Use of the ERUNT/ERDNT system versus use of Windows XP System Restore facility

Yes, I had checked that FAQ on the subject.

I thought I had posted something that I don't see so I'll post it again.

If I make any errors in my assumptions or statements, please correct them.

Since on 3 previous occasions when I know that System Restore was enabled, it was uable to restore a particular restore point so I have not seen much use for the system.  

It seems to me that if the main reason that System Restore should not be eliminated from use is that the ERUNT/ERDNT system will not back up some 'critical system files', can't that weakness in relying only on ERUNT/ERDNT alone be remedied by backing up those critical system files at the time that the registry backup is made?  I presume that such a critical file backup can be automated via a batch file or they be could individually backed up at the time the ERUNT backup is made.  Please comment.

Well, I haven't found much that is specific about which critical system files are backed up by System Restore, so my impression is it would be difficult to mimic SR behavior with a batch file.  See these pages for example:

http://technet.microsoft.com/en-us/windowsxp/bb264753.aspx
Frequently Asked Questions Regarding System Restore in Windows XP

Particularly, this question:

Q. What is or is not restored on my computer when I use System Restore?
A. See below.

Restored:

• Registry
 
• Profiles (local only; roaming user profiles are not affected by restore)
 
• COM+ DB
 
• WFP.dll cache
 
• WMI DB
 
• IIS Metabase
 
• File types monitored by System Restore as specified in the SDK document Monitored File Extensions

Not restored:

• DRM settings
 
• Passwords in the SAM hive
 
• WPA settings (Windows authentication information is not restored)
 
• Specific directories/files listed in the Monitored File Extensions list in the System Restore section of the Platform SDK e.g. 'My Documents' folder
 
• Any file types not monitored by System Restore (.doc, .jpg, etc.)
 
• Items listed in both Filesnottobackup and KeysnottoRestore (hklm->system->controlset001->control->backuprestore->filesnottobackup and keysnottorestore) in the registry
 
• User-created data stored in the user profile
 
• Contents of redirected folders
 
 
See also:

http://msdn2.microsoft.com/en-us/library/Aa378870.aspx
Monitored file extensions Windows System Restore

A useful page to see about System Restore failures:

http://bertk.mvps.org/html/srfail.html
Troubleshoot System Restore “Restore Point Failures” in Windows XP

Much material to digest, I'll be back

One question that comes to mind regarding using both systems is how can the two be coordinated in the best way.

I have no accurate idea how restoring those additional critical files can be utilized with the ERUNT/ERDNT system that it seems you are recommending.  Something like first using the restore point recovery that would, among other things, restore the critical files and then follow that by restoring the ERUNT/ERDNT (full) registry backup right after that?  Would that be the "best of both worlds"?  Please comment and also correct anything I have misstated.

I don't know of any way of restoring the critical files except by using System Restore itself, so if you do decide to keep SR active, then yes, you would first do a restore, then follow by ERUNT/ERDNT if there is a backup of the registry later than was done by System Restore but prior to whatever problem you are trying to recover from.  One thing to keep in mind is when System Restore points are created.  See this page:

http://technet.microsoft.com/en-us/windowsxp/bb264753.aspx
Frequently Asked Questions Regarding System Restore in Windows XP

See this question:

Q. When are restore points created?
A. The user can manually create a restore point at any time on their computer using the System Restore Wizard. Restore Points are also automatically created on your computer when:

• Installing an unsigned device driver
 
• Installing System Restore compliant applications (Installing an application that uses Windows Installer, or Install Shield Pro version 7.0 or later, causes System Restore to create a restore point)
 
• Installing an update by using Automatic Updates
 
• Performing a System Restore operation so the user can undo that restore operation if needed
 
• Restoring data from backup media using the Backup tool
 
• Creating daily restore points (System Restore creates a restore point every 24 hours if the computer is on or 24 hours have passed since the last restore point was created)
 
 

Sorry for the delay - had to attend to other business.

Now, to further explore my concern on how to integrate the ERUNT/ERDNT and the System Restore systems into a combined effective operating system recovery process (call the combined system the ERU/ERD+SR system), I would like to ask where you believe an additional leg of the total process belongs; that is, restoration of an image backup.  I have confidence in Acronis True Image that looks very effective.

Question 1.
Am I correct that if an image backup is restored, then there would be no need at all for the ERU/ERD+SR system?

Question 2.
Is storage space the only reason favoring using the ERU/ERD+SR system over the image backup restoration?

Question 3.
Can you give me a good idea under what circumstances an image backup restoration should be used and under what circumstances the ERU/ERD+SR system should be used?

1. If an image backup is restored, then yes there would theoretically be no need for the ERU/ERD+SR system, depending upon how often you run the image creation.

2.  Storage space and time consumed would be the major reasons I can think of.  I use Acronis True Image 10 on my new Vista pc to make periodic backup images of the entire system, but I don't do it very often because it will take me a good half hour to save an image.  Luckily, I have never (so far) had to restore an image.

3. I don't know whether the ERU/ERD method works with Vista's registry, which is why I haven't tried it on my latest Vista machine.  I know I tried it long ago when I used XP, and found it very satisfactory.   But as said above, I now run XP only rather rarely as a Virtual OS using Microsoft's free Virtual Pc 2007, and I am normally booted into Vista only,  most of the time.  

Since System Restore is predominantly automatic (but you can also set manual restore points at any time you wish), I think it is a good "everyday" method for recovering from most errors of the type that can be solved by a system restore, and ERU/ERD would add another layer of registry backup and restore which might take care of problems occurring in between automatic/manual restore points.

I think most of the time I would use the image backup as the preferred choice only when my system might become unbootable (which, luckily, it hasn't yet for me.)

Thanks for the above.

Sorry, for my delay, but I'll get back soon.

Im pretty close to completing this Question since most of my questions have been well answered but there is still some needed clarification.

Ive been mulling over a number of statements and questions which turn out to be very repetitive so to simplify the process I will just state what I believe you have recommended as the way to use the ERU/ERD+SR system and ask you to criticize any misunderstandings or errors you find in my statements.

Your recommendations, as I understand them:  1) To let the System Restore system function as it is regularly set up to do - automatically create a new system restore point in each 24 hour period and when the storage location for restore points is full, it will replace the oldest restore point with the most recent (current) restore point (FIFO) and 2) Create specific manual restore points when I choose to do so as discussed in the next paragraph.

Because the following events could be potentially disruptive of the system, a manual system restore point and an ERUNT full registry backup should be created before any of the following events:
                                      Installation of a new program
                                      Updating of already installed programs
                              Updating Windows
                                      Updating of drivers
                              Installation of new devices
I am aware that these events are usually trouble-free.

Question 1.
Could you add any other items to that list of events that could potentially disrupt my system or cause it to malfunction and should therefore be covered by a preceding  manual creation of a system restore point and an ERUNT registry backup?

And the last part of using this system to restore the preinstallation state consists of:
1)  Uninstalling the item that is thought to have disrupted the system
2)  Restoring the restore point made prior to the installation of the offending item
3)  Using ERDNT to restore the registry backup made prior to the installation of that offending program.

Question 2.
Isnt the advantage of the ERU/ERD+SR system due to the fact that the registry that is restored by restoring the appropriate restore point is not a complete registry and is able   to be overwritten by the restoration of the corresponding complete ERUNT registry backup?

Question 3.
Are you recommending the full use of this ERU/ERD+SR system or some less strict adherence to that protocol  if so, what should be relaxed?


Would you please answer the questions which follow each of these descriptions of the alternative mistakes (Condition 1 and Condition 2) I could make in trying to use the ERU/ERD+SR system?

Condition 1.
Lets say:
a)  I created a system restore point and an ERUNT registry backup prior to installing a program
b) I installed the program
c)  I then restored the system restore point and the ERUNT registry backup but had not uninstalled that program first.

Question 4.
What kind, if any, system error messages would occur; what kind of error messages would occur if the program was run under these circumstances; would the system crash; what other kinds of things might happen?


Condition 2.
Lets say:
a)  I installed a particular program
b)  I created a system restore point and an ERUNT registry backup while that particular program was installed
c) I uninstalled the particular program
c)  I then restored the system restore point and the ERUNT registry backup (made when the program was installed) but with that program being uninstalled

Question 5.
What kind, if any, system error messages would occur; would the system crash; what other kinds of things might happen?

Thank you.

1.  The registry is getting updated all the time (if you try running one of the various registry tracers that can be found on the net, you will see this), and due to mis-written programs or hard disk errors or who knows what else, any such registry write COULD cause a problem.  But one of the things I can think of that might be added to your list is the running of antivirus/antispyware utilities and registry cleanup tools.  Many of these programs run registry backups before doing their thing (for example, SpyBot Search and Destroy), but some don't (LavaSoft AdAware, for example.)

2.  There definitely is an advantage to ERU/ERD in that it backs up the entire registry, while System Restore presumably only backs up what might be modified by a program installation, device driver update, etc., and registry failures can happen for other reasons than these events.

3. I can't think of any other more "relaxed" ways of doing it than what you state.

4. I would think that the major consequence of your Condition 1 would be that the uninstalled program would fail in various ways, maybe not even be capable of executing at all, for almost all modern programs make MANY modifications to the registry in order to save the chosen options of use, details about program state, conditions for executing, etc.  The missing registry info might have consequences for other programs, might cause error messages at startup, and certainly could crash the system if you tried running the program with missing registry info.

5.  Condition 2 could cause problems also, although obviously not from your manually trying to run the program since it has been uninstalled.  But if the registry has been set up so that some part of the uninstalled program is supposed to run at startup, there would be error messages at startup due to the missing files.  If you take a look at the "notification area" (formerly called the "system tray") at the righthand side of the taskbar, you will normally see a number of icons that correspond to these programs being run at system startup because of registry settings.   For example, most (perhaps all?) "instant messengers" have options for this, as well as antivirus programs, microsoft office setup, commercial or freeware firewalls, internet explorer addons, etc.

I hope I have satisfactorily answered your questions...

I'm embarassed that I lost track of this thread due to attention to other problems.  However, there is one last (I believe) subject:

Question 1.
I've just become aware that viruses (and malware?) can mess up the way to get rid of them by hiding out in a System Restore point.  Is that a correct interpretation of how such problems utilize the System Restore system or are there other things they do to the System Restore system?

Question 2.
How can I determine if that is the source of an inability to get rid of a virus or malware?

Question 3.
Am I correct that, in addition to using Anti-Spyware and Anti-Malware and Anti-Virus programs, this particular type of System Restore problem can be simply corrected by using a System Restore point preceding the virus-malware problem along with the pre-problem ERUNT registry backup?

Question 4.
Is there any problem determining whether a particular system restore point (and registry backup) is the correct one to use?  If so, could you mention how to determine that?

Thank you.

Oh, man, you want an awful lot for your 250 point question...

1.  See this page:

http://www.bleepingcomputer.com/tutorials/tutorial56.html#problems

A quotation:

There are some problems associated with System Restore when it comes to viruses. When restore points are created they are stored in a directory that is accessible only to the System account and not to a user. This keeps the restore points safe from misuse and tampering. Unfortunately this also means that any virus scan software you may have installed can not scan the files located there as well. This causes a problem if a file that is infected with a virus gets backed up into a restore point because now the anti-virus software can not clean it. Now if you ever restore from a restore point, that file that is infected will be introduced back into your system.

With this in mind, if you find that you are infected with a virus, hijacker, or spyware and want to make sure you do not get reinfected if you restore a restore point, you should turn System Restore off and then back on again to clear all the restore points. This will guarantee that their are no infected files that could be restored.

2.  Since there is no way of virus cleaning the System Volume Information folder (where System Restore points are stored), I don't think there is any way of determining that is the source of the malware.  And that is why, when you go to many pages on such sites as those of Symantec, McAfee and other antivirus products for various types of infections, they often recommend you begin the removal procedure by turning System Restore off, because that will delete all restore points where malware may be hiding.

3 and 4.  Sometimes using a restore point prior to the malware problem might correct the problem, at least temporarily.  If malware has been backed up into the System Restore point area, then since you cannot determine which restore point is infected, I don't think it is a reliable way of correcting the problem.

I never want something for nothing and as long as I have been using EE, I have been disatisfied that there was no procedure for increasing the number of points to be awarded if it turns out that there is a legitimate point that the original question should have a larger point award.  Believe me, I have discussed that with Support myself before .  As I learn about the particular subject of the question, it enlarges the scope of the question but I feel that these are legitimate questions pertinent to the discussion.  

If such point increase is possible, I can certainly agree, just let me know.  However, I am now satisfied that I have gained the knowledge I wanted and appreciate your help.

I'm not arguing with you but I'm confused now by that last statement and it may be due to the time at which points could still be added to question award but I was specifically told in Support that once a point award had been decided upon and responders were answering I couldn't add any points and yet what you have just quoted above:

"Once you have submitted the question if you feel you need to increase the point value (maximum 500 points) you can do so by clicking Viewing My Question button and increasing the point value then hitting the submit button."

sounds like a contradiction of what I believe I was specifically told by EE Support

I am not able to find any 'Viewing My Question' button but I do see that the 'Point Value' at the top of this 'Post Comment/Solution' area in which I am currently entering this particular comment has an adjacent box holding the point value for the question that can be highlighted and changed there although I am not sure that such a change would be accepted.

Please clarify this confusion and then, if is possible to add to my original award value, I am certainly willing to do this and complete the closing of the Question because it has been valuable to me.

Thank you.

OK, I'll try to modify the point value and see if it works and then close the question.  Thank you.

Well it seemed to work.

There is a situation where one only needs ERUNT,
that is before manually editing the registry by regedit.
Regarding Vista, I can confirm that ERUNT works under Vista, too,
at least when User Account Control is switched off
(as recommended on ERUNT's web page).