System Restore Off / Disable
Log In or Register to download the BES file, and more.

0 Votes

Versioning - This is the latest version.

1System Restore Off5/17/2016 7:44:34 AM
2System Restore Off5/17/2016 7:52:08 AM
3System Restore Off / Disable5/17/2016 7:54:24 AM

Description

Developer Documentation for System Restore Off

Author(s): Sean Seymour

Document Version: 2.3

Last Updated: 04/05/2016

Overview

System Restore has been found to cause issues with disk space on certain devices and issues with restoring old versions of programs on other devices. This package fixes the System Restore state if it has been disabled incorrectly, then deletes all system restore points and disables it correctly. On Windows 7 devices, it also disables the built in scheduled task that periodically creates restore points.

Affected Device(s)

·         Any device with System Restore Information > 10 MB

·         Any Win7+ device that has registry data or scheduled tasks indicating System Restore is active (details below)

Files Installed

Some temporary files are created, then executed and deleted.

Installation and Operation

From the BigFix console, Take Action on the System Restore Off fixlet. The client will run the actionscript, which does the following:

Windows XP

·         Sets HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DiskPercent to 1

·         Temporarily sets HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR to 0

·         If the System Restore service is running, restarts it. Otherwise it sets the System Restore service to automatically start then starts it

·         Disables the System Restore service via WMI, which also deletes all System Restore points and sets the DisableSR registry value back to 1.

Windows 7+

·         Disables the Microsoft\Windows\SystemRestore\SR scheduled task

·         Removes any values in HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients

·         Attempts to remove existing restore points using vssadmin delete shadows /all /quiet

·         Creates a scheduled task to run on the next reboot that:

o   Deletes the contents of any remaining System Volume Information folders on the drives’ root folders

o   Deletes any temporary files that were created

o   Deletes the scheduled task

Known Issues

It’s possible that something in the filesystem continues to use the System Restore files even after a reboot, which would prevent deletion. If this amount of data is more than 10 MB then the result of the BigFix action will show as Failed. In these rare cases I would suggest running the fixlet again. If the issue persists, connect to the device and attempt to delete the existing restore points and disable System Restore manually through the System control panel.

Rollback Procedures

Configure System Restore via the control panel, or create a fixlet to re-enable it.

Notes

·         This fixlet requires a restart before completing fully.

Document Changelog

·         04/05/2016, Sean Seymour: Version 2.3 - Fixed a bug in the actionscript command to create the scheduled task that runs after the reboot.

·         03/16/2016, Sean Seymour: Version 2.2 - Added Win7+ info

·         11/03/2015, Sean Seymour: Version 2.1  - Clarified that the DisableSR registry value gets set back to 1.

·         10/28/2015, Sean Seymour: Version 2.0 with updated information regarding the WMI step

·         09/22/2015, Sean Seymour: Version 1.0 of this document created


Property Details

ID20643
StatusProduction - Fully Tested and Ready for Production
TitleSystem Restore Off / Disable
SourceInternal
Source Release Date5/17/2016 7:54:24 AM
Keywordssystem restore shadow copies vssadmin
Added by on 5/17/2016 7:54:24 AM
Last Modified by on 5/17/2016 7:55:08 AM
Counters 4181 Views / 13 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 0 ratings. ** Log In or Register to add your rating.

Relevance

isWindows (Relevance 1172)
Used in 1118 fixlets and 526 analyses   * Results in a true/false
Show indented relevance
windows of operating system
Used in 3 fixlets   * Results in a true/false
Show indented relevance
((sum of sizes of descendants of folder "C:\System Volume Information" / (1024*1024)) > 10) or ((windows of operating system and version of operating system >= "6.1") and (exists value whose (name of it is "RPSessionInterval" and it > 0) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" of native registry) or (exists values of keys "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients" of native registry) or exists scheduled task whose (path of it is "\Microsoft\Windows\SystemRestore\SR" and enabled of it))

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script
if {name of operating system as string starts with "WinXP"}
    parameter "ServiceName" = "srservice"
    
// Enable System Restore first, since it may be in a semi-disabled state
// which can seem off but is actually creating unregulated restore points.
// This can result in System Restore actually filling up all remaining drive
// space with restore points until it brings down the device.
    regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]" "DiskPercent"=dword:1
    regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]" "DisableSR"=dword:0
    
// Need the service available to make these changes.
    if {exists running service (parameter "ServiceName")}
        parameter "ServiceState" = "Running"
    else
        if {exists service (parameter "ServiceName")}
// If the service is disabled, we need to change the configuration first.
            if {start type of service (parameter "ServiceName") = "disabled"}
                waithidden cmd /s /c "sc config "{parameter "ServiceName"}" start= demand && sc start "{parameter "ServiceName"}""
            else
                waithidden cmd /c sc start "{parameter "ServiceName"}"
            endif
            parameter "ServiceState" = "{state of service (parameter "ServiceName")}"
        else
            parameter "ServiceState" = "Unknown"
        endif
    endif
    
    continue if {(parameter "ServiceState") is not "Unknown"}
endif

// Check if PowerShell exists. Otherwise we will use vbscript.
if {exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" whose (value "PowerShellVersion" of it as string as version >= "2.0") of native registry}
    parameter "PowerShellExists" = "True"
else
    parameter "PowerShellExists" = "False"
endif

if {(parameter "PowerShellExists") is "True"}
    waithidden powershell -executionpolicy bypass "[System.IO.DriveInfo]::GetDrives() | ? {{$_.DriveType -eq 'Fixed'} | % {{Disable-ComputerRestore -Drive $_}"
else    
// Disable System Restore via wmi & vbcript.
    delete __createfile
    delete run.vbs
    
    createfile until _end_
' Original source: http://windowsitpro.com/scripting/rem-disabling-system-restore
Option Explicit
Dim SystemRestoreEnabled, objRP, ReturnCode

' Check if computer has any restore points.
SystemRestoreEnabled = False
For Each objRP In GetObject("winmgmts:{{impersonationlevel=impersonate}!root/default").InstancesOf("SystemRestore")
SystemRestoreEnabled = True
Exit For
Next

ReturnCode = 0

If SystemRestoreEnabled Then
' Disable System Restore for all drives on the computer
ReturnCode = GetObject("winmgmts:{{impersonationLevel=impersonate}!root/default:SystemRestore").Disable("")
End If

Wscript.Quit ReturnCode
    _end_
    
    move __createfile run.vbs
    
    override wait
    hidden=true
    completion=job
    wait cscript.exe run.vbs
endif

// The above code for Win7 simply disables the ability to restore system restore points.
// There is additional work needed to:
// 1. Disable the built in scheduled task that periodically creates restore points.
// 2. Remove a registry key that may have some drives as System Restore 'clients'.
// 3. Delete any existing restore points.
// 4. Clean up the System Volume Information folders after the next reboot.
if {windows of operating system and version of operating system >= "6.1"}
// 1. Disable the built in scheduled task that periodically creates restore points.
    parameter "SysRestoreTaskPath" = "\Microsoft\Windows\SystemRestore\SR"    
    if {exists scheduled task whose (path of it is (parameter "SysRestoreTaskPath") and enabled of it)}
        waithidden schtasks /change /tn {parameter "SysRestoreTaskPath"} /disable
    endif
    
// 2. Remove a registry key that may have some drives as System Restore 'clients'.
    action uses wow64 redirection false
    parameter "SysRestoreClientPath" = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients"
    waithidden reg delete "{parameter "SysRestoreClientPath"}" /va /f

// 3. Delete any existing restore points.
    waithidden vssadmin delete shadows /all /quiet

// 4. Clean up the System Volume Information folders.
// Any remaining files in the System Volume Information folders are usually
// locked / in use until the next reboot. So create a scheduled task that
// will delete the files at startup then delete itself (the task).
    parameter "SysVolInfoBasename" = "DeleteSysVolInfoContents"
    parameter "OutputFolder" = "{storage folder of client as string & "\SystemRestoreOff"}"
    parameter "TaskScriptPath" = "{parameter "OutputFolder"}\{parameter "SysVolInfoBasename"}.bat"
    
    if {not exist folder (parameter "OutputFolder")}
     folder create "{parameter "OutputFolder"}"
    endif

// Create a script to delete the contents of all files in the System Volume Information
// folder on the root of any fixed drive.
    if {(parameter "PowerShellExists") is "True"}
        parameter "ScriptCall" = "powershell -executionpolicy bypass -file {"%22"}%~n0.ps1{"%22"}"
        parameter "ScriptPath" = "{parameter "OutputFolder"}\{parameter "SysVolInfoBasename"}.ps1"
        delete __createfile
        createfile until _end_
[System.IO.DriveInfo]::GetDrives() | ? {{$_.DriveType -eq 'Fixed'} | % {{Get-ChildItem -Path (Join-Path $_ 'System Volume Information') -Recurse | Remove-Item -Force -Recurse}
_end_
    else
        parameter "ScriptCall" = "cscript {"%22"}%~n0.vbs{"%22"}"
        parameter "ScriptPath" = "{parameter "OutputFolder"}\{parameter "SysVolInfoBasename"}.vbs"

        delete __createfile
        createfile until _end_
option explicit
on error resume next
const FixedDrive = 2
dim file, folder, objDrive, objFolder, sysVolInfoPath
dim objFSO: set objFSO = CreateObject("Scripting.FileSystemObject")
dim colDrives: set colDrives = objFSO.Drives

for each objDrive in colDrives
    if FixedDrive = objDrive.DriveType then
        sysVolInfoPath = objDrive.RootFolder & "System Volume Information"

        set objFolder = objFSO.GetFolder(sysVolInfoPath)

        for each folder in objFolder.SubFolders
            objFSO.DeleteFolder folder.path, true
        next

        for each file in objFolder.Files
            objFSO.DeleteFile file.path, true
        next
    end if
next
_end_
    endif
    
// Copy fails if the file exists, so delete it first.
// Delete calls do not fail if the file is not there.
    delete "{parameter "ScriptPath"}"
    move __createfile "{parameter "ScriptPath"}"
    
// Create the batch file that the scheduled task will use to execute the script.
// When it's done it will delete the task, itself and any helper files in that dir.
// In some instances the call to vssadmin doesn't work pre-reboot, so throw it in here again.
    delete __createfile
    createfile until _end_
@echo off
cd /d "%~dp0"
vssadmin delete shadows /all /quiet
{parameter "ScriptCall"}
schtasks /delete /tn "%~n0" /f
cd /d %systemdrive%\
start cmd /c rd /s/q "%~dp0"&exit /b
_end_
    
// Copy the batch file to the predefined path for the scheduled task.
    delete "{parameter "TaskScriptPath"}"
    move __createfile "{parameter "TaskScriptPath"}"

// Create the startup task.
// The tr argument requires the quotes to be escaped if there are spaces in the path.
    waithidden schtasks /create /ru System /tn "{parameter "SysVolInfoBasename"}" /sc onstart /tr "\"{parameter "TaskScriptPath"}"\" /f
    
    action requires restart "SystemRestoreOff"
endif
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.


Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!
jgallas -
Yeah I figured it was actually disabled and that this registry key was in the relevance so it showed as failed. I have added the following to the end of your fixlet to prevent the failure notification: // Set RPSessionInterval to 0 and delete LastIndex key if {exists value whose (name of it is "RPSessionInterval" and it > 0) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" of native registry} regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]" "RPSessionInterval"=dword:0 regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]" "LastIndex" endif action requires restart "SystemRestoreOff" endif
Sean -
As far as I know, the RPSessionInterval specifies how often System Restore Points are created. So I would think if System Restore has been disabled, it wouldn't matter that that registry key was left behind. I didn't check, but if it happened to you then it probably happened when we rolled this out also. That being said, System Restore was successfully disabled on our systems so I don't think it is a concern.
jgallas -
This seems to work great at removing System Restore points and disabling however I did have an issue on one of the 2 systems I tested on so far. It failed on one and when I looked at the RPSessionInterval it was set to 1 instead of 0 in the registry. Any idea why this would happen or is this even a concern?