Windows Tip Sheet

System Restore, Virus Restore...Same Thing

A scriptable way to keep clients updated and virus-free.

Windows ME and Windows XP have a handy System Restore feature, which periodically makes backups of key system files, especially when you install new software or hardware. Unfortunately, virus-infected files can get backed up by System Restore. So, you could clean your system and then roll back to a restore checkpoint and poof! The virus is back. One way to handle this is to always, always, always run a virus scanner and to run a full system scan after you roll back a System Restore checkpoint. However, since end users in many companies are allowed to roll back on their own, you can't be sure if they remember to scan. Depending on how you feel about System Restore's benefits vs. the risks of bringing a virus back, you might want to disable System Restore.

In XP, it's easy enough to do: Open System Properties (right-click My Computer and select Properties), go to the System Restore tab and select the checkbox to "Turn off System Restore." If—heaven help you—you're using Windows ME, it's in a similar location: Open the properties of My Computer, select the Performance tab, click the File System button, and select the Troubleshooting tab. The checkbox to disable System Restore is the last one in the list.

For Windows XP only, you can even script this. The Microsoft TechNet Script Center has a sample script that'll get you started: http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm92.mspx. Here's an expanded version that attempts to disable System Restore for every computer listed in a text file you provide:

'get input file name
Dim sInputFile
sInputFile = _
   InputBox("Enter path and filename to input file " & _
   "(list of computer names)", "Input file")

'clicked cancel? (InputBox returns an empty string on Cancel)
If sInputFile = "" Then
   WScript.Quit
End If

'open input file
Dim oFSO, oTS
Set oFSO = WScript.CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set oTS = oFSO.OpenTextFile(sInputFile)
If Err <> 0 Then
   MsgBox "Couldn't open input file."
   WScript.Quit
End If
On Error Goto 0

'go through names in file
Dim sComputer, oWMIService, oItem, errResults
Do Until oTS.AtEndOfStream

   'get name, ignoring stray spaces
   sComputer = Trim(oTS.ReadLine)

   'name provided?
   If sComputer <> "" Then

      'connect to the WMI provider and disable System Restore
      'on all drives; errors (unreachable or non-XP machine)
      'are skipped so the loop continues with the next name
      On Error Resume Next
      Set oWMIService = GetObject("winmgmts:\\" & _
         sComputer & "\root\default")
      Set oItem = oWMIService.Get("SystemRestore")
      errResults = oItem.Disable("")
      On Error Goto 0

   End If
Loop

'finished - notify
oTS.Close
MsgBox "Script is finished executing."

Remember that this will only work with Windows XP machines; Windows 2000 and Windows 2003 don't implement System Restore.
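
Because the script above skips over any machine it can't reach, it's worth checking the result afterward. The following audit script is an added example, not part of the original column or the Script Center sample. It assumes System Restore's on/off state is reflected in the DisableSR registry value (1 = disabled) and uses hypothetical file names computers.txt and sr-audit.csv:

```vbscript
' Added example: report the System Restore state of every computer in a list.
Option Explicit

Const HKLM = &H80000002
' Assumption: DisableSR (DWORD) under this key is 1 when System Restore is off
Const SR_KEY = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
Const INPUT_FILE = "computers.txt"    ' hypothetical: one computer name per line
Const REPORT_FILE = "sr-audit.csv"    ' hypothetical output file

Dim oFSO, oIn, oOut, sComputer
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oIn = oFSO.OpenTextFile(INPUT_FILE, 1)           ' 1 = ForReading
Set oOut = oFSO.CreateTextFile(REPORT_FILE, True)    ' True = overwrite
oOut.WriteLine "Computer,Status"

Do Until oIn.AtEndOfStream
   sComputer = Trim(oIn.ReadLine)
   If sComputer <> "" Then
      oOut.WriteLine sComputer & "," & GetSRStatus(sComputer)
   End If
Loop

oIn.Close
oOut.Close
WScript.Echo "Audit written to " & REPORT_FILE

' Returns "Disabled", "Enabled", or a reason the state could not be read
Function GetSRStatus(sName)
   Dim oReg, nValue, nResult
   On Error Resume Next
   Set oReg = GetObject("winmgmts:\\" & sName & "\root\default:StdRegProv")
   If Err.Number <> 0 Then
      GetSRStatus = "Unreachable (0x" & Hex(Err.Number) & ")"
      Err.Clear
      Exit Function
   End If
   nResult = oReg.GetDWORDValue(HKLM, SR_KEY, "DisableSR", nValue)
   If Err.Number <> 0 Or nResult <> 0 Then
      ' Value missing or unreadable, e.g. a machine without System Restore
      GetSRStatus = "Unknown (DisableSR not readable)"
   ElseIf nValue = 1 Then
      GetSRStatus = "Disabled"
   Else
      GetSRStatus = "Enabled"
   End If
   Err.Clear
End Function
```

Machines reported as Unreachable or Enabled are the ones to rerun the disable script against or to handle by hand.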

Micro Tip Sheet

Perhaps you like System Restore and wish you could get more control over it? Run over to the Script Center at http://www.microsoft.com/technet/community/scriptcenter/compmgmt/default.mspx and you'll find scripts that let you centrally make a System Restore checkpoint, roll back to a prior checkpoint, and more. You can combine many of them with my script, above, to affect a batch of computers at once.

If you're turning off System Restore, you'll obviously want to put something in place to back up at least the WinXP registry. There are three techniques (http://www.mvps.org/sramesh2k/registry.htm) which are easy, including using RegEdit and good old NTBackup.

Your backup tapes are also a good repository for viruses. Make sure you're using a backup solution that can scan files for viruses as the backup is occurring, or at least make sure an antivirus scanner is running when you perform any restores. That way your backup tapes won't become a source of viruses.

More Resources
Network Associates describes the System Restore virus problem and explains how to turn it off manually: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

My Web site has additional scripting resources and a discussion forum on managing aspects of Windows through scripts: www.scriptinganswers.com

Microsoft has a KnowledgeBase article that describes System Restore: http://support.microsoft.com/default.aspx?scid=kb;EN-US;306084

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.
