Author Topic: System Restore points silently disappear (Read 66867 times)

Steevo · « **on:** August 08, 2015, 07:39:51 pm »

This is a window 7 x64 system.

I had a piece of malware on this system, which I was able to kill.
So that was deleted and I feel confident it's not a problem anymore.

I went through the process over at Bleepingcomputer. They declared it clean.

The problem I have left is system restore was not creating restore points. I found there was no space allocated.

I was able to allocate space on my system drive, and I was able to create points manually, both with system protection and with System Restore Manger v2.
By the next day they were missing.

I found a system backup service was not running, and after I enabled that the system automatically created a restore point associated with windows update.
I also created a couple manually.

The next morning they were still there. So far so good.
By that evening, there were none again.

I just created one manually with system protection and one with system restore manager.
I will wager in 24 hours they will both be missing.

I did notice this in the event log

volsnap The shadow copies of volume C: were aborted because of an IO failure on volume C:.

That's the only red item in the system log from today.

Can anyone suggest any steps to isolate this issue?
Drive C seems to be working great. I ran seagate tools on it. They declared it fine.

Steevo · « **Reply #1 on:** August 08, 2015, 07:40:59 pm »

Incidentally, I used the tweaking.com repair tool to work on this. I probably have logs. Then and now.

Boggin · « **Reply #2 on:** August 09, 2015, 09:50:57 am »

I've seen stacks of threads where Win 7 users have lost their restore points after a reboot but not one like you have.

In Event Viewer when you click on that error and then on the blue online help link, does MS give any more info on it.

If it doesn't can you post the Event ID No it has and then perhaps a Google may produce something definite.

Shane may have come across it before and may have an unique fix for it, but he won't be back on the forum until Monday at the earliest.

Steevo · « **Reply #3 on:** August 09, 2015, 10:07:31 am »

FWIW, I do not suspect this logged error is the cause of the missing restore points.
But I am grasping at straws right now.

The shadow copies of volume C: were aborted because of an IO failure on volume C:.

https://technet.microsoft.com/en-us/library/f90fc4d0-49fb-4789-9e65-1d12a80cb75e.aspx

Quote

- System

- Provider

[ Name] volsnap

- EventID 14

[ Qualifiers] 49158

Level 2

Task 0

Keywords 0x80000000000000

- TimeCreated

[ SystemTime] 2015-08-09T00:03:30.361328900Z

EventRecordID 710371

Channel System

Computer Dell

Security

- EventData

\Device\HarddiskVolumeShadowCopy23
C:
C:
0000000003003000000000000E0006C00B000000010000C002000000000000000000000000000000

--------------------------------------------------------------------------------

Binary data:

In Words

0000: 00000000 00300003 00000000 C006000E
0008: 0000000B C0000001 00000002 00000000
0010: 00000000 00000000

In Bytes

0000: 00 00 00 00 03 00 30 00 ......0.
0008: 00 00 00 00 0E 00 06 C0 .......À
0010: 0B 00 00 00 01 00 00 C0 .......À
0018: 02 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........

Steevo · « **Reply #4 on:** August 09, 2015, 10:14:19 am »

Here is the performance monitor warnings section.

Quote

Severity: Informational
Symptom: Missing Events in Event Log
Details: Investigate why 90% (184,800) events were lost during data collection. The settings for Event Tracing for Windows (ETW) maximum buffers and buffer size may not be optimal depending on which data sets are being collected.
Related: Event Tracing for Windows

Informational

Symptom: The Security Center has not recorded an anti-virus product.
Cause: The Security Center is unable to identify an active anti-virus application. Either there is no anti-virus product installed or it is not recognized.
Resolution: 1. Verify that an anti-virus product is installed.
2. If an anti-virus product is installed and functioning configure Security Center to stop monitoring anti-virus status.
Related: Anti-virus

As to the AV, I have microsoft security essentials, an icon in the notification area, and it is working.
I wonder why perfmon says there is none?

That's very odd.

I just looked in the security center, and it says Microsoft Security Essentials is up to date and virus scanning is on.

Boggin · « **Reply #5 on:** August 09, 2015, 10:37:31 am »

Perfmon always reports no Av detected so that isn't anything to worry about.

That bit about missing Event logs could be of concern - are there any other Errors recorded with the same or similar date and time stamp as the volsnap one ?

EDIT - Forgot to add that that bit about Verify in the TechNet link and right clicking on the volume doesn't give me that option.

Steevo · « **Reply #6 on:** August 09, 2015, 10:51:41 am »

Nothing that looks suspicious.
I just rebooted and I have a few more errors.
Bad block errors on one of my usb externals.
I just ran chkdsk on it and it came back with no errors. So I just dunno.

A couple service control manager items.

The ScRegSetValueExW call failed for Start with the following error:
Access is denied.

The ScRegSetValueExW call failed for FailureCommand with the following error:
Access is denied.

https://technet.microsoft.com/en-us/library/62512d01-8735-4497-a43d-73fcead605a5.aspx

Boggin · « **Reply #7 on:** August 09, 2015, 12:16:38 pm »

Unless anyone else comes in with any useful suggestions then it's probably best to wait for Shane to pick up your thread.

Steevo · « **Reply #8 on:** August 10, 2015, 06:49:03 am »

At 6:47 am I still have the two restore points I had yesterday. No, wait. They were from Saturday. Two days they have survived.

Boggin · « **Reply #9 on:** August 10, 2015, 09:36:24 am »

It sounds as if it has sorted itself out - I suppose we all need time to get over an infection

Try creating some more to see if they also stick.

Julian · « **Reply #10 on:** August 10, 2015, 10:03:03 am »

I'm curious can you run chkdsk /f /r this will run at next boot and when it finishes look in event viewer and post what it reports. Why i ask is because this summer is a hot one and I've been finding drives left and right failing.

Steevo · « **Reply #11 on:** August 10, 2015, 11:27:32 am »

I ran chkdsk /f on it, and it all came back clean.
I guess I could do it again tonight.

I don't suspect the disk as a problem.

Steevo · « **Reply #12 on:** August 10, 2015, 11:28:37 am »

Quote from: Boggin on August 10, 2015, 09:36:24 am

It sounds as if it has sorted itself out - I suppose we all need time to get over an infection

Try creating some more to see if they also stick.

I do not assume that, I have been working on this problem for a month or more.
I still have the two manual restore points.

Shane · « **Reply #13 on:** August 10, 2015, 11:35:43 am »

I/O problem normally means a problem with the disk, can you post the log of the chkdsk you ran? It should be in the event viewer

Shane

Steevo · « **Reply #14 on:** August 10, 2015, 12:09:43 pm »

Quote from: Shane on August 10, 2015, 11:35:43 am

I/O problem normally means a problem with the disk, can you post the log of the chkdsk you ran? It should be in the event viewer

Shane

I had that volsnap error.
I just looked in windows/system event log. I did a ctrl-l find and I only see a chkdsk error from June, for another drive.

Hmm. I didn't know that chkdsk made a log. I don't see it. Can you tell me how to find it?

I used the tweaking.com tool and I have logs from that somewhere.

Steevo · « **Reply #15 on:** August 10, 2015, 12:13:17 pm »

Quote from: Steevo on August 10, 2015, 12:09:43 pm

Quote from: Shane on August 10, 2015, 11:35:43 am
I/O problem normally means a problem with the disk, can you post the log of the chkdsk you ran? It should be in the event viewer

Shane

I had that volsnap error.
I just looked in windows/system event log. I did a ctrl-l find and I only see a chkdsk error from June, for another drive.

Hmm. I didn't know that chkdsk made a log. I don't see it. Can you tell me how to find it?
Oh, in application.
The only chkdsk log of my drive C is dated in June.

I used the tweaking.com tool and I have logs from that somewhere.

Shane · « **Reply #16 on:** August 10, 2015, 12:46:25 pm »

The chkdsk would have to be ran before windows boots because the drive is in use and the scan can take a while since it is checking the sectors as well.

Then when it is done it will put a entry into the event viewer
http://www.sevenforums.com/tutorials/96938-check-disk-chkdsk-read-event-viewer-log.html

Did you do the chkdsk c: /r and it asked you to reboot and the scan ran before windows loaded?

Shane

Steevo · « **Reply #17 on:** August 10, 2015, 12:53:30 pm »

I ran chkdsk again just now and here is the result:

I did not use the /r

Quote

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.

CHKDSK is verifying files (stage 1 of 3)...
Cleaning up instance tags for file 0x18d11.
568576 file records processed. File verification completed.
1352 large file records processed. 0 bad file records processed. 2 EA records processed. 63 reparse records processed. CHKDSK is verifying indexes (stage 2 of 3)...
667234 index entries processed. Index verification completed.
0 unindexed files scanned. 0 unindexed files recovered. CHKDSK is verifying security descriptors (stage 3 of 3)...
568576 file SDs/SIDs processed. Cleaning up 231 unused index entries from index $SII of file 0x9.
Cleaning up 231 unused index entries from index $SDH of file 0x9.
Cleaning up 231 unused security descriptors.
Security descriptor verification completed.
49330 data files processed. CHKDSK is verifying Usn Journal...
37590944 USN bytes processed. Usn Journal verification completed.
Windows has made corrections to the file system.

976657407 KB total disk space.
367383096 KB in 454150 files.
228900 KB in 49331 indexes.
0 KB in bad sectors.
704835 KB in use by the system.
65536 KB occupied by the log file.
608340576 KB available on disk.

4096 bytes in each allocation unit.
244164351 total allocation units on disk.
152085144 allocation units available on disk.

Internal Info:
00 ad 08 00 c4 ae 07 00 f7 41 0e 00 00 00 00 00 .........A......
9f 07 00 00 3f 00 00 00 00 00 00 00 00 00 00 00 ....?...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

Windows has finished checking your disk.
Please wait while your computer restarts.

EventData

Checking file system on C: The type of the file system is NTFS. A disk check has been scheduled. Windows will now check the disk. CHKDSK is verifying files (stage 1 of 3)... Cleaning up instance tags for file 0x18d11. 568576 file records processed. File verification completed. 1352 large file records processed. 0 bad file records processed. 2 EA records processed. 63 reparse records processed. CHKDSK is verifying indexes (stage 2 of 3)... 667234 index entries processed. Index verification completed. 0 unindexed files scanned. 0 unindexed files recovered. CHKDSK is verifying security descriptors (stage 3 of 3)... 568576 file SDs/SIDs processed. Cleaning up 231 unused index entries from index $SII of file 0x9. Cleaning up 231 unused index entries from index $SDH of file 0x9. Cleaning up 231 unused security descriptors. Security descriptor verification completed. 49330 data files processed. CHKDSK is verifying Usn Journal... 37590944 USN bytes processed. Usn Journal verification completed. Windows has made corrections to the file system. 976657407 KB total disk space. 367383096 KB in 454150 files. 228900 KB in 49331 indexes. 0 KB in bad sectors. 704835 KB in use by the system. 65536 KB occupied by the log file. 608340576 KB available on disk. 4096 bytes in each allocation unit. 244164351 total allocation units on disk. 152085144 allocation units available on disk. Internal Info: 00 ad 08 00 c4 ae 07 00 f7 41 0e 00 00 00 00 00 .........A...... 9f 07 00 00 3f 00 00 00 00 00 00 00 00 00 00 00 ....?........... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Windows has finished checking your disk. Please wait while your computer restarts.

Steevo · « **Reply #18 on:** August 10, 2015, 12:55:42 pm »

The two restore points I manually created on Saturday 8/8 are still there.
Woo hoo.

Shane · « **Reply #19 on:** August 10, 2015, 01:16:59 pm »

When you have the time and dont need the system run the chkdsk with the /r

That will make it 5 stages instead of the 3. And will take a while, so do it when you dont need the system and then post the results of it

Shane

Steevo · « **Reply #20 on:** August 10, 2015, 01:24:52 pm »

I'll do that tonight.

The log I posted doesn't look bad.
I think it mostly rules out disk problems causing the missing restore points, no?

Anything else I could try to isolate this issue?

Shane · « **Reply #21 on:** August 10, 2015, 01:26:40 pm »

Nope

I/O errors is either corrupt file system, bad sectors or bad driver. The chkdsk you did only checked the file system but didnt check the rest. So if a volume shadow copy ended up on a bad sector you would get that error but chkdsk wouldn't see it if nothing is on that sector right now. This is why I want to do a bad sector check to be sure.

Shane

Steevo · « **Reply #22 on:** August 10, 2015, 02:05:52 pm »

I'll do it tonight.
But I doubt this would cause restore points to not be created.
Or to disappear silently.

Can you suggest anything to look into as far as the restore points?
I had one automatically created last week by windows update, and I created several manual ones.
They all disappeared.

BTW, the two restore points I have now, one was manually created, one is created by tweaking.com windows repair.

Shane · « **Reply #23 on:** August 11, 2015, 12:00:10 am »

Actually windows auto deletes restore points for the simplest of reasons.

This was for XP but still holds true and then some for 7 and so on
https://support.microsoft.com/en-us/kb/301224

Basically anything has a hiccup and windows removes the restore points. MS also lists not a single page on how to repair system restore or what files or services it needs. Really odd actually.

I myself never use system restore, ever. I use my registry backup and then I have my file backup to my external hard drive.

But my process for fixing something is to go through a list and start crossing stuff off. So many times I spent hours on something to find out it was something simple causing it the whole time lol

So I just want to cover all the simple stuff first, then move on to the bigger stuff

Shane

Steevo · « **Reply #24 on:** August 11, 2015, 08:49:14 am »

I ran the disk check overnight and it completed successfully, however when I walked in this morning there was a character mode screen about what had happened.
Things had been fixed.
A message at the bottom that the system would now reboot.

It never did reboot, so I rebooted it.
Unfortunately there is nothing in the log.

So I am going to say the checkdisk ran OK and fixed some things but because it did not write we don't have any details about that.

Darn.

My two restore points are gone right now as well. Is that because of the chkdsk?