System Restore Points Information
Overview
Evidence: System Restore Points Information
Description: Collect information about system restore points
Category: System
Platform: windows
Short Name: rpi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
System Restore creates restore points that snapshot system configuration and registry state. These snapshots allow Windows to revert to a previous state if problems occur.
Restore point metadata includes creation time, description, and type information. While the actual restore point data (in System Volume Information) is not collected, the metadata provides evidence of system state changes and potential restoration events.
Data Collected
This collector gathers structured metadata about the system restore points present on the host.
System Restore Points Information Data
| Field | Description | Example |
|---|---|---|
| Description | Restore point description | Automatic Restore Point |
| CreationTime | When the restore point was created | 2023-10-01T10:00:00 |
| RestorePointType | Type of restore point | 12 |
| EventType | Type of event that created the restore point | 100 |
Collection Method
This collector queries WMI for restore point information:
- WMI namespace: ROOT\DEFAULT
- WMI query: SELECT * FROM SystemRestore
The query returns all restore points with their metadata.
Forensic Value
Restore point metadata helps track system configuration changes and narrow down the timeframe of a potential malware installation. Investigators use this data to identify when system changes occurred, correlate those changes with malware installation, track software installation events, and identify potential restoration attempts.
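The following PowerShell is an added example illustrating both the Collection Method and the Forensic Value sections; it is not the collector's own code. It runs the same WMI query in the same namespace, converts the DMTF-format CreationTime string into UTC, labels the numeric RestorePointType and EventType codes with the names Microsoft documents for the SystemRestore class, and then keeps only the restore points created inside a suspected-compromise window. The window bounds are constructed placeholder values, and the script assumes it runs with administrator rights on a Windows host where System Restore is enabled.

```powershell
# Added example (not the collector's own code): collect SystemRestore metadata
# via WMI and narrow it to a suspected-compromise window for timeline work.
# Assumes: Windows host, System Restore enabled, caller is an administrator.

# Values documented by Microsoft for SystemRestore.RestorePointType
$restorePointTypes = @{
    0  = 'APPLICATION_INSTALL'
    1  = 'APPLICATION_UNINSTALL'
    10 = 'DEVICE_DRIVER_INSTALL'
    12 = 'MODIFY_SETTINGS'
    13 = 'CANCELLED_OPERATION'
}
# Values documented by Microsoft for SystemRestore.EventType
$eventTypes = @{
    100 = 'BEGIN_SYSTEM_CHANGE'
    101 = 'END_SYSTEM_CHANGE'
    102 = 'BEGIN_NESTED_SYSTEM_CHANGE'
    103 = 'END_NESTED_SYSTEM_CHANGE'
}

# Constructed placeholder window; replace with the investigation's own bounds (UTC).
$windowStart = [datetime]::Parse('2023-09-30T00:00:00Z').ToUniversalTime()
$windowEnd   = [datetime]::Parse('2023-10-02T00:00:00Z').ToUniversalTime()

# Same namespace and query the collector uses
$points = Get-CimInstance -Namespace 'ROOT\DEFAULT' -Query 'SELECT * FROM SystemRestore'

$normalised = $points | ForEach-Object {
    # CreationTime is a DMTF datetime string (e.g. 20231001100000.000000-000),
    # not a CIM datetime, so it must be converted explicitly.
    $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime).ToUniversalTime()

    # Hashtable keys are Int32; the WMI properties are UInt32, so cast before lookup.
    $rpType = [int]$_.RestorePointType
    $evType = [int]$_.EventType

    [pscustomobject]@{
        SequenceNumber   = $_.SequenceNumber
        CreationTimeUtc  = $created
        Description      = $_.Description
        RestorePointType = "$rpType ($($restorePointTypes[$rpType]))"
        EventType        = "$evType ($($eventTypes[$evType]))"
    }
}

# Full inventory, oldest first, for the case timeline
$normalised | Sort-Object CreationTimeUtc | Format-Table -AutoSize

# Restore points that fall inside the suspected-compromise window; a
# MODIFY_SETTINGS or APPLICATION_INSTALL point here marks a system change
# worth correlating with other artifacts from the same period.
$normalised |
    Where-Object { $_.CreationTimeUtc -ge $windowStart -and $_.CreationTimeUtc -le $windowEnd } |
    Sort-Object CreationTimeUtc |
    Format-Table -AutoSize
```

The codes 12 and 100 shown in the data table above therefore read as MODIFY_SETTINGS and BEGIN_SYSTEM_CHANGE. Unlabelled codes print as an empty name in parentheses rather than failing, which keeps the inventory intact when a host reports a value outside the documented set.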