System Restore: All Restore Points gone and no new ones made

[ClarkVent]

For the past few days, I've been struggling with the installation
(replacement) of a TV Tuner card in my PC. Actually installation was a
breeze, but getting all programs to work with it wasn't that easy.

I installed/reinstalled Orb, AC3Filter, IRXpress (IrDA driver) en a few
other applications. Today I uninstalled everything related to the IrDA
driver but that somehow left a background program that can't be
uninstalled. So I decided to restore from a Restore Point. I actually do
that a lot since System Checkpoints are made automatically daily and I'm
always able to go back days, weeks and sometimes months.

But when I started System Restore, I saw there were no restore points
prior to two days ago. There were three on the day before yesterday (one
"System Checkpoint", the others were made by apps I installed), two
yesterday (one "System Checkpoint" and one I made myself) and none for
today. My computer has been ON and idle most of the day and it has been
setup to make a Restore Point every 24 hours. And even though it has
been more than 24 hours after the last Restore Point, it didn't create a
new one. I still hasn't.

The only thing I did yesterday was delete all files from the
C:\Documents and Settings\<MyUserName>\Local Settings\Temp folder, and I
started in Safe Mode a few days ago (can't remember exactly when). And
of course, I've been installing/reinstalling all kinds of apps and drivers.

Here's a checklist:
- Both Task Scheduler and the System Restore services are enabled and
running.
- System Restore has been set up to monitor C: (43Gb free) and F: (4Gb
free).
- Most of the time my PC idles at 2%-3% CPU usage.
- There are NO errors or warnings pertaining "sr" or "srservice" in the
System Event Viewer.
- My system date is correct
- I did not run a Disk Cleanup
- Disk space usage on both drives have been set to 12%
- I don't have Zone Alarm running, nor any Norton apps

Ok, I really have no idea if no Restore Points have been made in the
past 3 months (I can't really remember when the last time was I did a
System Restore, but I'm pretty sure it was less than 3 months ago) or if
all Restore Points were deleted.

But in any case, what could have caused this?

(PS: I have read http://bertk.mvps.org/index.html)

Thanks,

 

[Bert Kinney]

Hi,

Well it certainly looks like you have done your homework!

Lets generate a system restore Cab file using the following procedure:

1. Click Start, click Run.

2. Type or paste the following: "%windir%\system32\restore\srdiag.exe"
(without the quotation marks) and either press Enter or click OK.

3. A CMD window will open while the Srdiag.exe runs. The CMD session will
automatically close when complete, and the .CAB file will be created as
desired in your 'Windows\system32\restore' directory. Please be patient as
this could take several minutes.

These are the files to look for. The SP-RP.log will show all restore point
and when they were created which should tell you if restore points were
created in the last several months.

Sr-reg.txt: Contains the System Restore registry settings
Rstrlog.txt: Contains the restore log file for the last completed restore
Drivetable.txt: Contains the status of each drive
Fifo.log: Contains the FIFO (first in – first out) restore points if there
are any
Rp.log or SP-RP.log: Contains the list of restore points. Name/type/time.
SR-chglog.log: Contains the change log of file operations on each drive for
all restore points
SR-filelist.log: contains a list of all the files that were collected by Srdiag

Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org
Member: http://dts-l.org

 

[ClarkVent]

Hi Bert,

Thank you for your answer!

Sr-reg.txt: Contains the System Restore registry settings

My (untrained) eye didn't see anything out of the ordinary. Automatic
System Restore is enabled and its interval is set to 24 hours. Maybe
there's something in there that explains why it isn't making any System
Checkpoints anymore (it hasn't created one in over 48 hours now) so if
you think it's necessary, I can post the contents here (with some things
snipped of which I suspect I shouldn't post on the internet).

Rstrlog.txt: Contains the restore log file for the last completed restore

Nothing strange there.

Drivetable.txt: Contains the status of each drive

Looks normal.

Fifo.log: Contains the FIFO (first in – first out) restore points if
there are any

Wow. That explains where all my restore points before Feb 22 went.
Apparantly *something* deleted *all* restore points on both drives.
Here's how the fifo.log file looks (summarized):

02/21/07-23:43:15 : Fifoed RP101 on drive C:\
02/21/07-23:43:16 : Fifoed RP102 on drive C:\
02/21/07-23:43:16 : Fifoed RP103 on drive C:\
..
..
..
02/21/07-23:43:49 : Fifoed RP188 on drive C:\
02/21/07-23:43:50 : Fifoed RP189 on drive C:\
02/21/07-23:43:50 : Fifoed RP190 on drive C:\
02/21/07-23:43:50 : Fifoed RP101 on drive F:\
02/21/07-23:43:50 : Fifoed RP102 on drive F:\
02/21/07-23:43:50 : Fifoed RP103 on drive F:\
..
..
..
02/21/07-23:43:52 : Fifoed RP187 on drive F:\
02/21/07-23:43:52 : Fifoed RP188 on drive F:\
02/21/07-23:43:52 : Fifoed RP190 on drive F:\

In less than 40 seconds, 173 restore points where deleted. I have no
clue who or what did that (or why for that matter).

Rp.log or SP-RP.log: Contains the list of restore points. Name/type/time.

They just show the 10 or so that are available. Nothing ordinary.

SR-chglog.log: Contains the change log of file operations on each drive
for all restore points

That just shows operations for RP191 and up.

SR-filelist.log: contains a list of all the files that were collected by
Srdiag

Don't see anything strange there. Then again, I wouldn't know how
"anything strange" would look like in this file.

Anyway, Apparently something deleted all my restore points. Is there any
way I can find out what it was? Also, what should I look for in
troubleshooting why no automatic restore points are being made?

Thanks again,

 

[Bert Kinney]

Normally the SR and SRService event logs give a hint on why the restore
points were deleted. You may want to look all the event logs created at the
time the 173 RP were deleted for a clue.

I would suggest setting System Restore to only monitor the partition Windows
is installed on.

You have most likely seen these pages, but they focus on the problem at hand.
Troubleshooting steps to take when System Restore fails to create an
automatic restore point:
http://bertk.mvps.org/html/srauto.html

Troubleshooting missing restore points:
http://bertk.mvps.org/html/missingrps.html

Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org
Member: http://dts-l.org

 

[ClarkVent]

Normally the SR and SRService event logs give a hint on why the restore
points were deleted. You may want to look all the event logs created at
the time the 173 RP were deleted for a clue.

I had already checked the Event Viewer and all its logs and thought it
was very suspicious there were *no* events for that particular date and
time.

The restore points were deleted at 02/21/07-23:43. Here are the lines
from my log files around that time:

Application:
Information 21-2-2007 23:30:39 btwdins None 0
Error 22-2-2007 3:29:31 None 0

Security:
Empty

System:
Warning 21-2-2007 22:57:56 disk None 51
Information 22-2-2007 3:30:51 eventlog None 6006

Internet Explorer:
Empty

WinCE Log:
Information 21-2-2007 23:30:39 btwdins None 0
Error 22-2-2007 3:29:31 None 0


What becomes apparent is that there are *no* log entries between 23:30
and 3:30. Of course, gaps in the logs files are not uncommon - if
there's nothing to log, then there's nothing to log. But it's at least
very strange that the SR service is deleting restore points without a
mention in the log files as to why...

I would suggest setting System Restore to only monitor the partition
Windows is installed on.

Good advice and I have stopped monitoring the second drive.

You have most likely seen these pages, but they focus on the problem at
hand.
Troubleshooting steps to take when System Restore fails to create an
automatic restore point:
http://bertk.mvps.org/html/srauto.html

Troubleshooting missing restore points:
http://bertk.mvps.org/html/missingrps.html

Yes, I had read those pages already and they didn't provide a clue why
the restore points have been deleted or why it fails to create new ones.
As for the latter, I was wondering what Windows considers "idle" state.
My CPU "idles" at 4%-5%. But that's something that hasn't changed
recently. It's always been like that.

Thanks,

 

[Bert Kinney]

Well it may be time to perform a clean boot to troubleshoot further.

How to perform a clean boot in Windows XP
http://support.microsoft.com/kb/310353

How to perform advanced clean-boot troubleshooting in Windows XP
http://support.microsoft.com/kb/316434

How to troubleshoot by using the System Configuration utility in Windows XP
http://support.microsoft.com/kb/310560


Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org
Member: http://dts-l.org