Creating and Using System Restore Checkpoints - Windows PowerShell for Administration: The Personal Trainer (2015)

Chapter 10. Creating and Using System Restore Checkpoints

System Restore is only available with desktop versions of Windows. With System Restore enabled, a desktop computer makes periodic snapshots of the system configuration. These snapshots are called restore points. These restore points include Windows settings, lists of programs that have been installed, and so on. If the computer has problems starting or isn’t working properly because of a system configuration change, you can use a restore point to restore the system configuration to the point at which the snapshot was made. For example, suppose your system is working fine and then you install a new service pack release for Microsoft Office. Afterward, the computer generates errors, and Office applications won’t run. You try to uninstall the update, but that doesn’t work, so you decide to run System Restore. Using System Restore, you can restore the system using a snapshot taken before the update.

System Restore automatically creates several types of restore points. These include the following:

· Scheduled: Checkpoints scheduled by the operating system and occurring at regular intervals

· Windows Update: Checkpoints created before applying Windows updates

· Application Install: Checkpoints created before installing applications

· Application Uninstall: Checkpoints created before uninstalling applications

· Device Install: Checkpoints created before installing devices

· Device Uninstall: Checkpoints created before uninstalling devices

You should create restore points manually before performing an operation that might cause problems on the system.

System Restore manages restore points on a per-drive basis. Each drive with critical applications and system files should be monitored for configuration changes. By default, System Restore is enabled only for the System drive. You can modify the System Restore configuration by turning on monitoring of other drives as needed. If a drive isn’t configured for System Restore monitoring, configuration changes are not tracked, and the disk cannot be recovered if problems occur.

NOTE Unlike Windows 7, System Restore with Windows 8 and later no longer includes Previous Versions as a subcomponent. With Windows 8 and later, you create previous versions of personal files using File History backups.

Commands for Configuring System Restore

At an elevated, administrator PowerShell prompt, you can view and work with System Restore using the following commands:

· Enable-ComputerRestore: Turns on the System Restore feature on one or more fixed, internal drives. You cannot enable System Restore on external or network drives.

Enable-ComputerRestore [-Drive] DriveStrings

· Disable-ComputerRestore: Turns off the System Restore feature on one or more file system drives. As a result, attempts to restore the computer do not affect the specified drive.

Disable-ComputerRestore [-Drive] DriveStrings

· Get-ComputerRestorePoint: Gets one or more restore points on the local computer, or displays the status of the most recent attempt to restore the computer.

Get-ComputerRestorePoint [-RestorePoint] SequenceNumber
Get-ComputerRestorePoint -LastStatus

· Checkpoint-Computer: Creates a system restore point on the local computer. The -RestorePointType parameter optionally specifies the type of restore point.

Checkpoint-Computer [[-RestorePointType] Type] [-Description] Description

· Restore-Computer: Restores the local computer to the specified system restore point. A restart of the computer is performed to complete the restore. The -RestorePoint parameter specifies the sequence number of the restore point.

Restore-Computer [-RestorePoint] SequenceNumber

The system process responsible for monitoring configuration and application changes is the System Restore service. This service is configured for automatic startup and runs under the Local System account. System Restore won’t work properly if this service isn’t running or configured appropriately.

System Restore saves system checkpoint information for all monitored drives and requires at least 300 MB of disk space on the System volume to save restore points. System Restore reserves additional space for restore points as necessary, up to 10 percent of the total disk capacity, but this additional space is always available for user and application storage. System Restore frees up additional space for you as necessary. If System Restore runs out of available space, the operating system overwrites previously created restore points.

Enabling and Disabling System Restore

You can enable System Restore for a volume using Enable-ComputerRestore. The basic syntax is

Enable-ComputerRestore [-Drive] DriveStrings

With the -Drive parameter, specify one or more drive letters, each followed by a colon and a backslash and enclosed in quotation marks, as shown in the following example:

enable-computerrestore -drive "C:\", "D:\"

To enable System Restore on any drive, it must be enabled on the system drive, either first or concurrently. When you enable System Restore, restore points are created automatically as discussed previously.

You can disable System Restore for a volume using Disable-ComputerRestore. The basic syntax is

Disable-ComputerRestore [-Drive] DriveStrings

With the -Drive parameter, specify one or more file system drive letters, each followed by a colon and a backslash and enclosed in quotation marks, as shown in the following example:

disable-computerrestore -drive "C:\", "D:\"

You cannot disable System Restore on the System volume without disabling System Restore on all other volumes.

Although these commands don’t support the -ComputerName parameter, you can use the remoting techniques discussed in Windows PowerShell: The Personal Trainer to invoke System Restore–related commands on remote computers. Here is an example:

invoke-command -computername techpc24 -scriptblock { enable-computerrestore -drive "C:\", "D:\" }

Here, you enable System Restore on the C and D drives of TechPC24.

Creating and Using Checkpoints

You can manually create a restore point by typing checkpoint-computer followed by a description of the checkpoint. Consider the following example:

checkpoint-computer "Modify PowerShell"

Here, you create a “Modify PowerShell” checkpoint. Windows PowerShell displays a progress bar while the restore point is being created. Optionally, you can specify the type of restore point using the -RestorePointType parameter. The default is APPLICATION_INSTALL. Valid values are as follows:

· APPLICATION_INSTALL, for when you are planning to install an application

· APPLICATION_UNINSTALL, for when you are planning to uninstall an application

· DEVICE_DRIVER_INSTALL, for when you are planning to modify device drivers

· MODIFY_SETTINGS, for when you are planning to modify configuration settings

You can use Get-ComputerRestorePoint to list all available restore points or a specific restore point by its sequence number. The sequence number is simply an incremented value that makes it possible to track a specific instance of a restore point.

To list all available restore points, type get-computerrestorepoint, as shown in the following example and sample output:

get-computerrestorepoint

CreationTime           Description            SequenceNumber  EventType          RestorePointType
------------           -----------            --------------  ---------          ----------------
5/19/2015 2:53:46 PM   Windows Update         48              BEGIN_SYSTEM_C...  18
6/1/2015 8:58:08 AM    Windows Update         49              BEGIN_SYSTEM_C...  18
6/8/2015 9:22:51 AM    Scheduled Checkpoint   50              BEGIN_SYSTEM_C...  7

From the output, you can see restore points are listed by creation time, description, sequence number, event type, and restore point type. Once you identify a restore point that you want to work with, note its sequence number. Using the -RestorePoint parameter, you can get that specific restore point. In this example, you get restore point 289:

get-computerrestorepoint 289

As each value returned for a restore point is set in a like-named property, you can filter the output of Get-ComputerRestorePoint using Where-Object. In the following example, you get all restore points created in the last three days:

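$date = (get-date).adddays(-3)
# CreationTime is held as a WMI date string, so convert it before comparing it with a date
get-computerrestorepoint | where-object {$_.converttodatetime($_.creationtime) -gt $date}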

In the following example, you get restore points with a specific description:

get-computerrestorepoint | where-object {$_.description -eq "Modify PowerShell"}

To get restore points by type, you need to know the numeric value that denotes a specific type. These values include the following:

· 0 for application install checkpoints, which include Windows Update checkpoints

· 1 for application uninstall checkpoints

· 7 for scheduled checkpoints

· 10 for device driver install checkpoints

· 12 for modify settings checkpoints

In the following example, you get all restore points for application installs:

get-computerrestorepoint | where-object {$_.restorepointtype -eq 0}
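The following added example (not from the book) wraps Checkpoint-Computer so that a planned change goes ahead only when a new restore point really exists, and returns that restore point with a converted creation date and a readable type. The names New-VerifiedCheckpoint and $TypeLabel and the sample description are assumptions made for illustration.

```powershell
# Added example for Windows PowerShell; run from an elevated prompt.
# New-VerifiedCheckpoint and $TypeLabel are hypothetical names.
# Labels for the numeric RestorePointType values listed in this chapter.
$TypeLabel = @{ 0 = 'Application install'; 1 = 'Application uninstall'; 7 = 'Scheduled'
                10 = 'Device driver install'; 12 = 'Modify settings' }

function New-VerifiedCheckpoint {
    param(
        [Parameter(Mandatory)] [string] $Description,
        [ValidateSet('APPLICATION_INSTALL', 'APPLICATION_UNINSTALL',
                     'DEVICE_DRIVER_INSTALL', 'MODIFY_SETTINGS')]
        [string] $RestorePointType = 'APPLICATION_INSTALL'
    )
    # Highest sequence number before the request (0 when no restore points exist).
    $before = [int](Get-ComputerRestorePoint |
        Measure-Object -Property SequenceNumber -Maximum).Maximum

    Checkpoint-Computer -Description $Description -RestorePointType $RestorePointType

    # Checkpoint-Computer can return with only a warning and no new restore point:
    # Windows 8 and later skip the request when a restore point was already created
    # in the previous 24 hours. Confirm that a newer entry with this description exists.
    $new = Get-ComputerRestorePoint |
        Where-Object { $_.SequenceNumber -gt $before -and $_.Description -eq $Description } |
        Sort-Object -Property SequenceNumber |
        Select-Object -Last 1
    if (-not $new) {
        throw "No restore point '$Description' was created; do not start the change."
    }

    [pscustomobject]@{
        SequenceNumber = $new.SequenceNumber
        Description    = $new.Description
        # CreationTime is a WMI date string; convert it to a DateTime for reporting.
        Created        = $new.ConvertToDateTime($new.CreationTime)
        Type           = $TypeLabel[[int]$new.RestorePointType]
    }
}

# Constructed usage: checkpoint before a driver change and keep the rollback number.
$cp = New-VerifiedCheckpoint -Description 'Before driver update' -RestorePointType DEVICE_DRIVER_INSTALL
"Roll back with: restore-computer $($cp.SequenceNumber)"
```

Recording the returned sequence number in the change ticket gives whoever handles a failed change the exact value to pass to Restore-Computer.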

Recovering from Restore Points

To recover a computer from a restore point, type restore-computer followed by the sequence number of the restore point to restore. Use Get-ComputerRestorePoint to display a list of available restore points by their sequence number if necessary. In the following example, you initiate a restore of the computer using restore point 353:

restore-computer 353

Here, you initiate a restore of EngPC85 to restore point 276:

invoke-command -computername engpc85 -scriptblock { restore-computer 276 }

During the restoration, System Restore shuts down the computer. After the restore is complete, the computer is restarted using the settings from the date and time of the snapshot. After the computer restarts, you can type get-computerrestorepoint -laststatus to check the status of the restore operation. Read the message provided to confirm the restore was successful. If the restore was unsuccessful, this is stated explicitly, such as

The last restore was interrupted.

If Windows isn’t working properly after a restore, you can apply a different restore point or reverse the restore operation by repeating this procedure and selecting the restore point that was created automatically before applying the current system state.
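The remoting, listing, and -LastStatus techniques from this chapter can be combined to check which desktops actually have a recent restore point to fall back on. This is an added example, not code from the book; the function name Get-RestorePointHealth, the $MaxAgeDays threshold, and the state labels are assumptions, and the computer names are the ones used earlier in the chapter.

```powershell
# Added example for Windows PowerShell; Get-RestorePointHealth is a hypothetical name.
function Get-RestorePointHealth {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $MaxAgeDays = 7      # assumed threshold for a "stale" newest restore point
    )
    $results = @(Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        $newest = Get-ComputerRestorePoint |
            Sort-Object -Property SequenceNumber | Select-Object -Last 1
        # Work out the age on the remote side: CreationTime is a WMI date string, and
        # the ConvertToDateTime method is lost once the object is sent back to the caller.
        $created = if ($newest) { $newest.ConvertToDateTime($newest.CreationTime) }
        [pscustomobject]@{
            Sequence    = if ($newest) { $newest.SequenceNumber }
            Description = if ($newest) { $newest.Description }
            AgeDays     = if ($created) { [math]::Round(((Get-Date) - $created).TotalDays, 1) }
            LastStatus  = Get-ComputerRestorePoint -LastStatus
        }
    })

    foreach ($r in $results) {
        $state = if ($null -eq $r.AgeDays) {
            'NoRestorePoints'
        } elseif ($r.AgeDays -gt $MaxAgeDays) {
            'Stale'
        } else {
            'OK'
        }
        $r | Select-Object @{n = 'Computer'; e = { $_.PSComputerName }},
                           @{n = 'State'; e = { $state }},
                           Sequence, Description, AgeDays, LastStatus
    }

    # Computers that returned nothing (offline, remoting disabled, access denied).
    $ComputerName | Where-Object { $_ -notin $results.PSComputerName } | ForEach-Object {
        [pscustomobject]@{ Computer = $_; State = 'Unreachable'; Sequence = $null
                           Description = $null; AgeDays = $null; LastStatus = $null }
    }
}

Get-RestorePointHealth -ComputerName techpc24, engpc85 | Format-Table -AutoSize
```

The LastStatus column carries the message text unchanged, so an entry such as "The last restore was interrupted." stands out for follow-up.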