System Restore Point Log Decoding

In an effort to improve recoverability in the event of malfunctioning drivers or system software, Microsoft introduced the concept of a System Restore Point. This serves as a checkpoint in the history of a computer's configuration, saving files and settings which will enable the Restoration of the System to a Point in time (hence, System Restore Point). This document describes the format a System Restore Point takes on-disk.

Folder Structure

A System Restore Point is stored by the operating system as a folder with a series of saved files, registry hives and log files.

The files stored within a SRP are not the files that result from the change. The stored files are backups of the files from prior to the change being made. So to return to the system state immediately before the change, we would restore all of the files and registry entries from the SRP. Windows will create an SRP for the current system state before it restores the old state, so it is possible to switch back and forth.

rp.log

The master log file for a SRP is 'rp.log'. This file contains the type of SRP, a description of the reason for the SRP being created and the date the SRP was created.

File Format

Offset  Length     Description
0       4 bytes    Unknown - seems to be 0x64 for a system checkpoint, 0x66 for a software installation
4       4 bytes    Type
                   - 0x00000000 = Application Installation
                   - 0x00000001 = Application Uninstallation
                   - 0x00000007 = System Checkpoint
8       4 bytes    Unknown - seems to be 0x00000000 for a software install
12      4 bytes    Unknown - seems to be 0x00000000 for a software install
16      512 bytes  Name of SRP - Unicode, null-terminated (padded to 512 bytes with what appears to be memory slack)
528     8 bytes    Creation time of SRP (Windows date/time record)

Notes

Twelve bytes (the fields at offsets 0, 8 and 12) are unknown. It is highly unlikely that they serve no purpose...

RestorePointSize

The accumulated size of the changes to the system stored within the SRP is written as a 64-bit little-endian integer to this file.

Example

The following bytes, read as a little-endian integer (0x19FB2211 = 435,888,657 bytes), indicate a SRP that contains almost 416 MB of backup files.

11 22 FB 19 00 00 00 00

change.log

The change.log file is created in the current SRP folder and appended to until the computer is restarted. At that point, the change.log file is renamed to change.log.x, where x is a number starting at 1 and incremented on each restart until the next SRP folder is created (at which point the numbering resets to 1).

File Format

A change log is a series of records of the form (length; type; payload; length). For want of an authoritative name, we shall term this record a change log record. A change log record therefore has the form:

Offset  Length      Description
0       4 bytes     Length of record (n)
4       4 bytes     Record type
                    - 0x00000000 for a change log header
                    - 0x00000001 for a change event
8       4 bytes     Change log record signature (0xABCDEF12)
12      n-16 bytes  Payload of record
n-4     4 bytes     Length of record (repeated)

The payload of the record takes a different form depending on the record type. In each case, it consists of a type-specific preamble and a sequence of fields in the form (length; type; value).

Record Type = 0x00000000

This record type is the change log header. The only information found in this record is the change log's original filename.

The record payload has the following format.

Offset  Length     Description
0       4 bytes    0x00000002 (preamble for type)
4       4 bytes    Field length (n)
8       4 bytes    Field type (0x00000002 = change log filename)
12      n-8 bytes  Field value (filename of change log)

Record Type = 0x00000001

This record type is a change event.

Offset  Length     Description
0       4 bytes    Change type
                   - 0x00000001 = Modify File
                   - 0x00000002 = Update ACL
                   - 0x00000004 = Update Attributes
                   - 0x00000010 = Delete File
                   - 0x00000020 = Create File
                   - 0x00000040 = Rename File
                   - 0x00000080 = Create directory
                   - 0x00000100 = Rename directory
                   - 0x00000200 = Delete directory
                   - 0x00000400 = MNT-CREATE (appears to relate to filesystem attachment points)
4       4 bytes    Flags
8       4 bytes    Attributes
                   Where 0xFFFFFFFF, no attribute information is stored with the event. Otherwise it is the 'file permission field' as defined in an NTFS $STANDARD_INFORMATION attribute.
12      4 bytes    Event record ID (sequence number)
16      36 bytes   Unknown, but appears to always be 0, so may be padding

The following fields repeat until the end of the record payload is reached:

Offset  Length     Description
x       4 bytes    Field length (n)
x+4     4 bytes    Field type
                   - 0x00000003 = long original filename
                   - 0x00000004 = long new filename
                   - 0x00000005 = backup filename
                   - 0x00000006 = ACL
                   - 0x00000009 = short filename
                   - 0x0000000A = short new filename
x+8     n-8 bytes  Field value
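The following parser walks the change log framing and the two payload layouts described above, checking the signature, both length fields and every field bound before trusting them. It is an added example, not code from the original document; it assumes little-endian integers, that name fields are UTF-16LE (the page does not state the encoding), and the sample bytes it parses are constructed here rather than taken from a real change.log.

```python
import struct
SIGNATURE = 0xABCDEF12  # change log record signature from the record table above
CHANGE_TYPES = {0x1: "Modify File", 0x2: "Update ACL", 0x4: "Update Attributes", 0x10: "Delete File",
                0x20: "Create File", 0x40: "Rename File", 0x80: "Create directory",
                0x100: "Rename directory", 0x200: "Delete directory", 0x400: "MNT-CREATE"}
FIELD_TYPES = {2: "change log filename", 3: "long original filename", 4: "long new filename",
               5: "backup filename", 6: "ACL", 9: "short filename", 0xA: "short new filename"}

def parse_fields(buf):  # (length; type; value) fields, repeated until the payload is used up
    fields, pos = [], 0
    while pos + 8 <= len(buf):
        n, ftype = struct.unpack_from("<II", buf, pos)
        if n < 8 or pos + n > len(buf):
            raise ValueError("field at payload offset %d overruns the payload" % pos)
        value = buf[pos + 8:pos + n]
        if ftype != 6:  # assumption: name fields are UTF-16LE; ACL bytes are kept raw
            value = value.decode("utf-16-le").rstrip("\x00")
        fields.append((FIELD_TYPES.get(ftype, "unknown 0x%X" % ftype), value))
        pos += n
    return fields

def parse_change_log(data):  # records are (length; type; signature; payload; length)
    records, pos = [], 0
    while pos + 16 <= len(data):
        n, rtype, sig = struct.unpack_from("<III", data, pos)
        if (sig != SIGNATURE or rtype not in (0, 1) or n < 16 or pos + n > len(data)
                or struct.unpack_from("<I", data, pos + n - 4)[0] != n):
            raise ValueError("bad, unknown or truncated record at offset %d" % pos)
        payload = data[pos + 12:pos + n - 4]
        if rtype == 0:  # header: 4-byte preamble (0x2), then fields
            records.append({"type": "header", "fields": parse_fields(payload[4:])})
        else:           # change event: 16-byte fixed part, 36 unknown bytes, then fields
            ctype, flags, attrs, seq = struct.unpack_from("<IIII", payload, 0)
            records.append({"type": "change", "change": CHANGE_TYPES.get(ctype, ctype),
                            "flags": flags, "seq": seq, "fields": parse_fields(payload[52:]),
                            "attributes": None if attrs == 0xFFFFFFFF else attrs})
        pos += n
    return records

def build_field(ftype, text):  # encoders used only to construct the sample below
    value = text.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<II", len(value) + 8, ftype) + value
def build_record(rtype, payload):
    n = len(payload) + 16
    return struct.pack("<III", n, rtype, SIGNATURE) + payload + struct.pack("<I", n)

# Constructed sample: a header record naming the log, then a Create File event (seq 7).
SAMPLE = (build_record(0, struct.pack("<I", 2) + build_field(2, "change.log"))
          + build_record(1, struct.pack("<IIII", 0x20, 0, 0xFFFFFFFF, 7) + b"\x00" * 36
                         + build_field(3, r"C:\WINDOWS\example.sys") + build_field(5, "A0000001.sys")))
```

Running parse_change_log(SAMPLE) yields the header record with its filename field followed by the Create File event with its original and backup filenames; a record whose trailing length disagrees with its leading length, or that runs past the end of the file, is rejected rather than silently truncated.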