System Restore’s debut in Windows XP was a godsend. I thought of it as the “truth serum of Windows features” because it often revealed what users wouldn’t reveal. For example, an administrative employee once told me that her workstation wouldn’t boot. I asked her if she had installed anything recently, and she replied that she’d installed a new antivirus software version. “How many times did you install it?” I asked, and she said, “Just once.” Booting from a recovery disk got System Restore up, though, and when I asked it to roll back the most recent application installation, it revealed 20 attempts to install the antivirus software! No, it doesn’t solve every problem, but it’s always been kind to me.
I have never, however, been a fan of System Restore’s GUI. Fortunately, PowerShell offers five key cmdlets:
- Enable-ComputerRestore and Disable-ComputerRestore turn it on or off for any given drive.
- Checkpoint-Computer lets you create a new restore point.
- Get-ComputerRestorePoint shows all available restore points.
- Restore-Computer tells System Restore to roll back a system to a particular restore point.
Note, however, the oddity about these cmdlets: There’s no common noun! A wag of the finger, then, to these cmdlets’ authors. Thankfully, these cmdlets are still of great use, as I think you’ll see.
Enabling or Disabling System Restore
The Enable-ComputerRestore and Disable-ComputerRestore cmdlets let you choose which drives to protect with System Restore. The syntax is simple but precise: a comma-delimited list of which drives to support, with each drive written as the filespec of its root directory, surrounded by quotes, like this:
Enable-ComputerRestore "C:\", "D:\"
Any drives not mentioned will have System Restore disabled, so if in this case drive E is already being protected, running that exact cmdlet would disable protection on E. Also, there doesn’t seem to be a cmdlet to adjust System Restore–allowed maximum usage as in Control Panel, although tweaking entries in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore registry subkey will give you all the control you need.
View Available Restore Points
Prior to rolling a system back to solve a problem, you’ll want to know which restore points are available to roll back to. In Get-ComputerRestorePoint’s simplest form, you can just type
Get-ComputerRestorePoint
An abbreviated output from my system looks like this:
PS C:\> Get-ComputerRestorePoint
CreationTime           Description          SequenceNumber
------------           -----------          --------------
3/8/2015 5:12:25 PM    Windows Update       89
3/11/2015 1:07:16 PM   Test restore point   90
3/11/2015 2:43:17 PM   Extra checkpoint     91
The important data to get from this is the SequenceNumber value—that’s how you’ll identify your desired restore point to Restore-Computer. Get-ComputerRestorePoint will alternatively show the final status of the previous System Restore operation with the -LastStatus parameter, like so:
Get-ComputerRestorePoint -LastStatus
That returns a text message such as The computer has been restored to the specified restore point. Again, it is only re-reporting the result of the previous rollback attempt. It might look like it’s showing you some just-performed operation (which can be a bit disconcerting), but it’s not.
Performing a System Rollback
Once you find your desired restore point, roll the computer back to it with
Restore-Computer -RestorePoint <sequencenumber>
For instance, to roll back to the most recent restore point on my example computer, I’d type
Restore-Computer -RestorePoint 91
Alternatively, if you’re sure that you want to restore to the most recent restore point, you could combine Get-ComputerRestorePoint and Restore-Computer, like so:
Restore-Computer -RestorePoint (Get-ComputerRestorePoint)[-1].sequencenumber
If you’ve not messed much with PowerShell arrays, the confusing part will be the [-1]. Try typing just the part that starts with the parentheses, and you should get the most recent sequence number, as in this sample run:
PS C:\> (Get-ComputerRestorePoint)[-1].sequencenumber
The parenthesized Get-ComputerRestorePoint simply collects all the command’s output. In my case, my system returned three restore points. The square brackets let me specify which of the three I want: [0] means I want the first one, [1] the second, and [2] the third.
But I want a generic way to find the last of the restore points, which means the highest array number. That would be [2] in my case, but if you have 46 restore points, it would be [45]. Using [-1] tells PowerShell to give you the last item. You saw that each rollback point includes several properties, including CreationTime, Description, and SequenceNumber. The -RestorePoint parameter needs just the numeric value of the SequenceNumber, and adding .sequencenumber returns only that value.
Note that Restore-Computer won’t prompt you before proceeding. If you’d like a prompt, add -confirm:$true to the cmdlet.
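The one-liner above fails when no restore points exist and depends on output order, so here is a guarded version as an added example (not code from the original article). It assumes an elevated Windows PowerShell session; Get-LatestRestorePoint and Invoke-LatestRollback are hypothetical helper names.

```powershell
# Added example, not from the original article.
# Assumes elevated Windows PowerShell with System Restore enabled.
# Get-LatestRestorePoint and Invoke-LatestRollback are hypothetical names.

function Get-LatestRestorePoint {
    # @() forces an array even when zero or one restore point exists,
    # so the lookup behaves the same in every case.
    $points = @(Get-ComputerRestorePoint)
    if ($points.Count -eq 0) {
        return $null
    }
    # Sort explicitly instead of relying on the order of the output.
    $points | Sort-Object -Property SequenceNumber | Select-Object -Last 1
}

function Invoke-LatestRollback {
    [CmdletBinding()]
    param(
        # -Preview shows what would happen without restoring anything.
        [switch]$Preview
    )

    $latest = Get-LatestRestorePoint
    if ($null -eq $latest) {
        Write-Warning 'No restore points found; nothing to roll back to.'
        return
    }

    Write-Host ("Latest restore point: #{0} '{1}'" -f `
        $latest.SequenceNumber, $latest.Description)

    if ($Preview) {
        # -WhatIf reports the action Restore-Computer would take, then stops.
        Restore-Computer -RestorePoint $latest.SequenceNumber -WhatIf
    }
    else {
        # -Confirm makes Restore-Computer prompt before it proceeds.
        Restore-Computer -RestorePoint $latest.SequenceNumber -Confirm
    }
}

# Dry run: identify the target restore point without rolling back.
Invoke-LatestRollback -Preview
```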
Create a New System Restore Point
Finally, you’ll sometimes want to programmatically force System Restore to create a new restore point if you were, for example, installing an iffy new driver or Windows update. In those cases, it would be nice to have an easy rollback method, if necessary. Create a new restore point by running Checkpoint-Computer, followed by a space and a descriptive name for the restore point in quotes, as in
Checkpoint-Computer "Just trying this out"
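Before the iffy driver or update goes in, it helps to confirm that the restore point really exists. The following added example (not code from the original article) creates a checkpoint and then verifies it; New-VerifiedCheckpoint is a hypothetical helper name, and an elevated Windows PowerShell session is assumed.

```powershell
# Added example, not from the original article.
# Assumes elevated Windows PowerShell with System Restore enabled.
# New-VerifiedCheckpoint is a hypothetical helper name.

function New-VerifiedCheckpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Description
    )

    # Record the highest sequence number that exists before the call
    # (stays 0 when there are no restore points yet).
    $previousMax = 0
    foreach ($point in @(Get-ComputerRestorePoint)) {
        if ($point.SequenceNumber -gt $previousMax) {
            $previousMax = $point.SequenceNumber
        }
    }

    Checkpoint-Computer -Description $Description `
        -RestorePointType MODIFY_SETTINGS

    # Checkpoint-Computer can return without creating anything; on
    # Windows 8 and later it creates at most one checkpoint per day
    # by default. Look for a new entry rather than assuming success.
    $created = @(Get-ComputerRestorePoint) |
        Where-Object {
            $_.SequenceNumber -gt $previousMax -and
            $_.Description -eq $Description
        } |
        Select-Object -Last 1

    if ($null -eq $created) {
        Write-Warning "No new restore point named '$Description' was created."
        return $null
    }
    return $created
}

# Only continue with the risky change if the checkpoint is really there.
$checkpoint = New-VerifiedCheckpoint -Description 'Before driver update'
if ($null -ne $checkpoint) {
    Write-Host "Rollback target is sequence number $($checkpoint.SequenceNumber)."
}
```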
Give these a try! I think they’ll become oft-used tools in your toolkit!