Is there a tool for testing restore points for validity on Windows 7

I had all my restore points corrupted by past malware, most likely.
I got errors when trying to use system restore to get rid of the malware that the restore point could not be extracted.

I removed the malware, so this post is not about malware, I am not posting in the malware forum because of that.

I have manually created a few restore points since that was removed, but I am not exactly sure they are working.

So my question is this:
Is there a tool that can test restore points that have been created for validity?

Or a way to make sure system restore is working properly>

 

I am pretty sure.

I went through the process at Bleepingcomputer, but I had already removed the malware. They declare it clean, So yeah, expert. But I am pretty good, so I had already killed the malware before that.

It's windows 7 professional, SP1, 64 Bit, an 8 core xeon Dell Precision 490.

 

Well, I did run the tweaking tool.

What this post is about is verifying that the restore points are valid and working.

The system is working.

 

I realize that works, I was hoping some clever person had written a tool to test them.

 

Well, yeah, sure. But I have used system restore to roll back malware from customers machines many times. Customers almost never have backups that are useable.

 

That was not a question, just a statement. It doesn't require an answer. Heh.

 

I completely agree, but lacking any backups or any other solution, that's the first thing I do.

 

To see if a restore point is working, I create one. Next I download a few things like a picture, a small program, create a text file and dump it on my desktop.

I then go to the restore point I created and restore. If the picture, the downloaded program and the txt file (saved to my desktop) are gone, I know the restore point worked.

 

Well, I have missing restore points. Every couple of days they all disappear.
I was looking through the task scheduler to see if some past malware had planted a task to delete them, but I couldn't put my finger on anything.

I created four yesterday, and today they disappeared.
I created two more, they are still here. But none are being created automatically.
I feel sure in a day or so my two restore points will be gone.

Can anyone give me some procedures to isolate this problem?

Thanks.

 

Sttevo...

Right click on Computer->Properties->System Protection tab->check to make sure System Restore is on for the Windows drive. Next click on configure and see how much space System Restore is set to use. If this number is low or very low, System Restore won't keep many restore points. You could get the impression they are disappearing quickly...

 

I increased it to 120 gb. Before this all started. Or during it, the increase didn't change anything.

 

Steevo...

OK, well, that may or may not change it at first, but you don't need it at more than 5-10 GB for there to be 20 or more restore points. If you were more than that before you changed the number, you can just put it back, because that isn't the problem. I keep system restore at around 5 GB, and it works very well at that number for me. Most of the PCs I have here have 160 GB drives, so that number works best for those, especially. I get 20-30 restore points with that amount...

Do you use a cleaner program? I think some of them remove restore points...

 

I just bumped it up, I have disk space to burn. Ruled that out as a problem.

I just used the farbar one, and it did get rid of restore points, (or they were missing) but that does not explain before, and there are none being automatically created.

If I could get them to being automatically created again, that is a big part of the problem. Not being created.

And then, something is wiping them out. Not sure what.

 

Well I just learned something I never knew.

Source: https://msdn.microsoft.com/en-us/library/aa378910(VS.85).aspx

This portable program looks like something for you. It creates a restore point (you just have to remember to run it) and it can be used to restore any of the points that you created.
http://www.thewindowsclub.com/system-restore-manager-for-windows-released

I've downloaded it and I'll kick the tires.

 

That is interesting.

I'm using system restore manager.

Not sure whether it runs all the time after install or not, but someone suggested it might be doing something to my restore points.
Oh, I just looked, it's a standalone executable. Not installed.

I haven't been able to get a rise out of the author over there. He has not responded on the forums in a couple years.

 

I created a restore point through this exe this morning. I didn't want to do it yesterday because I already had one generated by system restore. It created my restore point and then I opened the system restore in Windows 7 and it appears there.

 

Yes, mine do too.
But in a day or two, poof. Gone.

That's the problem.
Not that I cannot create restore points.

1. That they are not created automatically
2. That they are gone a day or two later.
3. That when I need one there are none.

 

About that system restore manager.
It makes restore points, but at least on windows 7 it is not able to change the auto creation interval.

Or when I change the interval it does not change when I rerun the executable.

So that tool probably needs maintenance, and it's not getting any from the author. Is he still alive?

I just don't know.

 

Greetings, Steevo.

To verify something mentioned earlier by AtlBo: the restore points that disappear are for the %SystemRoot% drive (normally "C:") and not for partitions or separate drives?

Also: does the machine in question ever "go to sleep" or hibernate? If so, have you tried disabling sleep or hibernate modes (or for that matter, just leave the machine on for several days) to see if the symptoms change?

 

I'm now searching for restore points disappearing.
One thing that was discovered is the system had malware. Why not head over to the malware section http://forums.majorgeeks.com/showthread.php?t=35407
download the MG Tools, get the logs and have someone look them over to be sure the computer is clean.

Another thing I've seen mentioned are programs that remove them: Kaspersky was mentioned as well as Auslogics Disk Defrag. There may be others that do this too.

Then I found one site that claims if you edit the registry, you can fix this.
Directions here:
http://www.askvg.com/fix-windows-7-deletes-all-system-restore-points-upon-reboot/
(I hate that there is no date on this so I have no idea if this has been corrected).

 

Yes, they are drive C.
That had system restore space set to zero, a few weeks ago troubleshooting this problem I found that and increased that greatly, much more than needed.
That has not fixed the problem.

It also does not happen on reboot. Yesterday the restore points I had created the day before were there at 7:30 AM, but by 10:30 there were none.

The one I created with system restore manager at 7:35 this AM is still there now, after 8 PM.

 

It is not reboot related. They just disappear. I posted on it above.

I am going to run mg tools.
Should I start a thread somewhere to have the log reviewed, or is this OK?

 

Here is the log MGtools created.

Well, I clicked to attach it, but I don't see it.
Oh, there it is on the pulldown.

 

You should start a thread in the Malware Removal Forum.

 

OK. Incidentally, this morning the manually created restore point that was there last night is gone.
No reboot.

So I dunno.

 

Can someone move post 23 to the malware section?

 

One quickie, just to get it out of the way: do the symptoms change while booted into Safe Mode? You might try creating a restore point in Safe Mode, letting the machine run overnight in SM and seeing if the RP is still there - the results might give additional troubleshooting ammo/info...

 

And I don't see it in services.

So that is the problem.
How can I get it running, and maybe this will go away?

OK, I have software protection. Stopped.
It's set to delayed start. Should it be set to delayed start?
I just started it.
Is that the one?

I also notice that security center is also set to delayed start.
Windows defender is also set to delayed start.

If someone has a windows 7 machine and can look at their services and say how theirs are set.

 

At the moment I have restarted the software protection service.
I will be watching to see if it stays running or is stopped.
If it is stopped by something that might be the past malware. If it keeps running then I know it was just me. Heh.
This kind of stuff will give you humility.

If it stops I have to find out why.
As I mentioned I looked in task manager but I didn't see anything that looked hinky.

If software protection stays running and restore points are back to working, I will know by tomorrow. One way or another.

 

I have been kicked back here from the malware forum.

 

It seems software protection might be related to microsoft licensing, not system restore or system protection.

 

What is the name of that service?

 

I just started Windows Backup and set it to automatic.

I found this.
http://answers.microsoft.com/en-us/...7/ac4d0845-d3f0-415a-b19f-87ebb64e4bea?auth=1

I just looked and they are both set to not configured. Which is correct according to the Microsoft post.

 

I just checked, I have no restore points.
I created one. I used SRM.
It's not there, it was not created.
Or it was deleted immediately afterward by something.

I created one again with SRM.
It is now there. Both of them. Odd.
A delay to appears.

I just created another one with system protection.

I looked in system restore manager and all three are there.

I will be watching to see if these disappear.

 

I have four restore points as of this moment.

FWIW, when I first started working on this problem it was that the restore points were somehow corrupted. Unuseable.

Later, they disappeared completely.

By tomorrow I will know if they are staying around.

 

Well, you are the one that said the resource is not running, this morning.

I believe it's running now.

When I started troubleshooting this issue a couple months agor, I had corrupt restore points. I would try to do a restore and I got an error that the restore point was not usable.

Then, the restore points were not there at all, the message was that I have not created any restore points.

I then created some manually, and they were there. Then, over night, without reboot, they would be missing in the morning. This AM this happened. at about 7 the restore points were listed, and by 8:30, they were gone.

If system restore is being turned off it's not by me, which is why I was reviewing task scheduler. To see if a task had been placed, by malware, that was deleting my restore points.

I didn't find anything obvious. Still looking.

 

Good morning.

To repeat from post #27: do the symptoms change when the machine has been booted into Safe Mode?

 

Yeah, well, I have not tried that, since at the moment my restore points from yesterday are still here. So booting in safe mode wouldn't change anything.

In a couple of hours I will know if they disappear or not now. I did restart the service. The restore points from yesterday survived overnight.

And I have UAC off, which is unbelievably pleasant. I forgot what an irritation that thing is. I turned it off to run MG Tools, as instructed.

 

As of right now my restore points that I manually created are still there.
By tomorrow I should have an automatically created one.
If that shows up things are improving.

 

OK, things are looking up a little, I guess.

My four manually created restore points are now gone, in both system restore with show more restore points selected,

and in System Restore Manager v2.

But I do have a restore point from windows update, I haven't seen that in a while.

So I dunno, why would manually created restore points disappear? But I do now have the one automatically created one.

Odd.

I will be watching this to see if the automatically created one disappears.
I will manually create one now, so I will have two, and I can watch to see what happens.

Something is still deleting my restore points. Likely a vestige of old malware (I hope).
I hope means I hope it's just a vestige.

 

It's 7:47 AM and I still have the two restore points.
Later today I will check again.

 

How much space is allocated for system restore?

I noticed something unexplainable: I increased the allocated space in Windows System Restore and yet the allocated space doesn't change in the standalone program so I guess it uses exactly what it wants. I haven't rebooted the computer to see if it changes. The maximum increases but that doesn't help if the allocated space stays at a lower number.

 

For the C drive I have 2.53 GB at this time.

 

I have 5 restore points showing. 2 were created by MS and the other three by me. Those 5 are using a total of 2.84GB (mine says 3.29GB allotted).

Now depending on the size of the restore points, if I only had 2.53, I would not be allowed 5 restore points because it goes over that value.

I don't depend on restore points because I make images but if I did, I'd sure want to be able to save more than 5.

I'll create a few more in the next few days and see when the first one disappears so I know how many my allotment can handle.

 

Wonder where I got that 2.53 gb? Somewhere. Maybe that is what was being used for the two restore points I had this AM.

I have none now. Both are gone as I type this.
I have 92 gb allocated for system restore for the C drive on the system protection tab.

Something is still deleting my restore points.

 

I just manually created one.
It is there.
It will be gone by tomorrow.

I have to find the problem here.