Windows Tip Sheet

System Restore, Virus Restore...Same Thing

A scriptable way to keep clients updated and virus-free.

Windows ME and Windows XP have a handy System Restore feature, which periodically makes backups of key system files, especially when you install new software or hardware. Unfortunately, virus-infected files can get backed up by System Restore. So, you could clean your system and then roll back to a restore checkpoint and poof! The virus is back. One way to handle this is to always, always, always run a virus scanner and to run a full system scan after you roll back a System Restore checkpoint. However, since end users in many companies are allowed to roll back on their own, you can't be sure if they remember to scan. Depending on how you feel about System Restore's benefits vs. the risks of bringing a virus back, you might want to disable System Restore.

In XP, it's easy enough to do: Open System Properties (right-click My Computer and select Properties), go to the System Restore tab and select the checkbox to "Turn off System Restore." If—heaven help you—you're using Windows ME, it's in a similar location: Open the properties of My Computer, select the Performance tab, click the File System button, and select the Troubleshooting tab. The checkbox to disable System Restore is the last one in the list.

For Windows XP only, you can even script this. The Microsoft TechNet Script Center has a sample script that'll get you started. Here's an expanded version that attempts to disable System Restore for every computer listed in a text file you provide:

'get input file name
Dim sInputFile
sInputFile = _
   InputBox("Enter path and filename to input file " & _
   "(list of computer names)", "Input file")

'clicked cancel? (InputBox returns an empty string)
If sInputFile = "" Then
   WScript.Quit
End If

'open input file
Dim oFSO, oTS
Set oFSO = WScript.CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set oTS = oFSO.OpenTextFile(sInputFile)
If Err <> 0 Then
   MsgBox "Couldn't open input file."
   WScript.Quit
End If
On Error Goto 0

'go through names in file
Dim sComputer, oWMIService, oItem, errResults
Do Until oTS.AtEndOfStream

   'get name
   sComputer = Trim(oTS.ReadLine)

   'name provided?
   If sComputer <> "" Then

      'connect to the WMI provider and disable System Restore;
      'errors (unreachable or non-XP computer) are skipped silently
      On Error Resume Next
      Set oWMIService = GetObject("winmgmts:\\" & _
      sComputer & "\root\default")
      Set oItem = oWMIService.Get("SystemRestore")
      errResults = oItem.Disable("")
      On Error Goto 0

   End If

Loop
oTS.Close

'finished - notify
MsgBox "Script is finished executing."

Remember that this will only work with Windows XP machines; Windows 2000 and Windows 2003 don't implement System Restore.
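
Because the script above skips failures silently, it helps to check the result afterward. The following is an added example, not part of the original column or the Script Center sample: it reads the same computer list and reports, per machine, how many System Restore checkpoints remain, using the SystemRestore WMI class in root\default. The file name audit-sr.vbs and the CSV layout are assumptions.

```vbscript
' Added example (hypothetical file name audit-sr.vbs): report the restore
' points still present on each computer named in a text file.
' Run as: cscript //nologo audit-sr.vbs computers.txt
Option Explicit

If WScript.Arguments.Count <> 1 Then
   WScript.Echo "Usage: cscript //nologo audit-sr.vbs <computer list>"
   WScript.Quit 1
End If

Dim oFSO, oTS, sComputer
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oTS = oFSO.OpenTextFile(WScript.Arguments(0))

WScript.Echo "Computer,Status,RestorePoints,NewestCreated"
Do Until oTS.AtEndOfStream
   sComputer = Trim(oTS.ReadLine)
   If sComputer <> "" Then WScript.Echo AuditComputer(sComputer)
Loop
oTS.Close

' Returns one CSV line for sName; errors are turned into a status
' value, so one unreachable host does not stop the run.
Function AuditComputer(sName)
   Dim oWMI, colPoints, oPoint, nCount, nMaxSeq, sNewest
   nMaxSeq = -1
   On Error Resume Next

   Set oWMI = GetObject("winmgmts:\\" & sName & "\root\default")
   If Err.Number <> 0 Then
      AuditComputer = sName & ",CONNECT FAILED 0x" & Hex(Err.Number) & ",,"
      Exit Function
   End If

   ' Reading Count forces the query to run, so a computer without the
   ' SystemRestore class is reported here instead of inside the loop.
   Set colPoints = oWMI.ExecQuery("Select * from SystemRestore")
   nCount = colPoints.Count
   If Err.Number <> 0 Then
      AuditComputer = sName & ",QUERY FAILED 0x" & Hex(Err.Number) & ",,"
      Exit Function
   End If

   ' The highest SequenceNumber identifies the most recent checkpoint.
   For Each oPoint In colPoints
      If oPoint.SequenceNumber > nMaxSeq Then
         nMaxSeq = oPoint.SequenceNumber
         sNewest = oPoint.CreationTime
      End If
   Next
   AuditComputer = sName & ",OK," & nCount & "," & sNewest
End Function
```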

Micro Tip Sheet

Perhaps you like System Restore and wish you could get more control over it? Run over to the Script Center and you'll find scripts that let you centrally make a System Restore checkpoint, roll back to a prior checkpoint, and more. You can combine many of them with my script, above, to affect a batch of computers at once.

If you're turning off System Restore, you'll obviously want to put something in place to back up at least the WinXP registry. There are three techniques which are easy, including using RegEdit and good old NTBackup.

Your backup tapes are also a good repository for viruses. Make sure you're using a backup solution that can scan files for viruses as the backup is occurring, or at least make sure an antivirus scanner is running when you perform any restores. That way your backup tapes won't become a source of viruses.

More Resources
Network Associates describes the System Restore virus problem and explains how to turn it off manually:

My Web site has additional scripting resources and a discussion forum on managing aspects of Windows through scripts:

Microsoft has a KnowledgeBase article (306084) that describes System Restore.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Wed, Aug 11, 2004 Steve Brown

"Remember that this will only work with Windows XP machines; Windows 2000 and Windows 20003 don't implement System Restore."

Windows Twenty thousand and three, Can't wait for that one :)

Wed, Aug 11, 2004 Kharmin Washington DC

We've had this same issue when dealing with spyware and adware. Every time we thought we'd cleared them, they'd be back. We remembered System Restore-- d'oh! So, we turn off System Restore, and then run Spybot and AdAware from safe mode. Once done, we'd reset the System Restore.

Wed, Aug 11, 2004 Ron Kansas

Or... for Windows XP, you can turn it off using a GPO (Computer Configuration -- Administrative Templates -- System -- System Restore)
