Windows Tip Sheet
System Restore, Virus Restore...Same Thing
A scriptable way to keep clients updated and virus-free.
Windows ME and Windows XP have a handy System Restore feature, which
periodically make backups of key system files, especially when you install
new software or hardware. Unfortunately, virus-infected files can get
backed up by System Restore. So, you could clean your system and then
roll back to a restore checkpoint and poof! The virus is back. One way
to handle this is to always, always, always
run a virus scanner
and to run a full system scan after you roll back a System Restore checkpoint.
However, since end users in many companies are allowed to roll back on
their own, you can't be sure if they remember to scan. Depending on how
you feel about System Restore's benefits vs. the risks of bringing a virus
back, you might want to disable System Restore.
In XP, it's easy enough to do: Open System Properties (right-click My
Computer and select Properties), go to the System Restore tab and select
the checkbox to "Turn off System Restore." If—heaven help
you—you're using Windows ME, it's in a similar location: Open the
properties of My Computer, select the Performance tab, click the File
System button, and select the Troubleshooting tab. The checkbox to disable
System Restore is the last one in the list.
For Windows XP only, you can even script this. The Microsoft TechNet
Script Center has a sample script that'll get you started: http://www.microsoft.com/
technet/community/scriptcenter/compmgmt/scrcm92.mspx. Here's an expanded
version that attempts to disable System Restore for every computer listed
in a text file you provide:
'get input file name
sInputFile = _
InputBox("Enter path and filename to input file"
"(list of computer names", "Input file")
If sInputFile = "" Or sInputFile = -1 Then
'open input file
Dim oFSO, oTS
Set oFSO = WScript.CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set oTS = oFSO.OpenTextFile(sInputFile)
If Err <> 0 Then
MsgBox "Couldn't open input file."
On Error Goto 0
'go through names in file
Dim sComputer, oPing, oStatus
Do Until oTS.AtEndOfStream
sComputer = oTS.ReadLine
If sComputer <> "" Then
'connect to the WMI provider
On Error Resume Next
Set oWMIService = GetObject("winmgmts:\\"
sComputer & "\root\default")
Set oItem = oWMIService.Get("SystemRestore")
errResults = oItem.Disable("")
On Error Goto 0
'finished - notify
MsgBox "Script is finished executing."
Remember that this will only work with Windows XP machines; Windows 2000
and Windows 2003 don't implement System Restore.
Perhaps you like System Restore and wish you could
get more control over it? Run over to the Script Center
scriptcenter/compmgmt/default.mspx and you'll find
scripts that let you centrally make a System Restore
checkpoint, roll back to a prior checkpoint, and more.
You can combine many of them with my script, above,
to affect a batch of computers at once.
If you're turning off System Restore, you'll obviously
want to put something in place to back up at least the
WinXP registry. There are three techniques (http://www.mvps.org/sramesh2k/registry.htm)
which are easy, including using RegEdit and good old
Your backup tapes are also a good repository for viruses.
Make sure you're using a backup solution that can scan
files for viruses as the backup is occurring, or at
least make sure an antivirus scanner is running when
you perform any restores. That way your backup tapes
won't become a source of viruses.
Network Associates describes the System Restore virus problem and explains
how to turn it off manually: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
My Web site has additional scripting resources and a discussion forum
on managing aspects of Windows through scripts: www.scriptinganswers.com
Microsoft has a KnowledgeBase article that describes System Restore:
With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.