Jump to content

How to fetch date/time of last windows 10 system restore point?


 Share

Recommended Posts

The are numerous ways to get the information.  Here are a few:

  • Capture & Parse a command line command:
    • ShadowCopy Object (Timestamp is slightly different by a few seconds but value is local time)
      • vssadmin list shadows (CMD)
      • wmic ShadowCopy get InstallDate (CMD)
    • SystemRestore Object (Timestamp is UTC and has to be converted to local time)
      • wmic /namespace:\\root\default path SystemRestore get CreationTime (CMD)
      • Get-ComputerRestorePoint (PowerShell)
         
  • AutoIt WMI query

 

Example of command capture and WMI query below:

Spoiler
#RequireAdmin ;System Restore point access requires elevated privileges

#include <Constants.au3>
#include <Array.au3>
#include <Date.au3>

last_restore_point_wmi_example()
last_restore_point_cmd_example()

Func last_restore_point_wmi_example()
    Local $oWmi, $oItems, $oComError
    Local $sRestorePointDateTime = ""
    Local $aRestorePoints[0]

    #forceref $oComError

    $oComError = ObjEvent("AutoIt.Error", comm_error_handler)

    ;Get WMI object
    $oWmi = ObjGet("winmgmts:\root\default")

    ;Query restore points
    $oItems = $oWmi.ExecQuery("SELECT CreationTime FROM SystemRestore")
    If $oItems.Count = 0 Then Exit MsgBox($MB_ICONWARNING,"Warning","No items found")

    ;Process result set
    For $oItem in $oItems
        With $oItem
            ;Convert UTC creation time from yyyymmddhhmmss to local yyyy-mm-dd hh:mm:ss time
            $sRestorePointDateTime = convert_utc_to_local_time(.CreationTime)

            ;Add date/time to the array
            _ArrayAdd($aRestorePoints, $sRestorePointDateTime)
        EndWith
    Next

    ;Sort the array in descending order and display first entry
    _ArraySort($aRestorePoints, 1)
    MsgBox($MB_ICONINFORMATION, "WMI Example", "Last System Restore Point" & @CRLF & $aRestorePoints[0])
EndFunc

Func last_restore_point_cmd_example()
    Local $iPID = 0
    Local $sCmdOutput = ""
    Local $aRestorePoints[0]

    ;Execute & capture console command output
    $iPID = Run("wmic /namespace:\\root\default path SystemRestore get creationtime /format:list", "", Default, $STDERR_MERGED)
    If Not $iPID Then Exit MsgBox($MB_ICONERROR, "ERROR", "WMIC command failed.")

    ;Wait for command to finish
    If Not ProcessWaitClose($iPID, 5) Then Exit MsgBox($MB_ICONERROR, "ERROR", "Timeout occurred waiting for command to complete.")

    ;Get command output and parse info of interest
    $sCmdOutput = StdoutRead($iPID)

    $aRestorePoints = StringRegExp($sCmdOutput, "(?m)^CreationTime=(\d{14})", $STR_REGEXPARRAYGLOBALMATCH)
    Switch @error
        Case 1
            MsgBox($MB_ICONWARNING,"Warning","No items found")
            Exit
        Case 2
            MsgBox($MB_ICONERROR, "ERROR", "Stringregexp error. @error = " & @error)
            Exit 1
    EndSwitch

    ;Process result set
    For $i = 0 To UBound($aRestorePoints) - 1
        ;Convert utc creation time from yyyymmddhhmmss to local yyyy-mm-dd hh:mm:ss
        $aRestorePoints[$i] =  convert_utc_to_local_time($aRestorePoints[$i])
    Next

    ;Sort the array in descending order and display first entry
    _ArraySort($aRestorePoints, 1)
    MsgBox($MB_ICONINFORMATION, "WMIC Example", "Last System Restore Point" & @CRLF & $aRestorePoints[0])
EndFunc

Func convert_utc_to_local_time($sUTCDateTime)
    Local $tSYSTEMTIME = DllStructCreate($tagSYSTEMTIME)

    ;Convert utc time to local time
    $tSYSTEMTIME.Year   = StringMid($sUTCDateTime,  1, 4)
    $tSYSTEMTIME.Month  = StringMid($sUTCDateTime,  5, 2)
    $tSYSTEMTIME.Day    = StringMid($sUTCDateTime,  7, 2)
    $tSYSTEMTIME.Hour   = StringMid($sUTCDateTime,  9, 2)
    $tSYSTEMTIME.Minute = StringMid($sUTCDateTime, 11, 2)
    $tSYSTEMTIME.Second = StringMid($sUTCDateTime, 13, 2)

    $tSYSTEMTIME        = _Date_Time_SystemTimeToTzSpecificLocalTime($tSYSTEMTIME)

    Return StringFormat("%04i-%02i-%02i %02i:%02i:%02i", _
                        $tSYSTEMTIME.Year, $tSYSTEMTIME.Month , $tSYSTEMTIME.Day, _
                        $tSYSTEMTIME.Hour, $tSYSTEMTIME.Minute, $tSYSTEMTIME.Second)

EndFunc

Func comm_error_handler($oComError)
    With $oComError
        MsgBox($MB_ICONERROR, "COM ERROR", _
               "An error occured on line " & .ScriptLine & @CRLF & @CRLF & _
               StringStripWS(.WinDescription, $STR_STRIPTRAILING) & @CRLF & @CRLF & _
               StringFormat("Error Number = %i (0x%x)", .Number, .Number) & @CRLF & @CRLF & _
               .Description)
    EndWith

    Exit 1
EndFunc

 

 

Edited by TheXman
Reformat reply & changed example WMI objects from ShadowCopy to SystemRestore
Link to comment
Share on other sites

@TheXman Thanks for your kind reply. I just added command " last_restore_point_cmd_example()" at last of script to call the function. But I am facing one issue:

1. Windows is prompting to a question "Allow changes using autoit". I dont want this prompt to happen.

 

Kindly guide me.

Edited by Jahar
Link to comment
Share on other sites

@TheXman Currently I am getting the last restore point with your code.  But if i remove line "#RequireAdmin" , I am getting different result:

1.  For last_restore_point_cmd_example - It says no items are found. But, with #RequireAdmin, it gives restore point

2. For last_restore_point_wmi_example - Msg "An error occured on line 24" is shown.

Please guide me.

Link to comment
Share on other sites

32 minutes ago, Jahar said:

For last_restore_point_cmd_example - It says no items are found. But, with #RequireAdmin, it gives restore point

If you get results with #RequireAdmin, and don't get results without it, what does that tell you?  Did you read the first line of my example script?  To query the Restore Points, it requires the script to run with elevated (Admin) privileges.  :bonk:

32 minutes ago, Jahar said:

For last_restore_point_wmi_example - Msg "An error occured on line 24" is shown.

How am I supposed to know why you get errors in your script without seeing your script?  I'm not going to try to guess what is on or around line 24.  If you are referring to the example script, then you probably ran it without #RequireAdmin.

 

I provided examples for you to learn from.  That means you need to take the time to see and understand what it is doing.  If you make changes to my examples, which I encourage you to do, you need to see how your changes affect the result and why?  It is time for you to do a little learning.  If you don't want to take the time to learn, then hopefully someone else will come along and write your solution for you.  :bye:

Edited by TheXman
Link to comment
Share on other sites

34 minutes ago, Jahar said:

is there a way to disable UAC for this script alone?

If you, or the user context in which you are running the script, is an Admin and you are just trying to get rid of the UAC prompt that #RequireAdmin displays, then the following UDF has functions to do it.  However, you will need #RequireAdmin to execute those necessary functions.  That means, until you have made the changes necessary, you will still see the prompt.  So I guess the answer to your question is yes and no.

There are other ways to get around the UAC prompt, without #RequireAdmin, when admin is required.  Discussion of getting around security is discouraged in these forums.  However, there are a few topics that have been created in the past that discuss ways that it can be done.  Some are acceptable to discuss like using the Task Scheduler and others aren't, like self-elevation techniques -- at least is was still taboo the last time I checked.  You will need to search the forum on your own for more information.

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...