Event viewer and Recycle Bin post roster


Mintmag
Junior Member (57 reputation)
Group: Forum Members
Posts: 39, Visits: 149
So after restoring a Macrium image, I've noticed that Event Viewer still retains logs from the overwritten image and sometimes Recycle Bin will still have files in it. How and why does this happen?
JamieW
Macrium Representative (210 reputation)
Group: Moderators
Posts: 135, Visits: 1.5K
Hi Mintmag,

Thank you for posting.

"Event Viewer still retains logs from the overwritten image"

What Macrium Events are you seeing? Any events generated before the shadow copy will be restored as they'll be in the shadow copy and in the restored image. So, for example, the 'Backup Started' event will be restored.

"sometimes Recycle Bin will still have files in it"

The Recycle Bin will contain files that were present when the shadow copy was created.

Kind Regards,
Macrium Support
Mintmag
No, I meant the Windows Event Viewer. Say you create an image on Monday the 1st of October. Then you restore the image on Wednesday the 30th of October. Thus taking it back to how it was on the 1st. Except all the event logs throughout October have remained. As well as all the files in Recycle Bin that were there on the 30th. That's what happened.
jphughan
Macrium Evangelist (5.9K reputation)
Group: Forum Members
Posts: 4K, Visits: 29K
Do you have other partitions on your system that you did NOT roll back? The Recycle Bin is an aggregate view of all Recycle Bin folders on all attached partitions, so if you have a different partition that you didn’t roll back, their Recycle Bin contents would still be intact and would still appear in your Recycle Bin view after a restore.  As for Event Viewer, did you change the default Event Viewer log location to another partition that you didn't roll back?

Otherwise, the only time something like this was reported, the underlying cause turned out to be that the user didn’t restore the image they thought they did. The only other way this would happen would be if the restore never ran in the first place. If you successfully restored an image of your OS partition captured at the beginning of October, then it wouldn’t have anything from after that point, otherwise that would defeat the entire point of an image restore -- and from a technical perspective, the nature of disk images means they can't be selective at a file level about what to restore anyway, so you couldn’t end up with just log files and Recycle Bin contents preserved. Is it possible that the image you restored was a Full backup file that was ORIGINALLY captured at the beginning of October but became a Synthetic Full after Incrementals were consolidated into it, and was thus carried forward in time? Did you verify the Backup Date field shown in Reflect’s Restore tab for that file?
Edited 6 December 2018 3:42 PM by jphughan
Mintmag
jphughan - 6 December 2018 3:32 PM
Do you have other partitions on your system that you did NOT roll back? The Recycle Bin is an aggregate view of all Recycle Bin folders on all attached partitions, so if you have a different partition that you didn’t roll back, their Recycle Bin contents would still be intact and would still appear in your Recycle Bin view after a restore.  As for Event Viewer, did you change the default Event Viewer log location to another partition that you didn't roll back?

Otherwise, the only time something like this was reported, the underlying cause turned out to be that the user didn’t restore the image they thought they did. The only other way this would happen would be if the restore never ran in the first place. If you successfully restored an image of your OS partition captured at the beginning of October, then it wouldn’t have anything from after that point, otherwise that would defeat the entire point of an image restore -- and from a technical perspective, the nature of disk images means they can't be selective at a file level about what to restore anyway, so you couldn’t end up with just log files and Recycle Bin contents preserved. Is it possible that the image you restored was a Full backup file that was ORIGINALLY captured at the beginning of October but became a Synthetic Full after Incrementals were consolidated into it, and was thus carried forward in time? Did you verify the Backup Date field shown in Reflect’s Restore tab for that file?

Yes to the partitions question. Only the C drive gets restored while D drive is left alone. I haven't moved the event viewer files but I thought it might have something to do with intelligent restore. It was a differential restore that I did.
jphughan
I'm not sure if "intelligent/differential restore" refers to the fact that you restored from a Differential backup or used Rapid Delta Restore, but either way that wouldn't affect the final result of the restore operation.  Rapid Delta Restore simply avoids the need to delete and restore the entire partition, since it can instead basically roll back all of the changes that have been made on the restore target since the time of the backup you're restoring.  Think of it as a giant Undo button.  But it still rolls back ALL changes that have been made since the time of the backup; it can't roll back everything except Event Viewer logs, for example.

However, are you sure you have ALL of your Event Viewer logs since the time of the backup?  The reason I ask is that Windows generates quite a few Event Viewer log entries even before you log onto your PC, so for example if on October 30 you restore your system to a backup that was captured on October 1, when you first start your PC after that restore, you'll already have new logs dated October 30.  But if you scroll past those, your NEXT log entries should be October 1 or earlier, i.e. you shouldn't have any logs dated October 15, for example.

Edited 6 December 2018 7:33 PM by jphughan
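The two checks described in the replies above, as an added example that is not part of the thread and not Macrium's own tooling: it counts Windows events logged between the backup time and the restore time (none are expected on a volume that was really rolled back) and counts Recycle Bin entries per volume. The default dates are assumed values based on the thread's October scenario, and all variable names are illustrative.

```powershell
# Added example; the default dates are assumed from the thread's scenario
# (image taken 1 October, restored 30 October). Substitute your own.
param(
    [datetime]$BackupTime  = '2018-10-01T23:59:59',
    [datetime]$RestoreTime = '2018-10-30T00:00:00',
    [string[]]$LogName     = @('System', 'Application')
)

# 1. Event logs: a rolled-back OS volume has no events inside the window.
$logReport = foreach ($log in $LogName) {
    $inWindow = @(Get-WinEvent -FilterHashtable @{
            LogName = $log; StartTime = $BackupTime; EndTime = $RestoreTime
        } -ErrorAction SilentlyContinue)
    # Newest event at or before the backup, oldest event after the restore.
    $lastBefore = Get-WinEvent -FilterHashtable @{
            LogName = $log; EndTime = $BackupTime
        } -MaxEvents 1 -ErrorAction SilentlyContinue
    $firstAfter = Get-WinEvent -FilterHashtable @{
            LogName = $log; StartTime = $RestoreTime
        } -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Log            = $log
        EventsInWindow = $inWindow.Count
        LastBefore     = $lastBefore.TimeCreated
        FirstAfter     = $firstAfter.TimeCreated
        GapIsClean     = ($inWindow.Count -eq 0)
    }
}
$logReport | Format-Table -AutoSize

# 2. Recycle Bin: Explorer merges the $Recycle.Bin folder of every volume, so
#    entries on a volume that was not restored still appear after the restore.
$binReport = foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $bin = Join-Path $drive.Root '$Recycle.Bin'
    if (Test-Path -LiteralPath $bin) {
        # Each deleted item has one $I* metadata file under a per-user SID folder.
        $entries = @(Get-ChildItem -LiteralPath $bin -Recurse -Depth 1 -Force `
                -ErrorAction SilentlyContinue | Where-Object Name -like '$I*')
        [pscustomobject]@{ Volume = $drive.Root; DeletedItems = $entries.Count }
    }
}
$binReport | Format-Table -AutoSize
```

Run it from an elevated prompt so that other users' SID folders under `$Recycle.Bin` are readable; unreadable folders are otherwise skipped silently.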
Mintmag
jphughan - 6 December 2018 7:32 PM
I'm not sure if "intelligent/differential restore" refers to the fact that you restored from a Differential backup or used Rapid Delta Restore, but either way that wouldn't affect the final result of the restore operation.  Rapid Delta Restore simply avoids the need to delete and restore the entire partition, since it can instead basically roll back all of the changes that have been made on the restore target since the time of the backup you're restoring.  Think of it as a giant Undo button.  But it still rolls back ALL changes that have been made since the time of the backup; it can't roll back everything except Event Viewer logs, for example.

However, are you sure you have ALL of your Event Viewer logs since the time of the backup?  The reason I ask is that Windows generates quite a few Event Viewer log entries even before you log onto your PC, so for example if on October 30 you restore your system to a backup that was captured on October 1, when you first start your PC after that restore, you'll already have new logs dated October 30.  But if you scroll past those, your NEXT log entries should be October 1 or earlier, i.e. you shouldn't have any logs dated October 15, for example.

I seem to be mistaken. You see, I saw a kernel power critical error before and after restore. I thought this was a leftover but it's likely a side effect caused by restoring the image. There are no logs between the 1st and the 6th so I must have created the image on the first.