Tweaking.com Support Forums
Main Forum => General Computer Support => Topic started by: smccaffr39 on April 28, 2014, 07:45:02 am
-
this is a long shot, but thought i'd ask. i have a customer who was hit with cryptodefense. it deleted system restore points, but i was able to run a recovery to get 14.5GB of files from the "c:\system volume information" folder that were older than the infection. if i place those files back in that folder, can this program re-associate those restore points so that i can try to use "restore previous versions" to replace the encrypted files?
-
My program doesnt do anything like that with the system restore. best thing to do is make a copy of that fiel you have just in case then in safe mode, put the restore point back in that folder and reboot and see if system restore sees it.
MS is very very quite on how system restore works and what it needs, so there is no way to tell how or what it needs to see the restore point, so best to simply give it a try :-)
If it fails then the best thing to do would be to extract the files out of the restore point and restore them manually. :wink:
Shane
-
thank you very much for your input. i have tried to access the data manually, but the files are not set up the way that i've read they're supposed to be. the sizeable files have names like "{87105b49-abab-11e3-866e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}" without the "_restore" prefix. if you have some idea how to get at them without the use of the built-in system restore utility, i'd love to hear it! i'm trying to get 10 years of this guy's life back.
-
See if this helps :-)
http://www.sevenforums.com/tutorials/193282-system-restore-points-manually-extract-files-folders.html
Shane
-
thanks again, but all these tools rely on what windows tells it is available. i would need something that can look at a system restore file, outside of the affected system itself.
-
I cant find any tools that let you do that manually.
But there should be a file that says what each file name should be. What is the list of files that you have in the main restore point?
Shane
-
do you mean in the c:\system volume information folder? if so, i can't open any, but these are the contents:
folder:
Chkdsk
SPP
Windows Backup
WindowsImageBackup
files:
MountPointManagerRemoteDatabase
Syscache.hve
Syscache.hve.LOG1
Syscache.hve.LOG2
tracking.log
{13a61fae-c069-11e3-8e70-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{33cba087-c818-11e3-b640-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{3808876b-c176-4e48-b7ae-04046e6cc752}
{3d5a1014-3538-11e3-9f1d-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{3d629c0e-c405-11e3-940b-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{512e920f-cad8-11e3-806b-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{5c16f883-2c58-11e3-829d-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{87105b49-abab-11e3-866e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{9b302e9a-3523-11e3-ae06-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{bc5d45f8-c8d7-11e3-b3c5-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{d01636ec-2681-11e3-8b6d-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{e0ab5d90-17f5-11e3-ae38-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{e16c5471-1d0d-11e3-9f55-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{f36c5cb4-ca7b-11e3-b40e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{f36c5cc9-ca7b-11e3-b40e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{f36c5d01-ca7b-11e3-b40e-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
{f8a632f2-3151-11e3-82e7-88532e5cda77}{3808876b-c176-4e48-b7ae-04046e6cc752}
-
OK here are a few things I found
http://encase-forensic-blog.guidancesoftware.com/2012/06/examining-volume-shadow-copies-easy-way.html
and
http://cwl.cc/2012/07/volume-shadow-copy-and-system-restore.html
Shane