  #28  
December 29th 17, 12:41 AM, posted to microsoft.public.windowsxp.general
Paul[_32_] (external usenet poster, Posts: 11,873)
Subject: dog ate my desktop

Bill in Co wrote:
Paul wrote:
Bill in Co wrote:
Bill in Co wrote:
J. P. Gilliver (John) wrote:
In message , Paul
writes:
wrote:
On Thu, 28 Dec 2017 01:53:21 +0000, "J. P. Gilliver (John)"
wrote:

In message ,
writes:
On Tue, 26 Dec 2017 23:21:43 +0000, "J. P. Gilliver (John)"
wrote:

In message , Shadow
writes:
On Tue, 26 Dec 2017 17:57:04 +0000, "J. P. Gilliver (John)"
wrote:

In message , Paul
writes:
[]
On WinXP, files outside your "My Documents" tree
are tracked. Say you normally keep Firefox downloads
[]
Restore Point. Files kept in the "officially blessed"
parts of C: are unaffected, so nothing in My Documents
gets added or subtracted to match the way it was
three days ago.

Paul
Are you saying _everything_ else - or maybe everything else on
C: - gets tracked, and potentially restored (synced)? This must
make for a huge tracking area (if for example you [or the
system] delete a few feature films).
They have another record in the NTFS stream and also
various in the registry. Long after you deleted the original
files. Yes, it's there for forensic purposes. What else ?
[]'s
I wasn't in tinfoil-hat mode - just more surprised at the storage
involved. From what is said above, if you deleted a few feature
films, then unless you were storing them in an "officially
blessed" area, invoking a Restore Point would magically restore
them; I was just thinking that, if true, this implies a backup
storage area as big as your disc (or maybe half as big), which
seems unlikely,
System Restore does not restore all of the data, only the internals
of Windows necessary to make it run. An image is just that, a bit
copy of the drive. Images are very big, essentially the same size
as all of the data on the drive, minus whatever compression they
may do. Hence trying to make C: as small as you can. (like not
storing media files there). You can easily back up and restore
"data" simply using COPY or drag and drop. Getting a working
version of a post W/98 windows system is more complicated. XCOPY
worked OK to copy a W/98 machine with the right switches.
I know what an image is. And for what I thought was that reason, I
keep as little data on my C: partition as software will let me. The
line above that surprised me was 'files outside your "My Documents"
tree are tracked'; this was in the context of System Restores, not
images. The _implication_ was that _all_ files (outside the tree)
are tracked (and restored at a System Restore, which would
necessitate copies of _all_ files deleted being stored somewhere -
which seemed unlikely to me
From the help
"Restoring your computer does not affect or change your personal data
files."
True.

If you do things the "Microsoft way" and
stay in My Documents like a good boy.

OK, let's try an experiment. This is a virtual machine
containing WinXP, from modernie.com (a Microsoft site).
I got this virtual machine a number of years ago, before
Microsoft removed them (because "WinXP isn't supported" yadda yadda).

https://s17.postimg.org/w2ewlgba7/sr_before.gif

https://s17.postimg.org/7lwqr0d4f/sr_after.gif

OK, so here is the time line.

1) 10:11:29 PM Set a restore point entitled
   "And files after this will be deleted"
2) 10:13 PM Create one.exe and two.exe in
   C:\Downloads. EXE files are on the
   "tracked" list. (See Burts web page.)
3) 10:24 PM The "current time" in the sr_before picture.
   And I take this picture, just as I am about
   to click the "restore" button.
4) 10:26 PM The "current time" in the sr_after picture.
   I just opened C:\Downloads for a look and
   my two EXE files were erased. Why? Because
   at 10:11 when the restore point was set, those
   files didn't exist in C:\Downloads, and that's
   the way it's gonna be after the restore to 10:11
   point.

Now, I also did the experiment with "one.txt" and "two.txt".
That file extension is *not* tracked. When the restore was
clicked, one.txt and two.txt were not erased from C:\Downloads.
They were still there.

If I'd placed one.exe and two.exe inside My Documents,
they would have been safe. I didn't bother running
that test case.

All I really needed to do in this case, is demonstrate
a "danger", and leave it to you to plan accordingly.
(With a "safety backup" done in a trustworthy way.)

I first discovered this, by having files erased on me
after using a Restore Point. I didn't actually read the
SR site until after that.

Paul
So you've proved (for some value of "proved") that files created after
the restore point are deleted by invoking it.

How about the other case: 'files outside your "My Documents" tree are
tracked' also _implies_ that files that _did_ exist when the restore
point was created, but were subsequently deleted, will magically
reappear when it's invoked. This was the bit I found hard to swallow.
And I'm pretty sure that was what happened (recalling my past results),
but *only* for the monitored file types (like EXE), and NOT for
documents and such. Remember System Restore is "only" monitoring a
select subset of file types, so it's not like it has to keep track of
ALL files. BTW, which is why using ERUNT is a bit "safer" to use in some
cases. :-)
An update. I was going to run a test on this, but then I just figured it
out, I think. To answer John's suspicion about it being hard to
swallow, I think I know how SR works its magic. As soon as you delete a
monitored file, System Restore saves that file in its restore point, and
that is how it can be brought back later. What that means is the size
of the restore point (seen in the System Volume Information folders) is
proportional to how much you delete, of course. I may be
misinterpreting something written here, but I think that's answering
this question.

Here is a picture of a Restore Point in WinXP.

https://s17.postimg.org/wybuk71vj/Wi...t_surprise.gif

Paul


Yup, there's a mess of stuff in there! One can see this by clicking on the
System Volume Information main folder and selecting "Explore" with a right
mouse click.

I've found on the average each restore point subdirectory may be around 200
MB in size, but it really varies a LOT with what has happened since the
prior restore subdirectory was created. And there are one or more of these
RPnnnn subfolders in there for each day of activity.


You know, it just occurred to me. Something in that picture
looks familiar :-)

The A0001440.exe and A0001441.exe files are my "two.exe" and
"one.exe" test files :-) To make the files, there was a slight
accident while I was making fakes (they're not really PE files
inside). They were supposed to be the same size, but one ended
up half the size of the other. And it helped me spot them. So
the files that got erased, if you moved forward in time, it's
my guess those files would put things right again.

Paul
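
Added example, not part of the original post or thread: a small offline inventory of a copied System Volume Information tree that lists the renamed backup copies (names like A0001440.exe) in each RPnnn folder, with their sizes and whether an executable-type copy really starts with the "MZ" header. The function names, the placeholder GUID, the RP12 folder and the sample file contents are constructed for illustration; the "A" plus seven digits pattern is taken from the file names quoted in the post.

```python
import re
import tempfile
from pathlib import Path

# Backup copies seen in the post are named 'A' + 7 digits + original extension.
BACKUP_NAME = re.compile(r"^A\d{7}\.(\w+)$", re.IGNORECASE)
RP_DIR = re.compile(r"^RP\d+$", re.IGNORECASE)
PE_EXTENSIONS = {"exe", "dll", "sys", "ocx"}

def inventory_restore_points(root):
    """Return {RP folder name: [(file name, size, flag), ...]} under root."""
    report = {}
    rp_dirs = (p for p in Path(root).rglob("*") if p.is_dir() and RP_DIR.match(p.name))
    for rp in sorted(rp_dirs):
        entries = []
        for f in sorted(rp.iterdir()):
            m = BACKUP_NAME.match(f.name)
            if not (f.is_file() and m):
                continue
            flag = ""
            if m.group(1).lower() in PE_EXTENSIONS:
                # A real PE file starts with 'MZ'; a renamed fake will not.
                with f.open("rb") as fh:
                    flag = "PE" if fh.read(2) == b"MZ" else "not-PE"
            entries.append((f.name, f.stat().st_size, flag))
        report[rp.name] = entries
    return report

def build_sample(root):
    """Constructed sample tree; the GUID and file contents are made up."""
    rp = Path(root) / "_restore{00000000-0000-0000-0000-000000000000}" / "RP12"
    (rp / "snapshot").mkdir(parents=True)
    (rp / "A0001440.exe").write_bytes(b"fake" * 8)    # 32 bytes, no MZ header
    (rp / "A0001441.exe").write_bytes(b"fake" * 4)    # 16 bytes, half the size
    (rp / "A0001442.dll").write_bytes(b"MZ" + b"\x00" * 62)
    (rp / "change.log").write_bytes(b"")              # not a backup copy; ignored
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rp, files in inventory_restore_points(build_sample(tmp)).items():
            total = sum(size for _, size, _ in files)
            print(f"{rp}: {len(files)} backed-up files, {total} bytes")
            for name, size, flag in files:
                print(f"  {name:<14} {size:>8}  {flag}")
```

Run it against a copy of the folder taken from an image or a mounted volume rather than the live system, since System Volume Information is not readable by ordinary accounts on a running XP install.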