now, the first resource that I came across of course, was the official Microsoft documentation.

00:32

And the summary they say is:

00:34

"System restore monitors system changes and saves the system state as a restore point.

00:38

If a system problem develops as a result of a system change, the user can return the system

00:42

to a previous state using the data from a restore point."

00:45

Then it goes on, "System restore does not restore user data or documents,

00:48

so it will not cause users to lose their files, email browsing history or favorites.

00:52

System restore is also made available to users in the Windows recovery environment or safe

00:56

mode, making it easier for them to restore the computer to a state before the problems

01:00

occur."

01:01

But it doesn't exactly state what directories or anything specifically.

01:05

And it turns out that the system restore feature actually is a little bit more interesting

01:08

than I even anticipated.

01:09

It actually uses something called the Volume Shadow [Copy] Service, which I'll explain

01:14

what that is.

01:15

But needless to say, it actually kind of backs up quite a bit more than you expect, even

01:19

if it doesn't use all of it, which actually might come in handy,

01:22

so that's another thing we'll go over.

01:24

Now before we get too far into it, I wanna point out that the system restore feature

01:27

these days is actually not enabled by default in Windows.

01:30

Windows 10, Windows 11.

01:32

So I actually recommend you do go enable that feature.

01:35

You can do that by going to the start menu and searching "system restore", and then click

01:39

"create a restore point".

01:41

Now despite it saying, create a restore point, this actually just takes you to the general

01:44

system restore settings, so just ignore what it's called.

01:47

Anyway, in this window under protection settings in this box, it'll list the drives and whether

01:51

or not system restore is enabled on them.

01:54

I would definitely at least recommend enabling it on your main C drive.

01:58

The other

01:59

one's, probably not necessary because it's only going to restore system files and program

02:04

files anyway.

02:05

So unless you're installing programs to other drives, it won't make much of a difference.

02:09

If it's not enabled, just click to highlight the C drive and then click configure, choose

02:14

"turn on system protection" and then select whatever max usage you want, and what you're

02:19

comfortable with and just hit apply or, okay.

02:22

Now there's a few things that will trigger a system restore point creation.

02:26

First is an application installation, so you install a program, that usually will create

02:30

a restore point.

02:32

Also Windows update typically will.

02:34

You can also schedule them with a task scheduler, or you can manual create one of course.

02:38

And also interestingly, if you initiate a restore using a restore point, that will also

02:44

create a restore point.

02:45

So you can basically restore if you mess up a restoration.

02:48

And when you do go to restore a point, if you select it manually, you can actually choose

02:52

to scan affected programs, and it will try and give you an idea of what programs might

02:56

be removed or drivers as well.

02:59

And those are just the ones that you've installed since

03:02

the last system restore point.

03:03

All right so we're going back to the main question, so what exactly does this do?

03:07

And I actually kind of had to dig quite a bit to find this.

03:10

There is actually a list of file types that it will scan for across the entire drive apparently.

03:17

So what I've read is there was some ancient article, and this is the only place I've ever

03:20

seen this mentioned, is that it will back up the entire Windows

03:24

directory.

03:26

So no matter what, it'll back up the entire Windows directory.

03:28

And then for the rest of the system, it will use a list of file types that it will scan

03:34

for and monitor, and restore those.

03:36

So this means that even though it says it's not going to restore documents and stuff,

03:40

because that's not on the list of file types,

03:42

if you for example create an exe file or you're a developer something, and maybe you use other

03:49

file types that are on this list, theoretically it will actually roll those back and get rid

03:53

of them.

03:54

So that's something to be aware of.

03:56

Besides just restoring file types though, it does restore drivers, programs, like I

03:59

mentioned before, and updates.

04:01

So because of this, I believe it has to have some other kind of additional logic in there

04:06

besides just scanning for if it's a file type that matches this extension, restore it, if

04:11

not don't.

04:13

Because otherwise, how would it undo the installation of certain programs, without deleting the

04:18

whole directory.

04:19

So I think it must also go into the registry,

04:22

it does back up the registry by the way, and see where programs are installed and just

04:27

delete that whole directory too.

04:28

I believe, is how it works.

04:29

Otherwise, like I said, if it just deleted all the files, it would just leave empty directories

04:33

for those programs, which it doesn't do.

04:35

Now, I'm not 100% sure because this is not documented anywhere.

04:39

So that's a bit annoying, but that's basically the best I could find.

04:42

Now here's an interesting thing though.

04:43

I'm talking about what system restore restores and backs up, but actually behind the scenes,

04:49

there's actually way more that is backed up than what system restore actually uses.

04:54

And that's because ever since Windows Vista, the system restore feature uses something

04:59

called the volume shadow copy service.

05:01

And this is kind of like a totally separate Windows service that just is used by system

05:06

restore, but it's also used by plenty of other things.

05:09

And basically that creates a copy of your entire drive, effectively.

05:14

Now it doesn't create a one-to-one copy, but it basically creates a "difference" copy.

05:19

So you probably have seen this in some programs that do backups that are incremental backups.

05:24

So instead of literally making a copy of your whole drive and doubling the amount of data,

05:28

if you change a file, it'll literally just record the change in that specific file, so

05:34

it might only take up like a few kilobytes, even if the file is very large.

05:39

So effectively what happens is when you go to create a restore point, it really actually

05:43

calls this volume shadow copy service, which then creates a snapshot of the entire volume,

05:49

or at least the difference of it, so that it can go back and recreate

05:53

what that whole drive looked like.

05:55

So really it's not just storing just the stuff that system restore point is using, but actually

06:02

the entire drive.

06:03

And that actually has an interesting implication, because you can actually go into that shadow

06:08

copy, explore it, and take files out of it.

06:12

Even older versions,

06:13

if it's in there, if you deleted a file, you delete it from the recycle bin, but it was

06:16

in that snapshot, you can actually go back and get it.

06:19

Even if it was not something that would've been restored by system restore.

06:22

So here's how to do that.

06:23

There's a program called ShadowCopyView by Nirsoft.

06:26

You probably heard me talk about him before.

06:28

Basically he creates all these very specific Windows utilities, one of them is going to

06:33

allow you to look into these shadow copies.

06:35

So you open it up and it'll list them right there, it'll show you the date they're created.

06:38

And these are effectively system restore points, unless you have some other program that creates

06:43

them for other reasons.

06:45

And in here you can basically see it is an entire snapshot of the whole drive at the

06:49

time.

06:50

It's almost one to one compared to what you see on my main drive now, because I created

06:54

this test shot not too long ago.

06:55

But again, it's not a one to one copy, it just stores the differences.

06:58

So if there's no difference, then it's not gonna take up any

07:01

space.

07:02

So I'll show you an example.

07:03

I'll create this test file in the C drive, and just say, "this is before the snapshot",

07:07

and then I'll go and create a system restore point, so here I'm going to do that.

07:12

And then if we refresh ShadowCopyView, we can see there's a new one that appeared.

07:16

And there is that file that I just created.

07:19

So now what I can do, is go into this text file and change it to pretend like I messed

07:23

it up or something.

07:24

But if we go back into that shadow copy, I can actually use this program to copy it out,

07:29

and let's just put it in the B drive.

07:31

And if I open it back up now, it's what it was before.

07:34

So this is not even something that would have been restored if I ran a whole system restore,

07:39

because it technically would be a personal document or whatever,

07:41

it's not on that list.

07:43

But because it is backed up by the shadow copy service, which doesn't care, I was able

07:48

to go back and grab it anyway.

07:49

So that is something I even did not know before researching this video.

07:52

So basically if you mess up a file, you could theoretically use this as kind of like a hail

07:56

mary to see,

07:57

"oh, I hope it's maybe in a snapshot", you might be able to restore it.

08:00

Although I definitely would not rely on this because, if you aren't creating snapshots

08:05

regularly, then you don't know when the last one will be.

08:08

And Windows doesn't tend to keep too many anyway.

08:11

We saw that there was a hard limit on the allocation size.

08:15

And I think by default, it's only like a few percentage, or like 10 gigabytes max, it's

08:20

not gonna store too much.

08:21

You'd be way better off using the actual File History feature, which is dedicated for this

08:25

purpose.

08:26

It will hourly back up all your files or the differences of them, so if you do mess up

08:31

a file, you're way more likely to be able to restore it using that feature.

08:35

And you could just buy a dedicated hard drive through USB or something, put it on there,

08:39

then you don't have to worry.

08:40

I still would have a actual backup drive to do like a full backup, but that is still better

08:45

than nothing.

08:46

And I did make a video talking about that before actually.

08:48

Another reason why you don't want to necessarily rely on system restore, especially for malware

08:52

or something, is I've actually seen examples of certain advanced malware where one of the

08:57

things it does

08:58

is deletes all the shadow copies.

09:00

So you can't go back to a previous one knowing that you have a virus, so that's definitely

09:05

something to be aware of.

09:06

You're better off just creating you know, backups that are disconnected when you're

09:10

not creating the backup.

09:12

And that way, if a virus gets you, there's not gonna be any way for it to infect the

09:16

disconnected copy,

09:17

and you can restore from that.

09:18

Really in my opinion, the best use case for system restore is if you do install a program,

09:23

that for whatever reason messes up Windows, or you uninstall a program and it does the

09:27

same thing, but it's not a virus.

09:29

That's probably where you would use system restore.

09:31

The only problem is there's plenty of times where I've tried to do a system restore and

09:34

for whatever reason it fails.

09:36

And it doesn't tell you why, possibly it could be an antivirus program interfering, so maybe

09:41

that's something to try is disable the antivirus if you're trying to restore.

09:46

Don't do that if you have a virus and that's the reason you're trying to do it, just something

09:49

to try.

09:50

All right now, because I think I rambled a lot in this video.

09:52

Let me try and sum it up more concisely to answer the question.

09:54

What exactly does the system restore feature backup and restore?

09:59

And basically anything on this list of file types, no matter where is on the drive, and

10:04

it also apparently backs up the entire Windows directory.

10:07

Now, when I said that it backs up the Windows registry and drivers, that all is included

10:12

in the Windows directory.

10:14

So that's why it does those.

10:16

And also to be clear, it doesn't appear to exclude any directories.

10:19

So if you have an exe file for example, in your documents folder, it will also roll back

10:25

and restore those too.

10:26

And that's because theoretically, a virus could put itself anywhere, could even be put

10:31

in a user directory.

10:32

So it's not like it just decides, "well, anything in the documents folder must be documents.

10:36

We're not gonna touch that."

10:37

It literally looks anywhere for those file types.

10:40

Like I mentioned, I do believe that there is some additional logic in there for removing

10:44

program file directories.

10:46

Not 100% sure on that,

10:47

you could correct me if I'm wrong.

10:49

But I think that it definitely must do something like that.

10:51

So yeah.

10:52

I learned a few things in making this video, maybe you did, too.

10:55

If anything, you learned you should probably enable that feature cause I think it's really

10:58

useful.

10:59

Don't know why it's disabled by default now.

11:01

And now you can know what exactly it does.

11:04

So let me know what you think down the comments.

11:05

Of course, if I messed anything up, let me know and I'll make a correction in the pinned

11:09

comment, description, all that good stuff.

11:11

If you like this video, maybe consider checking out the rest of my channel and subscribing.

11:15

If you do also be sure to click the bell to enable all notifications.

11:18

These days, YouTube might not show you videos

11:19

even if you do subscribe.

11:21

If you wanna keep watching, the next video I'd recommend is the one where I was talking

11:24

about that file history feature, and how to use that and why I think you should.

11:27

So you can just click on that right there.

11:29

So thanks so much for watching guys, and I'll see you in the next video.