Marc27
  1. Regarding system restore point file names and change logs, Mandiant Restore Point Analyzer
  2. Ok... I tried the above ideas with no luck. So I move to the next step, trying to at least know which files and folders were deleted so that I can manually recreate them again. I've gone through the changes.txt files (unfortunately I realized they only contained a fraction of the lost folders) and the files of the system restore. I've one idea left. I regularly made backups of the registry, and so I have the registry key that contains the folder info of the root directory:
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\1475]
     Since this key contains information on custom item positions, it may as well contain the names of all the lost folders. My bet is that "ItemPos1152x864(1)" is the REG_BINARY value that I want to convert to readable text/string. Right now it looks like
     01 00 00 00 94 00 00 00 14 00 00 00 63 00 3A 00 5C 00 70 00 72 00 6F 00 67 00 72 00 61 00 6D 00 6d 00 65 00 ...
     around 2600 lines. Now I'm trying to figure out how to run a script to convert it. There is some code out there. Here there's a code post, but I'm not sure how to run it. Like:
         For Each Val As String In ValueName
             data = k.GetValue(Val)
             ListRecent.Items.Add(Val & ": " & encoding.GetString(data))
         Next
     and
         Function Microsoft.Win32.RegistryKey.GetValue(name as String) as Object
     Edit: I realize this is not Recuva's land, so if it's too tricky, where do you recommend I ask?
  3. It looks like it behaves differently as well when undoing a restoration. The restore points in F are around 1,77 GB, and looking at the files I can tell they are there but renamed. And maybe that's the reason why Recuva can't find more files with their original names/paths... (at least in F, I still don't know why it found so few folders in C before restoring all files via system restore). So considering that it's highly unlikely to recreate a restore point (though I can still try copying all the files to the volume information folder), can the files contained there be renamed? So far the file "changes.txt" seems to contain a list, but it's in a difficult-to-read format. Maybe it can be converted to a more readable one, and then a program like Renamer used to rename the files? Edit: @Ishi OK, then I will try this. I already tried copying only the files in C to the volume information folder... So I will try copying the recovered restore files of C and F to their respective volume information folders in their partitions, and copying only the recovered files of F while disabling the supervision of all the other partitions. Edit2: @Super Fast So I just checked the system attributes of the recovered files as well. There's a check box that reads "File" that is checked; "Read only" and "Hidden" are unchecked. Does "File" equal "System"? If not, I can easily change all the file attributes with BulkFileChanger and set the files as read-only or hidden.
  4. Sorry for that, it should have been marked as deleted** (that happens for posting late). So how should I use the recovered restore point files? Should I try copying all the files from to the volume information folder? Or maybe creating a new point and replacing the files (like importing)? At this point it looks more likely to recover the files from the recovered restore point files from F.
  5. Yes, that's it! (I already recovered the files of both drives with Recuva.) What I'm trying to figure out is how to use them. The folder actually contains lots of application toolkits, so the exe's should be OK. I always scan them with VirusTotal and download them from trusted sources. Also, maybe I'm missing some basic stuff about system restore, but if malware deleted the files, shouldn't system restore be unable to restore them? Since, if I recap correctly, it doesn't actually store a copy of the files...? There's another point that I didn't mention: after undoing the restoration, not all the files that I copied from C to F disappeared; oddly, all the folders that didn't disappear are folders that didn't disappear in C either (after the initial error). Anyway, it makes sense to run a malware scan just to be sure.
  6. As far as I can tell, the files got marked for deletion, because of the increase in free space that matches the size of the lost data. I really don't believe there's a virus... I checked the processes, memory and performance, and did a quick memory scan. I will go into a little more detail on how the error happened: I was working with several folders in the same main directory. I was actually checking them in order (the 500+ folders). At one point I attempted to open the next folder and I got the error "unable to..", tried with the one that followed after that and again got the same error. After 2 seconds those two folders disappeared, and then I realized that the item count in the status bar had changed from approx. 550 to 280. Nothing in the recycle bin. No error message in the event viewer. An interesting point is that before using the restore point (which effectively restored all the files) Recuva didn't manage to find many of them, hence they may not be all that badly overwritten. That leads me to believe that those files are recoverable and that somehow this error, or whatever happened, makes it hard for Recuva to find them while Windows can manage to recover them. I've used Recuva many times in the past and it usually manages to find & recover most of the files. In this case it only displayed files from 5-6 of 270 folders. So, having most (I hope) of the files of the restore points that managed to find and recover all the files, there may be some way to retrieve them (either from the restore files of the main partition C or from the ones in the third partition F). There's even a file "change.txt" that seems to list the files/directories that were deleted (in both C and F syst. restore files). Edit: I didn't mention in the first post that the "Files Recovered in second partition" File List F.txt are files of the restore point in F.
  7. Hello, this is the situation... Suddenly I received an error in Windows, something like "cannot locate the route of the specified file" when attempting to open a folder, and at the same time 200 other folders that were present in the same directory as the one that I tried to open disappeared! I rebooted, nothing. So I tried system restore, and well, it fixed it, it restored all the files. But then I made the biggest mistake ever: I thought of undoing the restoration and taking note of some configs I made in the time between the last restore point and the actual state. But right after I undid the restoration, a notification popped up telling me that there was little space on disk and !@# all system restore points were deleted. The reason for this, it seems, is that when I restored the system I copied the vanished files to another partition (which it seems had system restore enabled on it too), causing this drive to lose all the restore points. After undoing the restoration, the files copied to the other partition were lost as well. So, my bet is these files are somewhere. I ran Recuva but it only detected a handful of the folders, even before I used the system restore point. Meaning the files were there but Recuva couldn't recover them. Now, the first thing I did after all the restore points were gone: scanned with Recuva and saved the files to a third partition, so I got this File List C.txt (it seemed a better idea than posting it in the code box). So I'm sure the files are there and may be recovered, but Recuva doesn't detect them. Options that come to my mind are to attempt to recreate the old restore point using the files recovered with Recuva. Else, to only use the info related to the files and import** that info into an actual restore point. I already learnt how to access the system restore protected directory. Third, I can try to recover the files from the other (second) partition, to which I copied the files as well but which disappeared after I undid the restoration. These files are quite important, meaning lots and lots of work, hence all the effort to recover them. Files Recovered in second partition (note I didn't manage to recover all - I ran out of space - up to 75% 1.77GB) File List F.txt I forgot to mention I'm running Windows XP SP3...
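
For the REG_BINARY-to-text conversion asked about in post 2, an added example (not code from the thread or from any tool it mentions): it parses either a space-separated hex dump or a regedit `hex:` export and lists the UTF-16LE text runs it finds, with their offsets. The first 36 bytes of `SAMPLE` are the ones quoted in the post; the remaining bytes, `SAMPLE_REG`, and the Latin-1-only restriction are constructed assumptions, and nothing here assumes a particular layout for the ItemPos value.

```python
import re

# Bytes quoted in the post (first two lines), followed by a constructed tail:
# a NUL terminator, two filler bytes and a second, made-up name.
SAMPLE = (
    "01 00 00 00 94 00 00 00 14 00 00 00 63 00 3A 00 5C 00 70 00 72 00 "
    "6F 00 67 00 72 00 61 00 6D 00 6d 00 65 00 "
    "00 00 ff fe 54 00 6f 00 6f 00 6c 00 73 00 00 00"
)

# Constructed regedit-style export of the same kind of value, including the
# ",\" line continuation that regedit writes for long REG_BINARY data.
SAMPLE_REG = '"ItemPos1152x864(1)"=hex:63,00,3a,00,5c,00,74,00,\\\n  6d,00,70,00,00,00'


def parse_hex(text):
    """Turn 'AA BB ..' dumps or a regedit '"name"=hex:aa,bb,\\' line into bytes."""
    # Drop everything up to and including '=hex:' or '=hex(N):' if present.
    text = re.sub(r'^.*?=\s*hex(\([0-9a-fA-F]+\))?:', '', text, flags=re.S)
    tokens = [t for t in re.split(r'[\s,\\]+', text) if t]
    bad = [t for t in tokens if not re.fullmatch(r'[0-9a-fA-F]{2}', t)]
    if bad:
        raise ValueError(f"not a hex byte: {bad[0]!r}")
    return bytes(int(t, 16) for t in tokens)


def utf16le_strings(data, min_chars=4):
    """Return (offset, text) for each run of printable UTF-16LE characters.

    Assumption: names use Latin-1 characters only (high byte 0x00), which
    keeps random binary data from being reported as text.
    """
    run = re.compile(rb'(?:[\x20-\x7e\xa0-\xff]\x00){%d,}' % min_chars)
    return [(m.start(), m.group().decode('utf-16-le')) for m in run.finditer(data)]


if __name__ == "__main__":
    for source in (SAMPLE, SAMPLE_REG):
        for offset, text in utf16le_strings(parse_hex(source)):
            print(f"0x{offset:04x}  {text}")
```

Names containing characters outside Latin-1 are split or skipped by this filter, so widen the byte class if the lost folders used other scripts.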