What does Windows System Restore exactly back up and restore?
Solution 1:
Restored:
- Registry (note: some current values will persist)
- Profiles (local only—roaming user profiles not impacted by restore)
- COM+ DB
- WFP.dll cache
- WMI DB
- IIS Metabase
- Files with extensions listed in the Monitored File Extensions list
Not Restored:
- DRM settings
- SAM hives (does not restore passwords)
- WPA settings (Windows authentication information is not restored)
- Contents of the My Documents folder(s)
- Specific directories/files listed in the Monitored File Extensions list
- Any file with an extension not listed in the Monitored File Extensions list
- Items listed in both
Filesnottobackup
andKeysnottoRestore
(HKLM->System->ControlSet001->Control->BackupRestore->Filesnottobackup and keysnottorestore
) - User-created data stored in the user profile
- Contents of redirected folders
Solution 2:
If you have restored you computer to a point during the virus infection, you may have reintroduced the virus. See How antivirus software and System Restore work together for details.
Regarding the files that system restore deals with, Microsoft says -
System Restore can make changes to Windows system files, registry settings, and programs installed on your computer. It also can make changes to scripts, batch files, and other types of executable files on your computer. Personal files, such as documents, e‑mail, photos, and music files, are not changed.