This step-by-step article describes how System Restore in Microsoft Windows XP interacts with your virus scanning software. This article also describes how to remove infected files that you cannot clean from the System Restore data archive. As a result, you can continue to restore your computer to uncompromised restore points. This article also describes how you can revert to a previous infected restore point. This procedure is useful if you must restore an infected file.
To help protect critical computer and program files, System Restore monitors, records, and in some cases copies these files before they are modified. For example, when a procedure or a program (such as an upgrade, an inadvertent user change, a driver installation, or a virus) modifies a critical computer file or program file, System Restore records and saves a copy of the file before the change occurs. If a problem occurs, a restore operation can replace files with previously saved versions of those files. Antivirus programs use auto-detection or scanning mechanisms to monitor critical and personal files on the computer for signs of infection. The antivirus program then takes action to clean, remove, or quarantine (isolate) files that known viruses have infected. System Restore also tracks an antivirus program when it modifies (cleans), moves, or deletes a monitored critical computer file or program file.
During a restoration, an active antivirus program scans for infected files. If the antivirus program detects any infected files, it tries to modify, move, or delete them. If the antivirus program successfully cleans the infected files, System Restore restores the cleaned files. However, if the antivirus software cannot clean a file, it deletes or quarantines the file. The restoration then does not work, because these actions on the file cause an inconsistent restoration state, and System Restore reverts to the state immediately before the restoration.
Signature files for antivirus programs are updated as viruses become known. As a result, a restoration that did not work several days ago might succeed after the antivirus program is updated. However, if you undo and retry a restoration to a point that succeeded before, the restoration may not work if a new signature or definition detects a virus that the antivirus program cannot clean on a backed-up file.
- When you turn off System Restore, you remove all the restore points. When you turn on System Restore again, new restore points are created as the schedule and events require.
- Verify that all the signature or the definition files are current. Make sure that your antivirus program is configured to exclude the System Volume Information (SVI) folder (a hidden computer folder that is located in the computer root, or %SYSTEMDRIVE%).
- Click Start, and then click Control Panel.
- Click Performance and Maintenance, and then double-click System.
- Click the System Restore tab, and then click to select the Turn off System Restore for all drives check box.
- Click OK, and then click Yes to initiate the restore point deletion.
- Microsoft does not recommend that you turn off antivirus protection under most conditions. Turn off antivirus protection only temporarily to restore a computer.
- Before you disable an antivirus program, disconnect the computer from any network to help prevent the infection of other computers.
To restore a computer to a previously infected restore point, follow these steps:
- Disconnect the computer from any network to help prevent the infection of other computers.
- Disable your antivirus program. Typically, to do this, right-click the antivirus icon in the Notification Area, and then click Exit or Disable. For more information about how to disable your antivirus program, see your product documentation.
- Use System Restore to restore to the appropriate restore point.
- After the restoration has completed and the Success screen appears, re-enable your antivirus program.
- Make sure that the antivirus program scans all the files that System Restore modified. To do so, run a manual scan of all the drives that System Restore monitors.
For more information about how to create and name your own restore points, see the System Restore document on the following TechNet Web page:
For additional information about how your antivirus software interacts with System Restore in Microsoft Windows Millennium Edition, click the following article number to view the article in the Microsoft Knowledge Base:
263455 Antivirus Tools Cannot Clean Infected Files in the _Restore Folder
Article ID: 831829 - Last Review: Sep 23, 2011 - Revision: 1