
Accessing contents of W7 System Restore Points


9 replies to this topic

#1 tbird1757

  • Members
  • 5 posts

Posted 26 October 2014 - 09:01 AM

Hi Guys and Gals,

 

Need some help. Just finished taking care of a CryptoWall infection (method: reformat). I was able to recover System Restore Points from the System Volume Information folder. Only the archives, not the meta data files. I have tried moving them back to the original (now reformatted) computer, to use programs like ShadowExplorer and System Restore Explorer to extract the files from them. However, they are not able to see those points, just the new restore points that the system creates. Are there any utilities that can open these like regular archives? The two programs I mention are able to see viable restore points, but not the copied ones.

 

I believe that due to the size of these System Restore Points and the creation date, that there are possibly viable unencrypted copies of the documents within them; however I cannot seem to place them into the System Volume Information folder for the system or helper programs above to read them. These restore points are viable archives, I just need to get into them.

 

Any suggestions?

 

x/post: http://www.bleepingcomputer.com/forums/t/532879/cryptowall-new-variant-of-cryptodefense/page-35





#2 ElfBane

  • Members
  • 775 posts
  • Gender:Male
  • Location:Florida

Posted 27 October 2014 - 04:02 AM

This thread has the procedure for taking ownership of the SVI file. It might help you, http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/how-do-i-delete-huge-files-from-system-volume/2d31b256-2cb6-486e-af97-e6018f594581 .

 

I have no idea if an imported Restore point can even be used, and if it does load, will it be stable? Good Luck.

Also, using a Restore point from an infected machine may re-introduce the malware to the new install.


Edited by ElfBane, 27 October 2014 - 04:04 AM.


#3 old rocker

  • Members
  • 489 posts
  • Gender:Male
  • Location:East Tennessee

Posted 27 October 2014 - 01:23 PM

Hi,

 

Perhaps this may prove helpful: http://www.techrepublic.com/blog/windows-and-office/recover-data-files-in-windows-7-with-system-restore-explorer/

 

 

Best of luck and Please keep BC posted!



#4 tbird1757
  • Topic Starter

  • Members
  • 5 posts

Posted 27 October 2014 - 02:20 PM

This thread has the procedure for taking ownership of the SVI file. It might help you, http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/how-do-i-delete-huge-files-from-system-volume/2d31b256-2cb6-486e-af97-e6018f594581 .

 

I have no idea if an imported Restore point can even be used, and if it does load, will it be stable? Good Luck.

Also, using a Restore point from an infected machine may re-introduce the malware to the new install.

No worries there, it is in a blank Windows 7 environment, so even reinfection is not an issue if it did happen. The restore points are from the day of infection and the week before. I am able to get the restore points, so no need to get access to the SVI folder, but thanks for thinking of it.

 

 

Hi,

 

Perhaps this may prove helpful: http://www.techrepublic.com/blog/windows-and-office/recover-data-files-in-windows-7-with-system-restore-explorer/

 

 

Best of luck and Please keep BC posted!

Thanks for the reply, but as listed in my post, that was one of the first programs tried. No joy :(

 

I did e-mail the gentleman at the contact site for Shadow Explorer and he was kind enough to reply, on a Sunday even. Unfortunately, for the program it is, it is just an alternative UI to the Windows Shadow Copies.


Edited by tbird1757, 27 October 2014 - 02:23 PM.


#5 hamluis

  • Moderator
  • 56,289 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 29 October 2014 - 05:53 PM

Well...I think there's a misunderstanding about what happens if the restore data is infected.  Infection would defeat the purpose of even trying to do what I believe you are attempting.

 

Louis



#6 tbird1757
  • Topic Starter

  • Members
  • 5 posts

Posted 29 October 2014 - 06:37 PM

Well...I think there's a misunderstanding about what happens if the restore data is infected.  Infection would defeat the purpose of even trying to do what I believe you are attempting.

 

Louis

 

Hi Louis,

 

No misunderstanding. The restore points are on an isolated, clean machine. I am aware that the restore points may contain the virus, but the restore points are from an earlier creation date, some months old (which yes may be infected also). So while the chance is there, the odds are low, should it happen again from the rescued data, all that would be lost is a "blank install" of Windows 7 and some time. If the files can be rescued all that are wanted are word documents and photographs, not programs or executables. And it will make a grandmother very happy to see the pictures that have been lost.

 

Tyler



#7 hamluis

  • Moderator
  • 56,289 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 30 October 2014 - 11:03 AM

If...the files are on the system and all are data files...seems to me that the strategy might be to use recovery software to find and move such files via data-recovery software, rather than fooling around with SR, which, IMO, at best is unreliable.

 

That's the approach that most would take, IMO.

 

Data Recovery, GParted, AA - http://www.bleepingcomputer.com/forums/topic474881.html

 

Data Recovery Using Puppy Linux, Brooks - http://www.bleepingcomputer.com/forums/t/489067/dual-boot-system-bluescreens-1-of-my-startup-choices

 

Recuva - Undelete, Unerase, File and Disk Recovery - Free Download - http://www.piriform.com/recuva

 

Louis



#8 Wand3r3r

  • Members
  • 2,027 posts

Posted 30 October 2014 - 11:21 AM

tbird1757 system restore points are not backups.  They don't contain any of your files.  If you had wanted to do file recovery you should not have formatted the drive.  You would have attached the drive to a different system and copied the files off.  Something to know for next time.

 

http://msdn.microsoft.com/en-us/library/windows/desktop/aa378910(v=vs.85).aspx


Edited by Wand3r3r, 30 October 2014 - 11:21 AM.


#9 tbird1757
  • Topic Starter

  • Members
  • 5 posts

Posted 30 October 2014 - 02:46 PM

Okay guys, may we please focus on the issue as presented instead of playing "educate the newb" here. The details I refrained from telling you (so that we didn't get into a TL;DR type of post) were that the user/owner was quizzing me about the encryption viruses and how to resolve them. I snidely quipped reformat. Little did I know that he was going to do that. So YES of course an image of the drive would be best, duh, but I too am handling the problem as it is presented to me and trying to overcome it.

 

Louis, yes IMHO I agree system restores are not backups. Being a technician for nearly three decades now, I would certainly agree, but it has its merits too. I do appreciate your assistance as you did at least read my post. I just need to parse this file to get into it, the forensic folks I have contacted are at least believing that my idea has merit :)

 

Wand3r3r, while you are partially correct, I would tread lightly when spreading the Gospel according to Microsoft. To quote Scotty, "there be whales here captain!" System Restore may only restore previous system states by default, but they do contain user files and have for some time. This is also where (when SR is given enough disk space to breathe) the Previous Versions of files will be kept. As the virus encrypted/changed a large amount of files (in the profile document folders), I am betting that within the snapshot there are files and they are intact if I can get to them. If I am correct and we can get a tool that will access it, then it may be something that can help the community as a whole.

 

However, if you wish to debate technique, and how we got here, along with the woulda, shoulda, and coulda, then please go post somewhere else; I am trying to fix the problem as it was given to me. Here is your "something to know" for next time ;)

 

http://nicbedford.co.uk/software/systemrestoreexplorer/


Edited by tbird1757, 30 October 2014 - 06:32 PM.
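The point tbird1757 makes above, that a System Restore snapshot is a full volume shadow copy and therefore holds the pre-encryption versions of user documents, is what the following script works from. It is an added example written for this thread, not code from any poster or from ShadowExplorer or System Restore Explorer, and it covers the approach Wand3r3r describes for next time: the original volume is attached, unformatted, to a clean Windows machine, and the shadow copies still on that volume are enumerated and read directly. It does not cover the thread's actual situation of store files copied out of System Volume Information and placed on a reformatted disk, because VSS keeps a snapshot as a copy-on-write difference against the live volume, so once that volume is reformatted the copied store files no longer have the blocks they refer to. The drive letter D:, the cut-off date, the mount point C:\shadow, the destination C:\recovered and the extension list are all assumptions; the script needs an elevated prompt and PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example (not from the thread or from any tool it names).
# On a clean Windows host with the ORIGINAL, unformatted volume attached:
# list its VSS shadow copies, pick one created before a given date, expose it as a
# directory, and copy only document/photo files out (no executables).
# Run from an elevated PowerShell prompt. Drive letter, date and paths are assumptions.

function Get-VolumeShadowCopies {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'D:' (assumed)

    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName are both \\?\Volume{GUID}\ paths,
    # so match on those; the snapshot object does not carry a drive letter.
    $volume = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "Volume $DriveLetter not found" }

    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object -Property InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Export-ShadowCopyFiles {
    param(
        [Parameter(Mandatory)][string]$DriveLetter,
        [Parameter(Mandatory)][datetime]$Before,      # use only snapshots older than this
        [string]$MountPoint  = 'C:\shadow',           # assumed; must not exist yet, no spaces
        [string]$Destination = 'C:\recovered',        # assumed
        [string[]]$Include   = @('*.doc','*.docx','*.xls','*.xlsx','*.pdf','*.jpg','*.jpeg','*.png')
    )

    # Newest snapshot that still predates the infection date.
    $snap = Get-VolumeShadowCopies -DriveLetter $DriveLetter |
        Where-Object { $_.InstallDate -lt $Before } |
        Select-Object -First 1
    if (-not $snap) { throw "No shadow copy of $DriveLetter older than $Before" }
    Write-Host "Using snapshot $($snap.ID) created $($snap.InstallDate)"

    # A shadow copy is readable only through its device object
    # (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN). A directory symlink to it,
    # with the trailing backslash, makes it browsable like an ordinary folder.
    cmd.exe /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null
    try {
        # Copy only the whitelisted document and picture types out of the user profiles.
        # /S recurses, /XJ skips junctions so the walk cannot loop, /R:0 /W:0 does not
        # retry on files the snapshot cannot read.
        $src = Join-Path $MountPoint 'Users'
        robocopy $src $Destination $Include /S /XJ /R:0 /W:0 /NDL /NJH
        # robocopy exit codes below 8 mean success (0 = nothing new, 1 = files copied).
        if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
    }
    finally {
        # Remove only the link; the snapshot itself is untouched.
        cmd.exe /c rmdir $MountPoint | Out-Null
    }
}

# Usage with assumed values: the attached D: volume, snapshots taken before the day
# the encryption was noticed.
# Get-VolumeShadowCopies -DriveLetter 'D:' | Format-Table -AutoSize
# Export-ShadowCopyFiles -DriveLetter 'D:' -Before ([datetime]'2014-10-20')
```

Listing first and exporting second matters: the listing shows every snapshot's creation time, so the cut-off date can be chosen from evidence rather than guessed, and the extension whitelist means nothing executable from the infected period is carried across to the clean machine.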


#10 markcromwell

  • Members
  • 1 posts

Posted 21 March 2017 - 08:29 AM

Hi,

 

Did you ever manage to get this issue sorted? If so, what software / company did you use?

 

Thanks,

 

Mark





