Defragmenter programs can delete System Restore Points


  1. Posts : 53,363
    Windows 10 Home x64
       #1

    Defragmenter programs can delete System Restore Points


    I believe it's possible for any defrag program to cause loss of restore points. It has to do with the Volume Shadow Service cluster size.

    The System Shadow Copy provider uses a copy-on-write mechanism that operates at a 16-KB block level. This is independent of the file system's cluster allocation unit size. If the file system's cluster size is smaller than 16 KB, the System Shadow Copy provider cannot easily determine that disk defragmentation I/O is different from typical write I/O, and performs a copy-on-write operation. This might cause the Shadow Copy storage area to grow very quickly. If the storage area reaches its user-defined limit, the oldest shadow copies are deleted first.
    Shadow copies may be lost when you defragment a volume

    Trick #3: Don't lose your system restore points!

    Lost system restore points in Windows are a common complaint with people using disk defragmenters on machines running Vista and later Windows versions. What happens is the defrag operation moves files around causing the Volume Shadow Copy Service (VSS) to create snapshots that overwrite older ones and cause restore points to get deleted. If you have VSS enabled on your hard drive, or if you are not sure if you do, the first thing you should do after installing Auslogics Disk Defrag is go to Program Settings - Algorithms and set the program to defragment in VSS-compatible mode. This prevents excessive growth of the VSS storage area and ensures that your system restore points will remain intact.

    Not all defraggers have this option, so be sure to never use the ones that don't if you have VSS enabled.

    How to Defrag Your Hard Drive Properly

    #1 Restore Points/VSS

    This issue is addressed in Microsoft KB 312067. Defrag activity can purge snapshots off a system. If the drive is formatted in 16K clusters (or a multiple) then steps are taken to minimize purging snapshots or shadow copies. On VSS-enabled drives with a cluster size less than 16K, you need to minimize file movement in order to avoid purging snapshots. By default, PerfectDisk addresses this issue by running in VSS Compatibility Mode with a configurable threshold. The Windows 7 defrag tool has no compatibility mode and will purge the snapshots off a VSS-enabled system.
    8 Reasons Why the Best Windows 7 Defrag is Not the Built-in Windows Disk Defragmenter | Raxco Software Blog

    Minimizing interactions between defragmentation and shadow copies

    When possible, move data in blocks aligned relative to each other in 16-kilobyte (KB) increments. This reduces copy-on-write overhead when shadow copies are enabled, because shadow copy space is increased and performance is reduced when the following conditions occur:
    The move request block size is less than or equal to 16 KB.
    The move delta is not in increments of 16 KB.

    The move delta is the number of bytes between the start of the source block and the start of the target block. In other words, a block starting at offset X (on-disk) can be moved to a starting offset Y if the absolute value of X minus Y is an even multiple of 16 KB. So, assuming 4-KB clusters, a move from cluster 3 to cluster 27 will be optimized, but a move from cluster 18 to cluster 24 will not. Note that mod(3,4) = 3 = mod(27,4). Mod 4 is chosen because four clusters at 4 KB each is equivalent to 16 KB. Therefore, a volume formatted to a 16-KB cluster size will result in all move files being optimized.
    Defragmenting Files (Windows)

    Puran Defrag and VSS

    "You can uncheck all additional operations in Puran Defrag to run it in VSS compatibility mode. However it is recommended that you format your disk with cluster size > 16K. Please read Puran Defrag help VSS Compatibility section for more info."
    Simply excluding "System Volume Information" won't help. Here is the text from Puran Defrag help file "VSS Compatibility" section -

    · It is highly recommended that you format your drive with cluster size of 16K if you want to defrag it and also do not want to lose Shadow Copies.

    · If above is not possible for you then to configure Puran Defrag so that data movement is minimum and shadow copies are not lost or the loss is minimum, uncheck Additional Operations including Fill Gaps, Optimize Directories, Free Space and PIOZR.
    Puran Defrag and VSS | Wilders Security Forums

    Some programs have settings to prevent or mitigate this issue, a VSS compatibility mode. Most do not.
    Windows by default has a 4K cluster size, and it does not seem wise to change that to a 16K size for this inconsistent issue.

    You can determine a drive's cluster size by opening a command prompt and typing

    fsutil fsinfo ntfsinfo C: (Replace the C with the letter of the drive you want to check)

    I think 4k is default? Even my SSD reports that size


    Also, you can create a text file in notepad with only 1 character and save it. Right click the new text file> Properties

    It will show
    Size: 1 bytes (1 bytes)
    Size on disk: 4.0KB (4,096 bytes)
    for example


    Showing a cluster size of 4k

    I think we can assume that most (if not all) users will not have a cluster size of greater than 16k. I think 4k is set as a reason? Therefore, anyone defragging runs the risk of losing restore points. Since it is not that common, I'll assume free space, and space allocated for SR points are the main causes?

    Let's use this thread to discuss the issue. A Guy
    Last edited by A Guy; 27 May 2014 at 00:31.
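
The 16 KB move-delta rule quoted in the post above, worked through as an added example (not part of the original post and not code from Microsoft or any defragmenter vendor). The fsutil sample text, the function names and the move lengths are constructed for illustration; the code also generalizes the rule from 4-KB clusters to any cluster size.

```python
import math
import re

VSS_BLOCK = 16 * 1024  # copy-on-write block size quoted in the post (16 KB)

# Constructed sample of `fsutil fsinfo ntfsinfo C:` output, trimmed to a few lines.
SAMPLE_NTFSINFO = """\
NTFS Volume Serial Number :       0x0000000000000000
Bytes Per Sector  :               512
Bytes Per Cluster :               4096
Bytes Per FileRecord Segment    : 1024
"""

def bytes_per_cluster(ntfsinfo_text):
    """Pull the cluster size out of fsutil's ntfsinfo report."""
    m = re.search(r"Bytes Per Cluster\s*:\s*(\d+)", ntfsinfo_text)
    if m is None:
        raise ValueError("no 'Bytes Per Cluster' line in input")
    return int(m.group(1))

def clusters_per_step(cluster_bytes):
    """Smallest cluster delta whose byte delta is a multiple of 16 KB."""
    return VSS_BLOCK // math.gcd(VSS_BLOCK, cluster_bytes)

def move_is_aligned(src, dst, cluster_bytes):
    """True when |X - Y| in bytes is a multiple of 16 KB (the optimized case)."""
    return (abs(src - dst) * cluster_bytes) % VSS_BLOCK == 0

def nearest_aligned_targets(src, wanted, cluster_bytes):
    """Closest target clusters at-or-below and at-or-above `wanted` that stay aligned."""
    step = clusters_per_step(cluster_bytes)
    below = wanted - (wanted - src) % step
    above = below if below == wanted else below + step
    return below, above

def audit_plan(moves, cluster_bytes):
    """moves: (src_cluster, dst_cluster, length_in_clusters) tuples (hypothetical plan).
    Returns the unaligned moves and the number of bytes they relocate."""
    bad = [m for m in moves if not move_is_aligned(m[0], m[1], cluster_bytes)]
    return bad, sum(n for _, _, n in bad) * cluster_bytes

if __name__ == "__main__":
    size = bytes_per_cluster(SAMPLE_NTFSINFO)
    plan = [(3, 27, 8), (18, 24, 2)]  # the two moves from the quoted text; lengths constructed
    print(size, clusters_per_step(size), audit_plan(plan, size))
    print(nearest_aligned_targets(18, 24, size))
```

The bytes relocated by unaligned moves are only a rough indicator of pressure on the shadow storage area, not a measurement of how much it will actually grow.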

  2.    #2

    Thanks Bill. Brilliant explication. This will be good to get the discussion going further, attract google hits on the subject, also to link for those reporting or asking about it. I am hearing about this for some months now.

    I guess what I'm still wondering is if there is any way to avoid it. That brings up the discussion if defrag is really even needed. I notice Win7 apparently doesn't any longer schedule a weekly default defrag, at least on my installs recently.

    I had migrated to Puran for its boot-time defrag after it helped cut a 2 minute startup time in half. But the reports on Puran causing restore points loss are making me reconsider even advising defrag at all.


  3. Posts : 53,363
    Windows 10 Home x64
    Thread Starter
       #3

    There is likely a commonality amongst those who have the problem. I surmised perhaps free space on the drive, and space allocated for SR points are the main causes, but we may find that there is plenty of both, and yet it still happens. I have used many defragmenter programs over the years (Auslogics, Puran, JK Defrag, etc.), and have never had an issue.

    I also use Power Defragmenter which is a GUI for Contig written by Mark Russinovich for Windows Sysinternals

    How it Works

    Contig uses the native Windows NT defragmentation support that was introduced with NT 4.0 (see my documentation of the defrag APIs for more information). It first scans the disk collecting the locations and sizes of free areas. Then it determines where the file in question is located. Next, Contig decides whether the file can be optimized, based on free areas and the number of fragments the file currently consists of. If the file can be optimized, it is moved into the free spaces of the disk.
    Contig

    Contig is designed to defragment individual files,[1] or specified groups of files, and does not attempt to move files to the beginning of the partition. Unlike the Windows built-in defragmenter tool, Contig can defragment individual files, individual directories, and subsets of the file system using wildcards.

    Contig does not move any data except that belonging to the file in the question, so the amount it can defragment a file is limited to the largest contiguous block of free space on a system. Use of contig exchanges decreased file fragmentation for increased free space fragmentation.
    Contig Defragmentation Utility Wikipedia

    I don't know if Contig would have the same issue. If any defrag program could conceivably?

    A Guy


  4. Posts : 54
    Windows 7 Ultimate x64 SP1
       #4

    Puran Defrag


    Hi,

    I was directed here by gregrocker. I recently used Puran Defrag and created restore points beforehand only to check right after and discover that they had all been deleted. I ran a full boot defrag of my OS drive. If you want some more details let me know.


  5. Posts : 53,363
    Windows 10 Home x64
    Thread Starter
       #5

    I'm wondering if Event viewer would document the deletion of Restore Points for any reason?

    A Guy


  6. Posts : 54
    Windows 7 Ultimate x64 SP1
       #6

    A Guy said:
    I'm wondering if Event viewer would document the deletion of Restore Points for any reason?

    A Guy
    I could post my event logs here if you want. Just be aware there are probably a bunch of other problems in those logs from my computer haha


  7. Posts : 53,363
    Windows 10 Home x64
    Thread Starter
       #7

    Every computer has a ton of entries in Event Viewer. You can try

    Start> In search box type Event Viewer> Enter> When the Event viewer opens expand Custom Views, and click on Administrative events


    Find the timestamp from when you did the defrag, and see if anything jumps out at you. You could also use the SF Diagnostic Tool - Using for Troubleshooting to capture events. Someone much wiser than I would be required to analyse them though

    A Guy


  8. Posts : 54
    Windows 7 Ultimate x64 SP1
       #8

    A Guy said:
    Every computer has a ton of entries in Event Viewer. You can try

    Start> In search box type Event Viewer> Enter> When the Event viewer opens expand Custom Views, and click on Administrative events

    Find the timestamp from when you did the defrag, and see if anything jumps out at you. You could also use the SF Diagnostic Tool - Using for Troubleshooting to capture events. Someone much wiser than I would be required to analyse them though

    A Guy
    All the stuff in event viewer is too complicated for me to understand; I don't know what to look for. However, for future reference to anybody that does want to look at my events, I have attached them.


  9. Posts : 4,049
    W7 Ultimate SP1, LM19.2 MATE, W10 Home 1703, W10 Pro 1703 VM, #All 64 bit
       #9

    I use Defraggler and it seems to delete System Restore points.


  10. Posts : 4,566
    Windows 10 Pro
       #10

    Almost all third party antivirus programs will delete restore points if they find infections in them. If you have a rootkit, sometimes it uses the av software to delete all the restore points the user has on purpose by infecting them with a little something. Basically setting a trap for the user.

    Not that that matters anyway, under no circumstance should you use system restore to recover from a threat. It is not a good idea in the slightest.

    You should always Disable system protection on a very infected pc to clean all restore points for the very nasty ones. This will delete all restore points on the system and will help keep malware from hiding. Then once all the infections are cleaned up, re-enable system protection.


 