Friday, 29 February 2008

The Case of the Disappearing System Restore Points in Vista Home Premium

I should be writing but this could be of use...

Since at least Windows XP, Microsoft operating systems (especially XP and now Vista) have had a rather useful feature called System Restore that allows the user to restore their system to a previous point in time, thereby undoing the accidental removal of good software or the deliberate installation of something less helpful. System Restore doesn't touch data files, only the operating system and applications, however...

In Vista this facility is supported by "Shadow Storage" - a hidden area of a partition where Windows keeps copies of things for future recovery - and the use of Shadow Storage now includes keeping copies of data files so that users of high-end Vista systems (Business/Ultimate) can even restore previous versions of data files too.

Having recently encountered a bizarre problem (certain key services not starting automatically and completely un-re-enable-able - my finger points suspiciously at Visual Studio 2008 as the culprit) I naturally went to do a System Restore... only to find that I had only one restore point from midnight that day when whatever actually caused the problem (application, Windows Update, whatever) had probably been installed several days ago.

I was a bit miffed (he said understatedly), but to cut a very long and anguished story short I eventually recovered my system thanks to my Acronis True Image Home backups on my Thecus storage server.

But since then I've been rather keen on keeping track of my restore points because, well, shit happens and it's nice to be able to yank the chain and flush the system with System Restore.

Alas the System Restore history never seemed to accumulate more than 5-6 restore points before all but the latest suddenly disappeared - and since they were scheduled by Vista to be created every midnight and at Startup, useful restore points were disappearing in a matter of days - which is so short an interval as to make System Restore effectively useless: unless a system is very unstable I wouldn't expect to notice and identify a problem requiring a system restore within a week of it arising. Under XP the restore point history used to go back months...

I used the Event Viewer and watched SR (System Restore) create points regularly, only to have them cleaned out just as regularly by volsnap because ShadowStorage was filling up. Could restore points really be so big as to make the whole system effectively useless? On the one hand that seemed utterly stupid, on the other hand... well, there's no fathoming MS sometimes.

The questions were: is a System Restore point the ~2GB it seemed to be... or was something else going on - which actually seemed more likely.

Why should a Restore Point be much less than 2GB? Well... I unthinkingly thought that restore points ought to be only differences in system state, and if not much is being installed, uninstalled, updated etc. the changes should be relatively small. But as Rick Rogers pointed out this is (my words, not his, seems like a nice chap) bollocks: there can't be a "full backup" to reference "differential" backups to because it might get thrown away as the system manages shadow copies to keep the total space under the nominal 15% - and I now see that my flash idea that somehow they were referenced to the current state isn't any better. (But - if my Windows folder is ~10GB and a Restore point is say ~1GB what is being saved and what isn't - and how are the choices being made?)

Anyway, I eventually turned up the Cmd window command "vssadmin" (Cmd needs to be run "As Administrator" for access to this command) which allows me to see how much ShadowStorage space is available and how much is in use. ShadowStorage can be up to 15% of the partition size and a quick check showed that indeed my 83.5GB C partition had 15% available for ShadowStorage - and most of it was used, but I only had 5 restore points.
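As an added example (not part of the original post): the check described above uses `vssadmin list shadowstorage` and `vssadmin list shadows`, and the Python below parses their output to report how full ShadowStorage is and the average space per shadow copy. The sample text is constructed to resemble the figures in this post, and the function names are this example's own.

```python
import re

UNITS = {"B": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3, "TB": 1024**4}

# Constructed sample of `vssadmin list shadowstorage` output (not a real capture).
SAMPLE_STORAGE = r"""
Shadow Copy Storage association
   For volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
   Shadow Copy Storage volume: (C:)\\?\Volume{00000000-0000-0000-0000-000000000000}\
   Used Shadow Copy Storage space: 11.9 GB
   Allocated Shadow Copy Storage space: 12.2 GB
   Maximum Shadow Copy Storage space: 12.525 GB
"""

# Constructed sample of `vssadmin list shadows`: five copies, placeholder IDs.
SAMPLE_SHADOWS = "\n".join(
    f"      Shadow Copy ID: {{00000000-0000-0000-0000-00000000000{i}}}\n"
    f"         Original Volume: (C:)" for i in range(1, 6))

def parse_shadowstorage(text):
    """Return one dict per storage association: drive letter and byte counts."""
    out = []
    for block in text.split("Shadow Copy Storage association")[1:]:
        vol = re.search(r"For volume: \((\w:)\)", block)
        entry = {"volume": vol.group(1) if vol else None}
        for key in ("Used", "Allocated", "Maximum"):
            m = re.search(key + r" Shadow Copy Storage space: ([\d.]+) (\w+)", block)
            # A non-numeric value such as UNBOUNDED is recorded as None.
            entry[key.lower()] = (
                int(float(m.group(1)) * UNITS[m.group(2).upper()]) if m else None)
        out.append(entry)
    return out

def count_shadows(text, volume):
    """Count shadow copies whose Original Volume is the given drive letter."""
    pat = r"Shadow Copy ID:.*\n\s*Original Volume: \(" + re.escape(volume) + r"\)"
    return len(re.findall(pat, text))

def summarize(storage_text, shadows_text):
    """Per volume: copy count, percent of the cap in use, average GB per copy."""
    rows = []
    for e in parse_shadowstorage(storage_text):
        n, used, cap = count_shadows(shadows_text, e["volume"]), e["used"], e["maximum"]
        rows.append({
            "volume": e["volume"], "copies": n,
            "pct_of_max": round(100 * used / cap, 1) if used is not None and cap else None,
            "avg_gb_per_copy": round(used / n / UNITS["GB"], 2) if used is not None and n else None,
        })
    return rows
```

On a live system, feed `summarize` the text of both commands captured from an elevated prompt; a high `avg_gb_per_copy` with few copies is the pattern described in this post.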

I kept a very careful eye on Shadow Storage usage and did some experiments: I tagged a large number of photos... shadow usage went up (though not by the total size of all the files tagged - it was about 25%); I forced certain other files to change (Outlook.pst) and it might have changed a bit; I created a System Restore point and it went up by 2-400MB. Generally however ShadowStorage usage seemed to be creeping up continuously whether I was making Restore points or not.

At which point, "Mark" directed me to a new piece of 3rd party freeware called ShadowExplorer (at http://www.shadowexplorer.com) which would allow me to take a peek into ShadowStorage and see what was there.

The application is only at V0.1, but after a virus and malware scan I installed it and took that peek...

Woah! It looked like my whole C drive was there - specifically including all my music, which hasn't been touched in months. Of course it couldn't all be there, but there was enough to apparently account for the lack of space. I restored one music file just to establish it really was in ShadowStorage and the file played perfectly, so I have no reason to doubt that everything else that appeared to be there really was filed away (and of no use to Vista HP users whatsoever).

So, I have an answer to why I have so few restore points - Vista HP is eating ShadowStorage space with copies of files that Vista HP itself would never let me get at!

Which leads to the Great Unanswered Questions of the day: why?, and how do I stop it?

I'll let you know when I find out - and in the meantime, thanks to Mark and the currently unknown author of ShadowExplorer.

And Mr Microsoft, if you are reading this - could you perhaps explain what is going on?

More Stuff later... perhaps.