[Solved] Win 98/98SE System Restore


Monroe

CharlotteTheHarlot ... understand ... I know how to add, change and delete items in the registry but as to what should actually be in the registry or how it should be there ... I wouldn't have a clue. I just follow what you and others suggest for this or that. I remember some time back you and others posted about deleting some "unnecessary" registry entries, I did follow what was posted but there is no way I could ever look in the registry and make that call. ... thanks.

... just would like to add about the System Restore guide that I posted. I covered everything that I had knowledge of ... if someone has further questions or runs into any "new" problems during the install or afterwards, please post for PROBLEMCHYLD to be of help to you. It's his project, glad he took it on. I tried fooling around with System Restore right after Windows Me first came out ... wanted to see if I could get it to work in 98SE ... like I said, I just fooled around, I wasn't even close to getting anything to work on 98SE ... thanks for taking the interest and making the program work for those that might like to use it.

Edited by duffy98

I got a System Restore update from PROBLEMCHYLD ... he has put everything in a nice step by step set of instructions.

This should be the final say I guess ...

You might want to revise the instructions as I have done so below.

1. Create a folder and name it System Restore.

2. Download the patched VXDMON.VXD and copy it to the System Restore folder.

3. Download the update 290700USAM.EXE then extract the files to the System Restore folder.

4. Extract the Pchealth.inf from PRECOPY1.CAB and copy it to the C:\Windows\Inf folder.

5. Extract these 3 files from BASE2.CAB to the System Restore folder.

CHECKSR.BAT

EBD.CAB

EBDUNDO.EXE

6. Copy the whole Win9X folder to the C:\directory. (You must have a WinME CD for the necessary files.)

7. Copy everything from inside the System Restore folder to the Win9X folder.

8. Run this command:

C:\windows\rundll.exe setupx.dll,InstallHinfSection PCHealth.Install 132 C:\WINDOWS\INF\PCHealth.inf

9. When asked for any files, point to the Win9X folder in C:\directory where all the updated files are.

10. Now copy the patched VXDMON.VXD from the System Restore folder to the C:\Windows\System\Vmm32 folder.

Restart computer.

11. Now run the 290700UP.INF, restart when done.

12. After running all above instructions you should get a successful installation of System Restore for Win98\98SE which will lead to a successful restoration and no problems or errors.

13. You will need 98SE2ME for two reasons:

-to have the options (Disk Space Usage) in System Restore to configure the settings

-to disable System Restore, which will then allow older restore points created to be deleted

because it installs some system files that are needed.

If you just want to create Restore Points + Restore them back,

then 98SE2ME is not needed, but if you want those two options then 98SE2ME is needed.

If you followed all instructions step by step, you shouldn't have any problems. I just did all of these steps

and got a successful restoration.

Thanks to dencorso for patching the VXDMON.VXD.

I'll add ... thanks to PROBLEMCHYLD for figuring it all out.

Edited by duffy98

By

11. Now run the 290700UP.INF, restart when done.

do you mean...

11. Run this command:

C:\windows\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\System Restore\290700UP.INF

?


I sent a message to PROBLEMCHYLD about your question ... either he will read that or see your question here. I was confused about that earlier also ... I asked him about that in Post #11 and never got a clear answer so I just ran 290700USAM.EXE and did nothing else, from what I remember. The SR program was working for me ... I just assumed that running 290700USAM.EXE installed 290700UP.INF or took care of that step. I have SR installed on one computer to test ...but that was using the last set of instructions that I posted in post #27. I had SR installed on two computers but I had to redo a computer with my Ghost backup because of another problem (not SR related) and I decided to put PowerQuest Second Chance v2.07 on that computer ... I always liked that backup-restore program, I read that some people think the whole idea of SR came from the PowerQuest Second Chance program, I don't know ... but I wanted to fool around with it again along with testing SR.

Edited by duffy98

11. Run this command:

C:\windows\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\System Restore\290700UP.INF

If this is how you run the command line for the 290700UP.INF and everything installs correctly, then yes, you are right.

I have never run it like this because I don't know command switches that well. I always ran it manually.

But thanks for shedding some light our way as usual.


  • 1 year later...

Here is System Restore on my hybrid system. It witnesses the same bug as in WinME and WinXP with the infamous "restoration was unsuccessful" :} I'm going to invest some time into this to prevent the bug altogether. Sometimes it works, sometimes it doesn't. I also want to strip it down to core files only. There is no need for Help and Support center. One fix at a time :thumbup

Edited by PROBLEMCHYLD

After doing hours of searching, I think that most of the time System Restore doesn't work because restore points get corrupted. And if one restore point gets corrupted, then all of the points get corrupted. This is what causes "restoration was unsuccessful". If we can figure out why and how restore points get corrupted, we can come up with a solution.

Edited by PROBLEMCHYLD

Does anyone know of a tool that will monitor System Restore actions?

I seem to remember Mark Russinovich saying something about Win9x call-hooking being unreliable, and this was the reason that ProcMon only worked on NT, and that FileMon and RegMon didn't capture 100% of the events or allow boot logging.

This is why long ago I decided to skip attempts at realtime capture ( Win9x really doesn't need another destabilizing variable :lol: ) and just do before and after logs.

Save a complete Registry Export and also a complete FileList ( DIR C:\ /a /s >FILELIST.TXT ). The FileList should be done using a patched COMMAND.COM naturally. See here and here.

Then you can WinDiff them at your leisure later rather than the substantial risk of a realtime monitor which by design must use a custom driver VXD. Risking a BSOD during a System Restore is a nomination for a Darwin Award! Just my IMHO.
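
The before-and-after comparison described in the post above, as an added example that is not part of the original thread: a Python parser for two DIR /a /s listings that reports added, removed and changed files with their full paths. The listings are constructed; three of the sizes come from this thread, while the directories, dates, times and the Win9x column layout are assumptions.

```python
import re

# One Win9x DIR file line (assumed layout): 8.3 name, size with commas, mm-dd-yy
# date, 12-hour time, optional long name. <DIR> and summary lines do not match.
ENTRY = re.compile(r"^(.{8}) (.{3})\s+([\d,]+)\s+(\d\d-\d\d-\d\d)"
                   r"\s+(\d{1,2}:\d\d[ap])(?:\s+(.*))?$")

def parse_dir_listing(text):
    """Map full 8.3 path -> (size in bytes, 'date time') for each file."""
    files, cwd = {}, ""
    for line in text.splitlines():
        if line.strip().lower().startswith("directory of "):
            cwd = line.strip()[len("directory of "):].rstrip("\\")
        m = ENTRY.match(line)
        if m:
            name, ext = m.group(1).strip(), m.group(2).strip()
            short = name + ("." + ext if ext else "")
            size = int(m.group(3).replace(",", ""))
            files[(cwd + "\\" + short).upper()] = (size, m.group(4) + " " + m.group(5))
    return files

def diff_listings(before, after):
    """Report files added, removed, or changed in size or timestamp."""
    b, a = parse_dir_listing(before), parse_dir_listing(after)
    changed = sorted((p, b[p][0], a[p][0]) for p in a.keys() & b.keys() if a[p] != b[p])
    return {"added": sorted(a.keys() - b.keys()), "removed": sorted(b.keys() - a.keys()),
            "changed": changed}

# Constructed listings (long-name column omitted). BOOTLOG.TXT, USER.DAT and
# RESTOR~1.LOG sizes are the ones reported in this thread; the rest is assumed.
BEFORE = "\n".join([
    " Directory of C:\\",
    "BOOTLOG  TXT        71,081  01-05-13  10:02a",
    " Directory of C:\\WINDOWS",
    "USER     DAT       204,832  01-05-13  10:02a",
    "WIN      INI         9,120  01-02-13   4:15p",
])
AFTER = "\n".join([
    " Directory of C:\\",
    "BOOTLOG  TXT        73,973  01-05-13  10:40a",
    " Directory of C:\\WINDOWS",
    "USER     DAT       208,928  01-05-13  10:41a",
    "WIN      INI         9,120  01-02-13   4:15p",
    " Directory of C:\\_RESTORE",
    "RESTOR~1 LOG            65  01-05-13  10:41a",
])
if __name__ == "__main__":
    print(diff_listings(BEFORE, AFTER))
```

Because each entry is keyed by its directory, a file that changes size or timestamp is reported with its location, and an untouched file such as WIN.INI in the sample is left out of the report.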

I have already patched the COMMAND.COM in Win98 and already included them in the SP. I will follow your method and report back after I release 3.12. Thanks CTH :yes:

  • 2 weeks later...

I followed your instructions using WINDIFF.EXE 6.0.6000.16384 and here are the changes after System Restore has been run
BOOTLOG.TXT 71,081 [Before System Restore]
BOOTLOG.TXT 73,973 [After System Restore]

INFO2 2,260 [Before System Restore]
INFO2 2,820 [After System Restore]

USER.DAT 204,832 [Before System Restore]
USER.DAT 208,928 [After System Restore]

WORDPAD.LGC 12,195 [Before System Restore]
WORDPAD.LGC 12,251 [After System Restore]

RSTRUI.LGC 74,058 [After System Restore]

MYDOCU~1.MYD 0 [After System Restore]

RG50CA~1.CAB 3,877,888 [After System Restore]

RESTOR~1.LOG 65 [After System Restore]

A0000026.CPY 235 [After System Restore]
A0000030.CPY 0 [After System Restore]

Make note, that depending on how many restore points you have saved, the *.CAB file name will change.

All registry keys are created after running System Restore

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\StateMgr\ReservedDiskSpace]
"UIFreezeSize"=dword:00000032

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
"MenuText"="@shdoclc.dll,-864@0,Show &Related Links"
"MenuStatusBar"="@shdoclc.dll,-865@0,Shows links related to the current page."
"ButtonText"="@shdoclc.dll,-866@0,Related"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer"


I followed your instructions using WINDIFF.EXE 6.0.6000.16384 and here are the changes after System Restore has been run

When you Windiff the filelists you should get the file locations, dates/times in addition to the sizes, but they are not showing there. Can you confirm that the DIR filelists are complete?

Without seeing the filepaths I will assume that this is activity under _Restore directory. Was this a "Save" or "Restore" operation? I am going to guess it is a "Save" because the user registry hive is larger "after" the operation. So I guess these files you list were saved to the _Restore directory? But it did not save the System hive which is very important IMHO. Actually I don't see any system file changes at all.

At the minimum, a System Restore should save both ( on Win98 ) or all three ( WinME ) registry hives, as well as key files like SYSTEM.INI, WIN.INI, and it should be able to do quite a few more like VMM32.VXD just for an example. We could crowd source a nice complete list, but I thought that the WinME System Restore already had it built-in.


When you Windiff the filelists you should get the file locations, dates/times in addition to the sizes, but they are not showing there. Can you confirm that the DIR filelists are complete?

It does, I was just being lazy. :thumbup
Without seeing the filepaths I will assume that this is activity under _Restore directory. Was this a "Save" or "Restore" operation? I am going to guess it is a "Save" because the user registry hive is larger "after" the operation. So I guess these files you list were saved to the _Restore directory? But it did not save the System hive which is very important IMHO. Actually I don't see any system file changes at all.
It was System Restore.

The system hive is placed inside a .cab file in the _Restore folder. If you notice the change in the file sizes I posted above, it lets you know system restore has written new data. I only made minor changes, to speed up the process.
