System Restore Points

Guest

I recently re-installed Defender and found that it was creating 4 to 5 system
restore points a day....apparently for no reason, as it never found anything
malicious.

Does anyone have any idea why Defender is doing this? It's not really a big
problem but does use an enormous amount of hard disk space when it restores
that often.

I could turn off automatic scanning, but is that safe? Will that stop the
automatic restore points from being created? Am I the only one with this
problem? Found nothing in the FAQs that addresses this problem.

Any info would be much appreciated,
 
Steve Dodson [MSFT]

Dan,

In the registry editor,

Create a "REG_DWORD" Key named "DisableRestorePoint" and set it to TRUE
under the following location in the registry.

HKLM/Software/Microsoft/Windows Defender/Scan/


--
-steve

Steve Dodson [MSFT]
Windows Defender Beta Lead
MCSE, CISSP
http://blogs.technet.com/stevedod
--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Guest

Surely a "REG_DWORD" can only be set to a number, not a word?
I found that the whole of that section of the registry was set to read only,
even for administrators. I gave everyone full control, but I'm still getting
this error in the Application Event log every time I start up -

Windows Defender Real-Time Protection checkpoint has encountered an error
and failed to start.
User: AshfieldCourt\Dave Hawley
Checkpoint Id: 7
Error Code: 0x80070005
Error description: Access is denied.

Is this related to this problem?
After giving full control to all the Windows Defender registry keys I'm
still getting the error.
I tried putting "true" in as a REG_SZ value under the key quoted, but it
hasn't made any difference either...............

Bill Sanderson MVP

Set the Reg_Dword value to "1", I believe.

You are correct that the permissions must be modified to allow you to make
the change. After creating the new value and setting it to "1", I'd
recommend resetting the permissions. What I did was give my user "full"
permissions to the "scan" object, and then unchecked that afterwards.

I'm not sure, however, about your error message--I am sure that your user
does not need permissions in those keys--but I'll see if I'm getting an
error of that sort--I doubt it.

Guest

Thanks Bill.
Actually I am the only "user" of the system, with full administrative
control of course, which makes the error message even more puzzling........

Guest

It would be nice if Steve Dodson could give the Beta testing community the
rationale why WD is setting a System Restore point every time you boot your
computer. It has come up for discussion many times in this WD newsgroup.
Looks like WD can place multiple restore points on a computer every day. Will
that behavior be removed in the final version, or used before WD makes any
local computer changes, or become a choice each user could set at his or her
discretion?
--
John E. Van Kirk



Guest

Hopefully Microsoft will give the user the option to establish or not
establish these System Restore Points prior to final version.

Surely MS will not leave it as is, where anyone who does not want to
establish System Restore points has to go in and do all this "Mickey Mouse"
stuff with the registry to prevent.




Guest

Just an update on this.
I have experimented with changing the security restrictions on all the
registry entries for WD, and the error message in the Application Event Log
when I start up will not go away, even with all restrictions removed!
The only thing that WILL make it go away is to un-check the "System
Configuration" option in the WD General Settings' "Real time protection
options".
Any suggestions?

Guest

Quite right, Dave!

Only a geeky programmer (like myself lol) would set a DWORD to "TRUE". He
must mean set it to numeric 1 (altho' in some languages it might be -1). This
is the 2nd stupid answer I've seen from a so-called Microsoft "Professional",
so you can't always trust what they say.

I've just made that setting after giving the Scan key Full Control to
Administrators (myself). Altho' I'm on XP Home I installed something from
Microsoft to give me control of Permissions of files and Registry without
using Safe Mode. I cannot yet tell if it works; I'll let you know. Also I
haven't yet rebooted so I cannot tell if Defender fails to start in the way
you experienced.
 
Guest

It's now a few hours and 2 reboots since I did this Registry setting and,
Hurrah, it seems to have worked :)

No more Restore Points have appeared, even after doing a scan, and I did not
get the Application Event log failure that you got upon starting Defender. I
left the permission of the Scan key to Full Control.
 
Guest

Thanks for that.
Unfortunately, I'd already tried doing what you've done, and it didn't make
my start-up error messages go away.
I am actually a bit puzzled by "restore points", as I've never seen any
evidence that my copy of WD is actually generating any, and I don't think
that it has ever done so!
Where would I look to see a record of them?
If my system isn't generating restore points, that could well be a symptom
caused by whatever is causing the error messages, which seem to be saying
that the checkpoint system has failed to start.
As I said earlier, the error does go away if I un-check "system
configuration" in the real-time scan options, if that is any clue........
 
Guest

Look for System Restore in your Start Menus, probably under System Tools and
run it.

Click on Next and explore the bold dates in the displayed calendar. Does it
show up any "Windows Defender Checkpoints"? If so, you got them and you can
see how many and how frequent?

Did they stop after you did the DWORD DisableRestorePoint = 1 change?

MAKE SURE you exit System Restore by clicking Cancel.

I can't explain your start-up error; I just don't get them. Yours only seems
to occur when real-time protection wants to monitor System Config. You might
live with switching that off.

Other than that, a Support Staff would probably suggest the catch-all
sledgehammer approach of uninstalling and reinstalling WD. That's no more
than a guess and has no more chance than any other, but it might be worth a
try if all logic fails. More worthwhile if you NEVER had any WD Restore
Points, which could indicate WD not working at all.
 
Guest

Ah, thank you, that explains all (probably)!
I am on Windows 2000, which does not have "system restore" as part of the
OS, it was only introduced with XP.
I had assumed that the "system restore points" we were discussing in this
thread were something specific to WD, not the normal (for XP) operating
system ones.

Which leads me to the next obvious question, am I getting these error
messages BECAUSE I'm using Windows 2000, and the WD system is trying to use a
facility which doesn't exist on my system?
If that's so, then it needs sorting if MS are going to continue to say (as
they do now) that WD works under Windows 2000 and doesn't need XP...........
 
Guest

Ah! That I can't say; it needs a Microsofter to answer.
As long as you are running under Windows 2000 Service Pack 4, M/S claims WD
is supported.
 
Bill Sanderson MVP

I don't know what the effects may be of leaving the permissions lax on that
key. I suspect that nothing will break, but the security of your system
will be weakened--i.e. code executing with the permissions of the current
user (i.e. you) will be able to make changes to Windows Defender
functionality more easily.

--
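
A read-only check for the two mistakes this thread runs into, a DisableRestorePoint value of the wrong type and write access left open on the Scan key. This is an added example, not posted by anyone in the thread; the path is the thread's key written in PowerShell provider syntax, and the list of groups treated as too broad is an assumption.

```powershell
# Added example: read-only audit, changes nothing.
# The thread's HKLM/Software/Microsoft/Windows Defender/Scan/ in provider syntax.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Scan'
$ValueName = 'DisableRestorePoint'

# Assumption: these well-known groups are the ones treated as "too broad".
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let the holder alter the key, plus the GENERIC_ALL and
# GENERIC_WRITE bits that can appear on inherit-only entries.
$writeRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteMask   = [int]$writeRights -bor 0x10000000 -bor 0x40000000

function Test-RestorePointValue {
    param([string]$Path, [string]$Name)
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($key.GetValueNames() -notcontains $Name) {
        return "MISSING: $Name does not exist under this key."
    }
    $kind = $key.GetValueKind($Name)
    $data = $key.GetValue($Name)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        # A REG_SZ holding "true", as tried in the thread, lands here.
        return "WRONG TYPE: $Name is $kind ('$data'); it must be a REG_DWORD."
    }
    if ($data -eq 1) { return "OK: $Name is REG_DWORD 1." }
    return "INACTIVE: $Name is REG_DWORD $data; the value reported to work is 1."
}

function Get-LaxRegistryAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account: skip rather than guess
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Principal = $BroadSids[$sid]
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Test-RestorePointValue -Path $KeyPath -Name $ValueName
$lax = @(Get-LaxRegistryAce -Path $KeyPath)
if ($lax.Count -eq 0) {
    'ACL OK: no broad group holds write access to the Scan key.'
} else {
    $lax | Format-Table -AutoSize
}
```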
 
Bill Sanderson MVP

I have SR set to absolute minimum space. I've three days worth of
checkpoints, and none of them is from Windows Defender.

So--there's some specific interaction going on here, which I suspect the
engineers understand well, resulting in these checkpoints. If you reset
your options to the defaults--by which I suspect I mean going to basic
spynet membership, and unchecking the two additional notification
options--for unknown and changes to the system by knowns--does that change
the restore point behavior?


Guest

Maybe. I allowed Full Control to Administrators only.

That's the usual permission for most other HKLM/Software/Microsoft keys
including the critical Windows/Current Version ones. WD is out on a limb here.

However the permissions of keys is not part of the original problem of too
many System Restores; it is only part of the workaround. If Microsoft had got
this right first time we wouldn't be having this discussion.
 
Richard in AZ

Sorry, I came in late on this discussion and cannot find the prior posts.
What key is the suggested DWORD being applied to?
 
Guest

Tis above in this thread.

Steve Dodson said:

Dan,
In the registry editor,
Create a "REG_DWORD" Key named "DisableRestorePoint" and set it to TRUE
under the following location in the registry.

HKLM/Software/Microsoft/Windows Defender/Scan/
 
Joe Faulhaber[MSFT]

Hi Dave,

Apparently, WD can't access your hosts file. Checkpoint 7 is WD's hosts
file monitoring. The hosts file is usually at
\windows\system32\drivers\etc.
You probably want to check it out - I think it's unusual to set security on
hosts so you can't read it.

Please let us know what was in there, if it's interesting. :)

Regards,
Joe
