What Does System Restore ACTUALLY Do?
Summary
TLDR: This video explores the inner workings of Windows' System Restore feature, which creates restore points to revert system changes causing issues. Despite not restoring personal data, it backs up more than expected, including the entire Windows directory and specific file types across the drive. It utilizes the Volume Shadow Copy Service for efficient backups. The video also advises enabling System Restore, which is disabled by default in recent Windows versions, and highlights its limitations and potential issues, such as interference from malware.
Takeaways
- System Restore in Windows is a feature that can revert the system to a previous state but is not always 100% reliable.
- According to Microsoft, System Restore monitors system changes and saves the system state without affecting user data or documents.
- System Restore uses the Volume Shadow Copy Service to back up more than just the listed file types, including the entire Windows directory.
- System Restore does not restore user data or documents, ensuring users won't lose personal files, emails, or browsing history.
- System Restore is not enabled by default in Windows 10 and Windows 11, and it's recommended to manually enable it for the main system drive.
- System Restore points can be triggered by application installations, Windows updates, or manually created through the system settings.
- The feature scans for a list of file types across the entire drive, not just the Windows directory, which could affect user-created files that match these types.
- System Restore is also capable of restoring drivers and programs, suggesting it interacts with the registry to manage installations and removals.
- The Volume Shadow Copy Service creates snapshots of the entire drive, which can be explored and used to recover files outside of what System Restore typically manages.
- Malware can target and delete shadow copies, which is a risk when relying on System Restore for recovery from infections.
Q & A
What is the primary function of the system restore feature in Windows?
- The system restore feature in Windows monitors system changes and saves the system state as a restore point, allowing users to return the system to a previous state if a problem develops due to a system change.
Does system restore affect personal documents and user data?
- No, system restore does not restore user data or documents, so it will not cause users to lose their files, email, browsing history, or favorites.
Why might someone need to enable system restore on their Windows computer?
- System restore is not enabled by default in Windows 10 and Windows 11, so users may need to enable it to have the option to restore their system to a previous state in case of system issues.
What triggers the creation of a system restore point?
- System restore points can be triggered by application installations, Windows updates, manual creation, or scheduling with the task scheduler. Additionally, initiating a restore using a restore point also creates a new restore point.
How does the system restore feature interact with the Volume Shadow Copy Service?
- System restore uses the Volume Shadow Copy Service to create a snapshot of the entire volume, which includes a 'difference' copy of the drive. This service is also used by system restore to restore the system to a previous state.
What is the practical implication of the Volume Shadow Copy Service for users?
- The Volume Shadow Copy Service allows users to explore and potentially recover files from snapshots even if they were deleted from the recycle bin, providing a way to restore files that system restore might not cover.
Can system restore be used to fix issues caused by malware?
- While system restore can be used to revert system changes, it's not specifically designed for malware removal. Some advanced malware may even delete shadow copies to prevent restoration to a previous state.
What are the limitations of relying on system restore for file recovery?
- System restore may not always have the most recent snapshot, and it only restores files that are part of the system state or on the list of monitored file types. It is not a substitute for a dedicated backup solution.
Why might system restore fail and what could be done to troubleshoot it?
- System restore might fail due to various reasons, such as interference from antivirus programs. Disabling the antivirus temporarily could be a troubleshooting step, but caution should be taken not to disable it if the restore is due to a virus.
What is the recommendation for users regarding system restore and additional backup solutions?
- It is recommended that users enable system restore and also utilize additional backup solutions like the File History feature or dedicated external hard drives for a more comprehensive data protection strategy.
Outlines
Understanding Windows System Restore
The first paragraph delves into the functionality of the system restore feature in Windows. It explains that while the feature is designed to revert system files to a previous state to resolve system issues, it does not affect user files, such as personal documents or browsing history. The system restore function is not enabled by default in Windows 10 and 11, but users are encouraged to activate it. The paragraph also discusses how system restore points are created automatically by the system or manually by the user, often triggered by events like software installations or system updates. The text highlights that the restore process is more extensive than it seems, using the Volume Shadow Copy Service to back up more than just the files listed in a restore point.
Exploring Volume Shadow Copy Service
The second paragraph focuses on the Volume Shadow Copy Service, a feature integral to Windows' backup process. This service does not create a full copy of the drive but instead creates a 'difference' copy, storing only the changes made to files. This method is similar to incremental backups, which saves storage space by only recording differences rather than duplicating the entire drive. Users can access these shadow copies using third-party tools like ShadowCopyView to recover specific files from past snapshots, even those not included in a typical system restore. The paragraph emphasizes that while useful, relying solely on shadow copies for backup is not recommended, as malware can delete these backups. Instead, a more comprehensive backup solution, such as the File History feature, is advised.
Best Practices for System Restore and Backups
The third paragraph provides practical advice on utilizing the system restore feature effectively. It reiterates that system restore backs up files based on specific file types, covering the entire Windows directory, including the registry and drivers. The paragraph stresses that while system restore can be a helpful tool for undoing changes from software installations or updates, it is not a reliable method for recovering from malware attacks. The text recommends enabling system restore for quick fixes but also using more robust backup methods, like the File History feature or dedicated backup drives, to ensure comprehensive data protection. The importance of regular backups and being prepared for potential system failures or malware infections is underscored, along with a call to action for viewers to engage with the content and subscribe for more tips.
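The workflow summarized above (turn on protection for C:, create a restore point, copy a file out of the snapshot), together with a check for shadow copies that have disappeared, written as an added PowerShell example that is not from the video. The function names and both paths are hypothetical, and it assumes an elevated Windows PowerShell 5.1 session with C: as the only protected volume.

```powershell
#Requires -RunAsAdministrator
# Added example. Run in Windows PowerShell 5.1; the *-ComputerRestore cmdlets
# are not available in PowerShell 7. Function names and both paths are hypothetical.
$Baseline = Join-Path $env:ProgramData 'vss-baseline.json'  # assumed state file
$Link     = 'C:\SnapshotView'                               # assumed temporary link

function New-RestorePointOnC {
    # Equivalent of "Turn on system protection" for C: in the settings dialog.
    Enable-ComputerRestore -Drive 'C:\'
    # By default this cmdlet creates at most one restore point per 24 hours;
    # extra calls inside that window are skipped with a warning.
    Checkpoint-Computer -Description 'Manual checkpoint' -RestorePointType MODIFY_SETTINGS
}

function Get-SnapshotInventory {
    # Every restore point is backed by a shadow copy of the whole volume.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Sort-Object InstallDate |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Copy-FileFromSnapshot {
    param(
        [Parameter(Mandatory)] [string] $RelativePath,  # path below the volume root
        [Parameter(Mandatory)] [string] $Destination
    )
    # Assumes C: is the only protected volume, so the newest snapshot is of C:.
    $latest = Get-SnapshotInventory | Select-Object -Last 1
    if (-not $latest) { throw 'No shadow copies exist on this machine.' }
    # The trailing backslash makes the link resolve to the snapshot's root directory.
    cmd /c mklink /d $Link "$($latest.DeviceObject)\" | Out-Null
    try {
        Copy-Item -LiteralPath (Join-Path $Link $RelativePath) -Destination $Destination
    } finally {
        cmd /c rmdir $Link   # removes only the link; the snapshot is untouched
    }
}

function Test-SnapshotBaseline {
    # Compare current snapshot IDs with the IDs recorded on the previous run.
    $currentIds = @(Get-SnapshotInventory | ForEach-Object { $_.ID })
    if (Test-Path $Baseline) {
        # ForEach-Object unrolls the array that ConvertFrom-Json emits as one object.
        $previousIds = @(Get-Content $Baseline -Raw | ConvertFrom-Json | ForEach-Object { $_ })
        $missing = @($previousIds | Where-Object { $_ -notin $currentIds })
        if ($previousIds.Count -gt 0 -and $currentIds.Count -eq 0) {
            # Old snapshots age out one by one; losing all of them at once is abnormal.
            Write-Warning "All $($previousIds.Count) shadow copies vanished since the last check."
        } elseif ($missing.Count -gt 0) {
            Write-Host "$($missing.Count) snapshot(s) removed, likely aged out by the size limit."
        }
    }
    ConvertTo-Json -InputObject $currentIds | Set-Content $Baseline
}

New-RestorePointOnC
Get-SnapshotInventory | Format-Table ID, InstallDate, DeviceObject -AutoSize
Get-CimInstance -ClassName Win32_ShadowStorage |
    Select-Object UsedSpace, AllocatedSpace, MaxSpace   # bytes; MaxSpace is the cap
Test-SnapshotBaseline
# Copy-FileFromSnapshot -RelativePath 'test.txt' -Destination 'D:\Recovered'
```

Running `Test-SnapshotBaseline` from a scheduled task turns the "malware can delete shadow copies" caveat into something that gets noticed before a restore is needed.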
Keywords
System Restore
Restore Point
Volume Shadow Copy Service
Windows Directory
Registry
File Types
Malware
Antivirus Interference
File History
System Protection
ShadowCopyView
Highlights
System Restore in Windows can be a lifesaver, but it's not always 100% reliable.
System Restore monitors system changes and saves the system state as a restore point.
It does not restore user data or documents, ensuring users won't lose personal files, emails, or browsing history.
System Restore is available in the Windows recovery environment or safe mode.
System Restore is not enabled by default in Windows 10 and Windows 11.
Enabling System Restore is recommended, especially on the main C drive.
System Restore points can be triggered by application installations, Windows updates, or manually created.
System Restore uses the Volume Shadow Copy Service to back up more than expected.
It backs up the entire Windows directory and monitors a list of file types across the entire drive.
System Restore likely involves additional logic beyond file type scanning to handle program installations and removals.
The Volume Shadow Copy Service creates a snapshot of the entire volume, storing differences rather than full copies.
Shadow copies can be explored and used to recover deleted files not restored by System Restore.
System Restore is best used for program-related issues rather than for malware or serious system failures.
Malware can delete shadow copies, making System Restore less reliable in such cases.
For file recovery, using the File History feature or a dedicated backup drive is more reliable than relying on System Restore.
System Restore can fail, and disabling antivirus temporarily might help, but not in the case of a virus.
The video provides a detailed exploration of System Restore's capabilities and limitations.
Transcripts
The system restore feature in Windows has been around forever, and it's saved me plenty
of times, although it's not always 100% reliable.
And it got me thinking, what exactly does the system restore feature restore and back
up?
I mean I know that it obviously does system files, but does it do the entire Windows directory,
what does it do outside of the Windows directory?
Because I know that it also claims to not restore or delete any personal documents and
stuff like that, so I kind of looked into it.
Now, the first resource that I came across of course, was the official Microsoft documentation.
And the summary they say is:
"System restore monitors system changes and saves the system state as a restore point.
If a system problem develops as a result of a system change, the user can return the system
to a previous state using the data from a restore point."
Then it goes on, "System restore does not restore user data or documents,
so it will not cause users to lose their files, email, browsing history or favorites.
System restore is also made available to users in the Windows recovery environment or safe
mode, making it easier for them to restore the computer to a state before the problems
occur."
But it doesn't exactly state what directories or anything specifically.
And it turns out that the system restore feature actually is a little bit more interesting
than I even anticipated.
It actually uses something called the Volume Shadow [Copy] Service, which I'll explain
what that is.
But needless to say, it actually kind of backs up quite a bit more than you expect, even
if it doesn't use all of it, which actually might come in handy,
so that's another thing we'll go over.
Now before we get too far into it, I wanna point out that the system restore feature
these days is actually not enabled by default in Windows.
Windows 10, Windows 11.
So I actually recommend you do go enable that feature.
You can do that by going to the start menu and searching "system restore", and then click
"create a restore point".
Now despite it saying, create a restore point, this actually just takes you to the general
system restore settings, so just ignore what it's called.
Anyway, in this window under protection settings in this box, it'll list the drives and whether
or not system restore is enabled on them.
I would definitely at least recommend enabling it on your main C drive.
The other
ones, probably not necessary because it's only going to restore system files and program
files anyway.
So unless you're installing programs to other drives, it won't make much of a difference.
If it's not enabled, just click to highlight the C drive and then click configure, choose
"turn on system protection" and then select whatever max usage you want, and what you're
comfortable with and just hit apply or, okay.
Now there's a few things that will trigger a system restore point creation.
First is an application installation, so you install a program, that usually will create
a restore point.
Also Windows update typically will.
You can also schedule them with a task scheduler, or you can manually create one of course.
And also interestingly, if you initiate a restore using a restore point, that will also
create a restore point.
So you can basically restore if you mess up a restoration.
And when you do go to restore a point, if you select it manually, you can actually choose
to scan affected programs, and it will try and give you an idea of what programs might
be removed or drivers as well.
And those are just the ones that you've installed since
the last system restore point.
All right so we're going back to the main question, so what exactly does this do?
And I actually kind of had to dig quite a bit to find this.
There is actually a list of file types that it will scan for across the entire drive apparently.
So what I've read is there was some ancient article, and this is the only place I've ever
seen this mentioned, is that it will back up the entire Windows
directory.
So no matter what, it'll back up the entire Windows directory.
And then for the rest of the system, it will use a list of file types that it will scan
for and monitor, and restore those.
So this means that even though it says it's not going to restore documents and stuff,
because that's not on the list of file types,
if you for example create an exe file or you're a developer something, and maybe you use other
file types that are on this list, theoretically it will actually roll those back and get rid
of them.
So that's something to be aware of.
Besides just restoring file types though, it does restore drivers, programs, like I
mentioned before, and updates.
So because of this, I believe it has to have some other kind of additional logic in there
besides just scanning for if it's a file type that matches this extension, restore it, if
not don't.
Because otherwise, how would it undo the installation of certain programs, without deleting the
whole directory.
So I think it must also go into the registry,
it does back up the registry by the way, and see where programs are installed and just
delete that whole directory too.
I believe, is how it works.
Otherwise, like I said, if it just deleted all the files, it would just leave empty directories
for those programs, which it doesn't do.
Now, I'm not 100% sure because this is not documented anywhere.
So that's a bit annoying, but that's basically the best I could find.
Now here's an interesting thing though.
I'm talking about what system restore restores and backs up, but actually behind the scenes,
there's actually way more that is backed up than what system restore actually uses.
And that's because ever since Windows Vista, the system restore feature uses something
called the volume shadow copy service.
And this is kind of like a totally separate Windows service that just is used by system
restore, but it's also used by plenty of other things.
And basically that creates a copy of your entire drive, effectively.
Now it doesn't create a one-to-one copy, but it basically creates a "difference" copy.
So you probably have seen this in some programs that do backups that are incremental backups.
So instead of literally making a copy of your whole drive and doubling the amount of data,
if you change a file, it'll literally just record the change in that specific file, so
it might only take up like a few kilobytes, even if the file is very large.
So effectively what happens is when you go to create a restore point, it really actually
calls this volume shadow copy service, which then creates a snapshot of the entire volume,
or at least the difference of it, so that it can go back and recreate
what that whole drive looked like.
So really it's not just storing just the stuff that system restore point is using, but actually
the entire drive.
And that actually has an interesting implication, because you can actually go into that shadow
copy, explore it, and take files out of it.
Even older versions,
if it's in there, if you deleted a file, you delete it from the recycle bin, but it was
in that snapshot, you can actually go back and get it.
Even if it was not something that would've been restored by system restore.
So here's how to do that.
There's a program called ShadowCopyView by Nirsoft.
You probably heard me talk about him before.
Basically he creates all these very specific Windows utilities, one of them is going to
allow you to look into these shadow copies.
So you open it up and it'll list them right there, it'll show you the date they're created.
And these are effectively system restore points, unless you have some other program that creates
them for other reasons.
And in here you can basically see it is an entire snapshot of the whole drive at the
time.
It's almost one to one compared to what you see on my main drive now, because I created
this test shot not too long ago.
But again, it's not a one to one copy, it just stores the differences.
So if there's no difference, then it's not gonna take up any
space.
So I'll show you an example.
I'll create this test file in the C drive, and just say, "this is before the snapshot",
and then I'll go and create a system restore point, so here I'm going to do that.
And then if we refresh ShadowCopyView, we can see there's a new one that appeared.
And there is that file that I just created.
So now what I can do, is go into this text file and change it to pretend like I messed
it up or something.
But if we go back into that shadow copy, I can actually use this program to copy it out,
and let's just put it in the B drive.
And if I open it back up now, it's what it was before.
So this is not even something that would have been restored if I ran a whole system restore,
because it technically would be a personal document or whatever,
it's not on that list.
But because it is backed up by the shadow copy service, which doesn't care, I was able
to go back and grab it anyway.
So that is something I even did not know before researching this video.
So basically if you mess up a file, you could theoretically use this as kind of like a hail
mary to see,
"oh, I hope it's maybe in a snapshot", you might be able to restore it.
Although I definitely would not rely on this because, if you aren't creating snapshots
regularly, then you don't know when the last one will be.
And Windows doesn't tend to keep too many anyway.
We saw that there was a hard limit on the allocation size.
And I think by default, it's only like a few percentage, or like 10 gigabytes max, it's
not gonna store too much.
You'd be way better off using the actual File History feature, which is dedicated for this
purpose.
It will hourly back up all your files or the differences of them, so if you do mess up
a file, you're way more likely to be able to restore it using that feature.
And you could just buy a dedicated hard drive through USB or something, put it on there,
then you don't have to worry.
I still would have an actual backup drive to do like a full backup, but that is still better
than nothing.
And I did make a video talking about that before actually.
Another reason why you don't want to necessarily rely on system restore, especially for malware
or something, is I've actually seen examples of certain advanced malware where one of the
things it does
is deletes all the shadow copies.
So you can't go back to a previous one knowing that you have a virus, so that's definitely
something to be aware of.
You're better off just creating you know, backups that are disconnected when you're
not creating the backup.
And that way, if a virus gets you, there's not gonna be any way for it to infect the
disconnected copy,
and you can restore from that.
Really in my opinion, the best use case for system restore is if you do install a program,
that for whatever reason messes up Windows, or you uninstall a program and it does the
same thing, but it's not a virus.
That's probably where you would use system restore.
The only problem is there's plenty of times where I've tried to do a system restore and
for whatever reason it fails.
And it doesn't tell you why, possibly it could be an antivirus program interfering, so maybe
that's something to try is disable the antivirus if you're trying to restore.
Don't do that if you have a virus and that's the reason you're trying to do it, just something
to try.
All right now, because I think I rambled a lot in this video.
Let me try and sum it up more concisely to answer the question.
What exactly does the system restore feature backup and restore?
And basically anything on this list of file types, no matter where is on the drive, and
it also apparently backs up the entire Windows directory.
Now, when I said that it backs up the Windows registry and drivers, that all is included
in the Windows directory.
So that's why it does those.
And also to be clear, it doesn't appear to exclude any directories.
So if you have an exe file for example, in your documents folder, it will also roll back
and restore those too.
And that's because theoretically, a virus could put itself anywhere, could even be put
in a user directory.
So it's not like it just decides, "well, anything in the documents folder must be documents.
We're not gonna touch that."
It literally looks anywhere for those file types.
Like I mentioned, I do believe that there is some additional logic in there for removing
program file directories.
Not 100% sure on that,
you could correct me if I'm wrong.
But I think that it definitely must do something like that.
So yeah.
I learned a few things in making this video, maybe you did, too.
If anything, you learned you should probably enable that feature cause I think it's really
useful.
Don't know why it's disabled by default now.
And now you can know what exactly it does.
So let me know what you think down the comments.
Of course, if I messed anything up, let me know and I'll make a correction in the pinned
comment, description, all that good stuff.
If you like this video, maybe consider checking out the rest of my channel and subscribing.
If you do also be sure to click the bell to enable all notifications.
These days, YouTube might not show you videos
even if you do subscribe.
If you wanna keep watching, the next video I'd recommend is the one where I was talking
about that file history feature, and how to use that and why I think you should.
So you can just click on that right there.
So thanks so much for watching guys, and I'll see you in the next video.