


[XP] A mini reader for system-restore logs

Started by sapero, February 06, 2010, 06:49:38 PM



sapero

February 06, 2010, 06:49:38 PM Last Edit: February 06, 2010, 06:51:56 PM by sapero
This is only for Windows XP with enabled system restore.

There are three examples. The first one just dumps the content of the change.log file from the current restore point in the System Volume Information directory.
CHANGE_LOG_ENTRY
.RecordHeader.size: 470
.RecordHeader.type: LogEntry
.magic            : ABCDEF12h
.type             : File deleted
.flags            : ACLINFO TEMPPATH
.attributes       : ARCHIVE NOT_CONTENT_INDEXED

  RECORD_HEADER size:  104 type: FirstPath: \WINDOWS\system32\wbem\Performance\WmiApRpl.ini
  RECORD_HEADER size:   34 type:  TempPath: A0098177.ini
  RECORD_HEADER size:  264 type: AclInline: O:BAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)

The second example lets you pick a file from System Volume Information directory, then shows its real name and original location. All the log files (change.log and change.log.NNN) are scanned.
For example, if you pick "A0098219.ini", it will show "A0098233.ini comes from \Documents and Settings\username\ntuser.ini"

The third one displays in real time what system restore service is adding to logs.

All examples use 'undocumented' structures RECORD_HEADER, SR_LOG_DEBUG_INFO, CHANGE_LOG_ENTRY and CHANGE_LOG_HEADER described here (you can study the internal structures of the log file).

Note: the System Volume Information directory is protected, but its child directories are not.
In case you manipulated the ACL, all the examples are capable of impersonation, and will have access to System Volume Information (impersonation requires admin privileges).
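The second example's lookup (temp name under System Volume Information to its original path) can also be built from the text dump that the first example prints, which is handy when you only have the dump output saved from a machine. The following is an added example written for this post, not sapero's code: it parses dump text in exactly the layout shown above, checks the magic value and the TEMPPATH flag against the sub-records before trusting a record, and scans several logs (change.log, change.log.NNN) to answer the "where did A00NNNNN.ext come from" question. The sample dump text is constructed; the A0098177.ini / WmiApRpl.ini and A0098233.ini / ntuser.ini pairs are taken from the post, the other fields of the second record are made up. The pairing of the TEMPPATH flag with a TempPath sub-record is inferred from the single record shown and is treated as an assumption; the function names are mine.

```python
import re

# The magic value exactly as the post's dump prints it.
MAGIC = "ABCDEF12h"

# Constructed sample: dump text for two logs in the post's layout.
# First record copied from the post; second record's paths are from the post,
# the remaining fields (sizes, type, flags, attributes) are made up.
SAMPLE_LOGS = {
    "change.log": r"""CHANGE_LOG_ENTRY
.RecordHeader.size: 470
.RecordHeader.type: LogEntry
.magic            : ABCDEF12h
.type             : File deleted
.flags            : ACLINFO TEMPPATH
.attributes       : ARCHIVE NOT_CONTENT_INDEXED

  RECORD_HEADER size:  104 type: FirstPath: \WINDOWS\system32\wbem\Performance\WmiApRpl.ini
  RECORD_HEADER size:   34 type:  TempPath: A0098177.ini
  RECORD_HEADER size:  264 type: AclInline: O:BAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)
""",
    "change.log.1": r"""CHANGE_LOG_ENTRY
.RecordHeader.size: 120
.RecordHeader.type: LogEntry
.magic            : ABCDEF12h
.type             : File modified
.flags            : TEMPPATH
.attributes       : ARCHIVE

  RECORD_HEADER size:   80 type: FirstPath: \Documents and Settings\username\ntuser.ini
  RECORD_HEADER size:   34 type:  TempPath: A0098233.ini
""",
}

# ".name   : value" lines of a CHANGE_LOG_ENTRY block
FIELD_RE = re.compile(r"^\.(\S+)\s*:\s*(.*)$")
# "  RECORD_HEADER size:  104 type: FirstPath: <value>" sub-record lines
SUB_RE = re.compile(r"^\s*RECORD_HEADER size:\s*(\d+)\s+type:\s*(\w+):\s*(.*)$")


def parse_dump(log_name, text):
    """Parse one log's dump text into a list of record dicts."""
    records = []
    cur = None
    for line in text.splitlines():
        if line.strip() == "CHANGE_LOG_ENTRY":
            cur = {"log": log_name, "sub": {}}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            # flags and attributes are printed as space-separated names
            cur[key] = tuple(val.split()) if key in ("flags", "attributes") else val
            continue
        m = SUB_RE.match(line)
        if m:
            # kind -> (declared size, value), e.g. "TempPath" -> (34, "A0098177.ini")
            cur["sub"][m.group(2)] = (int(m.group(1)), m.group(3).strip())
    return records


def check_record(rec):
    """Return a list of consistency problems; an empty list means the record is usable."""
    problems = []
    if rec.get("magic") != MAGIC:
        problems.append("bad magic %r" % rec.get("magic"))
    if "FirstPath" not in rec["sub"]:
        problems.append("no FirstPath sub-record")
    # Assumption (inferred from the one record in the post): the TEMPPATH flag
    # is set exactly when a TempPath sub-record follows the entry.
    if ("TEMPPATH" in rec.get("flags", ())) != ("TempPath" in rec["sub"]):
        problems.append("TEMPPATH flag disagrees with TempPath sub-record")
    return problems


def build_index(logs):
    """Map each temp name (lower-cased) to its original path, entry type and log."""
    index = {}
    for log_name, text in logs.items():
        for rec in parse_dump(log_name, text):
            if check_record(rec):
                continue  # skip inconsistent records instead of guessing
            temp = rec["sub"].get("TempPath")
            if temp:
                index[temp[1].lower()] = {
                    "original": rec["sub"]["FirstPath"][1],
                    "type": rec.get("type", "?"),
                    "log": log_name,
                }
    return index


def find_origin(logs, temp_name):
    """Answer the post's second example from dump text instead of the binary logs."""
    hit = build_index(logs).get(temp_name.lower())
    if hit is None:
        return "%s not found in any change.log" % temp_name
    return "%s comes from %s (%s, %s)" % (temp_name, hit["original"], hit["type"], hit["log"])


if __name__ == "__main__":
    for name in ("A0098177.ini", "A0098233.ini", "A0000001.dll"):
        print(find_origin(SAMPLE_LOGS, name))
```

Records whose magic is not ABCDEF12h or whose flags disagree with the sub-records that follow are skipped rather than mapped, so a corrupted or truncated dump cannot silently attribute a temp file to the wrong original path; when run against a real dump, replace SAMPLE_LOGS with the saved text of each change.log and change.log.NNN.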