Thursday, 24 November 2016

System Protection (Shadow Copy) - recover deleted files

On your Windows PC, have you ever deleted a file and emptied it from the Recycle Bin, then realised that was a mistake? Unfortunately we've all been there! There is a feature built into Windows (from XP to 10) called System Protection, often known as Shadow Copy. In this article I'll explain what it is and how you can use it to recover your accidentally deleted files.

How it works
Periodically Windows will create a 'Restore Point', which is like a snapshot in time. If you install an application that creates a problem, or maybe a virus destroys some of your system files, you can revert to the last good Restore Point. It is like going back in time to when your computer was functioning normally. This is the main purpose of System Protection.

NOTE: You should have local Administrator rights for the following.

Press the Windows key and
Enter: sysdm.cpl
The System Properties window will appear
Click the System Protection tab

System Restore
In the situation where system files have been damaged you can click the System Restore button and revert to a previous restore point. Your data files (photos, documents, music, etc) are not restored when you use this option. Only system files are restored.

Protection Settings
In the above example the computer has two local hard disk drives (or partitions), C: and D:. The C: drive is the system partition where Windows is installed. Because it is the system partition the C: drive is protected. However, System Protection is turned Off for the D: drive. This is an important consideration if you store files on a second hard drive or a second partition (a D: drive). You should consider turning the System Protection on for that second drive.

To change the settings for a particular drive, click on it and click Configure:

In the above example we're looking at the configuration for C:.

Turn on/off system protection
For this drive you can turn the system protection on or off. Normally it's a good idea to switch it on for all drives. As explained above, you might want to switch on protection for D: if you have a second partition as I do.

Disk Space
System Protection keeps copies of all the system files and your files. That's a lot, and there can of course be several versions. When it runs out of space it will replace the oldest restore point - it recycles the space. The more space you allocate to System Protection, the more restore points can be saved and the more file versions can be stored.

Normally, of course, do not use Delete! If you do, all your restore points will be deleted. But there are situations where this is a very important option. Imagine your computer files were infected with a virus. After cleaning the virus and restoring all your data files, you should consider deleting your restore points. Why? Because you may have infected files in your System Protection restore points! Anti-virus software will not be able to scan inside the System Protection space, so all kinds of nasties might be lurking there. Also, if you are about to sell your computer, make sure you delete your restore points before handing it over to the new owner.

The frequency that Restore Points are created
System Protection is running all the time. It periodically creates Restore Points. In Windows 7 the default is once a week. For other operating systems I've not read anything definitive, but as an example, below is a screen shot of restore points from a Windows 8.1 computer:

In the Type column, Manual marks a restore point that I created manually (we'll look at how you can do that in a moment). For the others you can see that an automatic restore point was created by the system when I uninstalled Java 8. This is great: if that process of uninstalling had failed, I could've used the restore point to put the system back to how it was before.

Create a Restore Point manually
Although the above shows that Windows appears to be very clever, I would recommend that before installing new software or adding a new driver, you first create a restore point manually, just to be sure. It's easy to do. Again, do the following:

Press the Windows key and 
Enter: sysdm.cpl
The System Properties window will appear
Click the System Protection tab

Click Create
Enter the name of the Restore Point and click Create
It'll take a few seconds to make it, click Close when it has finished.
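The same steps can be scripted. This is an added example, not part of the original article: it turns protection on for the chosen drives (as in the Configure dialog above), creates a restore point and confirms that one was really made. It assumes Windows PowerShell 5.1 on a client edition of Windows; the function name, drive list and description are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example. The System Restore cmdlets ship with Windows PowerShell 5.1
# (not PowerShell 7) and work on client editions of Windows only.

function New-PreInstallRestorePoint {
    param(
        [string[]]$Drive = @('C:\'),                       # drives to protect
        [string]$Description = 'Before software install'   # constructed name
    )

    # Same effect as "Turn on system protection" in the Configure dialog.
    # The system drive must be enabled first or in the same call.
    Enable-ComputerRestore -Drive $Drive

    # Remember the newest sequence number so we can tell if a new point appears.
    $before  = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    $lastSeq = if ($before.Count) {
        ($before | Measure-Object SequenceNumber -Maximum).Maximum
    } else { 0 }

    Checkpoint-Computer -Description $Description -RestorePointType APPLICATION_INSTALL

    # On Windows 8 and later, Checkpoint-Computer only warns and creates nothing
    # if a restore point was already made within the previous 24 hours.
    $new = Get-ComputerRestorePoint | Where-Object { $_.SequenceNumber -gt $lastSeq }
    if (-not $new) {
        Write-Warning 'No new restore point was created; showing the most recent one.'
        $new = Get-ComputerRestorePoint | Select-Object -Last 1
    }
    $new | Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } }
}

# Drop 'D:\' if the machine has no second drive or partition.
New-PreInstallRestorePoint -Drive 'C:\', 'D:\' -Description 'Before driver update'
```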

Task Scheduler
There is a task already in the Windows Task Scheduler. You could also change this to run it more often if you wish.

Search for "schedule tasks" in the Control Panel or launch it as follows:
Press the Windows Key and R
Enter: taskschd.msc

In the left hand navigation pane click Task Scheduler Library, Microsoft, Windows
Click on Windows Restore

Your screen should look similar to the above screen shot. From here you can double click the SR task to edit it. Click the Triggers tab and decide when you would like to run the task. Maybe once a week?

Previous Versions
In Windows 7 right click on a file, click Properties, click Previous Versions - wait a few seconds and a list of restore points for that file will appear.

In the above example you can see I have right clicked on a file called 'My Test File.txt' and one previous version is available. To recover it, click the Restore button.

This works very well for when you want to revert to a previous version of a file. If you delete a file and empty the Recycle Bin, then this is not so useful. The Previous Versions tab does not appear in Windows 8 and 8.1. For these reasons, although this is a nice feature to have and excellent for anyone to restore a previous version of a file, it is not ideal. This is where ShadowExplorer is the best option...

If you have deleted a file and you need to get it back, no matter whether you are using Windows 7, 8 or 10, ShadowExplorer can do the job. It provides the best view of your Restore Points and all the files stored within them. ShadowExplorer is a free utility that you can download from

You can browse the different Restore Points and restore (export) the files from there.

When you first start ShadowExplorer it appears as above. Just click the C: to change drives. The different restore points are in the drop-down list next to the drive letter. In the above I have a restore point of 27/10/2016 selected.

Once you select a restore point you can navigate through the files on the drive just as you would in Explorer. When you want to restore a file select it, right click, click Export.

TIP: Download the portable version from - you can copy it to a USB flash drive. In the event that your computer is infected with a virus or ransomware, you could copy (export) files from your restore point to the USB drive to reduce the possibility of infection. ShadowExplorer should be in every IT technician's toolkit!

To discover more about ShadowExplorer, their website has lots of information and there are also many YouTube videos to help.

Do NOT rely upon System Protection alone!
The System Protection copy of your files is stored on the same drive where your files exist (C: drive for example). This means that System Protection does not help you in the event of a drive failure. Also, ransomware often deletes restore points.

You should not rely upon System Protection for your file backups. However, you can think of System Protection as your last line of defence.
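Because restore points can vanish without any visible sign, it is worth checking now and then that each drive still has recent snapshots. The following is an added example, not from the original article: it reports shadow-copy coverage for every local fixed drive. The function name and the 7-day threshold are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: list how many shadow copies each local drive has and how old
# the newest one is. Reading Win32_ShadowCopy needs Administrator rights.

function Get-ShadowCopyCoverage {
    param([int]$MaxAgeDays = 7)   # assumed threshold, matching a weekly schedule

    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    $cutoff  = (Get-Date).AddDays(-$MaxAgeDays)

    # DriveType 3 = local fixed disk; skip volumes that have no drive letter.
    Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3' |
        Where-Object DriveLetter |
        ForEach-Object {
            $vol = $_
            # Win32_ShadowCopy.VolumeName holds the volume GUID path,
            # which is the same string as Win32_Volume.DeviceID.
            $mine   = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID })
            $newest = $mine | Sort-Object InstallDate | Select-Object -Last 1

            $status = 'OK'
            if (-not $mine.Count) {
                $status = 'NO SNAPSHOTS'      # protection off, or snapshots removed
            } elseif ($newest.InstallDate -lt $cutoff) {
                $status = 'STALE'             # nothing newer than the threshold
            }

            [pscustomobject]@{
                Drive     = $vol.DriveLetter
                Snapshots = $mine.Count
                Newest    = $newest.InstallDate
                Status    = $status
            }
        }
}

Get-ShadowCopyCoverage | Format-Table -AutoSize
```

A drive that showed snapshots last week and now reports NO SNAPSHOTS deserves a closer look before you need those files.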

For backups, if you have Windows 8, 8.1 or 10 please use the File History option - it is excellent and backs up your files as you make changes to them. Click the following link for an explanation:

For Windows 7 you can use the classic Windows Backup.

System Protection (Shadow Copy) can be a life saver. Its primary use is to protect your Windows system files. But keep it in mind the next time you accidentally delete a file; just don't rely upon it. System Protection should be just one part of your backup strategy. You should have multiple backups and different tools to cover the different 'disaster' scenarios.



A full explanation of the Shadow Copy technology:

What are shadow copies - a further explanation:

Shadow Copy for advanced users:
