I'm trying to figure out a way to get a Windows 7 system restore point from a Ghost image back on to my "c-drive" so that I can use that restore point to roll back my computer to a previous time.  The reason for this is a program that has developed a problem that I traced to several weeks ago, but have not been able to resolve via normal methods of uninstall/reinstall, sfc /scannow, virus checking, and various others.  The only way that I can figure out how I might be able to get back to a time predating when the problem began to appear in the Windows error logs is rolling back my system to an earlier date.  However, I do not want to restore the entire image because I'd lose all other information on my drive for the past few weeks.

I tried to make the restore points on the Ghost image accessible to "system restore" by copying the "system volume information" folder from the backup onto the "c-drive."  Copying the folder was successfully accomplished from a Dos prompt in Windows Repair, but when Windows rebooted, it overwrote all of the files I copied with new ones generated during the boot.

I also tried restoring the Ghost image "system volume information" folder onto my desktop of the "c-drive," but I can't find a way to get "System Restore" to see those points.  "System Restore" doesn't give you any option of finding restore points that aren't already in the list provided by Windows.

I'm posting here, in addition to on Microsoft's forum, because the issue relates to restoring files from a Ghost backup.  After several hours of effort, I've not been able to identify a solution.  If anyone has successfully accomplished what I'm trying to do, please tell me how.

If I recover the entire image, I lose everything that's been done on the drive since the image date (4 weeks ago).  All I want is to get the "system restore" feature that undoes program modifications and registry entries since that time, without losing the data.  Thanks for the suggestion though.

Well in that case you are not going to do it with Ghost.

What you could have done is to run incremental backups which would have saved your data in a .v2i file and you could have  then recovered the data.

I always keep my data on a seperate drive to the pc and only connect when I want to write to it and backup.

Deric

I appreciate your attempt to help, but data isn't the issue, as I said. 

Anyone else know a way to recover the "system volume information" folder from a Ghost backup image so that Windows 7 sees the "system restore" points?

If you noticed, windows 7 "system volume information" is a lot different than it was in XP.

In XP you had different folders for each restore point and it was very easy to get to the registry backups.  In windows 7 everything is in one file and not only is it difficult to extract, it is linked to necessary entries in the system registry.

As you found, you can't just restore the folder because it will be unusable since the coresponding registry entries and pointers are not present.

Basically, there are 2 parts of system restore.  One part is restoring the registry, another part makes changes to files.

Files that are not currently present may be restored and perhaps non-user files (certain program files) are removed if they didn't exist in the restore point.

(I'm actually not sure about that last part, I'm not a big fan of system restore).

If you want to do the first part (registry replacement), thats pretty easy to do.

But don't even bother with tryng to get them out of "system volume information", use the files in the:

system32\config folder of the image.

The registry hives (files) are called: Default, SAM, Security, Software, and System, those files have no extentions.

I'm leaving out the "current user" registry, thats in another location and normally not needed for a recovery.

Also be aware that if your using windows file encryption you can easily loose access to encrpted files doing this.

In fact, for software problems or windows problems you may want to just replace Software and System if the image is fairly recent.

Make a full image as a backup in case you screw things up worse then they are.

Open the system image in the recovery point browser and extract the system32\config folder to your desktop.

Take Software and System (or all 5) and rename them to add a .new extention on them.

Then move or copy them into the real system32\config folder.

Boot to windows 7 startup repair disk and get to the command prompt.

Change the prompt into the system32\config folder

Rename the registry files in use (the ones with no extentions) to give them a .old extention.

ex:  ren software software.old

ren system system.old

Replace with the backups by removing the .new extention

ren software.new software

ren system.new system

If you want to do all of them, go ahead and do the rest.

Boot windows and you will be using the older registry.

If you reread my first paragraph, you will notice that it "may" be possible at this point to replace the "SVI" folder and have it "recognized" by windows since the older registry "should" contain the entries and pointers to it.

I have never tried that step myself and I wouldn't reccomend trying it.

Either way, please proceed at your own risk, I'm not reccomending you do any of this, and make sure you take a full image of the system before you proceed.

Dave

Dave, thanks for the comprehensive suggestion.  One particular part of your comment that seems particularly interesting is the point that System Restore probably establishes the viewable restore points based on registry entries.  It seems to make sense that restoring the registry hive files manually and restoring the system volume information file at the same time might fool Windows into seeing the old restoration points in System Restore.  Nevertheless, restoring the registry hives to a copy that's several weeks old, but itself, seems like a bad idea since any other programs/features changed since the backup date would still be on the system without their corresponding registry entries.  That sounds like a recipe for mass instability.

My hope was that there was some straightforward way to simply point System Restore to a file extracted from the image and let Windows handle the registry roll-back as well as uninstalling affected programs.  Having used System Restore before, that seems to be what the process accomplishes.   Unless I can find a way to actually get System Restore to "see" a restoration point and let Windows do the process automatically, it probably isn't worth the risk of going from bad to worse.

Another option is paying to get Office 2013 to see if that fixes the instability issues I'm experiencing, and if not, I'd at least have an option to get an MS support engineer to diagnose the issue.

I appreciate your thoughtful response.

---

sjm1 wrote:

Dave, thanks for the comprehensive suggestion.  One particular part of your comment that seems particularly interesting is the point that System Restore probably establishes the viewable restore points based on registry entries.  It seems to make sense that restoring the registry hive files manually and restoring the system volume information file at the same time might fool Windows into seeing the old restoration points in System Restore.  Nevertheless, restoring the registry hives to a copy that's several weeks old, but itself, seems like a bad idea since any other programs/features changed since the backup date would still be on the system without their corresponding registry entries.  That sounds like a recipe for mass instability.

 

Not really because I'm pretty sure thats how system restore works anyway.  At least it did that in XP.

After using system restore to go back in time, it's common to have to reinstall any programs that were since installed for that very reason, they no longer work because the registry entries are not present.

That in itself should not cause system instability because everything is really controlled by the registry, the program files are just like any other files sitting on the hard drive.  Program files or even drivers that are not listed anywhere in the registry have no way to cause instability.

 

Also, when I said I wasn't sure if existing program files are "removed" if they did not exist at the time of the restore point creation.  I'm actually fairly certain they never are removed, If I were designing it I would opt for leaving files behind or you would be in a bigger mess if the user chose to "roll back" the system restore.

 

However, I did try to make it clear that was something I don't reccomend.  (at least for other people, I'm a glutton for punishment and I usually don't learn anything until I break something) 

 

My hope was that there was some straightforward way to simply point System Restore to a file extracted from the image and let Windows handle the registry roll-back as well as uninstalling affected programs.  Having used System Restore before, that seems to be what the process accomplishes.   Unless I can find a way to actually get System Restore to "see" a restoration point and let Windows do the process automatically, it probably isn't worth the risk of going from bad to worse.

 

I'm pretty sure you will not find a straightforward way to do that because system restore is not very straightforward to begin with.   I didn't have time to get into all the working of it earlier, but the files that it does restore are really not in the "system volume information" folder to begin with.

Windows 7 creates "shadow copies" of files, when you right click a file and select "properties", on some files you see "previous versions" that are availible.  (I'm in XP at the moment, I'm going from memory)

Those shadow copies were created when restore points were made and volume shadow copy retained those older versions but I think they may actually reside in the NTFS file system or alternate streams.

 

If your interested, there is a very  interesting free tool called "system restore explorer" that lets you see everything in windows 7 restore points. But for the reasons I just gave I don't think it will work on your "unattached" SVI folder.

http://nicbedford.co.uk/software/systemrestoreexplorer/

 

Another option is paying to get Office 2013 to see if that fixes the instability issues I'm experiencing, and if not, I'd at least have an option to get an MS support engineer to diagnose the issue.

 

I appreciate your thoughtful response.

---

I hate to tell you this but the "correct" way to fix your problem may be to image your system how it is, restore the old image, then extract any new or changed folders or files from the image you just made and reinstall any programs that were not present in the old image.

I know that can be a lot of work but in the future making more frequent images may save you from having to go though it again.

The reason I'm not very familiar with system restore is because I never use it, I have ghost make daily images.

I found that system restore seems to never work when you need it, or you can't get it to do what you want.

Best of luck,

Dave

I'm trying to figure out a way to get a Windows 7 system restore point from a Ghost image back on to my "c-drive" so that I can use that restore point to roll back my computer to a previous time.  The reason for this is a program that has developed a problem that I traced to several weeks ago, but have not been able to resolve via normal methods of uninstall/reinstall, sfc /scannow, virus checking, and various others.  The only way that I can figure out how I might be able to get back to a time predating when the problem began to appear in the Windows error logs is rolling back my system to an earlier date.  However, I do not want to restore the entire image because I'd lose all other information on my drive for the past few weeks.

I tried to make the restore points on the Ghost image accessible to "system restore" by copying the "system volume information" folder from the backup onto the "c-drive."  Copying the folder was successfully accomplished from a Dos prompt in Windows Repair, but when Windows rebooted, it overwrote all of the files I copied with new ones generated during the boot.

I also tried restoring the Ghost image "system volume information" folder onto my desktop of the "c-drive," but I can't find a way to get "System Restore" to see those points.  "System Restore" doesn't give you any option of finding restore points that aren't already in the list provided by Windows.

I'm posting here, in addition to on Microsoft's forum, because the issue relates to restoring files from a Ghost backup.  After several hours of effort, I've not been able to identify a solution.  If anyone has successfully accomplished what I'm trying to do, please tell me how.

Sorry if it is stated somewhere above, but I just want to point out that hot backups made with Ghost do NOT include the information in the System Volume Information folders. That is why there are no Windows restore points when you restore an image.

---

sjm1 wrote:

I appreciate your attempt to help, but data isn't the issue, as I said. 

 

Anyone else know a way to recover the "system volume information" folder from a Ghost backup image so that Windows 7 sees the "system restore" points?

---

Although you lost me in the fog, you are very lucky to have guys like DaveH and Redk that can advise you with your quest for what I would call, in my limited Windows experience, an unrelated Ghost issue.

I didn't quite get your drift as you appreciated and I hold my hands up for that.

When I read Dave's reply that is outside my comfort zone, thanks to Dave and Red for sorting you out.

I did say however in message 4 it would have been better to run incrementals and fully commit to Ghost, it saves a lot of work "messing arround".

Deric

You all have provided a lot of insight with good guidance.  To answer some of the points in recent posts, I acutally do image every night to a network drive with Ghost (all of my machines).  The problem in my case was that the program instability that developed with Outlook didn't initially show a pattern.  Occasionally, it would freeze, and other times it would just close itself.  As one often does in cases like this, you just reboot the program and/or Windows, write it off to an anomaly, and move on.  In the past couple weeks, the problems became more frequent, and that's when I decided to try diagnostic approaches.

When I ran the "Windows Reliability History" in chart form (a phenominal tool in Windows 7 that I wasn't previously aware of...if you've never noticed or tried it, you absolutely should check it out as a great basis for troubleshooting), I tracked the issue immediately to a particular date in December, and reversed all of the program updates, etc. on that date and the previous day.  Unfortunately, that didn't fix the issues I was having, and other repair protocols for the program likewise failed.  Reviewing crash dump files just led me to major Windows kernels causing the crashes without enough breadcrumbs to get to the end of the trail.  That led me to see if I could run system restore to roll-back whatever had been done to the system that didn't appear in the event logs, which is certainly no guarantee of a fix either.  So, to the point of running frequent images and keeping them...did that, and I have them. 

Yes, I could restore the old image and try to update anything that's been done in the past several weeks, but I'd be left with the nagging question of "did I miss something."  Yes, I could restore the hives and try to identify and reinstall

Bottom line is that I have now learned a limitation of the file restoration aspects of Ghost images.  You can easily restore the entire drive, and you can easily get a backed up file.  Restoring an individual Windows feature that interacted with registry, such as System Restore, is not something that can be easily accomplished, which is fine.  It's just a limitation of the ability of any program to backup Windows, not just Ghost.  So yes, it is a "Windows" related issue, but it is also instructive to know how that affects the capabilities of Ghost, which is why I posted here in addition to MS support forums.

My path forward at this point will be looking at Office 2013.  At some point I'd upgrade anyway, so this is a good reason to look at it.

Thanks for all of the insight, delivered in a very professional manner.  I wish that all technical support forums were this good and had such good people working them.

---

redk9258 wrote:

Sorry if it is stated somewhere above, but I just want to point out that hot backups made with Ghost do NOT include the information in the System Volume Information folders. That is why there are no Windows restore points when you restore an image.

---

I can't speak from personal experience having looked at this exact issue, but doesn't a drive image produce an exact replica of the drive, that would include "System Restore" points, "System Restore" funcationality and a perfect snapshot of the registry, etc.?  Makes no sense to me that an image wouldn't perfectly reproduce what was on the drive at the time the image was made...I always thought that was the point of imaging.  Am I missing something?

When you do a recovery from a hot image, there are things omitted....

pagefile.sys

hyberfil.sys

etc...

Look at these registry keys for more...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot

Some people are mad because Windows update no longer shows the history of all of the hotfixes, etc.

---

redk9258 wrote:

When you do a recovery from a hot image, there are things omitted....

 

pagefile.sys

hyberfil.sys

etc...

 

Look at these registry keys for more...

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot

 

Some people are mad because Windows update no longer shows the history of all of the hotfixes, etc.

 

---

Interesting.  I didn't realize that key affected Ghost imaging.