Viruses in the System Volume Information (System Restore).

System Restore is a Windows utility that periodically saves changes made to the system (for example, it backs up monitored files, the registry and drivers) and allows users to roll the system back to a previous state in the event of PC instability or program failures. It is a very useful Windows component that can save users the time of repairing or reinstalling the operating system.

However, when the system is infected, System Restore might also back up infected files and viruses. The good news is that it is very easy to remove viruses from that folder: all you have to do is turn System Restore off, and all viruses will be deleted along with all of the restore points.

So... with an infected system - when do you purge those restore points? Do you disable it BEFORE or AFTER removing the infections? The timing as to when to turn off System Restore is very important.

There have been so many discussions about this, and I've addressed it many times. The best time to turn it off is AFTER the cleanup, hence this article.

A bad practice that many PC techs have is disabling System Restore before cleaning the system. YOU SHOULD NOT DO THIS. They also believe that viruses in System Restore will creep out of that folder and re-infect the system. Of course, that's absolute nonsense. The fact is, viruses in that folder are DORMANT and HARMLESS. They don't do anything while in that folder; the only time those viruses become active and pose a threat to the system is when you use those infected restore points.

You might say, "But Symantec suggests turning it off before running a scan?" Well, it's wrong to suggest that! But let's be fair and look at it from their perspective. They say that, possibly for the following reasons:

     1. Antivirus software cannot delete viruses in System Restore.
     2. There's a fairly good chance that the scan will hang when scanning that folder.
     3. It dramatically shortens the scanning time.

Now that certainly makes sense, but what about the users? Is it to their advantage if System Restore is disabled before the cleanup? The answer is NO. In fact, for PC users it is a BAD idea to turn off System Restore before cleaning the system. While removing malware/viruses, things can go wrong: there are times when the removal process will not go smoothly and the user will need those restore points. If the user turns System Restore off, he will have no restore points to go back to. It is better to have possibly infected restore points than none, where the only option left is to reformat.

To quote [MVP] MowGreen's thoughts on SR, "It's better to have a leaky, rodent infested life boat than no life boat at all."

In Conclusion:

The best time to disable System Restore in an infected system is AFTER the cleanup when the system is in a stable condition.
When the PC is clean, and you no longer need those restore points, you can turn it off to flush all the viruses and create a new and clean restore point.
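
The sequence recommended above, as an added PowerShell example (not part of the original article): keep System Restore on and take a fallback point before cleanup, then purge and create a clean baseline only after the operator confirms the system is stable. The -Phase and -Drive parameters are names chosen for this example, and the script checks, rather than assumes, that turning System Restore off removed the old points.

```powershell
#Requires -RunAsAdministrator
# Added example. Run in Windows PowerShell 5.1 on a client edition of Windows;
# the System Restore cmdlets are not available in PowerShell 7.
param(
    [Parameter(Mandatory)]
    [ValidateSet('PreCleanup', 'PostCleanup')]
    [string]$Phase,
    [string]$Drive = "$env:SystemDrive\"   # e.g. C:\
)

function Get-RestorePointCount {
    # Returns 0 when no restore points are listed.
    @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
}

switch ($Phase) {
    'PreCleanup' {
        # Before cleaning: make sure System Restore is ON and add a fallback point.
        Enable-ComputerRestore -Drive $Drive
        # Windows may skip creation if a point was made in the last 24 hours.
        Checkpoint-Computer -Description 'Before malware cleanup' -RestorePointType MODIFY_SETTINGS
        $count = Get-RestorePointCount
        if ($count -eq 0) { Write-Warning 'No restore points exist; there is nothing to fall back on.' }
        "Restore points available: $count"
    }
    'PostCleanup' {
        # After cleaning: purge only once the operator confirms the system is stable.
        $answer = Read-Host 'System confirmed clean and stable? Type YES to purge restore points'
        if ($answer -cne 'YES') { 'Aborted: restore points left intact.'; return }

        "Restore points before purge: $(Get-RestorePointCount)"
        Disable-ComputerRestore -Drive $Drive      # turn System Restore off
        $left = Get-RestorePointCount
        if ($left -gt 0) {
            # Assumption being checked: turning it off removed the old points.
            Write-Warning "$left restore point(s) still listed; verify before relying on a flush."
        }
        Enable-ComputerRestore -Drive $Drive       # turn it back on
        Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS
        Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
    }
}
```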

I hope this article will help some users understand the importance of keeping those restore points intact while in the process of removing infections.

* If you like, also check out these links and read the comments from Microsoft's Most Valuable Professionals.

CalamityJane (MS-MVP Consumer Security)

"II. Do NOT start your fix by disabling System Restore. This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points. Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore older and set a new point AFTER the PC is clean and all programs are working properly."

Sandi Hardmeier (MS-MVP, AH-VSOP), in her webpage "Troubleshooting browser hijackings" and also in an article "Bug busting: Getting Rid of Spyware"

She CLEARLY stated NOT to delete Restore Points before attempting spyware removal, because if something goes wrong there's no way to reverse your actions. Yes, you would want to delete those restore points, but the time to do it is later, not while in the process of cleaning the system.

Bugbatter (MS-MVP Consumer Security), 'pre-cleanup' speech.
"If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly."

Jim Eshelman (MS-MVP, AumHa Webmaster/Proprietor), in his article "Purging old System Restore points"
"Leave System Restore in place until your computer is clean and stable."

Steve Wechsler, aka Mow Green (MS-MVP, AH-VSOP)
(Msg. 5)
"Sorry, Symantec's advice is just plain wrong. What if the tool you've downloaded prevents the system from rebooting, then what? You'll have *no* restore points to use to regain control of the system."

tashi - (MS-MVP. Consumer Security)
"Please do NOT turn off System Restore trying to remove an infection. Doing so would only serve to destroy a known restore point (not good) and won't remove the malware."

Bert Kinney (MS-MVP, AH-VSOP)
(Msg. 8)
"When removing virus/spyware infection, DO NOT DELETE ALL RESTORE POINTS until the system is confirmed clean and functioning normally."

Happy computing!