Jump to content

Welcome to MSFN Forum
Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more. This message will be removed once you have signed in.
Login to Account Create an Account


Photo

[Solved] Win 98/98SE System Restore

- - - - -

  • Please log in to reply
42 replies to this topic

#26
dencorso

dencorso

    Adiuvat plus qui nihil obstat

  • Super Moderator
  • 5,793 posts
  • OS:98SE
  • Country: Country Flag

Donator

One blank line at the end of a registry file always has been enough here... :w00t:

One is usually enough. Two is bullet-proof!

Btw, whenever I (extremely rarely) install Windows ME, the first thing I do is get rid of that PC Health and System Restore. :thumbup


I do, too! On Win ME (with OPPCOMME) and on Win XP (together with WFP and DEP). (And I'm trying to find out how to do it on 7... But that's way off-topic! :blushing:) I consider SR a nuisance to be avoided (I do create system and data images regularly, as back-ups, obsessively, though), but grant it may be useful to some. And, yes, I do appreciate it was a worthy challenge to port it to Win 98 FE/SE, of course!

Now, credit where credit's due: although I did patch that one VxD at his request (and never touched it afterwards), System Restore on Win 98 FE/SE always was ProblemChyld's project, and it was only due to his research, persistence and hard work that it came int being. So all kudos ought to go to him. And to duffy98 who first tested it on various other machines, proving it's mature. This thread is now listed in the Important / "Stickified" / Pinned Windows 95/98/98 SP1/98 SE/ME Topics list, as warranted. :yes:

But now that things are working and the main issues identifyed and solved, I'd like to ask duffy98 to write a wrap-up post, a one-post how-to, to help other users who may be willing to try it on their systems. I reckon there are many important details scattered throughout this thread (and maybe the previous one quoted on post #1), so a wrap-up would be most helpful.

Later edit: Thanks a lot, duffy98, for providing the one-post how-to! :thumbup


How to remove advertisement from MSFN

#27
monroe

monroe

    Friend of MSFN

  • MSFN Sponsor
  • 868 posts
  • OS:XP Pro x86
  • Country: Country Flag

Donator

Getting System Restore To Work On Windows 98 / 98SE

When Windows Me came along there was a new program called System Restore that Microsoft included with the OS. System Restore can provide a way to "go back" or repair damage that has occurred from a bad software install or if you installed a program to try out and then decided to remove it. However, System Restore is not a 100% guarantee that everything will be the way it was when going back to an earlier Restore Point. It can be a "hit and miss" thing ... but it may be of use to some 98 users.

Thanks to some smart and crafty MSFN Forum people ... System Restore can now work (run) on Windows 98FE / 98SE. You will need a Windows Me Installation CD, the patched version of the "vxdmon file" and the 290700usam.exe from Microsoft.

vxdmon file (patched)

290700usam.exe



If all goes well then that may be all you really need, in my case I also needed some other files and a registry fix to get System Restore up and running.

First ... extract or copy "PCHealth.inf" from your WinMe CD to C:\Windows\Inf

Then run this command:

C:\windows\rundll.exe setupx.dll,InstallHinfSection PCHealth.Install 132 C:\WINDOWS\INF\PCHealth.inf

This is where the missing files may start showing up and you will have to have the WinMe CD handy ... it will be asking for the Windows 98SE Installation Disk but you will be using the WinMe CD instead. I had trouble with these two missing files ... checksr.bat + ebdundo.exe ... so I extracted them and put them in a folder to have handy. All the other missing files should be automatically found on the WinMe CD.

After the above command has finished running, then go to Windows\System\Vmm32 and remove the "vxdmon file" and replace it with the patched "vxdmon file".

Then install "290700usam.exe" and you should be good to go. I will add here that "290700usam.exe" would not install for me until I used KernelEx Final to change the compatibility to Windows Millennium. It then installed with no problem.

The System Restore tab will be in the Start\Programs\Accessories\System Tools area.

Now there could be another problem which may or may not show up when you open System Restore. When you open the earlier Restore Points area you should be seeing a newly created Restore Point only a few minutes old ... since you just installed the System Restore program. However, you might see no Restore Points and the date Saturday December 30, 1899. Also, if you click on the "Help" tab in the upper right area, you may see only blank white pages. If you are seeing the 1899 date and blank pages then you will have to do a quick registry fix that should correct the problem.

Back up your registry first if you have COP or some other registry backup program ... just to be on the safe side and then add this fix: Just what is between the lines ... dencorso also made a small registry fix download ... either will work.

1899 Registry fix

--------------------------------------------------------------------------------
REGEDIT4

[HKEY_CLASSES_ROOT\.htc]
"Content Type"="text/x-component"

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/x-component]
"CLSID"="{3050f4f8-98b5-11cf-bb82-00aa00bdce0b}"
"Extension"=".htc"

[HKEY_CLASSES_ROOT\CLSID\{3050f4f8-98b5-11cf-bb82-00aa00bdce0b}]
@="Microsoft Html Component"

[HKEY_CLASSES_ROOT\CLSID\{3050f4f8-98b5-11cf-bb82-00aa00bdce0b}\InProcServer32]
@="C:\WINDOWS\\SYSTEM\\MSHTML.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.htc]
"Content Type"="text/x-component"


--------------------------------------------------------------------------------

This procedure worked for me ... provided by PROBLEMCHYLD

PROBLEMCHYLD said this about dencorso: All credit goes to dencorso, without him patching the vxd file, we would not be running system restore on Win98SE.
Thanks dencorso.

... and dencorso said this about PROBLEMCHYLD: Now, credit where credit's due: although I did patch that one VxD at his request (and never touched it afterwards), System Restore on Win 98 FE/SE always was ProblemChyld's project, and it was only due to his research, persistence and hard work that it came into being. So all kudos ought to go to him.

So we can appreciate having the System Restore program for Windows 98FE / SE finally.

.... Some follow up information. I was wondering if after awhile the Restore Points would start to build up and a person might like to delete some of the older Restore Points eventually. Also can the disk space usage setting be adjusted from the MS default setting, if someone wanted to do this. I got this information from PROBLEMCHYLD:

In order to have the option (Disk Space Usage) in System Restore you will need 98SE2ME also in order to disable System Restore, which will then allow older points created to be deleted. You need 98SE2ME because it installs some system files. If you just want to create Restore Points + Restore them back, then 98SE2ME is not needed, but if you want those two options then 98SE2ME is needed.

Edited by duffy98, 27 February 2011 - 12:30 PM.


#28
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag
Just FYI, these two are the same thing ...

 

[HKEY_CLASSES_ROOT\.htc]
"Content Type"="text/x-component"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.htc]
"Content Type"="text/x-component"

... Let him who hath understanding reckon the Number Of The Beast ...


#29
monroe

monroe

    Friend of MSFN

  • MSFN Sponsor
  • 868 posts
  • OS:XP Pro x86
  • Country: Country Flag

Donator

Hi CharlotteTheHarlot ... I got that registry fix from the MS Support page .... so I just went with what they supplied ... if it can be altered or changed, I don't know. It's a bit over my head. They show a manual registry fix and then the REGEDIT4 fix, which I decided to use. There are two fixes in that REGEDIT4 ... the 1899 date fix and the blank Help pages fix, so that may have some bearing on why MS supplied that particular fix, I can't say for sure.

System Restore Shows Date of Saturday, December 30, 1899

http://support.microsoft.com/kb/275646


To merge all the information at one time, you can copy and paste the following text into Microsoft Notepad, and then save it as a .reg file:

REGEDIT4

[HKEY_CLASSES_ROOT\.htc]
"Content Type"="text/x-component"

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/x-component]
"CLSID"="{3050f4f8-98b5-11cf-bb82-00aa00bdce0b}"
"Extension"=".htc"

[HKEY_CLASSES_ROOT\CLSID\{3050f4f8-98b5-11cf-bb82-00aa00bdce0b}]
@="Microsoft Html Component"

[HKEY_CLASSES_ROOT\CLSID\{3050f4f8-98b5-11cf-bb82-00aa00bdce0b}\InProcServer32]
@="C:\WINDOWS\\SYSTEM\\MSHTML.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.htc]
"Content Type"="text/x-component"


-------------------------------------------------------------------------------------------------------------------------------------

Edited by duffy98, 27 February 2011 - 05:15 AM.


#30
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag

Hi CharlotteTheHarlot ... I got that registry fix from the MS Support page .... so I just went with what they supplied ... if it can be altered or changed, I don't know. It's a bit over my head. They show a manual registry fix and then the REGEDIT4 fix, which I decided to use. There are two fixes in that REGEDIT4 ... the 1899 date fix and the blank Help pages fix, so that may have some bearing on why MS supplied that particular fix, I can't say for sure.


Understood. There is nothing wrong with what they did, you can put the identical entry in over and over, don't matter a wit.

It's just interesting that the last key is using HKLM but all previous were HKCR. The last one seems to have been tacked on later for some reason even though it needn't be there.

Just a curiosity, nothing more. Anyone else reading this intending to use the script can ignore this!

... Let him who hath understanding reckon the Number Of The Beast ...


#31
monroe

monroe

    Friend of MSFN

  • MSFN Sponsor
  • 868 posts
  • OS:XP Pro x86
  • Country: Country Flag

Donator

CharlotteTheHarlot ... understand ... I know how to add, change and delete items in the registry but as to what should actually be in the registry or how it should be there ... I wouldn't have a clue. I just follow what you and others suggest for this or that. I remember some time back you and others posted about deleting some "unnecessary" registry entries, I did follow what was posted but there is no way I could ever look in the registry and make that call. ... thanks.

... just would like to add about the System Restore guide that I posted. I covered everything that I had knowledge of ... if someone has further questions or runs into any "new" problems during the install or afterwards, please post for PROBLEMCHYLD to be of help to you. It's his project, glad he took it on. I tried fooling around with System Restore right after Windows Me first came out ... wanted to see if I could get it to work in 98SE ... like I said, I just fooled around, I wasn't even close to getting anything to work on 98SE ... thanks for taking the interest and making the program work for those that might like to use it.

Edited by duffy98, 27 February 2011 - 12:25 PM.


#32
monroe

monroe

    Friend of MSFN

  • MSFN Sponsor
  • 868 posts
  • OS:XP Pro x86
  • Country: Country Flag

Donator

I got a System Restore update from PROBLEMCHYLD ... he has put everything in a nice step by step set of instructions.
This should be the final say I guess ...

You might want to revise the instructions as I have done so below.

1. Create a folder and name it System Restore.

2. Download the patched VXDMON.VXD and copy it to the System Restore folder.

3. Download the update 290700USAM.EXE then extract the files to the System Restore folder.

4. Extract the Pchealth.inf from PRECOPY1.CAB and copy it to the C:\Windows\Inf folder.

5. Extract these 3 files from BASE2.CAB to the System Restore folder.
CHECKSR.BAT
EBD.CAB
EBDUNDO.EXE

6. Copy the whole Win9X folder to the C:\directory. (You must have a WinME CD for the necessary files.)

7. Copy everything from inside the System Restore folder to the Win9X folder.

8. Run this command:
C:\windows\rundll.exe setupx.dll,InstallHinfSection PCHealth.Install 132 C:\WINDOWS\INF\PCHealth.inf

9. When asked for any files, point to the Win9X folder in C:\directory where all the updated files are.

10.Now copy the patched VXDMON.VXD from the System Restore folder to the C:\Windows\System\Vmm32 folder.
Restart computer.

11. Now run the 290700UP.INF, restart when done.

12. After running all above instructions you should get a successful installation of System Restore for Win98\98SE which will lead to a successful restoration and no problems or errors.

13. You will need 98SE2ME for two reasons:
-to have the options (Disk Space Usage) in System Restore to configure the settings
-to disable System Restore, which will then allow older restore points created to be deleted
because it installs some system files that are needed.
If you just want to create Restore Points + Restore them back,
then 98SE2ME is not needed, but if you want those two options then 98SE2ME is needed.

If you followed all instructions step by step, you shouldn't have any problems. I just did all of these steps
and got a successful restoration.

Thanks to dencorso for patching the VXDMON.VXD.

I'll add ... thanks to PROBLEMCHYLD for figuring it all out.

Edited by duffy98, 06 March 2011 - 03:23 PM.


#33
dencorso

dencorso

    Adiuvat plus qui nihil obstat

  • Super Moderator
  • 5,793 posts
  • OS:98SE
  • Country: Country Flag

Donator

By

11. Now run the 290700UP.INF, restart when done.

do you mean...

11. Run this command:
C:\windows\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\System Restore\290700UP.INF

? Posted Image

#34
monroe

monroe

    Friend of MSFN

  • MSFN Sponsor
  • 868 posts
  • OS:XP Pro x86
  • Country: Country Flag

Donator

I sent a message to PROBLEMCHYLD about your question ... either he will read that or see your question here. I was confused about that earlier also ... I asked him about that in Post #11 and never got a clear answer so I just ran 290700USAM.EXE and did nothing else, from what I remember. The SR program was working for me ... I just assumed that running 290700USAM.EXE installed 290700UP.INF or took care of that step. I have SR installed on one computer to test ...but that was using the last set of instructions that I posted in post #27. I had SR installed on two computers but I had to redo a computer with my Ghost backup because of another problem (not SR related) and I decided to put PowerQuest Second Chance v2.07 on that computer ... I always liked that backup-restore program, I read that some people think the whole idea of SR came from the PowerQuest Second Chance program, I don't know ... but I wanted to fool around with it again along with testing SR.

Edited by duffy98, 07 March 2011 - 09:13 AM.


#35
PROBLEMCHYLD

PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,528 posts
  • OS:98SE
  • Country: Country Flag

11. Run this command:
C:\windows\rundll.exe setupx.dll,InstallHinfSection DefaultInstall 132 C:\System Restore\290700UP.INF

If this is how you run the command line for the 290700UP.INF and everything installs correctly, then yes your are right.
I have never ran it like this because I don't know command switches that well. I always ran it manually.
But thanks for shedding some light outr way as usual.

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013


#36
PROBLEMCHYLD

PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,528 posts
  • OS:98SE
  • Country: Country Flag
Here is System Restore on my hybrid system. It witness the same bug as in WinME and WinXP with the infamous restoration was unsuccessful :} I'm going to invest some time into this to prevent the bug altogether. Sometimes it works sometimes it don't. I also want to strip it down to core files only. There is no need for Help and Support center. One fix at a time :thumbup

Edited by PROBLEMCHYLD, 21 November 2012 - 11:26 AM.

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013


#37
PROBLEMCHYLD

PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,528 posts
  • OS:98SE
  • Country: Country Flag
After doing hours of searching, I think that most of the time System Restore doesn't work is because restore points get corrupted. And if one restore point get corrupted, then all of the points get corrupted. This is what causes the restoration was unsuccessful. If we can figure out why and how restore points get corrupted, we can come up with a solution.

Edited by PROBLEMCHYLD, 22 November 2012 - 11:50 AM.

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013


#38
PROBLEMCHYLD

PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,528 posts
  • OS:98SE
  • Country: Country Flag
Does anyone know of a tool that will monitor System Restore actions?

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013


#39
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag

Does anyone know of a tool that will monitor System Restore actions?

I seem to remember Mark Russinovich saying something about Win9x call-hooking being unreliable, and this was the reason that ProcMon only worked on NT, and that FileMon and RegMon didn't capture 100% of the events or allow boot logging.

This is why long ago I decided to skip attempts at realtime capture ( Win9x really doesn't need another destabilizing variable :lol: ) and just do before and after logs.

Save a complete Registry Export and also a complete FileList ( DIR C:\ /a /s >FILELIST.TXT ). The FileList should be done using a patched COMMAND.COM naturally. See here and here.

Then you can WinDiff them at your leisure later rather than the substantial risk of a realtime monitor which by design must use a custom driver VXD. Risking a BSOD during a System Restore is a nomination for a Darwin Award! Just my IMHO.

... Let him who hath understanding reckon the Number Of The Beast ...


#40
PROBLEMCHYLD

PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,528 posts
  • OS:98SE
  • Country: Country Flag

Does anyone know of a tool that will monitor System Restore actions?

I seem to remember Mark Russinovich saying something about Win9x call-hooking being unreliable, and this was the reason that ProcMon only worked on NT, and that FileMon and RegMon didn't capture 100% of the events or allow boot logging.

This is why long ago I decided to skip attempts at realtime capture ( Win9x really doesn't need another destabilizing variable :lol: ) and just do before and after logs.

Save a complete Registry Export and also a complete FileList ( DIR C:\ /a /s >FILELIST.TXT ). The FileList should be done using a patched COMMAND.COM naturally. See here and here.

Then you can WinDiff them at your leisure later rather than the substantial risk of a realtime monitor which by design must use a custom driver VXD. Risking a BSOD during a System Restore is a nomination for a Darwin Award! Just my IMHO.

I have already patched the COMMAND.COM in Win98 and already included them in the SP. I will follows your method and report back after I release 3.12. Thanks CTH :yes:

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013


#41
PROBLEMCHYLD

PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,528 posts
  • OS:98SE
  • Country: Country Flag

I seem to remember Mark Russinovich saying something about Win9x call-hooking being unreliable, and this was the reason that ProcMon only worked on NT, and that FileMon and RegMon didn't capture 100% of the events or allow boot logging.

This is why long ago I decided to skip attempts at realtime capture ( Win9x really doesn't need another destabilizing variable :lol: ) and just do before and after logs.

Save a complete Registry Export and also a complete FileList ( DIR C:\ /a /s >FILELIST.TXT ). The FileList should be done using a patched COMMAND.COM naturally. See here and here.

Then you can WinDiff them at your leisure later rather than the substantial risk of a realtime monitor which by design must use a custom driver VXD. Risking a BSOD during a System Restore is a nomination for a Darwin Award! Just my IMHO.

I followed your instructions using WINDIFF.EXE 6.0.6000.16384 and here are the changes after System Restore has been run
BOOTLOG.TXT 71,081 [Before System Restore]
BOOTLOG.TXT 73,973 [After System Restore]

INFO2 2,260 [Before System Restore]
INFO2 2,820 [After System Restore]

USER.DAT 204,832 [Before System Restore]
USER.DAT 208,928 [After System Restore]

WORDPAD.LGC 12,195 [Before System Restore]
WORDPAD.LGC 12,251 [After System Restore]

RSTRUI.LGC 74,058 [After System Restore]

MYDOCU~1.MYD 0 [After System Restore]

RG50CA~1.CAB 3,877,888 [After System Restore]

RESTOR~1.LOG 65 [After System Restore]

A0000026.CPY 235 [After System Restore]
A0000030.CPY 0 [After System Restore]

Make note, that depending on how many restore points you have saved, the *.CAB file name will change.

All registry keys are created after running System Restore

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\StateMgr\ReservedDiskSpace]
"UIFreezeSize"=dword:00000032

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
"MenuText"="@shdoclc.dll,-864@0,Show &Related Links"
"MenuStatusBar"="@shdoclc.dll,-865@0,Shows links related to the current page."
"ButtonText"="@shdoclc.dll,-866@0,Related"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Cache"=hex:e9,fd,00,00,2e,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\1]
  00,00,00,00,00,00,94,95,45,00,00,00,00,00,5f,04,00,00,07,00,00,00,e0,d0,57,\
  23,bd,01,00,00,02,00,00,00,19,00,22,45,3a,5c,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,29,38,e8,00,00,00,02,00,00,00,14,00,2e,1e,20,20,ec,21,\
  ea,3a,69,10,a2,dd,08,00,2b,30,30,9d,2f,01,00,00,02,00,00,00,14,00,2e,80,a0,\
  ff,2c,99,57,f5,1a,10,88,ec,00,dd,01,0c,cc,48,76,01,00,00,02,00,00,00,14,00,\
  2e,80,36,b7,11,e2,fd,43,d1,11,9e,fb,00,00,f8,75,7f,cd,76,01,00,00,02,00,00,\

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\14]
  00,00,00,00,00,00,00,f0,f0,f0,f0,14,00,03,00,6a,01,00,00,00,00,00,00,00,00,\
  2e,45,58,45,00,e8,00,00,00,02,00,00,00,29,00,32,00,1a,b7,04,00,8d,41,2e,a1,\
  20,00,46,49,4c,45,4c,49,53,54,31,2e,54,58,54,00,46,49,4c,45,4c,49,7e,31,2e,\
  54,58,54,00,2f,01,00,00,02,00,00,00,20,00,32,00,38,79,53,00,8d,41,57,a1,20,\
  00,52,45,47,31,2e,72,65,67,00,52,45,47,31,2e,52,45,47,00,76,01,00,00,02,00,\
  00,00,1c,00,32,00,00,6e,b6,03,8a,41,19,44,20,00,55,39,38,53,45,53,50,33,2e,\
  45,58,45,00,00,8f,01,00,00,96,00,00,00,29,00,32,00,e8,b8,04,00,8d,41,92,a1,\
  20,00,46,49,4c,45,4c,49,53,54,32,2e,54,58,54,00,46,49,4c,45,4c,49,7e,32,2e,\
  54,58,54,00,8f,01,00,00,96,00,00,00,00,00,bf,7f

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU"=hex:02,00,00,00,46,00,00,00,60,d1,c6,45,6e,d9,cd,01
"HRZR_HVFPHG"=hex:02,00,00,00,22,00,00,00,a0,2f,ba,3b,6e,d9,cd,01
"HRZR_EHAJZPZQ"=hex:02,00,00,00,21,00,00,00,60,43,ba,44,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,130"=hex:02,00,00,00,10,00,00,00,80,33,23,44,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,132"=hex:02,00,00,00,10,00,00,00,80,33,23,44,6e,d9,cd,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf"=hex:02,00,00,00,06,00,00,00,00,eb,b5,10,\
  6e,d9,cd,01
"HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf\\Flfgrz Gbbyf"=hex:02,00,00,00,06,00,00,00,\
  00,eb,b5,10,6e,d9,cd,01
"HRZR_EHAJZPZQ:0k1,191"=hex:02,00,00,00,08,00,00,00,60,43,ba,44,6e,d9,cd,01
  00,00,00,06,00,00,00,00,eb,b5,10,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\Qrfxgbc\\OOO.ONG"=hex:02,00,00,00,0b,00,00,00,20,1f,\
  1e,31,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\ERTRQVG.rkr"=hex:02,00,00,00,07,00,00,00,60,d1,c6,\
  45,6e,d9,cd,01
"HRZR_EHACVQY"=hex:02,00,00,00,08,00,00,00,00,eb,b5,10,6e,d9,cd,01
"HRZR_EHACNGU:P:\\JVAQBJF\\FLFGRZ\\ERFGBER\\EFGEHV.RKR"=hex:02,00,00,00,06,00,\
  00,00,e0,b3,c6,10,6e,d9,cd,01

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer"

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013


#42
CharlotteTheHarlot

CharlotteTheHarlot

    MSFN Master

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,054 posts
  • OS:none specified
  • Country: Country Flag

I followed your instructions using WINDIFF.EXE 6.0.6000.16384 and here are the changes after System Restore has been run

When you Windiff the filelists you should get the file locations, dates/times in addition to the sizes, but they are not showing there. Can you confirm that the DIR filelists are complete?

Without seeing the filepaths I will assume that this is activity under _Restore directory. Was this a "Save" or "Restore" operation? I am going to guess it is a "Save" because the user registry hive is larger "after" the operation. So I guess these files you list were saved to the _Restore directory? But it did not save the System hive which is very important IMHO. Actually I don't see any system file changes at all.

At the minimum, a System Restore should save both ( on Win98 ) or all three ( WinME ) registry hives, as well as key files like SYSTEM.INI, WIN.INI, and it should be able to do quite a few more like VMM32.VXD just for an example. We could crowd source a nice complete list, but I thought that the WinME System Restore already had it built-in.

... Let him who hath understanding reckon the Number Of The Beast ...


#43
PROBLEMCHYLD

PROBLEMCHYLD

    The Resurrector for old Windows OS

  • Member
  • PipPipPipPipPipPipPipPip
  • 2,528 posts
  • OS:98SE
  • Country: Country Flag

When you Windiff the filelists you should get the file locations, dates/times in addition to the sizes, but they are not showing there. Can you confirm that the DIR filelists are complete?

It does, I was just being lazy. :thumbup

Without seeing the filepaths I will assume that this is activity under _Restore directory. Was this a "Save" or "Restore" operation? I am going to guess it is a "Save" because the user registry hive is larger "after" the operation. So I guess these files you list were saved to the _Restore directory? But it did not save the System hive which is very important IMHO. Actually I don't see any system file changes at all.

It was System Restore.
The system hive is placed inside a .cab file in the _Restore folder. If you notice the change in the file sizes I posted above, it lets you know system restore has written new data. I only made minor changes, to speed up the process.

Believe God is the Alpha and Omega.
Believe Jesus Christ died for our sins.
Repent for your sins now or there will be
BLOOD

The Path to God


U98SESP3 03-11-2013





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users



How to remove advertisement from MSFN