Windows – What does Windows System Restore exactly back up and restore

system-restore windows

I just had to do a system restore on a Windows XP machine infected by some malware or virus. Among other things, the virus had hidden all files and folders on all drives, removed all shortcuts in the start menu, and somehow blanked and locked the desktop. After fixing some things manually (but not the desktop issue) I thought about System Restore.
Performing the System Restore was successful and also fixed the desktop issue.

But this left me with the questions:

  • What exactly does System Restore restore and not restore?
  • Are there any notable differences between Windows XP and Windows Vista/7 System Restore?

Edit: I know in general what System Restore restores: your Windows configuration but not your files. I am interested in more detailed information, like does it also reset meta properties of files (like read-only, hidden), if it restores programs what parts of the program are restored (only .exe file, or also related files in 'application data', …?), …

Best Answer

Restored:

  • Registry (note: some current values will persist)
  • Profiles (local only—roaming user profiles not impacted by restore)
  • COM+ DB
  • WFP.dll cache
  • WMI DB
  • IIS Metabase
  • Files with extensions listed in the Monitored File Extensions list

Not Restored:

  • DRM settings
  • SAM hives (does not restore passwords)
  • WPA settings (Windows authentication information is not restored)
  • Contents of the My Documents folder(s)
  • Specific directories/files listed in the Monitored File Extensions list
  • Any file with an extension not listed in the Monitored File Extensions list
  • Items listed in both Filesnottobackup and KeysnottoRestore (HKLM->System->ControlSet001->Control->BackupRestore->Filesnottobackup and keysnottorestore)
  • User-created data stored in the user profile
  • Contents of redirected folders
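
The exclusion lists named in the answer can be read directly from the registry, which shows what a restore on a given machine left untouched and therefore still needs to be checked separately after a malware cleanup. This is an added example, not part of the original answer. The function name `Get-RestoreExclusion` is hypothetical, the script reads `CurrentControlSet` (the active control set) rather than the `ControlSet001` path quoted above, and it assumes the usual `FilesNotToBackup` entry format in which a trailing `/s` marks a recursive exclusion.

```powershell
# Added example: list the FilesNotToBackup / KeysNotToRestore entries.
# Assumption: CurrentControlSet is read instead of ControlSet001.
$BackupRestoreKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore'

function Get-RestoreExclusion {
    param([string]$BasePath = $BackupRestoreKey)

    foreach ($list in 'FilesNotToBackup', 'KeysNotToRestore') {
        $path = Join-Path $BasePath $list
        if (-not (Test-Path $path)) {
            Write-Warning "$path is not present on this system"
            continue
        }
        $key = Get-Item -Path $path
        foreach ($valueName in $key.GetValueNames()) {
            # Keep %VAR% references unexpanded so the raw entry stays visible.
            $raw = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            foreach ($entry in @($raw)) {
                $entry = "$entry".Trim()
                if (-not $entry) { continue }   # skip empty multi-string slots

                $recursive = $false
                $resolved  = $entry
                if ($list -eq 'FilesNotToBackup') {
                    # A trailing "/s" means subdirectories are excluded too.
                    $recursive = $entry -match '\s/s\s*$'
                    $pattern   = $entry -replace '\s/s\s*$', ''
                    $resolved  = [Environment]::ExpandEnvironmentVariables($pattern)
                }
                [pscustomobject]@{
                    List      = $list
                    ValueName = $valueName
                    Entry     = $entry
                    Resolved  = $resolved
                    Recursive = $recursive
                }
            }
        }
    }
}

# Show every exclusion, grouped by list, for review after a restore.
Get-RestoreExclusion |
    Sort-Object List, ValueName |
    Format-Table List, ValueName, Resolved, Recursive -AutoSize -Wrap
```

Environment variables are expanded in the context of the account running the script, so per-user paths such as `%TEMP%` resolve to that account's profile.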