#16
dog ate my desktop
On Tue, 26 Dec 2017 23:21:43 +0000, "J. P. Gilliver (John)" wrote:

> In message , Shadow writes:
>> On Tue, 26 Dec 2017 17:57:04 +0000, "J. P. Gilliver (John)" wrote:
>>> In message , Paul writes:
>>> []
>>>> On WinXP, files outside your "My Documents" tree are tracked. Say you normally keep Firefox downloads
>>> []
>>>> Restore Point. Files kept in the "officially blessed" parts of C: are unaffected, so nothing in My Documents gets added or subtracted to match the way it was three days ago.
>>>>
>>>> Paul
>>>
>>> Are you saying _everything_ else - or maybe everything else on C: - gets tracked, and potentially restored (synced)? This must make for a huge tracking area (if for example you [or the system] delete a few feature films).
>>
>> They have another record in the NTFS stream and also various in the registry. Long after you deleted the original files. Yes, it's there for forensic purposes. What else ?
>> []'s
>
> I wasn't in tinfoil-hat mode - just more surprised at the storage involved. From what is said above, if you deleted a few feature films, then unless you were storing them in an "officially blessed" area, invoking a Restore Point would magically restore them; I was just thinking that, if true, this implies a backup storage area as big as your disc (or maybe half as big), which seems unlikely,

System Restore does not restore all of the data, only the internals of Windows necessary to make it run.

An image is just that, a bit copy of the drive. Images are very big, essentially the same size as all of the data on the drive, minus whatever compression they may do. Hence trying to make C: as small as you can. (like not storing media files there).

You can easily back up and restore "data" simply using COPY or drag and drop. Getting a working version of a post W/98 windows system is more complicated. XCOPY worked OK to copy a W/98 machine with the right switches.
#18
On Thu, 28 Dec 2017 01:53:21 +0000, "J. P. Gilliver (John)" wrote:

> I know what an image is. And for what I thought was that reason, I keep as little data on my C: partition as software will let me. The line above that surprised me was 'files outside your "My Documents" tree are tracked'; this was in the context of System Restores, not images. The _implication_ was that _all_ files (outside the tree) are tracked (and restored at a System Restore, which would necessitate copies of _all_ files deleted being stored somewhere - which seemed unlikely to me

From the help "Restoring your computer does not affect or change your personal data files."
#20
In message , Paul writes:

>> From the help "Restoring your computer does not affect or change your personal data files."
>
> True. If you do things the "Microsoft way" and stay in My Documents like a good boy.
>
> OK, let's try an experiment. This is a virtual machine containing WinXP, from modernie.com (a Microsoft site). I got this virtual machine a number of years ago, before Microsoft removed them (because "WinXP isn't supported" yadda yadda).
>
> https://s17.postimg.org/w2ewlgba7/sr_before.gif
> https://s17.postimg.org/7lwqr0d4f/sr_after.gif
>
> OK, so here is the time line.
>
> 1) 10:11:29 PM Set a restore point entitled "And files after this will be deleted"
> 2) 10:13 PM Create one.exe and two.exe in C:\Downloads. EXE files are on the "tracked" list. (See Burt's web page.)
> 3) 10:24 PM The "current time" in the sr_before picture. And I take this picture, just as I am about to click the "restore" button.
> 4) 10:26 PM The "current time" in the sr_after picture.
>
> I just opened C:\Downloads for a look and my two EXE files were erased. Why ? Because at 10:11 when the restore point was set, those files didn't exist in C:\Downloads, and that's the way it's gonna be after the restore to 10:11 point.
>
> Now, I also did the experiment with "one.txt" and "two.txt". That file extension is *not* tracked. When the restore was clicked, one.txt and two.txt were not erased from C:\Downloads. They were still there.
>
> If I'd placed one.exe and two.exe inside My Documents, they would have been safe. I didn't bother running that test case. All I really needed to do in this case, is demonstrate a "danger", and leave it to you to plan accordingly. (With a "safety backup" done in a trustworthy way.)
>
> I first discovered this, by having files erased on me after using a Restore Point. I didn't actually read the SR site until after that.
>
> Paul

So you've proved (for some value of "proved") that files created after the restore point are deleted by invoking it.

How about the other case: 'files outside your "My Documents" tree are tracked' also _implies_ that files that _did_ exist when the restore point was created, but were subsequently deleted, will magically reappear when it's invoked. This was the bit I found hard to swallow.

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
"quidquid latine dictum sit, altum viditur". ("Anything is more impressive if you say it in Latin")
#21
J. P. Gilliver (John) wrote:
> How about the other case: 'files outside your "My Documents" tree are tracked' also _implies_ that files that _did_ exist when the restore point was created, but were subsequently deleted, will magically reappear when it's invoked. This was the bit I found hard to swallow.

That's possible and likely to happen. Why not test it ? :-)

*******

This is what VMs are for. In the pictures I took, I was running WinXP on top of WinXP. The VM was allocated 512MB, which means even a modest amount of RAM allows VM testing.

In this picture, I show two hosting softwares, and the VMs inside. You cannot run these programs at the same time, because they have the same Hypervisor model and wouldn't "share nice" with one another.

https://s17.postimg.org/f6mg0zvbj/vi...winxp_host.gif

For other OSes, 1GB is a handy amount of RAM to use. And OSes like Win10, are a bit of a pig unless you have powerful hardware. A quad core is a good place to start with something like that. I do run Win10 x32 on top of WinXP x32 using VirtualBox on a dual core processor, but it can be pretty damn slow at times. It might take me two hours to run the simplest of test cases. The CPU in there, stays pinned at 100% doing stuff I don't care about, and playing "whack-a-mole" with it, really isn't all that helpful in the overall scheme of things. Part of this is the fault of VirtualBox, but most of it is Windows 10.

Paul
#22
J. P. Gilliver (John) wrote:
> So you've proved (for some value of "proved") that files created after the restore point are deleted by invoking it.
>
> How about the other case: 'files outside your "My Documents" tree are tracked' also _implies_ that files that _did_ exist when the restore point was created, but were subsequently deleted, will magically reappear when it's invoked. This was the bit I found hard to swallow.

And I'm pretty sure that was what happened (recalling my past results), but *only* for the monitored file types (like EXE), and NOT for documents and such. Remember System Restore is "only" monitoring a select subset of file types, so it's not like it has to keep track of ALL files.

BTW, which is why using ERUNT is a bit "safer" to use in some cases. :-)
#23
Bill in Co wrote:
> And I'm pretty sure that was what happened (recalling my past results), but *only* for the monitored file types (like EXE), and NOT for documents and such. Remember System Restore is "only" monitoring a select subset of file types, so it's not like it has to keep track of ALL files.
>
> BTW, which is why using ERUNT is a bit "safer" to use in some cases. :-)

An update. I was going to run a test on this, but then I just figured it out, I think.

To answer John's suspicion about it being hard to swallow, I think I know how SR works its magic. As soon as you delete a monitored file, System Restore saves that file in its restore point, and that is how it can be brought back later. What that means is the size of the restore point (seen in the System Volume Information folders) is proportional to how much you delete, of course.

I may be misinterpreting something written here, but I think that's answering this question.
#24
Bill in Co wrote:
> An update. I was going to run a test on this, but then I just figured it out, I think.
>
> To answer John's suspicion about it being hard to swallow, I think I know how SR works its magic. As soon as you delete a monitored file, System Restore saves that file in its restore point, and that is how it can be brought back later. What that means is the size of the restore point (seen in the System Volume Information folders) is proportional to how much you delete, of course.
>
> I may be misinterpreting something written here, but I think that's answering this question.

Here is a picture of a Restore Point in WinXP.

https://s17.postimg.org/wybuk71vj/Wi...t_surprise.gif

Paul
#25
In message , Paul writes:

> J. P. Gilliver (John) wrote:
>> How about the other case: 'files outside your "My Documents" tree are tracked' also _implies_ that files that _did_ exist when the restore point was created, but were subsequently deleted, will magically reappear when it's invoked. This was the bit I found hard to swallow.
>
> That's possible and likely to happen. Why not test it ? :-)
>
> *******
>
> This is what VMs are for.

Hm. My main machine (this XP one) is a single-core, with the 2G maximum it can take; my W7, with 3G, is I _think_ also a single core. Hence VMs are something I haven't really played with ... (-:

[]

I think what I'd missed was that only certain file _types_ are tracked. (Though even that could lead to pretty big restore points.)

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf
All's well that ends.
#26
Paul wrote:
> Here is a picture of a Restore Point in WinXP.
>
> https://s17.postimg.org/wybuk71vj/Wi...t_surprise.gif
>
> Paul

Yup, there's a mess of stuff in there! One can see this by clicking on the System Volume Information main folder and selecting "Explore" with a right mouse click.

I've found on the average each restore point subdirectory may be around 200 MB in size, but it really varies a LOT with what has happened since the prior restore subdirectory was created. And there are one or more of these RPnnnn subfolders in there for each day of activity.
#27
dog ate my desktop
J. P. Gilliver (John) wrote:
In message , Paul writes: J. P. Gilliver (John) wrote: How about the other case: 'files outside your "My Documents" tree are tracked' also _implies_ that files that _did_ exist when the restore point was created, but were subsequently deleted, will magically reappear when it's invoked. This was the bit I found hard to swallow. That's possible and likely to happen. Why not test it ? :-) ******* This is what VMs are for. Hm. My main machine (this XP one) is a single-core, with the 2G maximum it can take; my W7, with 3G, is I _think_ also a single core. Hence VMs are something I haven't really played with ... (-: [] I think what I'd missed was that only certain file _types_ are tracked. (Though even that could lead to pretty big restore points.) And it indeed does, if you delete some large files of the monitored type. I've witnessed that firsthand, since, on occasion, I've monitored those RPnnnn system restore subdirectories and files created throughout the day that lie inside the System Volume Information main folder. You can see all those if you right mouse click on System Information Volume, and select Explore. |
#28
dog ate my desktop
Bill in Co wrote:
One can see this by clicking on the System Volume Information main folder and selecting "Explore" with a right mouse click. I've found on the average each restore point subdirectory may be around 200 MB in size, but it really varies a LOT with what has happened since the prior restore subdirectory was created. And there are one or more of these RPnnnn subfolders in there for each day of activity. You know, it just occurred to me. Something in that picture looks familiar :-) The A0001440.exe and A0001441.exe files are my "two.exe" and "one.exe" test files :-) To make the files, there was a slight accident while I was making fakes (they're not really PE files inside). They were supposed to be the same size, but one ended up half the size of the other. And it helped me spot them. So the files that got erased, if you moved forward in time, it's my guess those files would put things right again. Paul |
#29
dog ate my desktop
Bill in Co wrote:
One can see this by clicking on the System Volume Information main folder and selecting "Explore" with a right mouse click. I've found on the average each restore point subdirectory may be around 200 MB in size, but it really varies a LOT with what has happened since the prior restore subdirectory was created. And there are one or more of these RPnnnn subfolders in there for each day of activity. Just a correction to my post, sorry, but I wanted to correct this error for the record. I would say the average system restore point folder size is more on the order of 50 MB, give or take. It really depends on how much you've changed your system (including deleting monitored files). But again, if you delete a monitored file type or uninstall a program, it will be saved (the monitored files) in one of those RPnnnn folders. |
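The thread describes watching the RPnnnn folders grow and spotting the renamed copies (A0001440.exe, A0001441.exe) by their size. The following is an added example, not code from any poster in this thread: it inventories a copy of a System Volume Information tree, reporting each restore point's total size and the renamed file copies inside it. The function names, the `_restore{sample}` folder and the sample tree are assumptions constructed for illustration, and the filename pattern (the letter A plus seven digits) is inferred from the two names shown in the thread.

```python
import os
import re
import tempfile

RP_DIR = re.compile(r"^RP(\d+)$", re.IGNORECASE)          # RPnnnn folders
SAVED = re.compile(r"^A\d{7}\.([^.]+)$", re.IGNORECASE)   # e.g. A0001440.exe


def summarise_rp(rp_path, number):
    """Total size of one RPnnnn folder plus the renamed file copies in it."""
    total, saved = 0, []
    for dirpath, _, filenames in os.walk(rp_path):
        for name in filenames:
            try:
                size = os.path.getsize(os.path.join(dirpath, name))
            except OSError:            # unreadable entry: skip it, keep going
                continue
            total += size
            m = SAVED.match(name)
            if m:
                saved.append((name, m.group(1).lower(), size))
    return {"number": number, "path": rp_path, "total_bytes": total,
            "saved": sorted(saved)}


def inventory(root):
    """Find every RPnnnn folder below root, ordered by restore point number."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in list(dirnames):
            m = RP_DIR.match(name)
            if m:
                dirnames.remove(name)  # summarised separately, do not re-walk
                found.append(summarise_rp(os.path.join(dirpath, name),
                                          int(m.group(1))))
    return sorted(found, key=lambda rp: rp["number"])


def build_sample_tree(base):
    """Constructed sample data, not taken from a real machine."""
    layout = {
        "RP1/sub/other.bin": 4096,
        "RP2/A0001440.exe": 2048,   # sizes are made up; one is half the other
        "RP2/A0001441.exe": 1024,
        "RP2/misc.bin": 300,
    }
    store = os.path.join(base, "System Volume Information", "_restore{sample}")
    for rel, size in layout.items():
        path = os.path.join(store, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return store


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rp in inventory(build_sample_tree(tmp)):
            print(f"RP{rp['number']}: {rp['total_bytes']} bytes")
            for name, ext, size in rp["saved"]:
                print(f"  {name}  .{ext}  {size} bytes")
```

The inventory does not recover the original file names; it only shows which restore point holds which renamed copy and how much space each one takes.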