I'll never forget a product demo I saw at a computer industry trade show several years ago. The product was touted for undoing user-inflicted damage to a computer, and as part of the demo, the vendor booted the machine to a command prompt and deleted the machine's Windows directory.
Well, you can guess what happened next: When he rebooted the machine, it displayed a message that said something like "File WIN.COM missing." He then booted his software and told the machine to go back in time two minutes. When he rebooted the machine and Windows came up, the crowd applauded.
Sadly, this product seemed to vanish into obscurity after Microsoft began to incorporate System Restore points into Windows. System Restore points do basically the same thing as the software I just described: They let you go back in time and undo the last set of changes that were made to the Windows operating system. For instance, you can easily recover Windows after you install a buggy device driver.
System Restore points are a great feature, but I think the main advantage that the third-party software had over System Restore points was that the vendor's product was not part of the operating system. You could completely blow the operating system away and then restore the system to a functional state all within a couple of minutes because the software functioned outside of the operating system rather than as part of it.
Don't get me wrong. In spite of the imperfections associated with the
That particular incident got me thinking, though. I was able to recover the machine relatively easily, but the machine was only one computer in an office filled with similarly configured machines. If every machine in the office had become infected, it probably would have taken me a really long time to recover every single machine.
Enterprise-level recovery options
System Restore works well, but unfortunately it isn't really suitable for an enterprise-level recovery because there is no console through which you can perform a recovery on multiple machines.
In a situation where an infection becomes widespread or a bad driver or patch causes a number of workstations to have problems, many people wouldn't even bother to try to salvage Windows. In most of the organizations I have been involved with, the solution would be to simply blank the machine's hard drives and then use a Remote Installation Server or something similar to install a clean operating system and application set onto the machine. Microsoft Software Update Services (SUS) or Systems Management Server (SMS) would then be used to bring the newly installed operating system up to date.
This technique will definitely get the job done, but my experience has been that using this method often leads to data loss. Even if you tell users not to save data to their local hard drive and you redirect the My Documents folder to a network share, someone will have saved all of their stuff locally -- it never fails. If you re-image a hard drive, then any data saved on the hard disk will be overwritten. That is why I prefer to salvage the current operating system if possible.
Enterprise-grade system recovery products do exist. One such product is Recovery Manager from Winternals Software LP (http://www.winternals.com/es/solutions/recoverymanager.asp), which I found works similarly to Windows' System Restore feature with a few exceptions.
Recovery Manager lets you recover multiple systems simultaneously. Plus, it will recover workstations, even if those workstations are not bootable. It also gives you some forensic information regarding the cause of the Windows malfunction.
Between third-party products targeted to the enterprise and Microsoft's System Restore points, you can change the past.
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.
This was first published in June 2005