A Comprehensive Guide on Creating, Deleting and Managing System Restore Points on Windows 10/11

System Restore Points offer a convenient solution for reverting your Windows OS to a previous state should you encounter unintended system file or registry issues following the installation of faulty drivers, updates, or applications. A restore point allows you to restore the state of the registry, system files, drivers, and installed software to the point in time that the restore point was established. Despite the fact that system restore points are built on the foundations of volume shadow copies, user profile files remain unaffected when a system is restored from a checkpoint. This guide will examine how system administrators can utilise restore points in Windows 10 and 11.

How to Enable System Protection on Windows

Restore points in Windows 10 and 11 rely on the System Protection service. By default, this service is deactivated. To check whether system protection (and with it restore points) is enabled for a specific drive:

  1. Run the command systempropertiesprotection;
  2. The System Protection tab of the classic System Properties applet will open;
  3. In this case, protection is enabled for the system drive (C:) and disabled for all others;
  4. Select the drive and click the Configure button;
  5. Here you can enable or disable drive protection, change the maximum disk size available for storing restore points, and delete all restore points.

You can enable system protection using GPO. Configure the following Group Policy options:

  • Navigate to Computer Configuration -> Policies -> Administrative Templates -> System -> System Restore and change Turn off System Restore = Disabled
  • Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Defender -> Scan and set Create system restore point = Enabled

You can use PowerShell to enable system protection for a specific drive:

Enable-ComputerRestore -drive "c:\"

Create, List, and Delete a System Restore Point on Windows

By default, Windows automatically creates restore points when installing or uninstalling updates, drivers, or applications.

To create a restore point right away, click the Create button on the System Protection tab and enter a brief description for it.

You can also create a restore point manually from a PowerShell prompt:

Checkpoint-Computer -description "Checkpoint before update video driver" -RestorePointType "APPLICATION_INSTALL"

Typically, a restore point with type APPLICATION_INSTALL is created by default. The RestorePointType parameter accepts the following values:

  • MODIFY_SETTINGS
  • DEVICE_DRIVER_INSTALL
  • APPLICATION_INSTALL
  • APPLICATION_UNINSTALL
  • CANCELLED_OPERATION

List available restore points:

Get-ComputerRestorePoint|ft -AutoSize

By default, System Protection allows you to create only one restore point every 24 hours. If you attempt to create a new one, you will encounter an error:

WARNING: A new system restore point cannot be created because one has already been created within the past 1440 minutes.

To create restore points more frequently, modify the SystemRestorePointCreationFrequency DWORD registry parameter under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore registry key. The default parameter value is 1440 (24 hours). Set the value to 0 to disable the limit on how often restore points can be created.
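The steps above can be combined into one pre-change routine. This is an added example, not code from the original article: it lifts the 24-hour limit only for the duration of the call, creates the checkpoint, restores the previous registry value, and confirms that a new restore point exists. The function name New-PreChangeRestorePoint is hypothetical; the script assumes an elevated Windows PowerShell 5.1 session, where these cmdlets are available.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical helper, not from the original article).
function New-PreChangeRestorePoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Description,
        [string]$Drive = 'C:\'
    )
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $name = 'SystemRestorePointCreationFrequency'

    # Remember the current limit ($null if the value does not exist).
    $old = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    # Highest sequence number before the call (0 if there are no restore points yet).
    $before = [int](Get-ComputerRestorePoint |
        Measure-Object -Property SequenceNumber -Maximum).Maximum

    Enable-ComputerRestore -Drive $Drive
    try {
        # 0 = no minimum interval between restore points
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    }
    finally {
        # Put the limit back exactly as it was, even if the checkpoint failed.
        if ($null -eq $old) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $name -Value $old
        }
    }

    # Checkpoint-Computer only warns when it skips creation, so verify the result.
    $new = Get-ComputerRestorePoint | Where-Object { $_.SequenceNumber -gt $before }
    if (-not $new) { throw "No restore point was created for '$Description'." }
    $new | Select-Object SequenceNumber, Description, CreationTime
}

New-PreChangeRestorePoint -Description 'Before video driver update'
```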

Restore points are not a comprehensive backup tool for Windows and should not replace a full backup. You can back up your Windows image to external media using the built-in System Image Backup tool:

wbAdmin start backup -backupTarget:U: -include:C: -allCritical -quiet

Windows restore points are based on shadow copies, which are checkpoints of volumes created by the VSS service. When a restore point is created, VSS asks all applications to bring their data into a consistent state and briefly pause their operations. It then takes a snapshot of the entire volume in that consistent state.

Restore point image files are stored in the hidden System Volume Information folder at the root of each drive. The screenshot shows the shadow copy files for each restore point created. As you can see, they can grow to tens or hundreds of gigabytes in size.

List the drives (volumes) for which shadow copies have been created:

vssadmin list shadowstorage

In this example, there are checkpoints on drive C: that take up 6% of the space (in total they can occupy up to 10% of the drive capacity).

You can change the maximum size available for shadow copies using the commands:

vssadmin resize shadowstorage /on=c: /for=c: /maxsize=50GB

Or:

vssadmin resize shadowstorage /on=c: /for=c: /maxsize=15%

List available shadow copies for the specified volume:

vssadmin list shadows /for=c:
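An added example (not from the original article) that reads the same information from the Win32_ShadowStorage and Win32_ShadowCopy CIM classes instead of vssadmin's text output, and flags volumes that have no recent shadow copy to fall back on. The function name Get-ShadowStorageReport and the 7-day threshold are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical helper, not from the original article).
function Get-ShadowStorageReport {
    param([int]$StaleAfterDays = 7)   # assumed threshold, tune to your policy

    # Index volumes by device ID (\\?\Volume{guid}\) to recover drive letters.
    $volumes = @{}
    Get-CimInstance -ClassName Win32_Volume |
        ForEach-Object { $volumes[$_.DeviceID] = $_ }
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy)

    foreach ($s in Get-CimInstance -ClassName Win32_ShadowStorage) {
        $id  = $s.Volume.DeviceID          # the volume being protected
        $vol = $volumes[$id]
        if (-not $vol) { continue }        # volume is no longer present

        # Shadow copies of this volume, oldest first.
        $mine   = @($copies | Where-Object VolumeName -eq $id | Sort-Object InstallDate)
        $newest = if ($mine.Count) { $mine[-1].InstallDate }

        # A limit with no cap is reported as the largest 64-bit value.
        $maxGB = if ($s.MaxSpace -eq [uint64]::MaxValue) { 'UNBOUNDED' } else {
            [math]::Round($s.MaxSpace / 1GB, 1)
        }

        [pscustomobject]@{
            Drive   = $vol.DriveLetter
            UsedGB  = [math]::Round($s.UsedSpace / 1GB, 1)
            MaxGB   = $maxGB
            UsedPct = [math]::Round(100 * $s.UsedSpace / $vol.Capacity, 1)
            Copies  = $mine.Count
            Oldest  = if ($mine.Count) { $mine[0].InstallDate }
            Newest  = $newest
            # True when there is no copy at all or the newest one is too old.
            Stale   = (-not $newest) -or
                      ($newest -lt (Get-Date).AddDays(-$StaleAfterDays))
        }
    }
}

Get-ShadowStorageReport | Format-Table -AutoSize
```

A volume that shows Copies = 0 although protection is enabled and restore points were created earlier is worth investigating before the next change is rolled out.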

You can delete a specific checkpoint by its Shadow Copy ID:

vssadmin delete shadows /Shadow={xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

Use the following command to delete the oldest shadow copy:

vssadmin delete shadows /for=C: /oldest

Erase all restore points (this deletes every shadow copy on the system, not only those created by System Restore):

vssadmin delete shadows /all

To delete outdated restore points, you can also use the built-in Disk Cleanup tool (cleanmgr.exe). Navigate to the More Options tab and click Clean up under the System Restore and Shadow Copies section.

Recovering Windows or Individual Files from the System Restore Point

To restore the operating system state from a previously created restore point, you can use the rstrui.exe tool.

  1. Run the tool;
  2. Select the previous restore point to which you want to roll back Windows;
  3. Compare the list of applications, services, and drivers in the online Windows image with the list at the restore point (click Scan for affected programs);
  4. Click Next -> Finish;
  5. Windows will roll back the system state to the previous shadow copy (reboot required).

You can use PowerShell to restore Windows from a restore point. Get restore point IDs:

Get-ComputerRestorePoint

Restoring Windows from a specified restore point:

Restore-Computer -RestorePoint 21

Check to see if the restore was successful:

Get-ComputerRestorePoint -LastStatus

As noted beforehand, reverting to an earlier restore point won’t result in overwriting the user’s files. They, however, remain available in a shadow copy due to the creation of a checkpoint for the whole volume. As such, you can manually restore any file from a volume shadow copy.

To examine files within a shadow copy, you can use the free ShadowCopyView tool. Navigate to the required shadow copy (sorted by creation date), locate the older version of the file (folder), and restore it to a specific location on the disk with the function 'Copy Selected files to…'

Note that in practice, this method for restoring personal files via restore points is not viable on Windows 10 22H2, as the restored files will be corrupted: they are partially filled with zeros.

A possible solution is to configure File History or to use a Task Scheduler job that generates shadow copies with the command: wmic shadowcopy call create Volume='C:\'

You can also restore the state of Windows in offline mode. Boot your computer into the Windows RE recovery environment and select System Restore from the menu. You will be prompted to select one of the previously created restore points.

After restoring a domain member computer from a previously created restore point, you will usually also need to repair the trust relationship with the domain:

Test-ComputerSecureChannel -Repair

On Windows Server, use the built-in Windows Server Backup (WSB) component as the counterpart to restore points, because there is no System Protection service in Windows Server operating systems.

