Can't create restore points with WMIC on Windows Server

3 replies to this topic

#1 jakeharris74


  • Members
  • 1 posts
  • Local time:02:41 AM

Posted 27 August 2016 - 02:01 PM



I was looking to implement this on our client servers for safety and to prevent shadow copies from being deleted if any users got hit with CryptoWall. Just trying to find the best proactive ways to combat this growing headache (was looking at CryptoPrevent too, but any tips would be appreciated).





My question is why can't I create Restore Points using WMIC on servers? The command works fine on workstations, but when I run it on servers I get the following:



Server 2012:

C:\Windows\system32>wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "My Shortcut Restore Point", 100, 7
Description = Not found

Server 2008:

>wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "My Shortcut Restore Point", 100, 7
Code = 0x80041002
Description = Not found
Facility = WMI

Another thought, if we are just renaming it, can't I just update the Task Scheduler tasks that are using VSSAdmin to create restore points to point to the new renamed file (Renamed whatever I want) and it's offering the same protection so I don't have to use WMIC and VSSAdmin commands executed by viruses no longer work?

Any thoughts or better ideas appreciated!



#2 JohnnyJammer


  • Members
  • 1,117 posts
  • Gender:Male
  • Location:QLD Australia
  • Local time:04:41 PM

Posted 28 August 2016 - 10:44 PM

Before going into details, why worry about vssadmin if the user has no admin rights?

You need admin rights, either domain or local, to delete the snapshots, so if users don't have domain admin rights then they can't be deleting any snapshots.


Also if you have given them domain or local access rights then snapshots are the least of your worry mate LOL.

#3 Sig604


  • Members
  • 1 posts
  • Local time:10:41 PM

Posted 03 January 2017 - 02:18 PM

Just bumping this thread as I'm running into the same issue as well using the info found in the link from the original post. 


I've successfully renamed vssadmin but now shadow copies are no longer creating. I've created the scheduled task to run the command


Wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 7


but it does not appear to work. I've tried entering this into an elevated command prompt as well and it errors stating "Not Found".


Thanks for any help!

#4 SleepyDude


  • Malware Response Team
  • 3,083 posts
  • Gender:Male
  • Location:Portugal
  • Local time:07:41 AM

Posted 04 January 2017 - 09:03 AM



There isn't System Restore in any Windows Server OS, on servers the Admin should take care of Backups...


Alternatively check this: Windows Server 2012 – How to Create System Restore Point Using Windows Server Backup feature

• Please do not PM me asking for support. Post on the forums instead; it will increase the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

Proud graduate of GeekU and member of UNITE
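
Added example, not part of the thread or any poster's own code: a PowerShell check (PowerShell 3.0 or later) for whether the SystemRestore WMI class that the WMIC command calls is registered on a machine, which is what the "Not found" result (0x80041002, WBEM_E_NOT_FOUND) reports, and whether the Windows Server Backup feature mentioned in the last reply is installed. The function name Test-RestorePointSupport is hypothetical, and the feature name 'Windows-Server-Backup' is the one used on Server 2012 and later.

```powershell
# Added example, not from the thread. Reports whether the SystemRestore WMI class
# targeted by the WMIC command exists here, and whether Windows Server Backup is installed.
function Test-RestorePointSupport {   # hypothetical helper name
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isServer = $os.ProductType -ne 1

    # WMIC's "Description = Not found" (0x80041002, WBEM_E_NOT_FOUND) corresponds
    # to this class lookup returning nothing.
    $class = Get-CimClass -Namespace 'root/default' -ClassName 'SystemRestore' `
                          -ErrorAction SilentlyContinue

    $result = [ordered]@{
        OS                  = $os.Caption
        IsServer            = $isServer
        SystemRestoreClass  = [bool]$class
        ServerBackupFeature = $null      # stays $null when it cannot be checked
    }

    # Get-WindowsFeature ships with the ServerManager module on server editions only.
    if ($isServer -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
        # Feature name on Server 2012 and later; older releases may differ (assumption).
        $feature = Get-WindowsFeature -Name 'Windows-Server-Backup'
        $result.ServerBackupFeature = [bool]($feature -and $feature.Installed)
    }

    [pscustomobject]$result
}

$status = Test-RestorePointSupport
$status | Format-List

if (-not $status.SystemRestoreClass) {
    Write-Warning 'SystemRestore class is absent: CreateRestorePoint cannot work on this OS.'
    if ($status.ServerBackupFeature -eq $false) {
        Write-Warning 'The Windows Server Backup feature is not installed.'
    }
}
```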

