Hands up who has used Windows System Restore in anger? The chances are almost nobody, even though it’s one of those comforting features that has been around in Windows since the ME edition, and hums away on XP and Vista by default.
In theory it can save your PC’s neck, in practice it has a major limitation that perhaps I’m the last person in the world to discover - it just doesn’t like malware.
The theory is sound enough. It creates system “restore point” snapshots to which the user can return the machine in the event of a problem such as a non-working driver or application conflict. The user doesn’t have to do anything, as the restore points are created automagically once a week.
It turns out that there are a few conditions in which restores will fail, one of which is after a malware infection. As I discovered on a test machine, this is so common that it tends to render the feature nearly useless in exactly the situation where, nowadays, it is most likely to be needed.
Say a piece of malware gets on to a PC, and is detected by a scanner, either at the moment it attacks a PC or, more likely, during a subsequent scan. The first thing most anti-virus software will do is to quarantine and then clean the offending code. Indeed, there is no other course of action in the vast majority of cases.
If that involves removing a file deemed a security risk, this will likely cause the restore points up to the point this file was first detected on the system to become invalid. That makes sense – why would anyone want to restore to an infected state after all? And the removal of the file creates what Microsoft terms “an inconsistent restoration state,” a way of saying that restore is impossible because the state to which the program is attempting to restore no longer exists.
The official way round this issue is to disable system restore before the malware is removed, then create a new, manual restore point after it has been turned on again. But this assumes that all the malware has been found and the machine really is clean, not to mention that it ditches all previous restore points. I assumed that the other solution was to choose an earlier restore point, but this doesn’t appear to be sure to work. It might, but it might not.
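The disable, clean, re-enable, new-checkpoint sequence just described, as an added PowerShell example (not the post’s own, and assuming Windows PowerShell 5.1 on a later Windows release than the XP/Vista machines discussed, run from an elevated session; the anti-virus clean-up step itself is left to the operator):

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1
# (the *-ComputerRestore cmdlets are not available in PowerShell 7) and an
# elevated session; the AV clean-up itself is supplied by the operator.
#Requires -RunAsAdministrator

$drive = "C:\"

# 1. Record what exists now, so the loss of the old restore points is
#    explicit in the log rather than a surprise later.
$before = @(Get-ComputerRestorePoint)
Write-Host ("Restore points before clean-up: {0}" -f $before.Count)
$before | Format-Table SequenceNumber, Description, RestorePointType -AutoSize

# 2. Turn System Restore off for the system drive before removal, as the
#    post describes. This discards the existing (possibly infected) points.
Disable-ComputerRestore -Drive $drive

# 3. Remove the malware with the scanner of choice. Placeholder: run the
#    AV product's full scan and clean here and confirm the result.
Write-Host "Run the anti-virus clean-up now and confirm the machine is clean."
Read-Host "Press Enter once the scanner reports a clean system"

# 4. Re-enable System Restore and take a fresh, manual point that
#    post-dates the clean-up. Caveat: on Windows 8 and later,
#    Checkpoint-Computer silently skips if a point was created in the
#    last 24 hours, so step 5 verifies rather than assumes.
Enable-ComputerRestore -Drive $drive
$label = "Post-malware-removal baseline"
Checkpoint-Computer -Description $label -RestorePointType MODIFY_SETTINGS

# 5. Verify the checkpoint actually landed, and show the status of the
#    last restore operation (this is where an inconsistent state would show).
$after = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if (-not $after -or $after.Description -ne $label) {
    throw "Manual restore point '$label' was not created"
}
Write-Host ("New baseline restore point #{0} created at {1}" -f `
    $after.SequenceNumber, $after.ConvertToDateTime($after.CreationTime))
Get-ComputerRestorePoint -LastStatus
```

Keep the pre-clean-up listing from step 1 with the incident notes: once step 2 runs, those points are gone, and the listing is the only record of what the machine’s restore history looked like before removal.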
The shame is that system restore could be a fantastic tool to use against security hazards. Don’t trust the PC as clean? Simply turn back the clock to a time you do consider to be clean, preferably not long after the OS was installed. Implemented reliably, it could even be a feature users turn to on a regular basis, just to be sure. But as so often with promising features in Windows, life is rarely that simple.