Author Topic: Deleted system restore points  (Read 14333 times)

0 Members and 1 Guest are viewing this topic.

Offline smccaffr39

  • Newbie
  • *
  • Join Date: Apr 2014
  • Posts: 4
  • Karma: 0
    • View Profile
Deleted system restore points
« on: April 28, 2014, 07:45:02 am »
this is a long shot, but thought i'd ask.  i have a customer who was hit with cryptodefense.  it deleted system restore points, but i was able to run a recovery to get 14.5GB of files from the "c:\system volume information" folder that were older than the infection.  if i place those files back in that folder, can this program re-associate those restore points so that i can try to use "restore previous versions" to replace the encrypted files?

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile
Re: Deleted system restore points
« Reply #1 on: April 28, 2014, 09:45:24 am »
My program doesnt do anything like that with the system restore. best thing to do is make a copy of that fiel you have just in case then in safe mode, put the restore point back in that folder and reboot and see if system restore sees it.

MS is very very quite on how system restore works and what it needs, so there is no way to tell how or what it needs to see the restore point, so best to simply give it a try :-)

If it fails then the best thing to do would be to extract the files out of the restore point and restore them manually. :wink:

Shane

Offline smccaffr39

  • Newbie
  • *
  • Join Date: Apr 2014
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Deleted system restore points
« Reply #2 on: April 28, 2014, 01:45:21 pm »
thank you very much for your input.  i have tried to access the data manually, but the files are not set up the way that i've read they're supposed to be.  the sizeable files have names like "{87105b49-abab-11e3-866e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}" without the "_restore" prefix.  if you have some idea how to get at them without the use of the built-in system restore utility, i'd love to hear it!  i'm trying to get 10 years of this guy's life back.

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile

Offline smccaffr39

  • Newbie
  • *
  • Join Date: Apr 2014
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Deleted system restore points
« Reply #4 on: April 28, 2014, 02:53:16 pm »
thanks again, but all these tools rely on what windows tells it is available.  i would need something that can look at a system restore file, outside of the affected system itself.

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile
Re: Deleted system restore points
« Reply #5 on: April 28, 2014, 03:52:05 pm »
I cant find any tools that let you do that manually.

But there should be a file that says what each file name should be. What is the list of files that you have in the main restore point?

Shane

Offline smccaffr39

  • Newbie
  • *
  • Join Date: Apr 2014
  • Posts: 4
  • Karma: 0
    • View Profile
Re: Deleted system restore points
« Reply #6 on: April 29, 2014, 03:29:52 pm »
do you mean in the c:\system volume information folder?  if so, i can't open any, but these are the contents:

folder:
Chkdsk
SPP
Windows Backup
WindowsImageBackup

files:
MountPointManagerRemoteDatabase
Syscache.hve
Syscache.hve.LOG1
Syscache.hve.LOG2
tracking.log
{13a61fae-c069-11e3-8e70-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{33cba087-c818-11e3-b640-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{3808876b-c176-4e48-b7ae-04046e6cc752}
{3d5a1014-3538-11e3-9f1d-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{3d629c0e-c405-11e3-940b-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{512e920f-cad8-11e3-806b-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{5c16f883-2c58-11e3-829d-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{87105b49-abab-11e3-866e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{9b302e9a-3523-11e3-ae06-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{bc5d45f8-c8d7-11e3-b3c5-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{d01636ec-2681-11e3-8b6d-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{e0ab5d90-17f5-11e3-ae38-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{e16c5471-1d0d-11e3-9f55-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{f36c5cb4-ca7b-11e3-b40e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{f36c5cc9-ca7b-11e3-b40e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{f36c5d01-ca7b-11e3-b40e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{f8a632f2-3151-11e3-82e7-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}

Offline Shane

  • Administrator
  • Hero Member
  • *****
  • Join Date: Sep 2011
  • Posts: 9281
  • Location: USA
  • Karma: 137
  • "Knowledge should be shared not hidden."
    • View Profile