Questions regarding system restore snapshots & security

john2004 (Senior Member, joined May 2004), 14-Oct-2009, 05:04 PM, #1
Hi everyone,

Regarding the following, I am mainly concerned with the windows XP operating system.

I would like to ask some questions regarding system restore snapshots and security. For example, let's say you have a private file, personal or business records, etc. on your hard drive and you securely delete the information with Eraser http://eraser.heidi.ie/ or some similar wiping program. At this point you think the file should basically be gone with no real chance of recovery. However, how do you know that the system restore function in Windows XP did not create a snapshot of the very file that you thought you had wiped?

The way I always understood it, system restore creates snapshots of system files and program files, but not document files such as pdf, word files, text files, pictures such as gif and jpeg files etc.. Is this correct ? I also thought that system restore never takes a snapshot of anything in the "My documents folder". Is this correct ?

Is there any way to explore, search, and view the contents of the system restore drive to see exactly what has and has not been backed up for restore purposes? Exactly what does and does not the system restore take snapshots of?

There is something written about this issue on the Sandboxie site..

http://www.sandboxie.com/index.php?PrivacyConcerns

They suggest relocating the sandbox folder to C:\TEMP\SANDBOX instead of C:\SANDBOX, since system restore does not usually monitor or copy TEMP files, but I guess you could also locate the sandbox in the My Documents folder.

I suppose that this type of scenario could also apply to a virus or malware. It may be possible to clean an infected document or system file only to find that the infected file is still on the D drive in a system restore snapshot. It could even be unknowingly restored at some point.

What can be done to minimize the likelihood of these types of problems and how can the system restore be searched so that you know there is no copied virus or private files present on the D drive ?

Any feedback would be appreciated.

Thanks
John
midders (Account Closed), 14-Oct-2009, 05:56 PM, #2
Personally, I disable system restore on every system that I build; it is unreliable at the best of times, and generally causes more problems than it solves. You're much better off using third-party software to do backups so that you can control exactly when and what is backed up or restored, as well as using hard encryption to protect your privacy. I currently recommend Macrium Reflect Free edition, or the bought one if you want incremental backups.

You can view the contents of the system restore folder (System Volume Information in the root of each partition/drive) by changing the security settings on the folder to allow your user read access. This can be done by any administrator in XP Pro or by rebooting in safe-mode in XP home.

Slainte

midders
P.S. The System Volume Information folder, like the Recycled folder, is created by Windows whether you are using it or not; to prevent automatic recreation, the only fix I have found so far is to create a zero-length file of the same name and then remove all permissions from the file so that Windows can't replace it.

Last edited by midders : 14-Oct-2009 05:58 PM. Reason: PS
Gizzy (Library Manager, NJ, USA), 14-Oct-2009, 07:27 PM, #3
To see what's included and excluded in a restore point you can open the following file on your computer:
C:\WINDOWS\system32\Restore\Filelist.xml
That file can be edited to include/exclude any files/folders you want, though of course, like any Windows file, be very careful if you decide to edit it.

Here are some pages about system restore:
http://msdn.microsoft.com/en-us/library/ms997627.aspx
http://msdn.microsoft.com/en-us/libr...24(VS.85).aspx
http://msdn.microsoft.com/en-us/library/ms811705.aspx

For more about sandboxie and system restore see here,
Sandboxie and System Restore
As mentioned there, securely deleting a file or changing the directory to tmp or temp keeps files out of system restore.

And as for finding malware in the system restore: when you do a full scan with an AV it will find malware in there too. Instead of having the AV fix it, I would suggest just deleting all the restore points by turning off system restore, restarting, then turning it back on,
since scanners (anti-virus) can break other restore points by fixing a file in system restore.
__________________
Have you considered using a Non-Administrator User Account to greatly improve your computer's security?
Help Add Content At The Official Tech Support Guy Library Of Knowledge!
john2004 (Senior Member), 14-Oct-2009, 08:35 PM, #4
This seems strange...
Thanks for your feedback guys,

Gizzy, when I went to C:\WINDOWS\system32\Restore\ the only things I could see in the Restore folder were:

"MachineGuid.txt
Rstrui.exe (System restore application)
Srdiag.exe (Tool to collect and CAB info for System Restore & SFP)
Srframe.mmf"

I then searched the entire C drive for filelist.xml with Windows Desktop Search and found nothing except C:\Program Files\HP Games\Ricochet Lost Worlds\readme_images. I then searched the C drive with the "Everything" search tool http://www.voidtools.com/ and the filelist.xml file showed up at the correct path, but it is not visible in the C:\WINDOWS\system32\Restore\ folder. I copied the filelist file from the search list and pasted it into a new folder on my desktop, but it did not show up. I pasted it again and got a message that the file was already in the folder. However, the file is not visible. Why is this? It seems strange to me.

The only way I could open the file was from the *Everything* search list. When I opened it, I copied and pasted it into a text file which I have attached to this message. Does the file look correct? Looking through the lines, some of the words I see that catch my eye are "wipeinfo", personal documents, history & internet cache, windir temp, %windir%\temp, %SystemDrive%\Documents And Settings\Default User\My Documents, %SystemDrive%\Documents And Settings\Default User\Local Settings\Temp, ZFSENDTOTARGET, & wipeslack.

It seems the thing might be recording everything, not just system and program files. However, I do not know enough about it to really be sure or to edit it if desirable. Can you give me an example of how to edit the file? When I opened the file it opened in my browser. What program can I use to edit the file?


Also, how long should my computer be running well before it should be safe to delete all of the restore points? My computer has been running fine lately, but some time ago it did recover from a few "serious errors" according to the startup message, though it seemed to run fine after that.

It seems strange to me that it's not possible for me to even see the filelist.xml file unless I use a third-party application. Apparently, Windows did not want me to even find it for some reason.

Any further feedback would be appreciated.

Thanks
John
Attached Files: filelistxml.txt (14.2 KB, 66 views)
john2004 (Senior Member), 14-Oct-2009, 09:10 PM, #5
I see now how the filelist.xml uses the <exclude> and <include> tags, so it's not recording as much as I thought.
Gizzy (Library Manager, NJ, USA), 15-Oct-2009, 01:37 AM, #6
The reason you can't see it is because it's a system file; sorry, I forgot to say to unhide them.
To see system files,
Open an explorer window
Go to Tools > Folder Options > View tab
Uncheck the Hide protected operating system files (Recommended) option.


The file can be edited with Notepad.
For an example, and what I think would be the easiest way to include/exclude things, edit the following part (this may seem complicated if you're not familiar with XML):
Code:
    <DIRECTORIES>
        <Exclude>
            <REC></REC>

        </Exclude>
        <Include>
            <REC></REC>
        </Include>
    </DIRECTORIES>
Enter a directory you don't want to be included between <REC></REC> under <Exclude>,
and enter a directory you want to be included between <REC></REC> under <Include>.
So it would be:
Code:
    <DIRECTORIES>
        <Exclude>
            <REC>C:\Path\ExcludedDirectory</REC>

        </Exclude>
        <Include>
            <REC>C:\Path\IncludedDirectory</REC>
        </Include>
    </DIRECTORIES>
It also accepts the * wildcard so C:\path and *:\pa*h are the same thing.


If everything is running fine and there are no restore points you want/need, then it should be alright to delete all the restore points. After you restart your computer and turn system restore back on, a new restore point will automatically be created for you.


All that said, though, you should be fine with it at its default since it doesn't back up personal files like txt files, pdf files etc.
For a list of what filetypes it backs up, it's in the filelist.xml file under the following (I'll post the list if you want, but I thought it would make this post too long):
Code:
    <EXTENSIONS>
        <Include>
        </Include>
    </EXTENSIONS>
And if you use a program like Eraser, as I understand it the file will be shredded/overwritten before it's deleted, keeping it out of system restore.


EDIT - If you do decide to edit the filelist.xml file just be sure to save a copy of the original somewhere.

Last edited by Gizzy : 15-Oct-2009 02:28 AM.
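The posts above point at Filelist.xml and describe its <DIRECTORIES> Exclude/Include <REC> entries, the <EXTENSIONS> list, and the * wildcard. The script below is an added example (it is not from this thread or from Microsoft) that reads a document in that shape and answers the original question for any given path: would System Restore pick this file up or not? The sample document, the %windir%/%SystemDrive% values, the <EXT> tag name under <EXTENSIONS> (the parser accepts any child element) and the decision order (an excluded directory wins, then an included directory, then the extension list) are all assumptions made for the example, so check them against your own Filelist.xml before relying on the output.

```python
"""Decide whether Windows XP System Restore would snapshot a given file by
applying the <DIRECTORIES> Exclude/Include and <EXTENSIONS> Include rules of a
Filelist.xml-style document.  Added illustration only, not code from the
thread or from Microsoft.  Assumed: the decision order (excluded directory
wins, then included directory, then the extension list), the placeholder
values in ENV, and the <EXT> tag name in the constructed sample."""
import fnmatch
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample in the shape shown in the thread; the real file is far
# longer and lives at C:\WINDOWS\system32\Restore\Filelist.xml.
SAMPLE_FILELIST = r"""<FILELIST>
    <DIRECTORIES>
        <Exclude>
            <REC>%windir%\temp</REC>
            <REC>%SystemDrive%\Temp</REC>
            <REC>%SystemDrive%\Documents And Settings\*\My Documents</REC>
        </Exclude>
        <Include>
            <REC>%SystemDrive%\Sandbox</REC>
        </Include>
    </DIRECTORIES>
    <EXTENSIONS>
        <Include>
            <EXT>exe</EXT>
            <EXT>dll</EXT>
            <EXT>ini</EXT>
        </Include>
    </EXTENSIONS>
</FILELIST>
"""

# Assumed values for the environment placeholders used in the file.
ENV = {"%windir%": r"C:\WINDOWS", "%SystemDrive%": "C:"}


def _expand(pattern):
    """Substitute %VAR% placeholders and lower-case (Windows paths are
    case-insensitive, so every comparison is done in lower case)."""
    out = pattern.lower()
    for var, value in ENV.items():
        out = out.replace(var.lower(), value.lower())
    return out


def _ancestors(path):
    """Yield every directory containing `path`, deepest first."""
    d = ntpath.dirname(path)
    while d:
        yield d
        parent = ntpath.dirname(d)
        if parent == d:  # reached the drive root, e.g. 'c:\'
            break
        d = parent


def _in_any(path, patterns):
    """True if any ancestor directory of `path` matches a wildcard pattern.
    Matching whole ancestors (not a string prefix) stops 'c:\temp' from
    also excluding 'c:\temporary'."""
    return any(fnmatch.fnmatchcase(anc, pat)
               for anc in _ancestors(path.lower()) for pat in patterns)


def load_rules(xml_text):
    """Parse the three rule lists out of a Filelist.xml-style document."""
    root = ET.fromstring(xml_text)

    def texts(xpath):
        return [e.text.strip() for e in root.findall(xpath)
                if e.text and e.text.strip()]

    return {
        "exclude_dirs": [_expand(t) for t in texts("./DIRECTORIES/Exclude/*")],
        "include_dirs": [_expand(t) for t in texts("./DIRECTORIES/Include/*")],
        "extensions": {t.lstrip(".").lower()
                       for t in texts("./EXTENSIONS/Include/*")},
    }


def is_monitored(rules, path):
    """Return (monitored, reason) for one full Windows path."""
    if _in_any(path, rules["exclude_dirs"]):
        return False, "inside an excluded directory"
    if _in_any(path, rules["include_dirs"]):
        return True, "inside an included directory"
    ext = ntpath.splitext(path)[1].lstrip(".").lower()
    if ext in rules["extensions"]:
        return True, "extension '%s' is on the monitored list" % ext
    return False, "extension '%s' is not on the monitored list" % ext


if __name__ == "__main__":
    rules = load_rules(SAMPLE_FILELIST)
    for p in (r"C:\Sandbox\drive\notes.txt",
              r"C:\Temp\Sandbox\drive\app.exe",
              r"C:\Documents and Settings\john\My Documents\records.pdf",
              r"C:\Program Files\Foo\foo.dll",
              r"C:\Program Files\Foo\readme.txt"):
        monitored, why = is_monitored(rules, p)
        print("%-62s %-5s (%s)" % (p, monitored, why))
```

Run it against the real file with `load_rules(open(r"C:\WINDOWS\system32\Restore\Filelist.xml").read())` and feed it the paths you care about; the second sample path shows why the Sandboxie advice works (a sandbox under C:\Temp is excluded even for .exe files), and the first shows that an included directory is snapshotted regardless of extension.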
john2004 (Senior Member), 15-Oct-2009, 12:18 PM, #7
Hi Gizzy,

Thanks for the additional info. I had the "show hidden files and folders" option checked, but I did not see the option for hiding "protected system & operating" files.

Thanks for your info on how to edit the xml file. I may not need to edit it, but it's always nice to learn just in case. I figured I could edit it in Notepad, but was wondering what program would save it as xml. I see my OpenOffice program can save in that format though.

Quote:
For a list of what filetypes it backs up it's in the filelist.xml file under (I'll post the list if you want, But I thought it would make this post too long.)
Thanks but I can just look at the text file I attached to the thread :-) That's why I attached the text file, I thought it would make the post too long.

Quote:
And if you use a program like eraser, As I understand it the file will be shredded/overwritten before it's deleted keeping it out of system restore.
What I was thinking is that the system may do an automatic restore snapshot before any files are deleted, which would back them up on the D drive. However, I don't know how likely this is or how it would differ between something in or outside of sandboxie.

Thanks again for your help Gizzy, it's much appreciated.

John
Gizzy (Library Manager, NJ, USA), 15-Oct-2009, 10:48 PM, #8
You're Welcome.

Quote (Originally Posted by john2004):
I had the "show hidden files and folders" option checked, but I did not see the option for hiding "protected system & operating" files.
Should be 2 options below that, you'll have to scroll down.

Quote (Originally Posted by john2004):
Thanks for your info on how to edit the xml file, I may not need to edit it, but it's always nice to learn just in case. I figured I could edit it in notepad, but was wondering what program would save it as xml. I see my open-office program can save in that format though.
Notepad can save in xml too; you have 2 ways of doing it:
  1. Change "Save as type" to All Files, then just name it something.xml
  2. When you name it, put quotes around it, so "name.xml"

Quote (Originally Posted by john2004):
What I was thinking is that the system may do an automatic restore snapshot before any files are deleted, which would back them up on the D drive. However, I don't know how likely this is or how it would differ between something in or outside of sandboxie.
The best thing to protect against that, I would think (assuming you want to keep using system restore), is to keep files that you don't want to be backed up in a folder that is excluded from system restore, like was suggested in the Sandboxie link you posted earlier about creating a folder named Temp or Tmp and moving the sandbox there. That can be done with any files you don't want put into system restore.
You can see the default locations in the filelist.xml file or add any extra folders you'd like.
john2004 (Senior Member), 16-Oct-2009, 02:06 AM, #9
Hi Gizzy,

Thanks for the tips on the notepad editing, I did not know about saving the file extensions that way.

Quote:
Should be 2 options below that, you'll have to scroll down.
I just meant I did not see the option the first time I looked; after you mentioned it the first time, I had no trouble scrolling down and finding it.

I successfully cleared all of my old restore points, and now I have started fresh with the sandboxie container folder located in a temp directory as recommended. I still have restore enabled, but it's now a clean slate with new restore points.

At http://www.sandboxie.com/index.php?PrivacyConcerns it also mentioned setting up the pagefile to be cleared on shutdown. I followed the Microsoft instructions here http://support.microsoft.com/kb/314834 and applied the simple registry change. I checked it twice to make sure it was right. I then completely shut down and restarted my computer twice. However, I noticed no significant change in shutdown time, and the size of the pagefile did not seem to change. Both before and after making the reg change and rebooting the computer twice, when I right-click on the pagefile at C:\pagefile.sys and check the size, it said it was 1.4 GB every time.

How do I know if the pagefile is actually being cleared at shutdown each time?

The Sandboxie link also mentions the Hibernate File. I actually kind of like hibernate, but when I leave the house I always turn off the computer anyway. I also turn it off at night. Is the *away* feature just about as good as hibernate as far as power conservation?

Can I use the away feature in order to avoid the snapshot issues with hibernate?

Any further feedback you can provide would be appreciated.

Thanks
John
Gizzy (Library Manager, NJ, USA), 17-Oct-2009, 10:17 AM, #10
Quote (Originally Posted by john2004):
How do I know if the pagefile is actually being cleared at shutdown each time ?
I'm not sure if there is any way, since the file stays the same size because that's the amount of space reserved for the file.
It gets deleted at shutdown because it's in use otherwise, and when your computer starts up it starts being used again.
The only way I know of would be a slower shutdown time.

Quote (Originally Posted by john2004):
Is the *away* feature just about as good as hibernate as far as power conservation ?
Hibernate saves everything in memory to the hibernate file and then turns off the computer,
so hibernate should use the same power as if you turned off the computer.
The away feature just turns off parts of the computer, so it uses less power than leaving the computer on but still more than hibernate.
I'm not sure exactly how much more power it uses though.

Quote (Originally Posted by john2004):
Can I use the away feature in order to avoid the snapshot issues with hibernate ?
Sure, I see no reason why not, as far as I know the away feature doesn't save anything to a file like hibernate does.
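The question of how to confirm that the KB 314834 setting really clears the pagefile went unanswered above, and the unchanged file size is expected (the reserved space stays allocated). There is a direct check, added here as an example that is not from this thread or from Microsoft: the setting overwrites the pagefile with zeros at shutdown, so a pagefile that still contains non-zero bytes after a clean shutdown was not cleared. Because Windows holds pagefile.sys open while it runs, the file has to be read with the disk mounted offline (a boot CD, a second OS, or the drive attached to another machine). The script streams the file so it copes with a multi-gigabyte pagefile, and its demo builds two constructed pagefiles, one zeroed and one still carrying a fragment of text, to show both outcomes. The zero-fill behaviour and the offline-read requirement are the example's own assumptions; the same check applies to hiberfil.sys, except that a hibernation file is expected to hold memory contents, which is the privacy concern the Sandboxie page raises.

```python
"""Check, from a disk mounted offline, whether pagefile.sys was actually
zero-filled by the ClearPageFileAtShutdown setting.  Added illustration, not
from the thread or from Microsoft.  Assumed: the setting writes zeros over the
pagefile at shutdown, so any non-zero byte means it was not cleared, and the
file is read offline because Windows keeps it open while running."""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size keeps memory flat on a multi-GB pagefile


def scan_bytes(data):
    """Summarise one buffer: total bytes, non-zero bytes and the offset of
    the first non-zero byte (None if the buffer is all zeros)."""
    nonzero = len(data) - data.count(b"\x00")
    first = None
    if nonzero:
        first = len(data) - len(data.lstrip(b"\x00"))
    return {"total": len(data), "nonzero": nonzero, "first_nonzero": first}


def scan_pagefile(path):
    """Stream the whole file and report whether it is fully zeroed.  The
    offset of the first surviving non-zero byte is where a recovery tool
    would start carving."""
    total = nonzero = 0
    first = None
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(CHUNK)
            if not buf:
                break
            part = scan_bytes(buf)
            if part["nonzero"] and first is None:
                first = total + part["first_nonzero"]
            nonzero += part["nonzero"]
            total += part["total"]
    return {"cleared": nonzero == 0, "total": total,
            "nonzero": nonzero, "first_nonzero": first}


RESIDUE = b"ACCOUNT 4411 balance 12000"  # constructed leftover, not real data


def demo():
    """Build two constructed pagefiles in a temp dir: one fully zeroed and
    one still holding RESIDUE a little past the first megabyte."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cleared = os.path.join(tmp, "pagefile_cleared.sys")
        with open(cleared, "wb") as fh:
            fh.write(b"\x00" * (3 * CHUNK))
        leaky = os.path.join(tmp, "pagefile_leaky.sys")
        with open(leaky, "wb") as fh:
            fh.write(b"\x00" * (CHUNK + 4096))
            fh.write(RESIDUE)
            fh.write(b"\x00" * CHUNK)
        results["cleared"] = scan_pagefile(cleared)
        results["leaky"] = scan_pagefile(leaky)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        if r["cleared"]:
            print("%s: cleared (%d bytes, all zero)" % (name, r["total"]))
        else:
            print("%s: NOT cleared, %d non-zero bytes, first at offset %d"
                  % (name, r["nonzero"], r["first_nonzero"]))
```

On a real system, run `scan_pagefile("/mnt/winxp/pagefile.sys")` (or the equivalent drive letter from a second Windows install) immediately after a clean shutdown of the machine under test; a crash, a forced power-off, or hibernation instead of shutdown skips the clearing pass, so a non-zero result after one of those is not evidence that the setting is broken.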
Closed Thread. techguy.org/868626

Copyright © 1996 - 2010 TechGuy, Inc. All rights reserved.