This chapter covers System Restore Points, a critical feature for troubleshooting and recovery in Windows operating systems. For the CompTIA A+ 220-1102 exam, understanding System Restore is part of Objective 1.2 (Operating Systems). Approximately 5-10% of exam questions touch on system recovery tools, with System Restore being a key topic. You must know how to create, configure, and use restore points, as well as understand their limitations and interaction with other recovery tools.
Jump to a section
Think of System Restore as a checkpoint system in a video game. When you reach a safe room, you can save your progress. If you later die or make a mistake, you can reload that save to undo the damage. System Restore works similarly: it creates a snapshot of critical system files, registry settings, and drivers at a point in time. If a new driver or update causes instability, you can 'reload' that snapshot to revert those changes without affecting your personal files. The Volume Shadow Copy Service (VSS) is the game engine that takes the snapshot—it coordinates with all running applications to ensure data consistency. Just as a game save might corrupt if you save during a loading screen, a restore point can be inconsistent if VSS doesn't get cooperation from all writers. The restore process is like loading a save: the system reboots and uses the restore point data to overwrite current system files, rolling back to the earlier state. However, unlike a game save that overwrites everything, System Restore selectively reverts only system files, leaving your documents and media untouched.
What is System Restore?
System Restore is a Windows feature that allows you to revert the operating system to a previous state without affecting personal files like documents, photos, or emails. It accomplishes this by creating and managing restore points—snapshots of critical system files, registry settings, and drivers. Restore points are essentially before-images of the system state that can be applied to undo changes that may have caused instability.
System Restore is not a backup solution for user data; it is a system recovery tool. It monitors changes to the system and automatically creates restore points before significant events such as:
Installing new applications or drivers
Installing Windows Updates
Performing a system restore operation itself (to allow undo)
Manually by the user or by scheduled tasks
How System Restore Works Internally
The core mechanism behind System Restore is the Volume Shadow Copy Service (VSS). VSS is a framework that coordinates with VSS-aware applications (called writers) to create consistent snapshots of volumes. When a restore point is created, the following sequence occurs:
The System Restore service (srservice) triggers a VSS snapshot of the system volume(s).
VSS notifies all registered writers (e.g., Registry Writer, COM+ Class Registration Database Writer, Windows Update Writer) to prepare their data for snapshot.
Writers freeze their I/O operations momentarily and flush data to disk, ensuring the snapshot captures a consistent state.
VSS creates a shadow copy of the volume at that instant.
The shadow copy is stored in a hidden, protected system folder named System Volume Information on each volume.
The restore point metadata (description, timestamp, event type) is recorded in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore.
When you perform a system restore, the process is: 1. Windows boots into a minimal environment (Safe Mode or Windows Recovery Environment) if necessary. 2. The System Restore service reads the restore point metadata and identifies which files and registry keys need to be reverted. 3. Using VSS, the original files from the shadow copy are copied back to their original locations, overwriting the current ones. 4. The registry is restored from the snapshot. 5. The system reboots to apply the changes.
Key Components, Values, Defaults, and Timers
Restore Point Storage: Restore points are stored in System Volume Information folder. This folder is hidden and protected; even administrators cannot browse it normally. The folder contains VSS snapshots and change journal files.
Disk Space Allocation: Windows allocates a percentage of disk space for restore points. By default, on drives 64 GB or larger, 5% of the drive space is reserved. On drives smaller than 64 GB, the default is 3%. This space is managed by VSS and is shared with other VSS snapshots (e.g., from Windows Backup).
Automatic Restore Points: Windows automatically creates a restore point every 7 days if no other restore points have been created in that period. Additionally, restore points are created before:
- Installing an unsigned driver
- Installing Windows Update (sometimes)
- Running System Restore itself
- Manual Creation: Users can manually create a restore point via the System Protection tab in System Properties. This is useful before making significant system changes.
- Restore Point Retention: Restore points are automatically deleted when the allocated disk space is full. The oldest restore points are deleted first. Also, restore points are deleted if the drive runs low on space or if System Protection is turned off for the volume.
- Registry Keys: The following registry key controls System Restore settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
Key values include:
- SystemRestorePointCreationFrequency: Default is 1440 minutes (24 hours) – this sets the minimum time between automatic restore point creations.
- RPGlobalInterval: Default is 604800 seconds (7 days) – the maximum time before an automatic restore point is created if none have been made.
- DiskPercent: Default is 5 (for drives >= 64GB) – percentage of drive space for restore points.
Configuration and Verification Commands
To configure System Restore, you can use the GUI or command-line tools.
GUI Method: - Right-click 'This PC' > Properties > System Protection > Configure. - Here you can enable/disable System Protection, set disk space usage, and delete all restore points.
Command-Line Method:
- vssadmin is the primary command for managing shadow copies.
- vssadmin list shadows – lists all VSS snapshots (restore points) on the system.
- vssadmin delete shadows /for=C: /oldest – deletes the oldest shadow copy on C:.
- wmic (deprecated but still functional) or PowerShell can also be used.
- PowerShell: Get-ComputerRestorePoint – lists restore points.
- PowerShell: Enable-ComputerRestore -Drive "C:\" – enables System Protection on C:.
- PowerShell: Checkpoint-Computer -Description "Before Driver Install" -RestorePointType MODIFY_SETTINGS – creates a manual restore point.
Interaction with Related Technologies
Windows Backup and Restore: System Restore is separate from file backup. Windows Backup can back up user files and system images, while System Restore only protects system state. They can be used together: a system image can restore the entire system, while System Restore can revert specific changes without affecting user data.
Windows Recovery Environment (WinRE): If the system fails to boot, you can access System Restore from WinRE. This allows you to restore to a previous point even when Windows won't start normally.
Driver Rollback: Device Manager allows rolling back a driver to a previous version, but this is per-device. System Restore can roll back multiple drivers and system settings at once.
System Restore and Virtualization: In virtual machines, System Restore works similarly, but snapshots from the hypervisor (e.g., Hyper-V checkpoints) are different—they capture the entire VM state, including memory.
Limitations
System Restore does not protect user files. If a user deletes a document, System Restore will not recover it.
It only monitors certain file extensions and registry keys. Not all system changes are tracked.
Restore points can become corrupted, especially if the disk has errors or if VSS writers fail.
System Restore cannot undo a Windows upgrade (e.g., from Windows 10 to Windows 11). It also cannot revert to a state before a feature update after 10 days.
If System Protection is disabled, all existing restore points are deleted.
Exam-Relevant Details
For the 220-1102 exam, you should know:
The default disk space allocation (5% on drives >= 64GB, 3% on smaller drives).
The default automatic restore point creation interval (every 7 days).
That System Restore can be accessed from WinRE if Windows fails to boot.
That System Restore does not affect personal files.
The difference between System Restore and a system image backup.
How to create a restore point manually: System Properties > System Protection > Create.
How to perform a system restore: System Properties > System Protection > System Restore, or from WinRE.
That System Restore is not available in Safe Mode with Command Prompt (only through WinRE or normal mode).
Enable System Protection
Before you can create restore points, System Protection must be enabled for the desired drive. Open System Properties (sysdm.cpl), go to the System Protection tab, select the drive, and click Configure. Choose 'Turn on system protection' and adjust the max usage slider (default is 5% for drives 64GB+). This enables VSS to allocate space for shadow copies. If System Protection is off, no restore points are created and existing ones are deleted. The exam expects you to know this prerequisite.
Trigger Restore Point Creation
Restore points can be created automatically by Windows or manually by the user. Automatic creation occurs before certain events (e.g., unsigned driver installation) or on a schedule (every 7 days if no other restore point was created). Manual creation is done by clicking 'Create' in the System Protection tab. You must provide a description (e.g., 'Before driver install'). The system then calls VSS to create a snapshot. The snapshot captures the state of system files, registry, and monitored components.
VSS Coordinates Snapshot
The Volume Shadow Copy Service (VSS) coordinates with VSS-aware writers. It sends a PrepareForSnapshot notification to all writers, which then flush their data and freeze I/O. After a brief freeze (typically seconds), VSS creates the shadow copy. The snapshot is stored in the System Volume Information folder. The restore point metadata is saved in the registry. If any writer fails to respond, the snapshot may be inconsistent, and System Restore may not work correctly later.
Initiate System Restore
To revert to a restore point, open System Restore via System Properties or from WinRE. You can also run `rstrui.exe` from the command line. The wizard displays a list of available restore points with timestamps and descriptions. You can choose a recommended restore point or select a different one. Optionally, click 'Scan for affected programs' to see which applications and drivers will be removed or restored. This step is crucial for the exam: you must know how to access System Restore from both normal mode and WinRE.
Apply the Restore Point
After selecting a restore point, confirm the action. The system will reboot into a minimal environment (if needed) and begin the restore process. VSS copies the original files from the shadow copy back to their original locations. The registry is restored. This process can take several minutes. Once complete, the system reboots normally. If the restore fails, you can try a different restore point or use other recovery tools. The exam may ask about the sequence: reboot, restore, reboot again.
In enterprise environments, System Restore is often used as a quick recovery tool for desktop support. For example, a helpdesk technician receives a call about a user's computer becoming unstable after installing a new printer driver. Instead of troubleshooting the driver manually, the technician can perform a System Restore to revert the system to its state before the driver installation. This is fast and often resolves the issue without needing to uninstall the driver manually. However, if System Restore is disabled (common in some corporate images to save disk space), the technician must use other tools like Driver Rollback or Safe Mode.
Another scenario: A software update from a third-party application causes registry corruption. The user cannot boot normally. The technician boots into WinRE (by pressing F11 or using a recovery drive) and accesses System Restore from the Troubleshoot menu. They select a restore point from before the update, and the system recovers. This is a common exam scenario: using System Restore from WinRE when Windows fails to boot.
In a managed IT environment, Group Policy can disable System Restore entirely to standardize systems or preserve disk space. For example, a financial firm might disable System Restore on all workstations because they use full-disk encryption and have strict compliance requirements. However, this removes a valuable recovery tool. Technicians must be aware of this policy and have alternative recovery plans, such as using a system image backup or a recovery partition.
Performance considerations: On systems with limited disk space, restore points can quickly fill the allocated quota. Old restore points are deleted automatically, but if the system is under heavy churn (frequent driver installations, updates), the available restore points may only cover a short window. Technicians should monitor disk space and adjust the max usage slider accordingly. For SSDs, the impact of VSS snapshots on wear is minimal, but the space consumption still matters.
Misconfiguration: If System Protection is turned off after restore points exist, all restore points are deleted. This can be catastrophic if a problem occurs later. Also, if the System Volume Information folder becomes corrupted (e.g., due to disk errors), restore points may become unusable. Running chkdsk and sfc /scannow can help maintain disk health.
For the 220-1102 exam, System Restore falls under Objective 1.2 (Operating Systems). You must understand the following:
Default settings: The exam expects you to know the default disk space allocation (5% for drives 64GB and larger, 3% for smaller drives) and the automatic restore point creation interval (every 7 days). These numbers appear verbatim in some questions.
What System Restore does and does not do: It reverts system files, registry, and drivers. It does NOT affect personal files (documents, photos, emails). This is a common trick: a question might say 'A user wants to recover a deleted document using System Restore.' The correct answer is that System Restore cannot help; they need a file backup.
Access methods: System Restore can be accessed from:
- Normal Windows (via System Properties or rstrui.exe)
- Windows Recovery Environment (WinRE) under Troubleshoot > Advanced Options > System Restore
- It is NOT available in Safe Mode (only through WinRE if the system is unbootable). However, you can run rstrui.exe from Safe Mode with Networking? Actually, Safe Mode does allow System Restore? Wait: In Windows 10/11, System Restore can be run from Safe Mode. The exam may test this: System Restore can be run from Safe Mode. But many older sources say it cannot. As of Windows 10, it is available in Safe Mode. However, the most reliable method from an unbootable system is WinRE. The exam may have a question: 'Which recovery tool can be used to revert system changes without affecting user files?' Answer: System Restore.
Common wrong answers:
Choosing 'System Image Recovery' when the question asks for a tool that reverts system changes without affecting user files. System Image Recovery restores the entire system, including user files, and requires a previously created image.
Choosing 'File History' when the question is about system state. File History only backs up user files.
Thinking that System Restore can undo a Windows upgrade after 10 days. It cannot; the upgrade removal option is only available for 10 days.
Edge cases:
If System Protection is disabled, restore points are deleted. So you cannot perform a system restore if protection was off.
System Restore cannot be used to revert a domain-joined computer's group policy settings? Actually, it can revert registry changes, but group policy may reapply after reboot.
The 'Scan for affected programs' feature shows which applications will be removed or restored. This is useful for the exam: you can use it to see if a problematic driver will be removed.
How to eliminate wrong answers: Focus on the scope. If the question mentions personal files, System Restore is not the answer. If it mentions a full system recovery (including OS and all files), System Image Recovery is correct. If it mentions rolling back a single driver, Device Manager Driver Rollback is correct. If it mentions undoing a Windows update, go to Settings > Update & Security > View update history > Uninstall updates.
System Restore creates restore points via VSS; stored in System Volume Information folder.
Default disk space allocation: 5% on drives >=64GB, 3% on smaller drives.
Automatic restore points are created every 7 days if none exist.
System Restore does not affect personal files; only system files, registry, and drivers.
Access System Restore from System Properties or WinRE (Troubleshoot > Advanced Options).
Manual restore point creation: System Properties > System Protection > Create.
System Restore cannot undo Windows feature upgrades after 10 days.
Disabling System Protection deletes all existing restore points.
Use 'Scan for affected programs' to see what changes will be made.
System Restore can be run from Safe Mode in Windows 10/11.
These come up on the exam all the time. Here's how to tell them apart.
System Restore
Reverts only system files, registry, and drivers
Does not affect personal files
Requires no prior backup of user data
Quick to perform (minutes)
Can be accessed from WinRE if system fails to boot
System Image Backup
Restores entire system drive, including user files
Replaces all data on the drive
Requires a previously created image file
Takes longer to restore (can be hours)
Also accessible from WinRE, but overwrites everything
Mistake
System Restore backs up all user files.
Correct
System Restore only monitors and restores system files, registry, and drivers. It does not affect user files like documents, photos, or emails. To back up user files, use File History or Windows Backup.
Mistake
System Restore can undo any change to the system, including Windows upgrades.
Correct
System Restore cannot undo a Windows feature upgrade (e.g., from Windows 10 to Windows 11) after the 10-day rollback period. It also cannot revert changes made by some system updates. It is designed for driver and application changes, not major OS upgrades.
Mistake
Restore points are stored in the System32 folder.
Correct
Restore points are stored in the hidden `System Volume Information` folder at the root of each protected volume. This folder is inaccessible even to administrators by default.
Mistake
System Restore is the same as a system image backup.
Correct
A system image backup is a complete copy of the entire system drive, including user files and the OS. System Restore only reverts system state to a previous point without affecting personal files. They serve different purposes.
Mistake
You cannot create a restore point manually.
Correct
You can manually create a restore point at any time from System Properties > System Protection > Create. This is recommended before making significant system changes.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Open System Properties (right-click This PC > Properties > System Protection). On the System Protection tab, click Create. Enter a description (e.g., 'Before driver install') and click Create again. This triggers a VSS snapshot. Ensure System Protection is enabled for the drive first; otherwise, the Create button is grayed out.
No. System Restore only reverts system files, registry, and drivers. It does not monitor or recover user files like documents, photos, or emails. For file recovery, use File History, Windows Backup, or a third-party backup solution. If you need to recover a deleted file, check the Recycle Bin first.
Boot into the Windows Recovery Environment (WinRE) by pressing F11 during startup (or using a recovery drive). From WinRE, go to Troubleshoot > Advanced Options > System Restore. You will then be able to choose a restore point. Alternatively, you can boot from a Windows installation media and select Repair your computer > Troubleshoot > Advanced Options > System Restore.
When the allocated space for VSS snapshots is full, the oldest restore points are automatically deleted to make room for new ones. You can also manually delete all restore points by going to System Protection > Configure and clicking Delete. To prevent space issues, adjust the max usage slider or disable System Protection if not needed.
Yes, in Windows 10 and 11, you can run System Restore from Safe Mode. Simply open System Restore via the Start menu or run `rstrui.exe`. However, if the system is unbootable, you should use WinRE. Note that some older versions of Windows did not support System Restore in Safe Mode, but current versions do.
System Restore can revert system files that may have been modified by malware, but it is not a reliable method for virus removal. Malware can persist in user files or other areas not monitored by System Restore. It is better to use antivirus software. Also, restore points may contain infected files; restoring an infected point could reintroduce the malware. Always scan with antivirus before and after restore.
System Restore reverts only system files and settings to a previous point without affecting personal files. A system image is a complete copy of the entire drive, including the OS, applications, and all user data. Restoring a system image overwrites everything. System Restore is faster and does not require a separate backup, while a system image provides full recovery but needs prior creation.
You've just covered System Restore Points — now see how well it sticks with free 220-1102 practice questions. Full explanations included, no account needed.
Done with this chapter?