Controlling System Restore Behavior with respect to file location

Discussion in 'Windows Vista File Management' started by jimmuh, Jan 28, 2007.

  1. jimmuh

    jimmuh Guest

    Hi,

    I know that you can turn System Restore on / off on any given drive. What
    I'd like to know is whether or not specific locations on specific drives can
    be turned off so that the Shadow Copy feature stops keeping Previous Versions
    for those locations.

    The Previous Versions feature is a nice one. A lot of people apparently
    thought that such a feature was implicit in the Windows XP version of System
    Restore and learned, often to their chagrin, that it wasn't so. Nonetheless,
    I consider it a privacy and security issue that there appears to be no way,
    other than group policy (perhaps), to control just where Vista does its
    shadow copying.

    For example, I received e-mail from a colleague (whose system, it turns out,
    had been compromised). This e-mail contained a couple of image attachments
    which I saved to the Downloads directory under my own user account. When I
    viewed the images what I found was a pair of images my friend had certainly
    not intended to send to me. Nor, I suspect, had she ever even viewed them,
    much less deliberately saved them to her hard drive. I deleted the images.

    Flash forward a day. I accidentally delete my Downloads folder. (Hey, I was
    tired and under the weather.) I resort to Previous Versions to pick the most
    recent version of the folder so that it would have all of the correct
    properties. To my admittedly ingenuous surprise, there were the two porno
    images again!

    So, let's say that a user starts writing a nastygram to a client / customer
    / boss / whatever and then thinks better of it and deletes the file(s)
    involved. Or figure on some other similar scenario where you decide that
    there is a file or files that you really wish to remove PERMANENTLY from your
    system. As it turns out, anyone with access to your profile can peruse the
    Previous Versions tab on the Properties dialog for a given folder and, if the
    shadow copy system chose to make a copy at an inopportune (for you) time,
    there's the stuff you didn't want anyone else to see.

    Is there a way to prevent this from happening -- short of turning off System
    Restore altogether? This has the potential, I think, for causing the sorts of
    issues that happened (and still probably happen) in Office before the Remove
    Hidden Data Tool was made available.

    Anyone have a bead on this? If so, please tell me where to aim.
     
    jimmuh, Jan 28, 2007
    #1

  2. Jill Zoeller [MSFT], Jan 29, 2007
    #2

  3. jimmuh

    jimmuh Guest

    Thanks for that information, Jill.

    I think that I had already indicated in my initial post that I was aware
    that I could use a Group Policy to deal with this. But that's like throwing
    the baby out with the bath water. I mean, really, does it make sense to have
    to disable the operating system's first line means of recovering from serious
    system problems? (That's a question for Microsoft, not for you, Jill.)

    EFS on Vista Business? Well, sure, but then the recovery agents (the admins,
    the same people about whom I was worried before) on the system or domain can
    still get to the data.

    I'm one of those sysadmins who thinks that at least some of a client's data
    belongs only to her/him. If this system chooses an inopportune moment to
    perform a shadow copy, that client can't count on the mental scratch pad or
    whatever actually being gone. I've had to jump through some hoops on all
    operating systems to be sure that erasures were secure enough to please the
    legal types with whom I deal. I'm not going to tell them that even a secure
    file erasure isn't going to protect them. I can't give them sole admin access
    to these systems to protect their confidentiality because they would be
    hapless at dealing with anything. It's beginning to look as though, in order
    to use Vista, we'll be stuck with a procedural / physical security workaround
    that will be onerous at best. They'll be taking hard drives home in their
    briefcases, or we'll each have half of the password so that the system (which
    can't be joined to a domain) can be accessed as an admin only with the lawyer
    AND the admin present, or something else along those lines.

    I hope Microsoft will make information on registry editing or custom policy
    development to make it possible for us to get around this issue. My guess is
    that I'm not the Lone Ranger on this one, even though my situation is
    possibly a bit more extreme than most. I cannot, for the life of me, imagine
    why Microsoft wouldn't make it possible to simply exclude the data files from
    shadow copying. It's a function they ADDED to System Restore. Why not let the
    user decide whether or not s/he really wants to use it? Many of us are
    actually capable of taking care of our data. (No one on my domain has ever
    lost more than a few minutes' worth of data when it wasn't definitively
    her/his fault. Ever.)

    But, again, thank you very much for your link to the blog. It is
    informative. But it's just not the information I happen to need in this case.
    And, nice blog, BTW.

    Best regards,
    Jim
     
    jimmuh, Jan 29, 2007
    #3
  4. Unlike System Restore in XP, System Restore in Windows Vista uses the
    Volume Shadow Copy Service (VSS). VSS uses a low level driver to keep
    differential copies of changed blocks in your system. Because it interacts
    with the system below the file system level, it would be very costly
    (primarily performance-wise) to allow ad-hoc file and folder exclusions from
    it. If the registry capability were to be added, it would work on a best
    effort basis, not guaranteed.

    I have passed your feedback on to the team for consideration.
     
    Jill Zoeller [MSFT], Jan 30, 2007
    #4
  5. jimmuh

    jimmuh Guest

    Thanks, Jill, for a solid, succinct explanation. I tried to respond a little
    bit ago but (apparently) got disconnected or otherwise defeated in making the
    post.

    I do appreciate your point. But the feature set, as it stands, presents some
    obstacles to our use of the OS. As always, in anything this complex, there
    must be trade-offs. Forcing data writes to non-shadowed (is that a word?)
    drives or using removable drives is one way around the issue, but will cost
    in terms of outlay for new hardware and maybe by requiring acceptance of
    design compromises which we wouldn't otherwise have to face. We could develop
    procedures that depend upon hardware or dual passwords, like allowing admin
    logins only in the presence of two keys (one held by the client and one by
    the admin). We could use third party encryption to which only the client
    would have the keys.

    You have been very helpful. Can you think of any other avenues I could
    explore, given the constraints under which I have to operate?

    Thanks,
    Jim
     
    jimmuh, Jan 30, 2007
    #5
  6. We don't currently have any documented avenues just yet, other than the
    suggestions to use EFS or Bitlocker. I think this is a good topic for community
    discussion as people find creative ways to ensure their files can't be
    restored. It will be interesting to see how the product team addresses this
    issue moving forward.
    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    Want to learn more about Windows file and storage technologies? Visit our
    team blog at http://blogs.technet.com/filecab/default.aspx.
     
    Jill Zoeller [MSFT], Jan 30, 2007
    #6
  7. jimmuh

    jimmuh Guest

    Okay, thanks for your help, Jill. I'll be hanging out around here, and I'll
    turn what few gray cells I have to the problem to see if I can come up with
    something useful -- as I hope others will do.

    Regards,
    Jim
     
    jimmuh, Jan 30, 2007
    #7
  8. The way I handle this is by moving/saving all personal files and downloads
    to a partition other than the system partition. My decision is that only the
    O/S and the programs that I consider to be integral to the operating system
    belong on the system Partition. All of my personal files and folders have
    been moved to partition D:.

    Minor programs/utilities are also installed to D:\Programs Files and not
    kept on the system partition, as a great many of these small programs are
    contained 100% in their own folder. They survive a reinstall of the
    operating system just fine.

    Downloads are saved to partition E:, music to partition F:, Videos to
    partition G: and so forth.

    I then turn off system restore on all partitions and drives I have no reason
    to monitor. This has worked for me for 6 years now.

    --


    Regards,

    Richard Urban
    Microsoft MVP Windows Shell/User
    (For email, remove the obvious from my address)

    Quote from George Ankner:
    If you knew as much as you think you know,
    You would realize that you don't know what you thought you knew!
     
    Richard Urban, Feb 2, 2007
    #8
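The thread's two practical points, jimmuh's concern that deleted files may still surface under Previous Versions, and Richard's workaround of keeping data on separate partitions with System Restore turned off for them, can both be checked from a script. The following PowerShell is an added example and not code from any poster or from Microsoft. It assumes Windows PowerShell 3.0 or later on Windows 7 or later (the Get-CimInstance and Disable-ComputerRestore cmdlets do not exist in the PowerShell 1.0 that shipped with Vista) and an elevated session, which the Win32_ShadowCopy class requires. The function names are my own.

```powershell
# Added example: audit which volumes carry VSS shadow copies, report whether a
# given folder could still surface in "Previous Versions", and optionally turn
# System Restore off for the data volumes named. Not code from the thread.
# Assumes: Windows PowerShell 3.0+, Windows 7 or later, elevated session.

function Get-ShadowCopyInventory {
    # Win32_ShadowCopy reports volumes as \\?\Volume{GUID}\ paths; map those
    # back to drive letters via Win32_Volume so the output is readable.
    $byDevice = @{}
    Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter } |
        ForEach-Object { $byDevice[$_.DeviceID] = $_.DriveLetter }

    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Drive        = $byDevice[$_.VolumeName]   # $null if the volume has no letter
            Created      = $_.InstallDate
            ShadowId     = $_.ID
            DeviceObject = $_.DeviceObject
        }
    } | Sort-Object Drive, Created
}

function Test-PathHasPreviousVersions {
    param([Parameter(Mandatory)][string]$Path)
    # Resolve the volume root of the path (e.g. "D:\") and check whether any
    # shadow copy exists for that volume. If one does, data deleted from $Path
    # after the copy was taken may still be reachable through Previous Versions,
    # which is exactly the exposure described in the first post.
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).Path)
    $drive = $root.TrimEnd('\')
    $copies = @(Get-ShadowCopyInventory | Where-Object { $_.Drive -eq $drive })
    [pscustomobject]@{
        Path            = $Path
        Volume          = $root
        ShadowCopyCount = $copies.Count
        OldestCopy      = if ($copies.Count) { $copies[0].Created }  else { $null }
        NewestCopy      = if ($copies.Count) { $copies[-1].Created } else { $null }
        Exposed         = ($copies.Count -gt 0)
    }
}

function Disable-RestoreForDataVolumes {
    param([Parameter(Mandatory)][string[]]$Drive)
    # Richard's approach: personal data lives on its own partition(s) and
    # System Restore is switched off there. Re-run Get-ShadowCopyInventory
    # afterwards to confirm no shadow copies remain for those volumes; any
    # that do can be removed with "vssadmin delete shadows /for=D: /all".
    foreach ($d in $Drive) {
        $normalized = $d.TrimEnd('\') + '\'   # the cmdlet expects "D:\", not "D:"
        if (Test-Path -LiteralPath $normalized) {
            Disable-ComputerRestore -Drive $normalized
            Write-Output "System Restore disabled on $normalized"
        } else {
            Write-Warning "Volume $normalized not found; skipping"
        }
    }
}

# Usage: take the inventory first, then check the folder that worried jimmuh.
Get-ShadowCopyInventory | Format-Table -AutoSize
Test-PathHasPreviousVersions -Path "$env:USERPROFILE\Downloads"
# Disable-RestoreForDataVolumes -Drive 'D:', 'E:'   # only after moving data there
```

The audit functions are read-only; the last call changes system state and is left commented out so the script can be run as a check first. As Jill's reply explains, VSS works below the file system on changed blocks, so there is no per-folder exclusion to set; the script can only tell you which whole volumes are being shadowed and let you act at that granularity.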