View Single Post
  #24  
Old December 29th 17, 12:07 AM posted to microsoft.public.windowsxp.general
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default dog ate my desktop

Bill in Co wrote:
Bill in Co wrote:
J. P. Gilliver (John) wrote:
In message , Paul
writes:
wrote:
On Thu, 28 Dec 2017 01:53:21 +0000, "J. P. Gilliver (John)"
wrote:

In message ,
writes:
On Tue, 26 Dec 2017 23:21:43 +0000, "J. P. Gilliver (John)"
wrote:

In message , Shadow
writes:
On Tue, 26 Dec 2017 17:57:04 +0000, "J. P. Gilliver (John)"
wrote:

In message , Paul
writes:
[]
On WinXP, files outside your "My Documents" tree
are tracked. Say you normally keep Firefox downloads
[]
Restore Point. Files kept in the "officially blessed"
parts of C: are unaffected, so nothing in My Documents
gets added or subtracted to match the way it was
three days ago.

Paul
Are you saying _everything_ else - or maybe everything else on C:
- gets tracked, and potentially restored (synced)? This must make
for a huge tracking area (if for example you [or the system]
delete a few feature films).
They have another record in the NTFS stream and also various
in the registry. Long after you deleted the original files. Yes,
it's there for forensic purposes. What else ?
[]'s
I wasn't in tinfoil-hat mode - just more surprised at the storage
involved. From what is said above, if you deleted a few feature
films, then unless you were storing them in an "officially blessed"
area, invoking a Restore Point would magically restore them; I was
just thinking that, if true, this implies a backup storage area as
big as your disc (or maybe half as big), which seems unlikely,
System Restore does not restore all of the data, only the internals
of Windows necessary to make it run. An image is just that, a bit
copy of the drive. Images are very big, essentially the same size as
all of the data on the drive, minus whatever compression they may
do. Hence trying to make C: as small as you can. (like not storing
media files there). You can easily back up and restore "data" simply
using COPY or drag and drop. Getting a working version of a post
W/98 windows system is more complicated. XCOPY worked OK to copy a
W/98 machine with the right switches.
I know what an image is. And for what I thought was that reason, I
keep as little data on my C: partition as software will let me. The
line above that surprised me was 'files outside your "My Documents"
tree are tracked'; this was in the context of System Restores, not
images. The _implication_ was that _all_ files (outside the tree) are
tracked (and restored at a System Restore, which would necessitate
copies of _all_ files deleted being stored somewhere - which seemed
unlikely to me
From the help
"Restoring your computer does not affect or change your personal data
files."
True.

If you do things the "Microsoft way" and
stay in My Documents like a good boy.

OK, let's try an experiment. This is a virtual machine
containing WinXP, from modernie.com (a Microsoft site).
I got this virtual machine a number of years ago, before
Microsoft removed them (because "WinXP isn't supported" yadda yadda).

https://s17.postimg.org/w2ewlgba7/sr_before.gif

https://s17.postimg.org/7lwqr0d4f/sr_after.gif

OK, so here is the time line.

1) 10:11:29 PM Set a restore point entitled
"And files after this will be deleted"
2) 10:13 PM Create one.exe and two.exe in
C:\Downloads. EXE files are on the
"tracked" list. (See Burts web page.)
3) 10:24 PM The "current time" in the sr_before picture.
And I take this picture, just as I am about
to click the "restore" buttom.
4) 10:26 PM The "current time" in the sr_after picture.
I just opened C:\Downloads for a look and
my two EXE files were erased. Why ? Because
at 10:11 when the restore point was set, those
files didn't exist in C:\Downloads, and that's
the way it's gonna be after the restore to 10:11 point.

Now, I also did the experiment with "one.txt" and "two.txt".
That file extension is *not* tracked. When the restore was
clicked, one.txt and two.txt were not erased from C:\Downloads.
They were still there.

If I'd placed one.exe and two.exe inside My Documents,
they would have been safe. I didn't bother running
that test case.

All I really needed to do in this case, is demonstrate
a "danger", and leave it to you to plan accordingly.
(With a "safety backup" done in a trustworthy way.)

I first discovered this, by having files erased on me
after using a Restore Point. I didn't actually read the
SR site until after that.

Paul
So you've proved (for some value of "proved") that files created after
the restore point are deleted by invoking it.

How about the other case: 'files outside your "My Documents" tree are
tracked' also _implies_ that files that _did_ exist when the restore
point was created, but were subsequently deleted, will magically
reappear when it's invoked. This was the bit I found hard to swallow.

And I'm pretty sure that was what happened (recalling my past results),
but *only* for the monitored file types (like EXE), and NOT for documents
and such. Remember System Restore is "only" monitoring a select subset
of file types, so it's not like it has to keep track of ALL files.

BTW, which is why using ERUNT is a bit "safer" to use in some cases. :-)


An update. I was going to run a test on this, but then I just figured it
out, I think. To answer John's suspicion about it being hard to swallow, I
think I know how SR works its magic. As soon as you delete a monitored file,
System Restore saves that file in its restore point, and that is how it can
be brought back later. What that means is the size of the restore point
(seen in the System Volume Information folders) is proportional to how much
you delete, of course. I may be misinterpreting something written here, but
I think that's answering this question.


Here is a picture of a Restore Point in WinXP.

https://s17.postimg.org/wybuk71vj/Wi...t_surprise.gif

Paul
Ads