Understanding how System Restore in Windows Vista treats executable files


A newsgroup customer noticed that an executable file he’d recently downloaded to his Documents folder disappeared after he used System Restore in Windows Vista to restore his computer’s system files to an earlier point in time. He asked why the executable file was “rolled back” (i.e., deleted) and why System Restore would do this within his Documents folder. I asked the System Restore development lead, Ivan Pashov, to explain this behavior:

 

The job of System Restore is to bring the system state (registry, WMI, COM+, etc.) and all binaries, including executables, back to exactly the state at the time of the restore point. System Restore does not exclude executable files in users’ Documents folders because programs and drivers (or spyware) can be installed anywhere, not just under c:\Program Files. We have no way of knowing what is installed, what is downloaded, and what is just put there for any other reason. Therefore, we restore a specific set of files on all volumes where system protection is enabled. On Windows Vista, this set of files is defined by monitored extensions outside of the Windows folder, and everything under the Windows folder. You can find a list of monitored extensions for Windows XP at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sr/sr/monitored_file_extensions.asp. We added a couple new extensions for Windows Vista, but this list is basically the same as Windows Millennium.

 

Using System Restore can be a heavy-handed approach to uninstalling programs. However, we believe that most customers would want this type of repair in situations where, say, a co-worker or family member installed a questionable program from a website that causes problems with Windows Vista. If uninstalling the program doesn’t work, then System Restore is the right tool to restore the computer to a functional state.  Should you find that a “good” executable file was removed during this process, you can right-click on the parent folder that previously contained the executable file, click Restore Previous Versions, open a version on a date where the executable existed, and copy the executable to any folder.

 

By the way, exactly the opposite artifact exists as well: if a download was captured in the restore point, later turned out to be garbage, and was deleted by the user, then when we restore to that specific restore point, we are going to resurrect the unnecessary file. We do this because we have no way of knowing that it is unnecessary.

--Ivan
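The scope rule and both side effects described above (a newer download removed, a deleted file resurrected) can be modeled in a few lines. This is an added example, not Microsoft's code: the extension set is a small assumed subset of the monitored list, and the function names, paths, and content IDs are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: small illustrative subset of the monitored extensions; the
# full list is on the MSDN page linked in the post.
MONITORED_EXTENSIONS = {".exe", ".dll", ".sys", ".bat", ".cmd"}
WINDOWS_DIR = PureWindowsPath(r"C:\Windows")

def in_restore_scope(path, protected_volumes=("C:",)):
    """True if a restore would manage this file, per the rule in the post."""
    p = PureWindowsPath(path)
    if p.drive.upper() not in {v.upper() for v in protected_volumes}:
        return False  # system protection is not enabled on this volume
    if WINDOWS_DIR in p.parents:
        return True  # everything under the Windows folder
    return p.suffix.lower() in MONITORED_EXTENSIONS

def predict_restore(snapshot, current, protected_volumes=("C:",)):
    """Compare {path: content_id} maps taken at the restore point and now."""
    def scoped(files):
        return {PureWindowsPath(k): v for k, v in files.items()
                if in_restore_scope(k, protected_volumes)}
    then, now = scoped(snapshot), scoped(current)
    return {
        # Created after the restore point: removed by the restore.
        "deleted": sorted(str(p) for p in now.keys() - then.keys()),
        # Deleted after the restore point: brought back by the restore.
        "resurrected": sorted(str(p) for p in then.keys() - now.keys()),
        # Present in both but changed: returned to the older content.
        "reverted": sorted(str(p) for p in then.keys() & now.keys()
                           if then[p] != now[p]),
    }

# Constructed sample data: file listings at the restore point and today.
SNAPSHOT = {
    r"C:\Users\ann\Documents\old_tool.exe": "a1",
    r"C:\Users\ann\Documents\report.docx": "b1",
    r"C:\Windows\System32\drivers\net.sys": "c1",
}
CURRENT = {
    r"C:\Users\ann\Documents\setup_download.exe": "d1",
    r"C:\Users\ann\Documents\report.docx": "b2",
    r"C:\Users\ann\Documents\notes.txt": "e1",
    r"C:\Windows\System32\drivers\net.sys": "c2",
    r"D:\Tools\portable.exe": "f1",
}

if __name__ == "__main__":
    for action, paths in predict_restore(SNAPSHOT, CURRENT).items():
        print(action, paths)
```

The edited `report.docx` and the new `notes.txt` are left alone because their extensions are not monitored, and `D:\Tools\portable.exe` is untouched because that volume is not protected in this sample.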
