System Restore Points are forensic time capsules — they capture registry hives, driver files, and system configuration at specific moments before significant changes. When an attacker modifies the registry, replaces system binaries, or tampers with security policy, the original state often survives in a restore point the adversary never knew existed.
What Are System Restore Points?
System Restore is a Windows feature introduced in Windows ME and substantially redesigned in Windows Vista to use the Volume Shadow Copy Service (VSS). It creates automatic snapshots of critical system files before events such as driver installations, Windows updates, and application installs. These snapshots contain copies of registry hives, system-protected files, COM+ databases, and WMI repositories — everything needed to roll the system back to a known-good state.
From a forensic perspective, restore points provide historical copies of registry hives and system files that may have since been modified by attackers, malware, or anti-forensics tools. If an adversary modifies HKLM\SYSTEM to install a malicious service, the pre-compromise version of the SYSTEM hive may still exist in a restore point created before the attack. Similarly, if a threat actor replaces sethc.exe with cmd.exe for sticky-key backdoor access, the original binary may survive in the restore point’s file store.
On modern Windows (Vista+), restore points are implemented as VSS snapshots stored in C:\System Volume Information\. The VSS framework maintains block-level differential snapshots of the volume, allowing the entire volume to be viewed as it existed at the snapshot time. Older Windows XP restore points used a file-copy mechanism that stored individual file backups in numbered RP### directories.
Restore points preserve historical copies of registry hives. If malware installed a service, added a Run key, or modified firewall rules in the registry, comparing the current hive to the restore-point copy reveals exactly what changed and when.
Location & Format
File Paths
| Component | Path | Notes |
|---|---|---|
| VSS Store | C:\System Volume Information\ | Contains VSS snapshot metadata and diff data; SYSTEM-only ACL |
| XP Restore Points | C:\System Volume Information\_restore{GUID}\RP###\ | Legacy file-copy restore points (Windows XP only) |
| XP Snapshot Files | RP###\snapshot\ | Contains registry hive copies: _REGISTRY_MACHINE_SYSTEM, _REGISTRY_MACHINE_SOFTWARE, etc. |
| XP Change Log | RP###\change.log | Binary log of file operations tracked for this restore point |
VSS Architecture (Vista+)
On Vista and later, System Restore uses VSS snapshots rather than file copies. The VSS provider maintains a copy-on-write differential store: when a block on the volume is about to be overwritten, the original block is saved to the diff area before the write proceeds. This means each snapshot represents the complete volume state at a point in time, accessible by mounting the shadow copy. The diff store grows as more blocks are modified between snapshots; Windows automatically purges the oldest snapshots when the allocated space (typically 5–10% of volume) is exceeded.
VSS snapshots are block-level differentials, not file copies. You cannot browse them directly on disk. They must be mounted using vssadmin, mklink to a shadow copy path, or accessed through forensic tools that support VSS enumeration (Arsenal Image Mounter, X-Ways, FTK Imager).
What It Reveals
System Restore Points answer forensic questions that cannot be answered by examining only the current system state:
- What did the registry look like before the compromise? — Comparing current hives to restore-point copies reveals every modification made by the attacker: new services, Run keys, firewall exceptions, scheduled tasks.
- Were system binaries replaced? — Hash comparison of critical executables (
sethc.exe,utilman.exe,osk.exe) between the current state and the restore point detects binary replacement attacks. - What drivers were installed? — The
SYSTEM\CurrentControlSet\Serviceskey in the restore-point SYSTEM hive shows which drivers existed before the attack. - When was the system last known-good? — The restore point creation timestamp establishes the latest point at which the system was in an uncompromised state.
- What Group Policy was in effect? — Registry-based policy settings captured in the SOFTWARE hive show pre-attack security configuration.
- Were security tools disabled? — Comparing Defender/AV registry keys between restore point and current state proves an attacker disabled protections.
- What user accounts existed? — The SAM hive in a restore point shows user accounts that existed at that time, revealing account creation/deletion activity.
- What network configuration was active? — TCP/IP parameters, DNS settings, and interface configurations are stored in the SYSTEM hive.
The highest-value forensic technique for restore points is registry diffing: loading both the current hive and the restore-point copy into a registry comparison tool and identifying every key and value that was added, modified, or deleted between the two states. This produces a precise change manifest of attacker activity.
Forensic Use Cases
1. Persistence Mechanism Discovery
An incident response engagement discovers a compromised host with no obvious persistence mechanism. The attacker has modified registry keys to install a service that loads a DLL from C:\Windows\Temp\. By mounting the most recent VSS snapshot and extracting the SYSTEM hive, the investigator compares the Services key tree and identifies the exact service entry that was added post-compromise, including the service name, DLL path, and start type.
2. Ransomware Pre-Encryption State Recovery
Ransomware typically deletes VSS snapshots as one of its first actions. However, if the ransomware execution was interrupted or if the vssadmin delete shadows command failed (e.g., due to insufficient privileges on the shadow copy provider), surviving snapshots contain the pre-encryption file system. Entire directories of unencrypted files can be recovered by mounting the surviving shadow copy.
3. Security Tool Tampering Timeline
An attacker disables Windows Defender by modifying HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware. The restore-point SOFTWARE hive shows this value did not exist before the attack, proving the attacker explicitly disabled endpoint protection. The restore point timestamp establishes the latest known-good configuration.
4. Backdoor Binary Detection
An attacker replaces C:\Windows\System32\utilman.exe with a copy of cmd.exe to enable unauthenticated command-line access at the login screen. The restore-point copy of utilman.exe has a different hash than the current file, proving the replacement. The legitimate file can be recovered from the shadow copy for hash verification against Microsoft’s catalog.
5. Deleted File Recovery
Files deleted after a restore point was created may still exist in the shadow copy. If the restore point was taken at 14:00 and the attacker deleted their tooling at 16:00, mounting the 14:00 shadow copy provides access to the original files. This is particularly valuable for recovering malware samples that the attacker cleaned up.
Acquisition Methods
C:\System Volume Information\ has a SYSTEM-only ACL. Even administrators cannot access it without taking ownership or using a forensic tool that bypasses NTFS permissions. On a live system, enumerate shadow copies with vssadmin list shadows and mount them via symbolic link. On a forensic image, use tools that support VSS enumeration natively.
Live System — VSS Enumeration
:: List all available shadow copies vssadmin list shadows :: Create a symbolic link to access a specific shadow copy mklink /d C:\ShadowMount \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\ :: Extract registry hives from the shadow copy copy C:\ShadowMount\Windows\System32\config\SYSTEM C:\Evidence\VSS_SYSTEM copy C:\ShadowMount\Windows\System32\config\SOFTWARE C:\Evidence\VSS_SOFTWARE copy C:\ShadowMount\Windows\System32\config\SAM C:\Evidence\VSS_SAM :: Remove the symbolic link when done rmdir C:\ShadowMount
Forensic Image — VSS Extraction
# Use libvshadow to enumerate shadow copies in a forensic image vshadowinfo /path/to/image.E01 # Mount a specific shadow copy vshadowmount /path/to/image.E01 /mnt/vss # List available shadow copies (appear as vss1, vss2, etc.) ls /mnt/vss/ # Mount a specific VSS volume mount -o ro,loop /mnt/vss/vss1 /mnt/shadow1 # Extract registry hives from the shadow copy cp /mnt/shadow1/Windows/System32/config/SYSTEM /analysis/vss/ cp /mnt/shadow1/Windows/System32/config/SOFTWARE /analysis/vss/
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| Arsenal Image Mounter | Arsenal Recon | Free/Commercial | Mounted drive | Mounts forensic images with full VSS support; can expose all shadow copies |
| libvshadow | Joachim Metz | Open source | Mountable volumes | Linux-native VSS access; vshadowmount exposes each snapshot as a device |
| X-Ways Forensics | X-Ways | Commercial | GUI + export | Native VSS enumeration within forensic images |
| FTK Imager | Exterro | Free | GUI | Can mount and browse VSS snapshots from forensic images |
| RegRipper | Harlan Carvey | Open source | Text | Parse extracted registry hives from restore points |
| Registry Explorer | Eric Zimmerman | Free | GUI | Compare two registry hives side-by-side for diffing |
Registry Diff Analysis
# Mount VSS hive and current hive, then compare Services keys reg load HKLM\VSS_SYSTEM C:\Evidence\VSS_SYSTEM reg load HKLM\CURRENT_SYSTEM C:\Evidence\CURRENT_SYSTEM # Export both Services trees reg export HKLM\VSS_SYSTEM\ControlSet001\Services C:\Analysis\vss_services.reg reg export HKLM\CURRENT_SYSTEM\ControlSet001\Services C:\Analysis\current_services.reg # Diff the exports to find new/modified services fc /N C:\Analysis\vss_services.reg C:\Analysis\current_services.reg > C:\Analysis\services_diff.txt
Retention & Persistence
| Property | Windows XP | Windows Vista – 10 | Windows 11 |
|---|---|---|---|
| Mechanism | File-copy snapshots | VSS block-level differentials | VSS block-level differentials |
| Default space | ~12% of volume | ~5–15% of volume | ~5–15% of volume |
| Automatic triggers | Software install, driver install, scheduled (24hr) | Windows Update, driver install, app install | Windows Update, driver install, app install |
| Survives reboot | Yes | Yes | Yes |
| Purge mechanism | Oldest RP directories deleted when space exceeded | Oldest VSS snapshots purged when diff area is full | Oldest VSS snapshots purged when diff area is full |
Version Differences
| Feature | Windows XP | Windows Vista+ |
|---|---|---|
| Technology | File-level copy to _restore{GUID}\RP###\ | Volume Shadow Copy Service (VSS) |
| Registry hives | Explicit copies in snapshot\ directory | Accessible via mounted shadow copy at original paths |
| File recovery | Only monitored file types backed up | Entire volume state available at block level |
| Access method | Direct file browsing in RP directory | Must mount shadow copy via vssadmin or forensic tool |
| Forensic tool support | Rp.log parser, manual extraction | libvshadow, Arsenal Image Mounter, X-Ways, FTK |
Anti-Forensics Resilience
System Restore and VSS snapshots are commonly targeted by ransomware and sophisticated attackers, making them a moderate-resilience artifact.
| Tool/Action | Destroys Restore Points? | Explanation |
|---|---|---|
Ransomware (vssadmin delete shadows) | Yes | Most ransomware families delete all VSS snapshots as a first step |
wmic shadowcopy delete | Yes | Alternative WMI-based shadow copy deletion method |
| Disk Cleanup | Partial | Removes all but the most recent restore point |
| CCleaner | Optional | Can delete restore points if user enables that option |
| System Restore disabled | Prevents creation | Disabling System Restore purges existing points and prevents new ones |
| Manual deletion | Yes | Admin can delete specific or all shadow copies |
The absence of VSS snapshots on a system that should have them is itself a forensic finding. If System Restore was enabled and Windows Update recently ran, but no shadow copies exist, the most likely explanation is that they were deliberately deleted — a hallmark of ransomware or destructive attacks. Check Event ID 8194 (VSS) and 7036 (service stop) for corroboration.
MITRE ATT&CK Detection Mapping
System Restore analysis supports detection of the following techniques:
| Technique | Name | Restore Point Evidence |
|---|---|---|
T1490 T1490 | Inhibit System Recovery | Deleted VSS snapshots; vssadmin delete shadows in event logs |
T1112 T1112 | Modify Registry | Registry diff between current and restore-point hives reveals attacker modifications |
T1543.003 T1543.003 | Windows Service | New services visible in current SYSTEM hive but absent from restore-point copy |
T1562.001 T1562.001 | Disable or Modify Tools | Security tool registry keys modified between restore point and current state |
T1547.001 T1547.001 | Registry Run Keys | New Run/RunOnce entries visible in registry diff |
Related Artifacts & Cross-References
| Artifact | Relationship | Cross-Correlation Value |
|---|---|---|
| Registry Hives | Restore points contain historical copies of SYSTEM, SOFTWARE, SAM, SECURITY | Registry diffing reveals attacker modifications between known-good and compromised state |
| Event Logs | Event ID 8194 (VSS), 7036 (service state changes) | Confirm restore point creation/deletion timing |
| $MFT | File system metadata at time of snapshot | Shadow copy preserves historical $MFT state for file timeline analysis |
| Prefetch | Historical Prefetch files accessible via shadow copy | Execution evidence from before attacker cleanup |
| Scheduled Tasks | Task XML files in shadow copy vs. current state | Detects persistence tasks added by attacker |
References
- Microsoft, “Volume Shadow Copy Service” — https://learn.microsoft.com
- libvshadow, “Library and tools to access VSS” — https://github.com/libyal/libvshadow
- Arsenal Recon, “Arsenal Image Mounter” — https://arsenalrecon.com
- SANS Institute, “VSS Forensics” — https://www.sans.org/blog/
- Harlan Carvey, “RegRipper” — https://github.com/keydet89/RegRipper3.0
- Eric Zimmerman, “Registry Explorer” — https://ericzimmerman.github.io/
- 13Cubed, “Volume Shadow Copy Forensics” — https://www.13cubed.com/
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in VSS forensics, registry diffing, and pre-compromise state recovery for ransomware and APT investigations.
mjolnirsecurity.com — 24/7: +1 833 403 5875