In an effort to improve recoverability in the event of malfunctioning drivers or system software, Microsoft introduced the concept of a System Restore Point. This serves as a checkpoint in the history of a computer's configuration, saving files and settings which will enable the Restoration of the System to a Point in time (hence, System Restore Point). This document describes the format a System Restore Point takes on-disk.
A System Restore Point is stored by the operating system as a folder with a series of saved files, registry hives and log files.
The files stored within a SRP are not the files that result from the change. The stored files are backups of the files from prior to the change being made. So to return to the system state immediately before the change, we would restore all of the files and registry entries from the SRP. Windows will create an SRP for the current system state before it restores the old state, so it is possible to switch back and forth.
The master log file for a SRP is 'rp.log'. This file contains the type of SRP, a description of the reason for the SRP being created and the date the SRP was created.
| Offset | Length | Description |
|---|---|---|
| 0 | 4 bytes | Unknown - seems to be 0x64 for a system checkpoint, 0x66 for a software installation |
| 4 | 4 bytes | Type - 0x00000000 = Application Installation - 0x00000001 = Application Uninstallation - 0x00000007 = System Checkpoint |
| 8 | 4 bytes | Unknown - seems to be 0x00000000 for a software install |
| 12 | 4 bytes | Unknown - seems to be 0x00000000 for a software install |
| 16 | 512 bytes | Name of SRP - unicode, null-terminated (padded to 512 bytes with what appears to be memory slack) |
| 528 | 8 bytes | Creation time of SRP (windows date/time record) |
12 bytes are unknown. Highly unlikely that they serve no purpose...
The accumulated size of the changes to the system stored within the SRP is written as a 64-bit little-endian integer to this file.
The following bytes would indicate a SRP that contains almost 416 MB of backup files.
11 22 FB 19 00 00 00 00
The change.log file is created in the current SRP folder and added to until the computer is restarted. At this point, the change.log file is renamed to change.log.x where x is a number starting at 1 and incremented until the next SRP folder is created (when the number resets to 1).
A change log is a series of records of the form (length; type; payload; length). For want of an authoritive name, we shall term this record a change log record. A change log record therefore has the form:
| Offset | Length | Description |
|---|---|---|
| 0 | 4 bytes | Length of record (n) |
| 4 | 4 bytes | Record Type - 0x00000000 for a change log header - 0x00000001 for a change event |
| 8 | 4 bytes | Change log record signature (0xABCDEF12) |
| 12 | n-16 bytes | Payload of record |
| n-4 | 4 bytes | Length of record (repeated) |
The payload of the record takes a different form depending on the record type. In each case, it consists of a type-specific preamble and a sequence of fields in the form (length; type; value).
This record type is the change log header. The only information found in this record is the change log's original filename.
The record payload has the below format.
| Offset | Length | Description |
|---|---|---|
| 0 | 4 bytes | 0x00000002 (preamble for type) |
| 4 | 4 bytes | Field Length (n) |
| 8 | 4 bytes | Field Type (0x00000002 = change log filename) |
| 12 | n-8 bytes | Field Value (filename of change log) |
This record type is a change event.
| Offset | Length | Description |
|---|---|---|
| 0 | 4 bytes | Change type - 0x00000001 = Modify File - 0x00000002 = Update ACL - 0x00000004 = Update Attributes - 0x00000010 = Delete File - 0x00000020 = Create File - 0x00000040 = Rename File - 0x00000080 = Create directory - 0x00000100 = Rename directory - 0x00000200 = Delete directory - 0x00000400 = MNT-CREATE (appears to relate to filesystem attachment points) |
| 4 | 4 bytes | Flags |
| 8 | 4 bytes | Attributes Where 0xFFFFFFFF, no attribute information is stored with the event. Otherwise is a 'file permission field' as defined in a NTFS $STANDARDINFORMATION attribute. |
| 12 | 4 bytes | Event record ID (seq. number) |
| 16 | 36 bytes | Unknown, but appears to always be 0, so may be padding |
| Fields repeat as below until end of record payload length | ||
| x | 4 bytes | Field Length (n) |
| x+4 | 4 bytes | Field Type - 0x00000003 = long original filename - 0x00000004 = long new filename - 0x00000005 = backup filename - 0x00000006 = ACL - 0x00000009 = short filename - 0x0000000A = short new filename |
| x+8 | n-8 bytes | Field Value |