Windows Tip Sheet
System Restore, Virus Restore...Same Thing
A scriptable way to keep clients updated and virus-free.
Windows ME and Windows XP have a handy System Restore feature, which
periodically makes backups of key system files, especially when you install
new software or hardware. Unfortunately, virus-infected files can get
backed up by System Restore. So, you could clean your system and then
roll back to a restore checkpoint and poof! The virus is back. One way
to handle this is to always, always, always run a virus scanner
and to run a full system scan after you roll back a System Restore checkpoint.
However, since end users in many companies are allowed to roll back on
their own, you can't be sure if they remember to scan. Depending on how
you feel about System Restore's benefits vs. the risks of bringing a virus
back, you might want to disable System Restore.
In XP, it's easy enough to do: Open System Properties (right-click My
Computer and select Properties), go to the System Restore tab and select
the checkbox to "Turn off System Restore." If—heaven help
you—you're using Windows ME, it's in a similar location: Open the
properties of My Computer, select the Performance tab, click the File
System button, and select the Troubleshooting tab. The checkbox to disable
System Restore is the last one in the list.
For Windows XP only, you can even script this. The Microsoft TechNet
Script Center has a sample script that'll get you started:
http://www.microsoft.com/technet/community/scriptcenter/compmgmt/scrcm92.mspx.
Here's an expanded version that attempts to disable System Restore for
every computer listed in a text file you provide:
'get input file name
Dim sInputFile
sInputFile = _
    InputBox("Enter path and filename to input file " & _
    "(list of computer names)", "Input file")
'InputBox returns an empty string if the user clicks Cancel
If sInputFile = "" Then
    WScript.Quit
End If

'open input file
Dim oFSO, oTS
Set oFSO = WScript.CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Set oTS = oFSO.OpenTextFile(sInputFile)
If Err <> 0 Then
    MsgBox "Couldn't open input file."
    WScript.Quit
End If
On Error Goto 0

'go through names in file
Dim sComputer, oWMIService, oItem, errResults
Do Until oTS.AtEndOfStream
    sComputer = Trim(oTS.ReadLine)
    If sComputer <> "" Then
        'connect to the WMI provider; errors (unreachable or
        'non-XP machines) are skipped so the loop keeps going
        On Error Resume Next
        Set oWMIService = GetObject("winmgmts:\\" & _
            sComputer & "\root\default")
        Set oItem = oWMIService.Get("SystemRestore")
        errResults = oItem.Disable("")
        On Error Goto 0
    End If
Loop
oTS.Close

'finished - notify
MsgBox "Script is finished executing."
Remember that this will only work with Windows XP machines; Windows 2000
and Windows 2003 don't implement System Restore.
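The script above suppresses every error and reports only that it finished, so you can't tell which machines still have System Restore enabled. The following variant is an added example, not part of the original article or the Script Center sample: it makes the same WMI call but records a per-computer result. The file names computers.txt and sr_disable_results.csv, and the status labels, are assumptions.

```vbscript
' Added example: disable System Restore per computer and log each outcome.
Option Explicit
Const INPUT_FILE = "computers.txt"          ' assumed: one computer name per line
Const LOG_FILE = "sr_disable_results.csv"   ' assumed output path
Const ForReading = 1, ForWriting = 2

Dim oFSO, oIn, oLog, sComputer
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oIn = oFSO.OpenTextFile(INPUT_FILE, ForReading)
Set oLog = oFSO.OpenTextFile(LOG_FILE, ForWriting, True)
oLog.WriteLine "Computer,Status,Detail"

Do Until oIn.AtEndOfStream
    sComputer = Trim(oIn.ReadLine)
    If sComputer <> "" Then
        oLog.WriteLine sComputer & "," & DisableRestore(sComputer)
    End If
Loop
oIn.Close
oLog.Close
WScript.Echo "Done. Review " & LOG_FILE & " for machines that need follow-up."

' Returns "Status,Detail" for one computer instead of hiding failures.
Function DisableRestore(sName)
    Dim oWMI, oSR, lResult
    On Error Resume Next
    Set oWMI = GetObject("winmgmts:\\" & sName & "\root\default")
    If Err.Number <> 0 Then
        ' Machine offline, name wrong, or access denied
        DisableRestore = "CONNECT_FAILED,0x" & Hex(Err.Number)
        Exit Function
    End If
    Set oSR = oWMI.Get("SystemRestore")
    If Err.Number <> 0 Then
        ' Class not available, e.g. the machine is not Windows XP
        DisableRestore = "NO_SYSTEM_RESTORE,0x" & Hex(Err.Number)
        Exit Function
    End If
    lResult = oSR.Disable("")   ' same call as the article's script
    If Err.Number <> 0 Then
        DisableRestore = "CALL_FAILED,0x" & Hex(Err.Number)
    ElseIf lResult = 0 Then
        DisableRestore = "DISABLED,0"
    Else
        DisableRestore = "ERROR," & lResult
    End If
End Function
```

Any row whose status is not DISABLED marks a machine where a restore checkpoint could still bring an infected file back, so those are the ones to revisit.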
Perhaps you like System Restore and wish you could
get more control over it? Run over to the Script Center
scriptcenter/compmgmt/default.mspx and you'll find
scripts that let you centrally make a System Restore
checkpoint, roll back to a prior checkpoint, and more.
You can combine many of them with my script, above,
to affect a batch of computers at once.
If you're turning off System Restore, you'll obviously
want to put something in place to back up at least the
WinXP registry. There are three techniques (http://www.mvps.org/sramesh2k/registry.htm)
which are easy, including using RegEdit and good old
Your backup tapes are also a good repository for viruses.
Make sure you're using a backup solution that can scan
files for viruses as the backup is occurring, or at
least make sure an antivirus scanner is running when
you perform any restores. That way your backup tapes
won't become a source of viruses.
Network Associates describes the System Restore virus problem and explains
how to turn it off manually: http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
My Web site has additional scripting resources and a discussion forum
on managing aspects of Windows through scripts: www.scriptinganswers.com
Microsoft has a KnowledgeBase article that describes System Restore:
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.