ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Windows Restore Points

From ForensicsWiki
Jump to: navigation, search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

On Windows XP the Restore Points can be found in:

C:\System Volume Information\_restore{%GUID%}\

Where %GUID% is the machine GUID, for which the Restore Point was created.

This directory contains:

  • fifo.log; Restore Point deletion information
  • Restore Point data sub directories, named 'RP[1-9][0-9]*', e.g. 'RP1'

A Restore Point data sub directory contains:

  • change.log or change.log.[1-9];
  • rp.log; restore point information log file

External Links

Tools