TeamRocket
Posted March 27, 2011 (edited)

I've been working on a restore point utility as of late. The only function that's causing me grief is the one that is supposed to delete individual restore points. I found a function contained in srclient.dll called "SRRemoveRestorePoint" which is specifically designed for this exact purpose. I've read the documentation on the MSDN, I've looked into "srrestoreptapi.h"... I'm completely stumped. Here's my code:

    ConsoleWrite(@CRLF & "> Calling 'srclient.dll' function to delete restore point @ instance 1...")
    ; DllCall returns an array: [0] is the function's return value, [1] is a copy of the argument
    $result = DllCall("srclient.dll", "DWORD", "SRRemoveRestorePoint", "DWORD", 1)
    Local $iRes = @CRLF & "> SRRemoveRestorePoint @ERROR Return Value = " & @error
    ; Append every element of the DllCall result array to the report
    For $x = 0 To UBound($result) - 1
        $iRes = $iRes & @CRLF & @TAB & "Error #" & $x & " = " & $result[$x]
    Next
    ConsoleWrite($iRes & @CRLF)

And the output from SciTE:

    > Calling 'srclient.dll' function to delete restore point @ instance 1...
    > SRRemoveRestorePoint @ERROR Return Value = 0
        Error #0 = 0
        Error #1 = 1

and if I change the instance to, say, 5:

    > Calling 'srclient.dll' function to delete restore point @ instance 5...
    > SRRemoveRestorePoint @ERROR Return Value = 0
        Error #0 = 0
        Error #1 = 5

However, the restore points are not actually removed.

Additional details:

- Production rig is running XP Pro SP3 on an admin account
- I verified that srclient.dll was registered (ran "regsvr32 srclient.dll" which succeeded)
- The results are the exact same if I replace "SRRemoveRestorePoint" with the ordinal number (20) and the hex address (0x0014)
- The ordinal number, address, and name have been verified by opening srclient.dll in Dependency Walker & by disassembling it via PE Explorer
- I verified that the restore points did not delete via an enumeration function I also wrote (but it's using WMI) and by opening rstrui.exe and browsing the existing restore points.

Also, I looked at this post: but the author had the same issue. Any ideas as to what I'm doing wrong? I admit my knowledge with DLL calls is very sparse...

Edit: Added link to similar conundrum in autoit forum

Edited March 29, 2011 by TeamRocket

TeamRocket
Posted March 28, 2011

Update: After typing up a working snippet in C#, I discovered that the SRRemoveRestorePoint is useless in XP, but works perfectly in Vista and 7. However, my AutoIt script (above) still does not work. Same code, different output:

    > Calling 'srclient.dll' function to delete restore point @ instance 1...
    > SRRemoveRestorePoint @ERROR Return Value = 0
        Error #0 = 2
        Error #1 = 1

TeamRocket
Posted March 28, 2011 (edited)

HA!!!! I feel like an idiot. Mere seconds after my last post, I figured it out. I'll consider this solved. Here's the solution for anyone else who comes across this:

1) SRRemoveRestorePoint will not work in Windows XP. Basically, all it will do is mark the restore point as code 13 (canceled) and hide it from use, but the restore point data will remain on the computer. The only way to delete restore points is to mark them canceled and then delete the corresponding directory in System Volume Information, but this is VERY risky. Best to just delete them all at once.

2) SRRemoveRestorePoint works perfectly on Vista/7, but you have to make sure that you are deleting a restore point that actually exists. In my last post, I had tried to delete restore point 1, but the first restore point sequence available for deletion was 9. Oops!

Here's the full debugging output after a successful run:

    ***********************************************
    ***  Restore Point Manipulation utilizing   ***
    ***  Windows Management Instrumentation     ***
    ***********************************************
    > Beginning Test.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~      Enumerating before deleting...     ~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Getting WMI Object "Systemrestore"... Done.
    Attempting to obtain instances of systemrestore in "default" object... Done.

    Point.creationtime: "20101207230830.183982-000"
    Point.description: "Installed VMware Tools"
    Point.sequencenumber: "9"

    Point.creationtime: "20110328095112.955186-000"
    Point.description: "Restore point 2"
    Point.sequencenumber: "10"

    Point.creationtime: "20110328095147.287161-000"
    Point.description: "restore point 3"
    Point.sequencenumber: "11"

    Point.creationtime: "20110328101003.579087-000"
    Point.description: "Au3 Test 1"
    Point.sequencenumber: "12"

    Point.creationtime: "20110328101007.485337-000"
    Point.description: "Au3 Test 2"
    Point.sequencenumber: "13"

    Point.creationtime: "20110328101014.641587-000"
    Point.description: "Au3 Test 3"
    Point.sequencenumber: "14"

    Point.creationtime: "20110328101021.985337-000"
    Point.description: "Au3 Test 4"
    Point.sequencenumber: "15"

    Point.creationtime: "20110328101029.282212-000"
    Point.description: "Au3 Test 5"
    Point.sequencenumber: "16"

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~          Deleting Instance #2...        ~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > Calling 'srclient.dll' function to delete restore point @ instance 13...
    > SRRemoveRestorePoint @ERROR Return Value = 0
        Error #0 = 0
        Error #1 = 13
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~      Enumerating after deleting...      ~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Getting WMI Object "Systemrestore"... Done.
    Attempting to obtain instances of systemrestore in "default" object... Done.

    Point.creationtime: "20101207230830.183982-000"
    Point.description: "Installed VMware Tools"
    Point.sequencenumber: "9"

    Point.creationtime: "20110328095112.955186-000"
    Point.description: "Restore point 2"
    Point.sequencenumber: "10"

    Point.creationtime: "20110328095147.287161-000"
    Point.description: "restore point 3"
    Point.sequencenumber: "11"

    Point.creationtime: "20110328101003.579087-000"
    Point.description: "Au3 Test 1"
    Point.sequencenumber: "12"

    Point.creationtime: "20110328101014.641587-000"
    Point.description: "Au3 Test 3"
    Point.sequencenumber: "14"

    Point.creationtime: "20110328101021.985337-000"
    Point.description: "Au3 Test 4"
    Point.sequencenumber: "15"

    Point.creationtime: "20110328101029.282212-000"
    Point.description: "Au3 Test 5"
    Point.sequencenumber: "16"

    ***********************************************
    *********          COMPLETED          *********
    ***********************************************

Edited March 29, 2011 by TeamRocket
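
The check described in point 2 of the post above (only pass SRRemoveRestorePoint a sequence number that WMI actually lists, read the function's return value, then enumerate again), as an added example that is not part of TeamRocket's posts. The helper names _RP_List, _RP_Has and _RP_Remove are hypothetical, and the target value 13 is taken from the debug output for illustration.

```autoit
; Added example, not TeamRocket's code. _RP_List, _RP_Has and _RP_Remove are hypothetical names.
Global Const $ERROR_SUCCESS = 0 ; documented success return of SRRemoveRestorePoint

; Sequence numbers WMI currently reports; element 0 holds the count.
Func _RP_List()
    Local $aSeq[1] = [0]
    Local $oWMI = ObjGet("winmgmts:\\.\root\default")
    If Not IsObj($oWMI) Then Return SetError(1, 0, $aSeq)
    For $oPoint In $oWMI.InstancesOf("SystemRestore")
        $aSeq[0] += 1
        ReDim $aSeq[$aSeq[0] + 1]
        $aSeq[$aSeq[0]] = Number($oPoint.SequenceNumber)
    Next
    Return $aSeq
EndFunc

Func _RP_Has($aSeq, $iSeq)
    For $i = 1 To $aSeq[0]
        If $aSeq[$i] = $iSeq Then Return True
    Next
    Return False
EndFunc

; Remove one restore point. @error: 1 = WMI unavailable, 2 = not listed,
; 3 = DllCall failed, 4 = API returned non-zero (code in @extended), 5 = still listed afterwards.
Func _RP_Remove($iSeq)
    Local $aBefore = _RP_List()
    If @error Then Return SetError(1, 0, False)
    If Not _RP_Has($aBefore, $iSeq) Then Return SetError(2, 0, False)
    Local $aCall = DllCall("srclient.dll", "dword", "SRRemoveRestorePoint", "dword", $iSeq)
    If @error Then Return SetError(3, @error, False)
    ; $aCall[0] is the API's return value; $aCall[1] only echoes the argument passed in.
    If $aCall[0] <> $ERROR_SUCCESS Then Return SetError(4, $aCall[0], False)
    Local $aAfter = _RP_List()
    If @error Or _RP_Has($aAfter, $iSeq) Then Return SetError(5, 0, False)
    Return True
EndFunc

Local $iTarget = 13 ; constructed value: the sequence number removed in the thread's debug output
Local $bOk = _RP_Remove($iTarget)
Local $iErr = @error, $iExt = @extended
If $bOk Then
    ConsoleWrite("Restore point " & $iTarget & " removed and no longer listed." & @CRLF)
Else
    ConsoleWrite("Not removed: @error = " & $iErr & ", @extended = " & $iExt & @CRLF)
EndIf
```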

TeamRocket
Posted March 29, 2011

Ok, again, posting this for anyone who comes across this in hopes of assisting you (sparing you the several days I spent researching this): If you would like to delete the restore points in Windows XP (any edition), you MUST delete them all at once. This is the safest and most effective method. In order to do this, use the following WMI method:

    Local $SRP = ObjGet("winmgmts:\\" & @ComputerName & "\root\default:Systemrestore")
    $result = $SRP.Disable("X:\") ;Drive letter must be capital with colon and trailing backslash, otherwise this will fail!
    ConsoleWrite("Result = " & $result & @CRLF) ;return code 0 = success!

    ;At this point, all restore points will be deleted from the system.
    ;To enable the system restore feature, use the following code:
    $result = $SRP.Enable("C:\") ;If you run this line in a separate function, remember to call the WMI Object with the ObjGet() function above
    ConsoleWrite("Result = " & $result & @CRLF) ;return code 0 = success!

Happy trails!