XP System Restore The BIG Q !

Discussion in 'other security issues & news' started by Spanner intheWorks, Mar 13, 2005.

Thread Status:
Not open for further replies.
  1. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Hello Spanner intheWorks,

    You can in a sense, it's just not as neat as one would like it to be.

    If you knew when you got infected, you simply don't use the RP's after that point.

    After you got infected and you knew it was clean, you use the RP's after that point.

    The default for RP points is 90 days - so that's another factor.

    In the applet that controls System Restore settings, by moving the slider down to a point less than the max file size of System Volume Information, the restore file, the oldest RP's can be eliminated.

    So you can see that this is something the user would have to pay close attention to - how many do?

    I agree, wish MS would add the capability that you've outlined.

    Regards - Charles
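
The triage described in the post above, sketched as an added example that is not part of the original thread: it lists the restore points on a machine and labels each one relative to a known infection window. It assumes a Windows PowerShell host (3.0 or later) where `Get-ComputerRestorePoint` is available; the two timestamps and the `Get-RestorePointVerdict` helper are hypothetical and constructed for illustration.

```powershell
# Added example: triage restore points against a known infection window.
# Both timestamps are constructed placeholders; set them from your own incident notes.
$infectedAt = [datetime]'2005-03-01 09:00'   # earliest time the machine may have been infected
$cleanedAt  = [datetime]'2005-03-10 18:00'   # time the machine was verified clean again

# Hypothetical helper: classify one restore point by its creation time.
function Get-RestorePointVerdict {
    param([datetime]$Created, [datetime]$InfectedAt, [datetime]$CleanedAt)
    if ($Created -lt $InfectedAt) { return 'pre-infection: candidate' }
    if ($Created -lt $CleanedAt)  { return 'infection window: do not use' }
    return 'post-cleanup: candidate'
}

# Get-ComputerRestorePoint returns CreationTime as a WMI (DMTF) string,
# so convert it to a DateTime before comparing.
# Run from an elevated Windows PowerShell session.
Get-ComputerRestorePoint |
    ForEach-Object {
        $created = $_.ConvertToDateTime($_.CreationTime)
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = $created
            Description = $_.Description
            Verdict     = Get-RestorePointVerdict $created $infectedAt $cleanedAt
        }
    } |
    Sort-Object Created |
    Format-Table -AutoSize
```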
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043

    What you have just described is Raxco's First Defense-ISR. Doesn't have a time limit either.

    Pete
     
  3. gud4u

    gud4u Registered Member

    Joined:
    Nov 9, 2004
    Posts:
    206
    My 'worst case' defense is a weekly image of my OS partition to removable media.

    I've never had a validated image fail to restore - but I have experienced failure of System Restore Points to properly restore.
     
  4. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,048
    Location:
    SouthCentral PA
    Trial the FirstDefense program by Raxco. I could tell you all that it can do but you would not believe me, so just give it a trial. I also recommend reading all the FirstDefense pdf files and the FAQ and Knowledgebase available on the Raxco website BEFORE you install the program itself; with a program that powerful and flexible it helps to have an understanding of the program or you can get confused, I sure did.

    Acadia
     
  5. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Hello Spanner

    I can put in a few cents worth on the SR question: I used System Restore heavily during the past few months. You might recall I was looking for the Virtual Bouncer, which turned out to be a false positive from one of the scanning services. I used SR to try and get back to a time B4 infection. As it turned out, there was no time, as it was a false positive, but it seemed like the SR process was taking longer and longer, each time I used it.

    Finally, on one attempt to use the System Restore, it had not completed the restore in over 3 hours. A Techie said if it was his, he'd just turn the computer off, so I did. When I tried to reboot, no go...I ended up using the restore CD to just put the Windows XP back on my system...losing a lot of data in the process. Yes, I was currently on borrowed time, trying to decide which back up system to use when this all happened.

    The same Tech person said that in his experience, SR only works half the time anyway. Another offered that he never uses it - something about that it only covers up the registry keys, and doesn't really "restore" as the name implies.

    Anyway, that's my experience with System Restore. Here I come Acronis...

    Highest Regards

    Ashwin
     
  6. ashwin

    ashwin Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    66
    Could you explain what you mean by personal security risk?

    Are you running another Windows platform, or A Linux, or...?

    If I'd had the time, I would have seriously considered Mandrake when the SR went down.

    A bit off topic, hope you don't mind.

    Regards

    Ashwin
     
  7. bigbuck

    bigbuck Registered Member

    Joined:
    Jul 7, 2004
    Posts:
    4,877
    Location:
    Qld, Aus
    I'm with you gud4u! A good image is my preferred restore option. I've had some bad experiences with 'system restore'!
     
  8. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Yes, there is a bug in SR - if you do continuous restores like the kind of operation that ashwin did, SR either gets hung up or simply says can't do it.

    Reason for that is because SR doesn't always handle a SVI file filled to the max correctly. Restores take up more room than either a System generated restore point or a manual one because it has to save the "current" state - the "undo the restore" option.

    The size of the System Volume Information is governed by the size of the monitored partition, the max size of SVI is 12% of that partition.

    One way to handle this is to play with the slider that sets the size in SR tab of System and get rid of some of the older RP's before embarking on restores.

    And yes, SR can be used in safe mode, it's one of the options when booting into safe mode.

    SR is not a substitute for Drive Imaging, its primary purpose is to monitor the OS, not user data.

    But, SR considers things like installed .exe files not user data :)

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sr/sr/monitored_file_extensions.asp

    An exception: any file, regardless of file extension, that is in the My Documents folder is not monitored, so no restore.

    Regards - Charles
     