System Restore Points Information

Overview

Evidence: System Restore Points Information
Description: Collect Information About System Restore Points
Category: System
Platform: Windows
Short Name: rpi
Is Parsed: Yes - WMI data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

System Restore creates restore points that snapshot system configuration and registry state. These snapshots allow Windows to revert to a previous state if problems occur.

Restore point metadata includes creation time, description, and type information. While the actual restore point data (in System Volume Information) is not collected, the metadata provides evidence of system state changes and potential restoration events.

Data Collected

Field             Description                            Example
Description       Restore point description              Automatic Restore Point
CreationTime      When the restore point was created     2023-10-01T10:00:00
RestorePointType  Type of restore point (numeric code)   12
EventType         Event type (numeric code)              100

Collection Method

This collector queries WMI for restore point information:

  • WMI namespace: ROOT\DEFAULT

  • WMI query: SELECT * FROM SystemRestore

The query returns all restore points with their metadata.
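As an added example (not part of this collector's own code), the following PowerShell runs the same WMI query on a live host, converts the DMTF CreationTime strings the class returns into ISO-8601 timestamps, and decodes the numeric RestorePointType and EventType values; the code-to-name mapping is taken from the Windows SDK header srrestoreptapi.h, and SequenceNumber is a property of the SystemRestore class that the field table above does not list.

```powershell
# Added example: query ROOT\DEFAULT SystemRestore and normalise the metadata.
function Get-RestorePointMetadata {
    [CmdletBinding()]
    param()

    # Value names from srrestoreptapi.h; unknown codes are kept numeric.
    $restorePointTypes = @{
        0  = 'APPLICATION_INSTALL'
        1  = 'APPLICATION_UNINSTALL'
        10 = 'DEVICE_DRIVER_INSTALL'
        12 = 'MODIFY_SETTINGS'
        13 = 'CANCELLED_OPERATION'
    }
    $eventTypes = @{
        100 = 'BEGIN_SYSTEM_CHANGE'
        101 = 'END_SYSTEM_CHANGE'
        102 = 'BEGIN_NESTED_SYSTEM_CHANGE'
        103 = 'END_NESTED_SYSTEM_CHANGE'
    }

    # Same namespace and class as the collector's query.
    $points = Get-CimInstance -Namespace 'ROOT\DEFAULT' -ClassName 'SystemRestore' -ErrorAction Stop

    if (-not $points) {
        # An empty result is itself a finding: System Restore disabled, or points deleted.
        Write-Warning 'No restore points returned; check whether System Restore is disabled or points were removed.'
        return
    }

    foreach ($p in $points) {
        # CreationTime arrives as a DMTF string (e.g. 20231001100000.000000-000); convert it.
        if ($p.CreationTime -is [string]) {
            $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($p.CreationTime)
        } else {
            $created = [datetime]$p.CreationTime
        }
        $rpCode = [int]$p.RestorePointType
        $evCode = [int]$p.EventType
        $rpName = if ($restorePointTypes.ContainsKey($rpCode)) { $restorePointTypes[$rpCode] } else { $rpCode }
        $evName = if ($eventTypes.ContainsKey($evCode)) { $eventTypes[$evCode] } else { $evCode }

        [pscustomobject]@{
            SequenceNumber   = $p.SequenceNumber
            CreationTime     = $created.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
            Description      = $p.Description
            RestorePointType = $rpName
            EventType        = $evName
        }
    }
}

# Usage: list points oldest first so a gap before a suspected incident stands out.
Get-RestorePointMetadata | Sort-Object CreationTime | Format-Table -AutoSize
```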

Usage

Restore point information helps track system configuration changes and potential malware installation timeframes. Investigators use this data to identify when system changes occurred, correlate with malware installation, track software installation events, and identify potential restoration attempts.

Known Limitations

  • Only metadata is collected, not actual restore point data

  • System Restore may be disabled

  • Restore points may be deleted by users or malware

  • Limited number of restore points retained

Notes

Ransomware often deletes restore points to prevent recovery. The absence of expected restore points or recently deleted restore points may indicate malicious activity.
