Unscheduled System Restore at Every Startup?

[Guest]

This XP SP2 OS on an HP Pavilion notebook (zd8123ea) has taken to performing
a System Restore at every startup... but no changes have been apparent -
event log says "A restoration to "(unknown)" restore point occurred
successfully." (all restore points having disappeared)

Big question: How do I stop this?

Smaller question: What has gone wrong?

Thanks,

Julian
[More stuff if interested follows...]

Disabling System Restore via the System control panel - did not work;
another restore occurred after restarting [so system restore was re-enabled]

FYI The event log also shows an error that occurred before the first restart

The System Restore filter encountered the unexpected error '0xC0000010'
while processing the file 'Britannica' on the volume 'LxrJD31mE'. It has
stopped monitoring the volume.

This is a folder on a removable USB memory stick (which was correctly
removed with the "Safely Remove Hardware" utility).

Even when a USB drive is plugged in (Drive E System Restore in the System
Control panel only says C: is being monitored. Why was the volume E being
monitored? Did that error cause the system restore points to disappear?

 

[Bert Kinney]

Hi Julian,

Check the following registry keys (Start - Run regedit) for
"C:\WINDOWS\system32\restore\rstrui.exe -c"

If found, backup each key by right clicking on it and selecting Export.
Then delete the key. Reboot the system.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
http://support.microsoft.com/Default.aspx?kbid=179365

Was CCleaner used on the system by chance?

Tips Fixes and FAQ: Should I let System Restore monitor my external hard
drive?
http://bertk.mvps.org/html/tips.html#ExternalDrive

 

[Guest]

Hi Bert,

Spot on! I discovered the registry entry with RegRun and realised what was
happening. I cleared it by a reboot into safe mode (no registry editing
required - though that was why I was going into safe mode)... and yes
CCleaner had been used (attempting to purge al traces of a Nokia's PC Suite -
legitimate but appallingly behaved application - and installer!) - but I
reviewed all changes and don't know why this should have happened.

The System Restore issue also noted...! I have just started using the USB
drive for data backup on a regular basis - data not modified anywhere else
and the drive was always properly removed (since one partition is encrypted
the application is 1st shut down, then the hardware is "safely removed") but
I guess that either something is wrong with the Jump Drive secure aplication
or XP does not handle the unmount correctly.

I note the workaround for stopping XP monitoring external drives and that it
"usually works but not always"!! Sounds like the default behaviour is the
wrong way round - should be no monitoring unless specifically enabled.

However, I also use Steganos Security Suite which provides an encrypted
drive from a resident (C: drive) datafile.... wonder if that could cause a
similar problem (it unmounts on hibernation). Time will tell now that I know
what to watch for

Anyway - 100% answer! Thank you!

Julian

Hi Julian,

Check the following registry keys (Start - Run regedit) for
"C:\WINDOWS\system32\restore\rstrui.exe -c"

If found, backup each key by right clicking on it and selecting Export.
Then delete the key. Reboot the system.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
http://support.microsoft.com/Default.aspx?kbid=179365

Was CCleaner used on the system by chance?

Tips Fixes and FAQ: Should I let System Restore monitor my external hard
drive?
http://bertk.mvps.org/html/tips.html#ExternalDrive

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org

This XP SP2 OS on an HP Pavilion notebook (zd8123ea) has taken to
performing a System Restore at every startup... but no changes have
been apparent - event log says "A restoration to "(unknown)" restore
point occurred successfully." (all restore points having disappeared)

Big question: How do I stop this?

Smaller question: What has gone wrong?

Thanks,

Julian
[More stuff if interested follows...]

Disabling System Restore via the System control panel - did not work;
another restore occurred after restarting [so system restore was
re-enabled]

FYI The event log also shows an error that occurred before the first
restart

The System Restore filter encountered the unexpected error
'0xC0000010' while processing the file 'Britannica' on the volume
'LxrJD31mE'. It has stopped monitoring the volume.

This is a folder on a removable USB memory stick (which was correctly
removed with the "Safely Remove Hardware" utility).

Even when a USB drive is plugged in (Drive E System Restore in the
System Control panel only says C: is being monitored. Why was the
volume E being monitored? Did that error cause the system restore
points to disappear?

 

[Bert Kinney]

Hi Bert,

Spot on! I discovered the registry entry with RegRun and realised
what was happening. I cleared it by a reboot into safe mode (no
registry editing required - though that was why I was going into safe
mode)... and yes CCleaner had been used (attempting to purge al
traces of a Nokia's PC Suite - legitimate but appallingly behaved
application - and installer!) - but I reviewed all changes and don't
know why this should have happened.

The System Restore issue also noted...! I have just started using
the USB drive for data backup on a regular basis - data not modified
anywhere else and the drive was always properly removed (since one
partition is encrypted the application is 1st shut down, then the
hardware is "safely removed") but I guess that either something is
wrong with the Jump Drive secure aplication or XP does not handle the
unmount correctly.

By default System Restore in WinXP monitors all partitions it sees,
including most jump drives and external drives. Some smaller jump drives
are not monitored. As it turns out this was not the best approach. And
WinXP should be the last OS to do this.

I note the workaround for stopping XP monitoring external drives and
that it "usually works but not always"!! Sounds like the default
behaviour is the wrong way round - should be no monitoring unless
specifically enabled.

Agreed, as stated above.

However, I also use Steganos Security Suite which provides an
encrypted drive from a resident (C: drive) datafile.... wonder if
that could cause a similar problem (it unmounts on hibernation).
Time will tell now that I know what to watch for

Using hibernation with a external drive connected sounds problematic.
Let us know how this works out.
I would also suggest regularly testing System Restore to make sure
restore point corruption has not accrued.

Tips Fixes and FAQ: How do I Test System Restore's functionality?
http://bertk.mvps.org/html/tips.html#HowToTest

Anyway - 100% answer! Thank you!

You are very welcome.

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org

Hi Julian,

Check the following registry keys (Start - Run regedit) for
"C:\WINDOWS\system32\restore\rstrui.exe -c"

If found, backup each key by right clicking on it and selecting
Export. Then delete the key. Reboot the system.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
http://support.microsoft.com/Default.aspx?kbid=179365

Was CCleaner used on the system by chance?

Tips Fixes and FAQ: Should I let System Restore monitor my external
hard drive?
http://bertk.mvps.org/html/tips.html#ExternalDrive

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org

This XP SP2 OS on an HP Pavilion notebook (zd8123ea) has taken to
performing a System Restore at every startup... but no changes have
been apparent - event log says "A restoration to "(unknown)" restore
point occurred successfully." (all restore points having
disappeared)

Big question: How do I stop this?

Smaller question: What has gone wrong?

Thanks,

Julian
[More stuff if interested follows...]

Disabling System Restore via the System control panel - did not
work; another restore occurred after restarting [so system restore
was re-enabled]

FYI The event log also shows an error that occurred before the first
restart

The System Restore filter encountered the unexpected error
'0xC0000010' while processing the file 'Britannica' on the volume
'LxrJD31mE'. It has stopped monitoring the volume.

This is a folder on a removable USB memory stick (which was
correctly removed with the "Safely Remove Hardware" utility).

Even when a USB drive is plugged in (Drive E System Restore in the
System Control panel only says C: is being monitored. Why was the
volume E being monitored? Did that error cause the system restore
points to disappear?

 

[Guest]

Hi Bert

Using hibernation with a external drive connected sounds problematic.
Let us know how this works out.

No, I don't hibernate the system with an exteranl drive connected: it is the
Steganos "Safe" that auto-dismounts on hibernation.

I followed your advice on stopping the USB drive being monitored. One
clarification might be useful: the USB drive should remain IN through the
reboot - it doesn't work if the assignment is made with diskmgmt while the
USB is plugged plugged in, and then the drive is unmounted and the system
rebooted - and the USB plugged back in.

Despite concerns about the encrypted partition on the USB drive (mounted by
the JumpDrive Secure application) and the Steganos safe, the restore point I
made 1st thing this morning has not disappeared, despite using the USB and
Steganos Safe as previously described.

Ta,

Julian

Hi Bert,

Spot on! I discovered the registry entry with RegRun and realised
what was happening. I cleared it by a reboot into safe mode (no
registry editing required - though that was why I was going into safe
mode)... and yes CCleaner had been used (attempting to purge al
traces of a Nokia's PC Suite - legitimate but appallingly behaved
application - and installer!) - but I reviewed all changes and don't
know why this should have happened.

The System Restore issue also noted...! I have just started using
the USB drive for data backup on a regular basis - data not modified
anywhere else and the drive was always properly removed (since one
partition is encrypted the application is 1st shut down, then the
hardware is "safely removed") but I guess that either something is
wrong with the Jump Drive secure aplication or XP does not handle the
unmount correctly.

By default System Restore in WinXP monitors all partitions it sees,
including most jump drives and external drives. Some smaller jump drives
are not monitored. As it turns out this was not the best approach. And
WinXP should be the last OS to do this.

I note the workaround for stopping XP monitoring external drives and
that it "usually works but not always"!! Sounds like the default
behaviour is the wrong way round - should be no monitoring unless
specifically enabled.

Agreed, as stated above.

However, I also use Steganos Security Suite which provides an
encrypted drive from a resident (C: drive) datafile.... wonder if
that could cause a similar problem (it unmounts on hibernation).
Time will tell now that I know what to watch for

Using hibernation with a external drive connected sounds problematic.
Let us know how this works out.
I would also suggest regularly testing System Restore to make sure
restore point corruption has not accrued.

Tips Fixes and FAQ: How do I Test System Restore's functionality?
http://bertk.mvps.org/html/tips.html#HowToTest

Anyway - 100% answer! Thank you!

You are very welcome.

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org

Hi Julian,

Check the following registry keys (Start - Run regedit) for
"C:\WINDOWS\system32\restore\rstrui.exe -c"

If found, backup each key by right clicking on it and selecting
Export. Then delete the key. Reboot the system.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
http://support.microsoft.com/Default.aspx?kbid=179365

Was CCleaner used on the system by chance?

Tips Fixes and FAQ: Should I let System Restore monitor my external
hard drive?
http://bertk.mvps.org/html/tips.html#ExternalDrive

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org

Julian wrote:
This XP SP2 OS on an HP Pavilion notebook (zd8123ea) has taken to
performing a System Restore at every startup... but no changes have
been apparent - event log says "A restoration to "(unknown)" restore
point occurred successfully." (all restore points having
disappeared)

Big question: How do I stop this?

Smaller question: What has gone wrong?

Thanks,

Julian
[More stuff if interested follows...]

Disabling System Restore via the System control panel - did not
work; another restore occurred after restarting [so system restore
was re-enabled]

FYI The event log also shows an error that occurred before the first
restart

The System Restore filter encountered the unexpected error
'0xC0000010' while processing the file 'Britannica' on the volume
'LxrJD31mE'. It has stopped monitoring the volume.

This is a folder on a removable USB memory stick (which was
correctly removed with the "Safely Remove Hardware" utility).

Even when a USB drive is plugged in (Drive E System Restore in the
System Control panel only says C: is being monitored. Why was the
volume E being monitored? Did that error cause the system restore
points to disappear?

 

[Bert Kinney]

Thanks for the feedback Julian.

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org

Hi Bert

Using hibernation with a external drive connected sounds problematic.
Let us know how this works out.

No, I don't hibernate the system with an exteranl drive connected: it
is the Steganos "Safe" that auto-dismounts on hibernation.

I followed your advice on stopping the USB drive being monitored. One
clarification might be useful: the USB drive should remain IN through
the reboot - it doesn't work if the assignment is made with diskmgmt
while the USB is plugged plugged in, and then the drive is unmounted
and the system rebooted - and the USB plugged back in.

Despite concerns about the encrypted partition on the USB drive
(mounted by the JumpDrive Secure application) and the Steganos safe,
the restore point I made 1st thing this morning has not disappeared,
despite using the USB and Steganos Safe as previously described.

Ta,

Julian

Hi Bert,

Spot on! I discovered the registry entry with RegRun and realised
what was happening. I cleared it by a reboot into safe mode (no
registry editing required - though that was why I was going into
safe mode)... and yes CCleaner had been used (attempting to purge al
traces of a Nokia's PC Suite - legitimate but appallingly behaved
application - and installer!) - but I reviewed all changes and don't
know why this should have happened.

The System Restore issue also noted...! I have just started using
the USB drive for data backup on a regular basis - data not
modified anywhere else and the drive was always properly removed
(since one partition is encrypted the application is 1st shut down,
then the hardware is "safely removed") but I guess that either
something is wrong with the Jump Drive secure aplication or XP does
not handle the unmount correctly.

By default System Restore in WinXP monitors all partitions it sees,
including most jump drives and external drives. Some smaller jump
drives are not monitored. As it turns out this was not the best
approach. And WinXP should be the last OS to do this.

I note the workaround for stopping XP monitoring external drives and
that it "usually works but not always"!! Sounds like the default
behaviour is the wrong way round - should be no monitoring unless
specifically enabled.

Agreed, as stated above.

However, I also use Steganos Security Suite which provides an
encrypted drive from a resident (C: drive) datafile.... wonder if
that could cause a similar problem (it unmounts on hibernation).
Time will tell now that I know what to watch for

Using hibernation with a external drive connected sounds problematic.
Let us know how this works out.
I would also suggest regularly testing System Restore to make sure
restore point corruption has not accrued.

Tips Fixes and FAQ: How do I Test System Restore's functionality?
http://bertk.mvps.org/html/tips.html#HowToTest

Anyway - 100% answer! Thank you!

You are very welcome.

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org

:

Hi Julian,

Check the following registry keys (Start - Run regedit) for
"C:\WINDOWS\system32\restore\rstrui.exe -c"

If found, backup each key by right clicking on it and selecting
Export. Then delete the key. Reboot the system.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup
http://support.microsoft.com/Default.aspx?kbid=179365

Was CCleaner used on the system by chance?

Tips Fixes and FAQ: Should I let System Restore monitor my external
hard drive?
http://bertk.mvps.org/html/tips.html#ExternalDrive

--
Regards,
Bert Kinney MS-MVP Shell/User
http://bertk.mvps.org

Julian wrote:
This XP SP2 OS on an HP Pavilion notebook (zd8123ea) has taken to
performing a System Restore at every startup... but no changes
have been apparent - event log says "A restoration to "(unknown)"
restore point occurred successfully." (all restore points having
disappeared)

Big question: How do I stop this?

Smaller question: What has gone wrong?

Thanks,

Julian
[More stuff if interested follows...]

Disabling System Restore via the System control panel - did not
work; another restore occurred after restarting [so system restore
was re-enabled]

FYI The event log also shows an error that occurred before the
first restart

The System Restore filter encountered the unexpected error
'0xC0000010' while processing the file 'Britannica' on the volume
'LxrJD31mE'. It has stopped monitoring the volume.

This is a folder on a removable USB memory stick (which was
correctly removed with the "Safely Remove Hardware" utility).

Even when a USB drive is plugged in (Drive E System Restore in
the System Control panel only says C: is being monitored. Why
was the volume E being monitored? Did that error cause the system
restore points to disappear?