When you run an antivirus program, you may receive a report that indicates
that one or more files in the _Restore\Temp or the _Restore\Archive folders
contain a virus or are infected with a virus. Also, your antivirus program
may indicate an inability to remove the virus from the file or files.
This behavior occurs because the System Restore feature in Windows
Millennium Edition (Me) protects all folders and files in the _Restore
folder on the Windows Me system partition. This folder and all of its
subfolders are the data store that the System Restore feature uses to
restore your computer's operating system to a previous state from a previous
point in time.
Although some antivirus programs may have the ability to work with files
that have been compressed or stored in .zip or .cab file format, the System
Restore feature does not permit these utilities to manipulate these files
within the data store. The data store is protected for data integrity
purposes, and the System Restore feature is the only method you can use to
obtain access to the data store. Because of this, the antivirus program is
unable to remove the virus from the file or files in the data store. The
files in the data store are inactive and can be used only by the System
Restore feature.
To work around this behavior, use the appropriate method.
Use the First In First Out (FIFO) Feature
The FIFO routine purges the oldest restore points so that newer, more
current restore points can be added to the data store. FIFO starts
automatically when the files in the data store reach 90 percent of the
maximum size of the data store. System Restore purges the oldest files first
until the files in the data store occupy no more than 50 percent of the
maximum size of the data store.
For example, if the maximum size of the data store is 400 megabytes (MB), 90
percent of this is 360 MB and 50 percent is 200 MB. If the data store is 200
MB when you view the properties of the _Restore folder, it is 50 percent of
the maximum size. If you adjust the size of the data store to the minimum
size of 200 MB, FIFO occurs when you click Apply.
NOTE: If the data store is less than 90 percent (180 MB) of the
minimum (200 MB) value, adjusting the size does not have any effect in
purging restore points. In this scenario, you must carefully consider the
use of the methods that are described in this article.
Over a period of time, the data store purges restore points on a FIFO basis
as the maximum size of the data store is reached. There are a few scenarios
in which FIFO can be used to purge older restore points to retain more
recent restore points on the computer.
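The following is an added example, not part of the original article or any Microsoft code. It models the 90 percent trigger and 50 percent target described above to show which restore points a resize would purge and when resizing has no effect. The restore point names and sizes are constructed, and purging in whole restore points is an assumption.

```python
# Model of the FIFO purge rule described in this article (illustrative only).
TRIGGER_PCT = 90  # FIFO starts when usage reaches 90 percent of the maximum
TARGET_PCT = 50   # and purges until usage is no more than 50 percent

# Constructed sample: five 40 MB restore points, oldest first (200 MB total).
SAMPLE_POINTS = [("rp1", 40), ("rp2", 40), ("rp3", 40), ("rp4", 40), ("rp5", 40)]


def fifo_purge(points, max_mb):
    """Return (purged_names, kept_names) after a FIFO pass at size `max_mb`.

    `points` is a list of (name, size_mb) tuples ordered oldest first.
    Assumption: whole restore points are purged, oldest first.
    """
    used = sum(size for _, size in points)
    if used * 100 < TRIGGER_PCT * max_mb:
        # Below the trigger: changing the size purges nothing.
        return [], [name for name, _ in points]
    kept = list(points)
    purged = []
    while kept and used * 100 > TARGET_PCT * max_mb:
        name, size = kept.pop(0)  # oldest restore point goes first
        purged.append(name)
        used -= size
    return purged, [name for name, _ in kept]


def infected_still_present(points, infected, max_mb):
    """Names of infected restore points that survive a FIFO pass."""
    _, kept = fifo_purge(points, max_mb)
    return [name for name in kept if name in infected]


if __name__ == "__main__":
    for max_mb in (400, 200):
        purged, kept = fifo_purge(SAMPLE_POINTS, max_mb)
        print(f"max={max_mb} MB purged={purged} kept={kept}")
    # A 170 MB store is under 90 percent of the 200 MB minimum: no purge.
    small = [(name, 34) for name, _ in SAMPLE_POINTS]
    print("170 MB store at 200 MB:", fifo_purge(small, 200))
    # An infected file in the newest restore point survives the resize.
    print("still infected:", infected_still_present(SAMPLE_POINTS, {"rp5"}, 200))
```

An infected file that sits in one of the newest restore points survives the resize in this model, which is the case where the manual purge method applies.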
FIFO Method 1
No action is required if the system has been cleaned and only the data store
is reported by the antivirus tool to have suspicious files. Until all
infected files are processed out on a FIFO basis, the antivirus tool may
still report that there are infected files that it cannot obtain access to
within the data store.
FIFO Method 2
You can trigger the FIFO feature to remove older restore points from the
data store by resizing the data store. To use the System Restore feature to
adjust the size of the data store:
1. View the properties of the _Restore folder to determine how much data
   is actually in the data store. You do this to determine if this step
   will have any effect on the data store. If the data store uses less
   than 90 percent (less than 180 MB) of the minimum value (200 MB), this
   method may have no effect on purging the restore points. If less than
   90 percent of the data store is used, even at the minimum settings you
   should consider using FIFO method 1 or using the "Manually Purge the
   Data Store" method that is listed later in this article.
2. Click Start, point to Settings, and then click Control Panel.
3. Double-click System, and then click the Performance tab.
4. Click File System.
5. Adjust the System Restore disk space use slider to the approximate
   lower amount, and then click Apply.
   Note that you can use the System Restore disk space use slider to
   select the minimum amount of space to allocate for the data store, the
   maximum amount, or a size in between. Adjusting the slider to a lower
   value changes the values that trigger FIFO. You may need to restart
   your computer for any changes to take effect.
6. Click OK, and then click OK to close System properties.
7. Use the antivirus tool to scan the computer to verify that the
   virus-infected files have been purged from the data store. If there
   are still infected files in the data store, repeat the previous steps
   and lower the data store size until the data store is clear of
   infected files.
   Note that you can also use the calendar page in the System Restore
   tool to view how far back the restore points were purged.
8. After the infected files have been cleared from the data store by
   using this method, return the slider to the original or appropriate
   size, click OK to close any open windows, and then restart your
   computer.
If there still is an infected file in the data store after you resize the
data store to the minimum size, you can either wait for it to be processed
out on a FIFO basis (FIFO method 1), or you may want to consider using the
"Manually Purge the Data Store" method that is described later in
this article to remove all restore points on your computer.
Manually Purge the Data Store
To completely and immediately remove the infected file or files in the data
store, disable and re-enable the System Restore feature.
WARNING: Using the following steps will completely remove all restore
points from the data store. Do not use this method if this will cause
problems. When you enable the System Restore feature again, the System
Restore feature will create a new restore point and then resume monitoring
your computer.
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, and then click the Performance tab.
3. Click File System, and then click the Troubleshooting tab.
4. Click to select the Disable System Restore check box, click Apply,
   click to clear the Disable System Restore check box, click Apply, and
   then click OK.
5. Restart the computer when you are prompted to do so. When the computer
   restarts, the data store is purged and the System Restore feature
   begins monitoring the system again.
This behavior is by design.
The _Restore folder is protected by default and prevents programs from using
or manipulating the files that are within this folder. These files are
inactive while in the data store and are not used by any utility other than
System Restore.
The System Restore feature is not designed to detect or scan for virus
infections or virus activity. Most computer virus infections seek or attack
files with extensions such as .exe or .com. These are file types that the
System Restore feature is designed to monitor.
NOTE: If you restore your computer to a previous state when you did
not have an installed antivirus tool, you must install an antivirus tool and
clean any files that were restored and are infected.