Vista - Manual System Restore with BartPE

[goombawaho]

I have often recovered XP systems using the procedure outlined here by booting from a BartPE CD. (

http://www.icompute.info/restore_with_B_PE_disk.htm).

Basically a manual copy and rename of the backup registry files from System Volume Information\Restore PointXXX to C:\Windows\Config. It works quite well.

I tried booting to BartPE in Vista and I don't see the same folders/files in the System Volume Information folder in Vista. I can't find any registry files in the RPxx folders.

Is there a way to do what I want in Vista or is the System Restore (restore points) folder structure different?? Or maybe the files are hidden.

 

[linney]

Are the Registry Backup kept in this type of location rather than any RPxx folder?

C:\System Volume Information\ {746623ff-0ce0-11de-ad61-001bfcb6f3a7}{3808876b-c176-4e48-b7ae-04046e6cc752}, the latter being a system file of which I have no idea how to access any of the contents? Also the alphanumeric file name varies too.

On the positive side, you will find a couple of recent backups of the Registry files in C:\Windows\System32\config\RegBack, I have used those files to restore a Registry.

There are also a .bak copy of the Registry files and a .sav file copy in C:\Windows\System32\config which might be from the original install of Vista?

To make life easier you could look at this program which will save (easily accessible) backups of the Registry files for you whenever and wherever you wish.

Registry Backup and Restore for Windows NT/2000/2003/XP/Vista

http://www.larshederer.homepage.t-online.de/erunt/

 

[linney]

This might be interesting if not actually helpful?

VISTA Shadow Volume Forensics

http://sansforensics.wordpress.com/2008/10/10/shadow-forensics/

 

[goombawaho]

Linney - 1. I'm not following this:
"Are the Registry Backup kept in this type of location rather than any RPxx folder?"

I'm assuming vista stores the restore points in the same folder structure as XP. And that's where I meant to say I got the XP restore points from - one of the RPxxx folders then drill down for the actual backup registry files: SAM, SYSTEM, SECURITY, DEFAULT, SOFTWARE. Copy them to C:\windows\system32\config and rename.

2. The only way you can access data in the System Volume Information folder is via a boot disk - not while running windows.

3. That registry backup program won't work for me. I need this be usable for customer PCs and they're not going to have anything but what Vista gives them by default.

 

[linney]

I don't think System Restore uses RPxx type of folders for Registry Snapshots similar to XP, that is why I said it might create them in these long named files, not folders, {2e7e7fcf-0d23-11de-bfd8-001bfcb6f3a7}{3808876b-c176-4e48-b7ae-04046e6cc752}. When ever I look in a RPxx folders there is never more than a couple of files in there, one is a change.log and the other one is an .ini file. Do you see anything different?

"The only way you can access data in the System Volume Information folder is via a boot disk". Not strictly true from my experience, but Permissions need to be set to allow access. Then it may only be access to allow you to browse the folders, like you, if I want to act on the information in System Restore folders, or the RegBack folder, I would do it outside of the Vista environment. In most cases Vista would be crashed by that stage in any case, else you wouldn't be going down such a path.

Vista's Startup Repair probably does this type of repair by default anyway, but sometimes it might fail, so it is good to know the alternatives.

Did you look at the other locations, I mentioned, where Vista stores some (not all, obviously) Registry Backups?

Also that Shadows Copy forensic link will give you some idea or what is going on in the background of Vista.

 

[yourpc]

They seem to have changed where the System Restore files are located. They also dont seem to work the way they did in XP. It looks like the location may now be at: C:\Windows\Logs\SystemRestore I manually created system restore points while this window was open and noticed that each time I created a point, the files in the folder changed. If this is how system restore works now, I dont know if you could do much with them like the old restore feature. I will try to find out more later. Let us know if you find anything. Thanks...

 

[goombawaho]

So, a valuable tool has been changed and made more complicated and inaccessible. Who would have thought that?? It all looks too complicated for me to bother with to be honest.

I just liked the idea of being able to go outside the operating system and doing my own restore since a lot of PCs I see are not bootable and often that brings them back to bootable where I can work more magic.

 

[yourpc]

goombawaho. The reason they may have changed it is that they added a way to run system restore from the CD (and the hard drive) like we have been doing from the CD for Windows XP.
I am the author of the icompute.info website. I had put that info up on the website about running system restore from a CD so I could go to it without having to look it up on the occasions that I had to do it. Im glad you have found it useful too. The reference you gave in the post at the top of this page and also

http://www.icompute.info/System_restore_from_xp_cd.htm

are 2 of the ways that I have been doing this for some time now. I wanted to let you know that a while back I started using the ultimate boot cd 4 windows and it has several cool features on it. One feature is an easy way of doing the registry changes like you have been doing but with a program instead of doing it manually. I will be posting an article on the icompute site for that soon.
Just thought you might want to know.

 

[goombawaho]

Actually - I found the "XP manual system restore" procedure somewhere else, but I couldn't find that site when I posted my question, so I just used your site. Sooooo - no glory for you, but you had the same idea which is good for everyone.

Sounds like you are propagandizing for your site a bit.........

 

[yourpc]

Thanks for mentioning the page anyway.

Sorry if it sounds that way. I just didnt know if you had tried the ultimate boot cd. They have a gui for the system restore that works well and is easier than copying the files over and renaming them. It does it all for you. Its a Bart's PE environment.

http://www.ubcd4win.com/downloads.htm

 

[linney]

This program will save Snapshot versions of the Registry in Vista that can be restored at will, in or out of the Windows environment.

Registry Backup and Restore for Windows NT/2000/2003/XP (+Vista)

http://www.larshederer.homepage.t-online.de/erunt/

 

[yourpc]

Cool I'll try it. Thanks...

 

[goombawaho]

Yeah - I've been down with the UBCD for 2 years. Great for memory and hard drive testing and it boots up lightning quick. I use the BART PE for registry restores, file copies and malware file renaming/removal and virus scanning.

If those two can't fix it along with MalwareBytes, time to start thinking format.

 

[goombawaho]

This program will save Snapshot versions of the Registry in Vista that can be restored at will, in or out of the Windows environment.

Registry Backup and Restore for Windows NT/2000/2003/XP (+Vista)

http://www.larshederer.homepage.t-online.de/erunt/"

Again, this is NOT helpful unless you have it installed and have made a backup copy of the registry on the PC BEFORE it became non-bootable.

This would NOT be the case when you go over to JoeBob's house because he never installed this and thus has no backup. Substitute JoeBob for everyone else I visit and you see why it's not useful in most cases for me.

UNLESS I'M MISSING SOMETHING

 

[yourpc]

Thanks for the heads up. I cant remember the name of it but I think it was undelete data recovery software that acts like that. Same thing, works best if its on the computer in the first place. I like stuff that can get you into John Doe's computer that will get them up and running again.

 

[goombawaho]

Right - which is what I'm all about - something I can use to FIX a non-bootable PC. In which case, I use my BART PE CD to boot and perform the procedure in my initial post. Works great when you get a black screen/no boot/blue screen ESPECIALLY when safe mode is fried too.

I was just hoping to apply that to Vista, but it looks like booting from the Vista DVD is going to have to suffice.

 

[yourpc]

For now, it looks like thats the case. I have also noticed that many of the computers I have worked on did not have system restore on. I found that they were that way right out of the box. This makes a system restore impossible since there have never been any restore points made.
I have had some luck doing a repair install but that means carrying around a Vista DVD because if they have anything but a Dell they normally only have a recovery disk set not an actual Vista DVD. Have you run into the problem of no restore points on a lot of computers too. I think it was due to SP1 coming into the computer but I cant say for sure.

 

[goombawaho]

By default - System Restore is ON. Malware often destroys system restore points. Whether the system restore points have been destroyed/deleted/corrupted I see quite a lot with the Antivirus XP and other similar malware.

 

[yourpc]

Me too. Ive had to remove that from sooo many computers in the last year I cant believe it. Maybe thats why Ive noticed a large amount of computers with restore turned off. Thanks for pointing that out. It makes sense, I just didnt associate the two. I know there are other reasons for system restore to not be there but thats probably the reason for most of the computers Ive noticed.

 

[goombawaho]

What I was trying to say is that System Restore is turned ON, but the actual contents of the RPXXX folders do not have what you need to do an actual system restore. In other words, they have been corrupted/deleted intentionally by the malware to prevent an easy roll-back fix.