System Restore

[Enrique]

Is there a way to turn off system restore remotely? I have a virus that was
detected on several machines and while the virus has been cleared, it still
show up in the System Volume Information directory. Once I stop and restart
System Restore the problem goes away.

Thanks in advance,
Enrique

 

[Feng Mao]

Hi Enrique,

Thank you for posting here!

According to the below article in Microsoft Knowledge base:

How to Disable the System Restore Configuration User Interface
http://support.microsoft.com/default.aspx?kbid=283073

There are three methods to perform this task:

Method 1: Use Group Policy Editor
======================================================================
Click Start, click Run, type gpedit.msc, and then click OK.
Expand Computer Configuration, expand Administrative Templates, expand
System, and then click System Restore.
Double-click Turn off System Restore, and then on the Setting tab, select
Enable.
Double-click Turn off Configuration, and then on the Setting tab, select
Enable.

For more information about what these settings do, click the Explain tab on
the Properties dialog box.
Click Apply, and then click OK.
If users try to access System Restore Configuration, the System Properties
dialog box is present, but the System Restore tab is not present.


Method 2: Create a Customized Microsoft Management Console
======================================================================
Click Start, click Run, type mmc, and then click OK.
In Microsoft Management Console (MMC), on the Console menu, click
Add/Remove Snap-in.
On the Standalone tab, click Add, click Group Policy under Available
Standalone Snap-ins, and then click Add.
Accept the default of Local Computer in the Group Policy Object box, and
then click Finish.
Close the Add Standalone Snap-in dialog box, and then click OK on the
Add/Remove Snap-in dialog box.
Under Console Root, expand Local Computer Policy, expand Computer
Configuration, expand Administrative Templates, expand System, and then
click System Restore.
Double-click Turn off System Restore, and then on the Setting tab, select
Enable.
Double-click Turn off Configuration, and then on the Setting tab, select
Enable.
Click Apply, and then click OK.
On the Console menu, click Save as, type the name of the new console, and
accept the Administrative Tools folder as the default location in which to
save this file.

To access the new console, click Start, click More Programs, and then click
Administrative Tools.
If users try to access System Restore Configuration, the System Properties
dialog box is present, but the System Restore tab is not present.

Method 3: Use Registry Editor to Disable System Restore
======================================================================
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using
Registry Editor incorrectly. Use Registry Editor at your own risk.

Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT

Under Windows NT, create a new key:
On the Edit menu, click New, and then click Key.
For the name of the new key, type SystemRestore.
Create a new DWORD value:
On the Edit menu, click New, and then click DWORD Value.
Double-click the new key to open the Edit DWORD Value dialog box.
Under Value name, type DisableConfig, under Value data, type 1, and then
click OK.

You can use method 1 to disable System Restore by Group Policy in the
domain and then restore it. You can use method 3 to remote change the
registry key and disable it.

I hope it is helpful.

Have a nice day!

Thanks & Regards,

Feng Mao [MSFT], MCSE
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Enrique" <[email protected]>
| Subject: System Restore
| Date: Thu, 2 Sep 2004 12:03:34 -0500
| Lines: 9
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
| Message-ID: <uv#[email protected]>
| Newsgroups: microsoft.public.windowsxp.general
| NNTP-Posting-Host: securezone.sabinevalley.org 63.68.180.98
| Path:
cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15
.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.windowsxp.general:1073759
| X-Tomcat-NG: microsoft.public.windowsxp.general
|
| Is there a way to turn off system restore remotely? I have a virus that
was
| detected on several machines and while the virus has been cleared, it
still
| show up in the System Volume Information directory. Once I stop and
restart
| System Restore the problem goes away.
|
| Thanks in advance,
| Enrique
|
|
|

 

[Kelly]

Probably so, but that should have been the procedure to follow before
running your cleaners. What you could check into is a scheduled task for
Disk Cleanup which removes them as well.

Manual:

Right click your Root drive/Properties/Disk Cleanup ... let it run. Then
click on More Options/System Restore/Clean up.