Scheduling automated rollbacks of system restore points

Discussion in 'Windows 7 Help and Support' started by keius, Aug 10, 2011.

  1. keius

    keius Active Member

    Joined:
    Aug 9, 2011
    Messages:
    4
    Likes Received:
    0
    Hi,

    Does anyone know how to schedule/automate a rollback to a system restore point at a set time each day?
    What I'm trying to do is:
    1. Disable the standard System Restore behavior of creating restore points when installing apps and drivers.
    2. Automatically/schedule a restore point to be created every morning (probably using Task Scheduler).
    3. Automatically/schedule a rollback to that morning's restore point every night.

    This should allow users to mess up the workstation during the day, and restore a working rollback point at night when users are not using the workstation. Updates are scheduled at nighttime, so before that happens, it should roll back to a good restore point, apply updates, then create a working "new" restore point with the updates in the morning, etc.

    Thanks for any help/advice.
     
  2. Mike

    Mike Windows Forum Admin
    Staff Member Premium Supporter

    Joined:
    Jul 22, 2005
    Messages:
    8,488
    Likes Received:
    783
    Hello,

    System Restore is not really meant to be used in such a way, although I understand the motivation for what you are trying to do. Typically, to launch System Restore from a command-line, you would want to use rstrui.exe. However, because there are no command-line options, you are not going to be able to use the tool in the manner you would like.

    Clearly you have set off on the goal of "rolling back" the system to maintain its integrity. System Restore is not a very good utility for preventative maintenance or backups. Disk imaging utilities and virtualization software are now used for the task you are trying to accomplish. For example, on each workstation, you could forcefully run Microsoft Virtual PC (freeware) or VirtualBox (freeware), which supports transient images. Any changes made to the image can be rolled back once the virtual machine is restarted, and as such, these system images can be loaded off of the network.

    Norton Ghost has traditionally been used for a long time to reload an image backup every time the system boots using network scripting. Prior to this, Novell NetWare was used a lot for this purpose. Right now virtualization might be the best way to accomplish your task.

    For the System Restore method you would like to use, I cannot give you a solution offhand, because I do not believe one exists.
     
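The two posts above describe the intended cycle (morning baseline restore point, nightly rollback, both driven by Task Scheduler). The following is an added example, not code from either poster, showing how the native Windows 7 tooling that does exist for this can be scripted: the `Checkpoint-Computer`, `Get-ComputerRestorePoint` and `Restore-Computer` cmdlets shipped with PowerShell 2.0 on Windows 7, and `schtasks.exe` to register the two daily jobs. The script path `C:\Admin\Baseline.ps1`, the task names, the run times and the "Baseline" description prefix are assumptions; the example does not attempt the poster's step 1 (suppressing the automatic install-time restore points), it simply ignores those points by selecting on description.

```powershell
# Added example (not from the thread). Windows 7 / PowerShell 2.0, run elevated.
# Save as C:\Admin\Baseline.ps1 (assumed path) and register the two tasks below.
#
#   -Action Create    make today's baseline restore point   (morning task)
#   -Action Rollback  revert to the newest baseline point   (night task; reboots!)
#   -Action Register  create both scheduled tasks as SYSTEM (run once, by hand)

param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Create', 'Rollback', 'Register')]
    [string]$Action
)

$Prefix     = 'Baseline'          # assumed description prefix used to find our points
$ScriptPath = 'C:\Admin\Baseline.ps1'   # assumed location of this script

function Get-BaselinePoint {
    # Newest restore point whose description carries our prefix. Points created by
    # installers or Windows Update have other descriptions and are skipped, so the
    # rollback never lands on a point made after a user "messed up" the box.
    Get-ComputerRestorePoint |
        Where-Object { $_.Description -like "$Prefix*" } |
        Sort-Object SequenceNumber |
        Select-Object -Last 1
}

switch ($Action) {
    'Create' {
        Enable-ComputerRestore -Drive 'C:\'      # no-op if already enabled
        $desc = '{0} {1}' -f $Prefix, (Get-Date -Format 'yyyy-MM-dd HH:mm')
        Checkpoint-Computer -Description $desc -RestorePointType 'MODIFY_SETTINGS'
        $p = Get-BaselinePoint
        if (-not $p) { Write-Error 'Restore point was not created'; exit 1 }
        "Created restore point #$($p.SequenceNumber): $($p.Description)"
    }

    'Rollback' {
        $p = Get-BaselinePoint
        if (-not $p) { Write-Error "No restore point starting with '$Prefix'"; exit 1 }
        "Restoring to #$($p.SequenceNumber): $($p.Description)"
        # Restore-Computer applies the point and restarts the machine immediately,
        # so nothing after this line runs. Schedule it when no one is logged on.
        Restore-Computer -RestorePoint $p.SequenceNumber -Confirm:$false
    }

    'Register' {
        # Both jobs run as LocalSystem with highest privileges; a standard user
        # cannot edit or delete them. Times are assumed: rollback at 22:00, leaving
        # room for the Windows Update window, then a fresh baseline at 06:00.
        $ps = 'powershell.exe -NonInteractive -ExecutionPolicy Bypass -File "' + $ScriptPath + '"'
        schtasks /Create /F /TN 'Baseline Rollback' /SC DAILY /ST 22:00 `
            /RU SYSTEM /RL HIGHEST /TR "$ps -Action Rollback"
        schtasks /Create /F /TN 'Baseline Create'   /SC DAILY /ST 06:00 `
            /RU SYSTEM /RL HIGHEST /TR "$ps -Action Create"
        schtasks /Query /TN 'Baseline Rollback'
        schtasks /Query /TN 'Baseline Create'
    }
}
```

After the first rollback, `Get-ComputerRestorePoint -LastStatus` reports whether the restore succeeded, which is worth logging from the morning task before it creates the next baseline. Two caveats a practitioner would want before relying on this: System Restore reverts system files, the registry and installed programs, not documents and other user-profile data, so anything a user left in the profile survives the nightly cycle; and any user holding local administrator rights can disable System Restore, delete shadow copies (`vssadmin delete shadows`) or simply delete the scheduled task, so the scheme only holds together with the standard-account and Group Policy restrictions discussed later in this thread. On Windows 8 and later (not the Windows 7 case here) `Checkpoint-Computer` also silently skips creation if another point was made within the last 24 hours unless the DWORD `SystemRestorePointCreationFrequency` under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore` is set to 0.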
  3. keius

    keius Active Member

    Joined:
    Aug 9, 2011
    Messages:
    4
    Likes Received:
    0
    Since Restore Points don't look too viable...

    Can I take it that Windows 7 System Image Backup and Restore isn't a viable option for what I would like to do as well?
    I understand that I can probably set the system up to back up an entire image of the PC to a network drive and have it perform incremental backups every morning, but is there no way to schedule an automated restore from a system image using native Windows 7 capabilities? Are there command-line capabilities for Windows 7 system backup/restore?

    I would like to try to find a solution without using third party apps/sw, but this isn't looking too good so far.

    Thanks for the information btw. It's much appreciated.
     
  4. zvit

    zvit Honorable Member

    Joined:
    Nov 3, 2009
    Messages:
    2,455
    Likes Received:
    84
  5. Mike

    Mike Windows Forum Admin
    Staff Member Premium Supporter

    Joined:
    Jul 22, 2005
    Messages:
    8,488
    Likes Received:
    783
    You are very welcome. It is important to understand the methodology you may often see used at a workplace or especially in academia. Group Policy is often used from Windows Server to apply Active Directory settings which do several things. The desktop is oftentimes rendered from a template using Group Policy whenever the user logs into the account. Changes to the desktop, therefore, are not saved. Instead, each workstation functions as a kiosk-type machine that supplies limited access to the end user. This is done by using access control lists under a Windows domain to reduce the surface area of the system and give the impression that no modifications to the system can be made. In general, access to areas that would allow for system configuration is revoked using the Group Policy method and by employing standard accounts.

    The restore from image can be done that night using additional deployment software. However, as mentioned before, entire machines can be virtually black-boxed to the point that the end user is accessing a virtual machine at all times, without giving the appearance that this is the case. This is done by employing the software mentioned above for virtualization, including a complete system management solution from VMware or a combination of methods that can utilize Microsoft Hyper-V and Terminal Services.

    I encourage you to access Microsoft TechNet to unravel the Microsoft deployment method, as well as the VMware website. There are very new methods that simply involve reading a virtual machine hard disk image (.vhd or .vhk). Older methods will require backups and extensive amounts of time.

    Either way, both methods will likely require a server for a large number of computers. For a smaller computing environment, you will want to look at standardizing a setup that uses virtualization on boot and restricts access to the main system using the Local Group Policy Editor. Needless to say, for the professional approach that you would see for securing workstations in an enterprise environment, you are going to have to make significant investments in hardware and software. The Group Policy settings rendered through a Windows domain controller described above can often be accompanied by additional software which is deployed on each workstation through the server. In many instances, this software can be Symantec Endpoint Protection. The one benefit of this software is not simply its virus definitions, but its ability to actually lock down and security-harden a collection of systems on a network even further. Web activity can literally be logged and censored from wherever the Endpoint server components are deployed. This, in conjunction with Group Policy, can protect systems on a large network without requiring the use of system images.

    However, reverting to a virtualized system image, and using virtual machines in general to protect a network from unskilled computer users, is generally a good idea and is becoming widely adopted on public university campuses and in some public sector locations. While the old method of using Norton Ghost or other system imaging software may seem good, it can actually become quite tedious, time consuming, and the least cost-effective option: it requires additional hardware, constant reliance on a variably large backup image, and precise incremental backups (if that is how it is being deployed). On the other hand, the virtualization remedy, at least with VMware's various solutions, simply involves literally flagging the virtual machine image not to save when the system is powered off. In a sense, the "system within a system" model allows you to be the man behind the curtain as the IT director or enterprise management group. You are allowing the end user to see what the organization wants them to see.

    If virtualization or restore from image backup are too much for your firm or organization's costs, then Windows Server 2008 R2 and Windows 7's Group Policy security features will certainly allow you to security-harden the system to a point where installing or misconfiguring the system becomes quite challenging. With the right Group Policy settings, you can effectively restore the desktop to a template on every login and ensure that only programs you want accessed can be used. By using this approach first, and then integrating a virtualization schema later, you may be saving yourself some time to see what is necessary. Ultimately, in the end, it is my belief that employee or student training is the most rewarding option. But until that becomes possible, to protect your systems, using virtualized images isn't a bad idea. One main reason is that it is easier to update the transient image file. You can update the file to incorporate Windows updates fairly easily. More information on this here:

    http://www.vmware.com/products/view/


    In fact, VMware has numerous products that are designed exactly for what you are trying to do: limit surface penetration of the system by the end user and minimize the ability of end users to make policy-level decisions about the systems they operate on a daily basis. Virtualization allows you to do that without the additional hardware.
     
    #5 Mike, Aug 11, 2011
    Last edited by a moderator: Aug 11, 2011
