Monday, November 10, 2014

System Restore - Disable, or Not to Disable...

Most users are probably familiar with Windows System Restore and have fallen back on it on more than one occasion. For those unfamiliar with the feature, System Restore is a Windows utility that periodically saves the changes made to the system and lets you roll the system back to an earlier state when the PC becomes unstable or a program fails. The best part of System Restore is that it does not touch user files such as Word documents or pictures; it only rolls back things like changes to the Registry, installed or uninstalled programs and Windows Updates.

However, when the system is infected, System Restore is likely to have captured infected system files and viruses as well. Because System Restore monitors all operating system files, installed programs and Windows Registry settings, the changes an infection makes to those components are backed up too. Windows creates restore points automatically and does not check for any infection or malware present on your system. By design, System Restore does not allow any other program to handle the files stored in the restore folder, so virus removal programs such as Symantec have trouble clearing infected files out of it. For example, in a system I recently repaired, a Kaspersky scan continued to show Trojan files trapped in files that begin with “C:\System Volume Information\_restore…”

While the internet can be a virtually endless wealth of information, it can also breed misinformation and half-cocked rumors. Many self-proclaimed technicians are under the impression that viruses in System Restore will creep out of that folder and re-infect the system after the infection has been removed. The fact is, viruses in that folder are dormant and more or less harmless: they do nothing while sitting there until a user activates an infected restore point by restoring to it.

So these files should still be removed, but not until the system has been repaired and confirmed clean, so that System Restore remains available for exactly what it was meant for. Technicians are human beings, and human beings make mistakes; that is where System Restore comes in. A blanket statement that you should always delete restore points is therefore a little excessive. Whether you should depends on the infection, when it occurred, and whether the system files were clean at the time the restore points were made.
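To make that decision concrete, here is an added PowerShell example (not from the original post) that lists the restore points on a Windows 7/8 machine and flags those created on or after the date the technician believes the infection began, using Get-ComputerRestorePoint from an elevated Windows PowerShell session. The infection date, the C: drive and the "Post-cleanup baseline" description are assumed placeholders.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 on a
# client OS with System Restore enabled, run from an elevated session.
param(
    # Placeholder: the date the technician believes the infection started.
    [datetime]$InfectionDate = (Get-Date '2014-11-01')
)

function Get-RestorePointTriage {
    param([datetime]$InfectionDate)
    # Get-ComputerRestorePoint returns WMI SystemRestore instances whose
    # CreationTime is a DMTF datetime string, hence the ConvertToDateTime call.
    Get-ComputerRestorePoint | ForEach-Object {
        $created = $_.ConvertToDateTime($_.CreationTime)
        [pscustomobject]@{
            SequenceNumber = $_.SequenceNumber
            Created        = $created
            Description    = $_.Description
            # Points made on or after the infection date may have backed up the
            # infected files and should go once the cleanup is confirmed; earlier
            # points are the ones worth keeping as a fallback if the repair goes wrong.
            Verdict        = if ($created -ge $InfectionDate) { 'Remove after cleanup is confirmed' } else { 'Keep' }
        }
    }
}

Get-RestorePointTriage -InfectionDate $InfectionDate | Sort-Object Created | Format-Table -AutoSize

# Restore points are stored as VSS shadow copies under System Volume Information;
# listing them shows the creation time of each copy on the drive.
vssadmin list shadows /for=C:

# Once the system has been repaired and confirmed clean, the old points can be
# cleared in one step without disabling System Restore, and a fresh known-clean
# point taken so there is still something to roll back to. Both lines are left
# commented out so the script never deletes anything by accident.
# vssadmin delete shadows /for=C: /all
# Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
```

A specific shadow copy can also be removed with `vssadmin delete shadows /shadow={ID}` using the ID from the listing, which lets you keep pre-infection points while discarding the later ones.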

Taking all of this into consideration reaffirms my emphasis on a reliable backup routine. Many enterprise environments don't even bother with removing infections - they just restore the user to the most recent backup. This is also where Roaming Profiles (aka User Redirect) come into play. But that's all for another article...