Windows Restore Points

From ForensicsWiki

On Windows XP the Restore Points can be found in:

C:\System Volume Information\_restore{%GUID%}\

Where %GUID% is the GUID of the machine for which the Restore Point was created.

This directory contains:

  • fifo.log; Restore Point deletion information
  • Restore Point data subdirectories, named 'RP[1-9][0-9]*', e.g. 'RP1'

A Restore Point data subdirectory contains:

  • change.log or change.log.[1-9];
  • rp.log; restore point information log file
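
The layout above can be inventoried from a mounted image or an exported copy of the directory. The following Python sketch is an added example, not ForensicsWiki or vendor code; the function names, the placeholder GUID and the sample tree are constructed for illustration, and it only matches the file and directory names listed above without parsing file contents.

```python
import re
import tempfile
from pathlib import Path

RESTORE_DIR = re.compile(r"^_restore\{(?P<guid>[^{}]+)\}$", re.IGNORECASE)
RP_DIR = re.compile(r"^RP[1-9][0-9]*$", re.IGNORECASE)
CHANGE_LOG = re.compile(r"^change\.log(\.[1-9])?$", re.IGNORECASE)

def inventory_restore_points(svi_root):
    """Inventory a 'System Volume Information' directory of a mounted image."""
    results = []
    for restore in sorted(Path(svi_root).iterdir()):
        m = RESTORE_DIR.match(restore.name)
        if not (m and restore.is_dir()):
            continue
        points = []
        for rp in restore.iterdir():
            if not (RP_DIR.match(rp.name) and rp.is_dir()):
                continue  # e.g. fifo.log, or names outside RP[1-9][0-9]*
            files = sorted(f.name for f in rp.iterdir() if f.is_file())
            points.append({
                "name": rp.name,
                "has_rp_log": any(f.lower() == "rp.log" for f in files),
                "change_logs": [f for f in files if CHANGE_LOG.match(f)],
            })
        points.sort(key=lambda p: int(p["name"][2:]))  # RP2 before RP10
        results.append({
            "guid": m.group("guid"),
            "has_fifo_log": any(p.name.lower() == "fifo.log" for p in restore.iterdir()),
            "restore_points": points,
        })
    return results

def build_sample_tree(base):
    """Constructed sample: base stands in for 'System Volume Information'."""
    store = Path(base) / "_restore{00000000-0000-0000-0000-000000000000}"
    layout = {"RP1": ["rp.log", "change.log"],
              "RP2": ["rp.log", "change.log.1", "change.log.2"],
              "RP10": ["change.log"],   # rp.log deliberately missing
              "RP0": ["rp.log"]}        # not a valid RP name, ignored
    for rp, files in layout.items():
        (store / rp).mkdir(parents=True)
        for f in files:
            (store / rp / f).touch()
    (store / "fifo.log").touch()
    return Path(base)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inventory_restore_points(build_sample_tree(tmp)))
```

A restore point directory reported with `has_rp_log` set to False, or a gap in the RP numbering, is worth noting during examination.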

External Links

Tools