Does Macrium Reflect Installation Disable Windows System Restore?


Christopher Souter
New Member
Hi all,
Subject says it all.
My reason for asking this is that I have recently discovered that Windows System Restore is disabled on my machine, there are no restore points, and I don't remember ever having disabled it.
I have recently had a malware issue, which has now been ironed out with the help of Malwarebytes Tech Support, and that's how I found out about this System Restore issue.
Considering that System Restore is normally a "set-and-forget" item, I don't think it's something that most users would be continuously monitoring.
Current OS: Windows 7 Ultimate x64 SP1
Current Macrium Reflect Version: Macrium Reflect Home v7.2.4971

All comments and/or suggestions welcome, (high constructivity content would be preferred, however).


Best regards to all,
Christopher Souter
(Sydney, Australia)

jphughan
Macrium Evangelist
It's enabled on my system.  However, malware and particularly ransomware is ABSOLUTELY known for disabling System Restore for the specific purpose of purging your VSS snapshots.  Early versions of ransomware failed to do this, so when it encrypted people's data, savvy victims figured out that they could restore clean copies of their data from those snapshots, and in some cases could even use System Restore to roll back their entire system.  Obviously the ransomware authors weren't thrilled at people getting their data back without paying the ransom, so it didn't take long for them to update their ransomware so that it blew away your snapshots first thing.
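A read-only check a defender can run to confirm the state described above (System Restore switched off, shadow copies gone). This is an added example, not code from the thread or from Macrium; it assumes an elevated Windows PowerShell 3.0+ session and reads the SystemRestore registry key, Get-ComputerRestorePoint and the Win32_ShadowCopy WMI class.

```powershell
# Added example: read-only System Restore / VSS health check (not from the thread).
# Assumes an elevated Windows PowerShell (3.0+) session; Get-ComputerRestorePoint
# is a Windows PowerShell cmdlet and is not available in PowerShell 7.
function Get-SystemRestoreHealth {
    $srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $sr = Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue

    # DisableSR = 1 turns System Restore off machine-wide (policy or tooling);
    # RPSessionInterval = 0 means no restore points are being created.
    $disabledByPolicy = ($null -ne $sr) -and ($sr.DisableSR -eq 1)
    $creationOff      = ($null -ne $sr) -and ($sr.RPSessionInterval -eq 0)

    # Restore points System Restore still knows about (empty once the backing
    # snapshots have been purged).
    $points = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

    # Every VSS shadow copy on the box, whoever created it: System Restore,
    # backup software, or none at all after a purge.
    $shadows = @(Get-WmiObject -Class Win32_ShadowCopy -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Id      = $_.ID
                Volume  = $_.VolumeName
                Created = [Management.ManagementDateTimeConverter]::ToDateTime($_.InstallDate)
            }
        })

    $newest = $null
    if ($points.Count -gt 0) {
        $newest = ($points | Sort-Object SequenceNumber -Descending |
                   Select-Object -First 1).Description
    }

    # Verdict: flag the combination this thread is about.
    $verdict = 'OK'
    if ($disabledByPolicy -or $creationOff) {
        $verdict = 'System Restore is OFF'
    } elseif ($points.Count -eq 0 -and $shadows.Count -eq 0) {
        $verdict = 'enabled, but no restore points or shadow copies exist'
    }

    [pscustomobject]@{
        DisabledInRegistry      = $disabledByPolicy
        RestorePointCreationOff = $creationOff
        RestorePointCount       = $points.Count
        NewestRestorePoint      = $newest
        ShadowCopyCount         = $shadows.Count
        ShadowCopies            = $shadows
        Verdict                 = $verdict
    }
}

Get-SystemRestoreHealth | Format-List
```

A verdict other than OK on a machine where nobody deliberately turned System Restore off is the point at which to treat the host as possibly compromised rather than simply re-enabling the feature.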

Christopher Souter
New Member
jphughan - 18 June 2020 1:37 AM
It's enabled on my system.  However, malware and particularly ransomware is ABSOLUTELY known for disabling System Restore for the specific purpose of purging your VSS snapshots.  Early versions of ransomware failed to do this, so when it encrypted people's data, savvy victims figured out that they could restore clean copies of their data from those snapshots, and in some cases could even use System Restore to roll back their entire system.  Obviously the ransomware authors weren't thrilled at people getting their data back without paying the ransom, so it didn't take long for them to update their ransomware so that it blew away your snapshots first thing.

OIC...  OK...
FYI, Malwarebytes Tech Support never did find out what was the actual malware on my system, but numerous scans (as instructed by them), failed to find anything of note...
(The issue which originally prompted me to contact Malwarebytes was that I had discovered that my HOSTS file had been altered - not by me)....  We never did discover what was responsible for this...
However, I'm still left wondering whether System Restore is all that useful, considering that I already have Macrium Reflect installed, always up-to-date, doing automatic daily backups.
What do you think?

Best regards to all,
Christopher Souter
(Sydney, Australia)

jphughan
Macrium Evangelist
I would say that most people who have frequent Reflect backups probably have little to no reason to use System Restore.  However, the one way that it can come in handy is that it is explicitly designed to allow you to roll back your Windows and application environments WITHOUT also rolling back your personal data.  So in a case like this, obviously you'd want to roll back your "system stuff", but you probably don't want to roll back all of your Word documents and such that you may have updated since your last backup.  System Restore is designed to do that.  With Reflect, you'd have to capture a new backup just prior to restoring whatever backup you wanted to restore, run that restore, and then afterward mount that just-prior-to-restore backup in order to extract the latest versions of your personal data.

The DOWNSIDE of System Restore is that its "selective restore" mechanism doesn't always work as advertised; in fact, when it was first introduced it failed FAR more often than it succeeded, in my experience.  And in the specific case of malware, it might be designed specifically to withstand that type of selective restore, assuming it even allowed your snapshots to survive to permit a System Restore operation at all.  And that's another drawback of System Restore, namely that it relies on snapshots existing on the partition to be restored.  Those snapshots might have been deleted or you might have a file system issue that renders them unusable.  By comparison, Reflect backups are often stored on completely separate drives and therefore tend to be more resilient.

The way to have your cake and eat it too here is to store your personal data on a separate partition.  That way if you want to roll back your OS, you can choose to restore only those partitions while leaving your Data partition untouched.  But not everyone knows how to do that, and partitions can introduce headaches of their own.  For example, you have to decide how to size each partition, and if you predict your needs incorrectly, you might run out of space on one partition while you have plenty free on another one, and reallocating partition space takes a bit of doing.

But I personally would be very concerned if I had a malware attack and couldn't find it on my system.  If you never found it, you can't be confident it's actually gone.  And there are limits to what anti-malware scanners running within an infected OS can do, because some malware can hide itself from other processes running within the OS.  That's especially true of rootkits that execute when the OS first boots.  And if your OS is compromised at its foundation, then everything on top of it can be compromised.  UEFI Secure Boot is specifically designed to protect against this type of attack, but not all systems support it or have it enabled.

One thing you might want to consider is running Windows Defender Offline.  It basically runs a Defender scan from outside of Windows, and therefore it may be able to find things that Defender running within Windows wouldn't be able to see.  Here is an article about it: https://support.microsoft.com/en-us/help/17466/windows-microsoft-defender-offline-help-protect-my-pc

Christopher Souter
New Member
jphughan - 18 June 2020 2:02 AM
I would say that most people who have frequent Reflect backups probably have little to no reason to use System Restore.  However, the one way that it can come in handy is that it is explicitly designed to allow you to roll back your Windows and application environments WITHOUT also rolling back your personal data.  So in a case like this, obviously you'd want to roll back your "system stuff", but you probably don't want to roll back all of your Word documents and such that you may have updated since your last backup.  System Restore is designed to do that.  With Reflect, you'd have to capture a new backup just prior to restoring whatever backup you wanted to restore, run that restore, and then afterward mount that just-prior-to-restore backup in order to extract the latest versions of your personal data.

The DOWNSIDE of System Restore is that its "selective restore" mechanism doesn't always work as advertised; in fact, when it was first introduced it failed FAR more often than it succeeded, in my experience.  And in the specific case of malware, it might be designed specifically to withstand that type of selective restore, assuming it even allowed your snapshots to survive to permit a System Restore operation at all.  And that's another drawback of System Restore, namely that it relies on snapshots existing on the partition to be restored.  Those snapshots might have been deleted or you might have a file system issue that renders them unusable.  By comparison, Reflect backups are often stored on completely separate drives and therefore tend to be more resilient.

The way to have your cake and eat it too here is to store your personal data on a separate partition.  That way if you want to roll back your OS, you can choose to restore only those partitions while leaving your Data partition untouched.  But not everyone knows how to do that, and partitions can introduce headaches of their own.  For example, you have to decide how to size each partition, and if you predict your needs incorrectly, you might run out of space on one partition while you have plenty free on another one, and reallocating partition space takes a bit of doing.

But I personally would be very concerned if I had a malware attack and couldn't find it on my system.  If you never found it, you can't be confident it's actually gone.  And there are limits to what anti-malware scanners running within an infected OS can do, because some malware can hide itself from other processes running within the OS.  That's especially true of rootkits that execute when the OS first boots.  And if your OS is compromised at its foundation, then everything on top of it can be compromised.  UEFI Secure Boot is specifically designed to protect against this type of attack, but not all systems support it or have it enabled.

One thing you might want to consider is running Windows Defender Offline.  It basically runs a Defender scan from outside of Windows, and therefore it may be able to find things that Defender running within Windows wouldn't be able to see.  Here is an article about it: https://support.microsoft.com/en-us/help/17466/windows-microsoft-defender-offline-help-protect-my-pc

Well, firstly, the changes to my HOSTS file were that the URLs for two well-known browser and search hijackers had been redirected to the loopback interface address (127.0.0.1), which seems to be pretty strange behaviour for malware...
Several scans of the machine failed to pick up any trace of either of the relevant malware programs (isearch.omiga-plus.com and search-conduit.com), and I suspect that they had already been cleaned up by Malwarebytes, which may well also have altered my HOSTS file as a precaution.  Unfortunately no reference to this or any similar scenario can be found in any of my recent Malwarebytes logs.

Secondly, in a sense, I already do keep my data on a separate partition, because it is continuously backed up to Google Drive.  I quite realise that the Google Drive folder is in my C:\Users\<MY USER NAME> folder, but if there were any malware-inspired alterations being made to my data, I think I would see it straight away, because the little "sync-in-progress" indicator on my Google Drive tray icon would start working, and I don't know of any malware that could hide this from me.

Windows Defender Offline looks interesting, and I might give it a try, but the only problem is that if my machine really is infected with malware, I'll have to get hold of another machine from somewhere, in order to create the bootable ISO.

Thanks very much for your advice, anyway.

Best regards to all,
Christopher Souter
(Sydney, Australia)

Edited 18 June 2020 2:48 AM by Christopher Souter
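The distinction the post above draws between the two hijacker domains being pointed at 127.0.0.1 and a genuine redirect is what a defender should check for first. The following is an added example, not code from the thread or from Malwarebytes: it parses the Windows hosts file and labels each non-default entry as a sinkhole (loopback or unspecified address, which blocks the name) or a redirect (the name is sent to some other host). It assumes Windows PowerShell 3.0 or later and the default hosts file path.

```powershell
# Added example: list every non-default hosts-file entry and classify it
# (not code from the thread). Assumes Windows PowerShell 3.0 or later.
function Get-HostsOverrides {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

    # Addresses that make a name resolve to nothing useful: a block, not a redirect.
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1')
    # Names a stock hosts file may list; not interesting.
    $defaults  = @('localhost', 'localhost.localdomain', 'broadcasthost')

    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()      # strip trailing comments
        if (-not $line) { return }                # blank or comment-only line
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }       # malformed: address with no name
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($defaults -contains $name.ToLower()) { continue }
            $kind = if ($sinkholes -contains $address) { 'sinkhole (name is blocked)' }
                    else { 'redirect (name sent to another host)' }
            [pscustomobject]@{ Address = $address; HostName = $name; Kind = $kind }
        }
    }
}

# Redirects of real services (banks, update servers, search engines) are the
# entries to investigate; sinkholes usually come from anti-malware or ad-blocking tools.
Get-HostsOverrides | Sort-Object Kind | Format-Table -AutoSize
```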
dbminter
Master
I admit I disabled System Restore for 2 reasons.  The first was that in all the years I tried to use System Restore to fix a problem, it NEVER fixed a single one!  So, I disabled it to free up the system space since it was useless as far as I was concerned.  The second was that, ever since about 1995, I've been taking some kind of daily drive image of my system, going back to Drive Image.  So, I always had an at most 24 hours old backup I could restore back to should it be needed.  This also further negated the reason to use System Restore for me, so I freed up the space.

alQamar
Junior Member
System Restore is mostly disabled by Windows 10, and should be disabled. It is a legacy technology that causes some of these side effects:
- slow performance (boot / install / uninstall)
- corruption with VSS
- uncatched errors when upgrading Windows 10
- allocation of space (esp. on SSD)
- migration settings issues. Often, after an IPU, Windows 10 loses the link to the partition, causing stale VSS protections to be visible in the GUI
- migration settings issues. Often, after an IPU, Windows 10 does not retain the percentage of the VSS maximum storage but instead sets it to 100%
- VSS snapshots may contain malware / spyware or worse that have been fought successfully

Since the registry backups have been disabled by default, it is even more useless.
Microsoft recommends disabling it; I do the same based on many migration projects.
If you need security against tampering or an unbootable system, Macrium is your friend. Don't trust System Restore from Win95.
jphughan
Macrium Evangelist
alQamar - 18 June 2020 4:16 PM
System Restore is mostly disabled by Windows 10, and should be disabled. It is a legacy technology that causes some of these side effects:
- slow performance (boot / install / uninstall)
- corruption with VSS
- uncatched errors when upgrading Windows 10
- allocation of space (esp. on SSD)
- migration settings issues. Often, after an IPU, Windows 10 loses the link to the partition, causing stale VSS protections to be visible in the GUI
- migration settings issues. Often, after an IPU, Windows 10 does not retain the percentage of the VSS maximum storage but instead sets it to 100%
- VSS snapshots may contain malware / spyware or worse that have been fought successfully

Since the registry backups have been disabled by default, it is even more useless.
Microsoft recommends disabling it; I do the same based on many migration projects.
If you need security against tampering or an unbootable system, Macrium is your friend. Don't trust System Restore from Win95.

I'm not sure what you mean that System Restore is "mostly disabled", or what that would even mean in this context.  System Restore is enabled by default on new Win10 installations performed using unmodified Microsoft media.  Installs and uninstalls would only be slower if they choose to create a System Restore point, and then they'd only be slower by the time taken to do that.  I don't know where the slow boot claim is coming from.

I also don't know where the VSS corruption claim is coming from.  System Restore uses VSS snapshots, but it wouldn't cause general VSS snapshot corruption.  Reflect uses VSS snapshots too, and I've never had a problem with them on any of the many systems I use where System Restore is enabled because it's on by default.

I don't know where the claims about "uncatched" errors when upgrading or "migration settings issues" are coming from either.

As for allocation of space, sure System Restore reserves a certain amount of space for snapshots.  If you don't want it to do that, then you can disable it, but it's not very much.

VSS snapshots containing malware isn't really System Restore's fault.  VSS snapshots performed for other purposes could retain malware too, but if malware exists solely in a snapshot, then it's not going to infect you, just like having a file sitting on your hard drive doesn't automatically infect you.  The file has to execute somehow (or be read by some application that has a known vulnerability that can be exploited by having it read specially crafted data), and data sitting in a VSS snapshot doesn't get executed.  In any case, again that risk isn't unique to System Restore.  An old Reflect backup could contain malware too.  And that wouldn't be Reflect's fault.

Please provide a citation for Microsoft's recommendation to disable System Restore.  As I said, it is still enabled by default even on new installations of Win10 2004.

System Restore was introduced with Windows XP, not Windows 95.  And it's not like it hasn't been touched since then.

Those were a lot of pretty broad claims to make without providing any citations.

Edited 18 June 2020 5:39 PM by jphughan
alQamar
Junior Member
@jphughan sorry if my statements come across as bold. It's just my personal experience over the years that I am sharing. And from this I recommend turning this off, at least for Windows 10.

As the OP requested well-founded information and you like citations, I have bothered myself to find some more references.

I don't know where the claims about "uncatched" errors when upgrading or "migration settings issues" are coming from either.

Please provide a citation for Microsoft's recommendation to disable System Restore. As I said, it is still enabled by default even on new installations of Win10 2004.


In fact I cannot find any citation from Microsoft to disable System Restore, though, having been an insider since 2014, even in 2020 I find myself helping people with error codes like 0xC1900101 that mostly get solved by disabling this. It is an open secret.

For years I have been seeing what is written down here in the Answers forums and Feedback Hub: that System Restore gets disabled with upgrades.
https://answers.microsoft.com/en-us/windows/forum/windows_10-update/why-is-system-restore-off-by-default-for-many/3049a3ac-f77f-4bff-af19-f6fd51184185
https://answers.microsoft.com/en-us/windows/forum/all/system-restore-constantly-disabled-after-updates/336f337b-0b48-4bcb-b37a-688e8aa4709c

Or the opposite of my point. All of it confirms a high rate of misconfigured or disabled systems for System Restore.
https://www.bruceb.com/2016/03/windows-10-tip-turn-on-system-restore-because-youll-really-miss-it-if-you-need-it-and-its-not-there/

Here is one of my systems after upgrading from 1909 to 2004 this week.


Windows 10 will (erratically) disable System Restore and Microsoft is okay with that. Otherwise they would address it.
If they wanted to, it is a PowerShell one-liner and moreover part of the base WIM.


On Windows Server, System Restore does not even exist, for a good reason. Why is this feature not there in a productive, time-critical environment? It is a home-user-oriented legacy thing, for those that usually think it is OK to have it and do not need any backups.
Ironically Windows 10 even introduced VSS-based backup and officially deprecated Windows Backup for clients. This is documented in several places (https://docs.microsoft.com/en-us/windows/win32/w8cookbook/windows-7-backup-and-restore-deprecated).

I can only repeat myself: consider "it does not exist" or consider it deprecated. The main point is that the registry is no longer backed up, except for the CurrentControlSet backups.

I also don't know where the VSS corruption claim is coming from. System Restore uses VSS snapshots, but it wouldn't cause general VSS snapshot corruption. Reflect uses VSS snapshots too, and I've never had a problem with them on any of the many systems I use where System Restore is enabled because it's on by default.

It is not corrupting VSS at all, but only System Restore. See the settings (either System Restore points to a drive no longer accessible, or it is set to 0% or to 100%, nothing but default parameters).


System Restore was introduced with Windows XP, not Windows 95. And it's not like it hasn't been touched since then.

My fault, it was introduced with Windows ME, not 95 or 98(SE), with the same ugly GUI; the GUI / menu as it looks now is certainly based on XP. And it hasn't been touched much (I guess).
https://www.mcafee.com/enterprise/en-us/downloads/free-tools/disabling-system-restore.html
https://www.bleepingcomputer.com/forums/t/52036/system-restore-for-windows-98/

I hope my posts are clearer now. 
Edited 18 June 2020 7:48 PM by alQamar
alQamar
Junior Member
After this excursion, I would like to share some more lines, hopefully all helpful as to why we don't need to bother with this anymore:
- the rate of boot failures should be low (the legendary stop 7B). Windows 10 isn't more resilient to this, but we now have standard drivers in place like AHCI and NVMe that are usually enabled at kernel boot time.

- heavy issues that insiders have been reporting for years, which the boot troubleshooter cannot fix (but could), like bootmgr / bcdboot issues, can be fixed using a USB key with Windows 10 or other recovery media that has console access to bcdboot, fixboot, etc.

- UEFI/GPT systems are less prone to boot sector issues in my field experience. The only ones I saw not booting without a root cause had MBR, in fact.

- Updates: a main concern is that an update leads to an inaccessible system that does not boot (except into WinRE). Since 1903 one can uninstall updates from WinRE without booting Windows. That is a big step forward in not being too much affected by this major reason.

- hardware changes: except for storage, Windows 10 handles hardware changes perfectly with most common setups. Not saying it is healthy in all cases, but you could switch 3 generations of mainboards and even from AMD to Intel and back without a reinstall, basically, without weighing the cons, but it does work. So what we wanted in a POC with Win95, plug and play, works great nowadays.

