Windows System Restore

Adam Jones - Systems Engineer

Windows restore points can save you some big-time headaches. Case in point: I received an urgent message from a client expressing that their system was “fried” and “it doesn’t look good!” The error was “Windows XP could not start because the following file is missing or corrupt \Windows\System32\CONFIG\SYSTEM”. While this error is quite scary, it can be relatively easy to recover from if you have a valid restore point.

When Windows creates a restore point, it makes a backup of your system files and registry, which can help you undo any system changes, software installations or updates that may have damaged Windows. Several much-needed changes to System Restore were introduced with Windows Vista and carried over into Windows 7. These changes made the process much more successful than in previous versions, because restore points are now created from block-level shadow copies. Earlier versions used a file filter that monitored for changes and copied files to the restore point folder before they could be overwritten. Another nice change lets you restore your computer from the System Recovery Options (SRO) menu in case you have trouble booting into Windows.

Assuming that you are running XP, as in the example above, and you don’t have the luxury of using the SRO menu, you can still recover from your registry corruption issue using System Restore recovery points. You will need the help of a third-party boot disk such as ERD Commander, UBCD or similar that will allow you to browse the Windows partition on your hard drive. Next, navigate to the hidden “System Volume Information” folder in the root directory, which contains your restore points in folders named _restore {XXXXX…}. Pick the most recent restore point by the date that it was modified and navigate to RP1\Snapshot. Inside this folder you will find your registry backups, with names such as _Registry_Machine_System. Copy this file and navigate to the Windows\System32\Config folder, rename the existing file “SYSTEM” to “SYSTEM.old”, paste the previously copied file into this folder and rename it to SYSTEM. Once completed, reboot your computer. You should now have a bootable Windows XP computer. You should then always perform a full system restore to the most recent restore point, in case there are any inconsistencies in the other registry hives, etc.
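The manual hive swap described above, scripted as an added example (not from the original article or from Microsoft). It assumes a boot environment with Python and the Windows partition mounted at a hypothetical `volume_root`; all function names are illustrative. Beyond the steps in the text, it skips snapshot files that lack the `regf` registry hive signature and refuses to overwrite an existing SYSTEM.old.

```python
import shutil
from pathlib import Path

HIVE_MAGIC = b"regf"  # registry hive files begin with this 4-byte signature


def find_ci(parent: Path, name: str) -> Path:
    """Case-insensitive child lookup (an NTFS mount on a boot disk may be case-sensitive)."""
    for child in parent.iterdir():
        if child.name.lower() == name.lower():
            return child
    raise FileNotFoundError(f"{name} not found under {parent}")


def is_hive(path: Path) -> bool:
    with path.open("rb") as fh:
        return fh.read(4) == HIVE_MAGIC


def latest_snapshot_hive(volume_root: Path, hive="_Registry_Machine_System") -> Path:
    """Newest snapshot copy of the hive (by file modification time) that passes the signature check."""
    svi = find_ci(volume_root, "System Volume Information")
    candidates = []
    for store in svi.iterdir():
        if not store.name.lower().startswith("_restore"):
            continue
        for rp in store.iterdir():  # restore point folders under the _restore folder
            try:
                f = find_ci(find_ci(rp, "snapshot"), hive)
            except (FileNotFoundError, NotADirectoryError):
                continue
            if is_hive(f):
                candidates.append(f)
    if not candidates:
        raise FileNotFoundError("no valid snapshot hive found")
    return max(candidates, key=lambda p: p.stat().st_mtime)


def swap_system_hive(volume_root: Path) -> Path:
    """Rename SYSTEM to SYSTEM.old, then copy the snapshot hive in as SYSTEM."""
    source = latest_snapshot_hive(volume_root)
    config = find_ci(find_ci(find_ci(volume_root, "Windows"), "System32"), "Config")
    live = find_ci(config, "SYSTEM")
    backup = live.with_name("SYSTEM.old")
    if backup.exists():
        raise FileExistsError(f"{backup} already exists; refusing to overwrite")
    live.rename(backup)
    shutil.copy2(source, config / "SYSTEM")
    return source
```

Keeping SYSTEM.old in place preserves the damaged hive for later inspection if the corruption turns out to have been caused by malware or a bad driver.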

Microsoft has also released the KB article KB307545, which outlines this fix using the command-based Windows Recovery Console in case you do not have access to a third-party boot disk.

Remember to keep an eye on your System Restore settings! It will really come in handy the next time you install that unsigned driver or catch some nasty malware!