How to tell if a System Restore was done?

[glricht]

Does anybody know how to determine if a System Restore has been done? (Win 7)

Background: Win 7 H.P. desktop. Did an onsite call exactly one week ago and one of the items was her McAfee Internet Security had expired and she wanted a free a.v. Uninstalled McAfee (it came out clean), rebooted, Win complained about no a.v.; installed/config MSE, verified all OK. Just like a hundred others I've done.

This morning she calls because a genealogy web site she uses won't work because it says it needs Flash. However, last week I checked Flash and it was up-to-date.

Did a quick remote connect to see what was going on and the first thing I see is a pop-up on her machine saying McAfee was expired and needs to be renewed! Huh? I removed it last week! Tried to bring up McAfee to check it out, but it won't come up.

This has the symptoms of a system restore being done to a date prior to my call last week, but she swears she didn't do a SR. But she did have a friend come over a few days ago, but doesn't know what was done. Groan.

I'm scheduled to go see her tomorrow, but need to know if a SR was actually done. If so, I can probably just do an "undo" SR. But if an SR wasn't done, doing an undo could introduce all kinds of add'l issues.

Done all sorts of Google search, but no real help. I suspect that the Event Log would show an SR, but don't know what ID to look for.

Anybody run into this before?

 

[Tech in SC]

Click Start
Type cmd
Press Enter
Type systeminfo
look for "Original Install Date" near the top

 

[glricht]

Click Start
Type cmd
Press Enter
Type systeminfo
look for "Original Install Date" near the top

No, that's the date of the last install of Windows itself, not the date of the last system restore.

But since the original post, using a test Win 8 Pro machine (didn't have a Win 7 one available), I created a restore point, then restored to that point, and then checked the Event Log.

In the Application logs:
Event ID 8199 showed the creation of the restore point
Event ID 8202 showed the restoration of the above restore point

8202 lists the restore point's description, but unfortunately not the date that the restore point itself was created, but it's a start.

I'm assuming (hoping?) that Win 7 will work the same way.

 

[johnrobert]

Go thru the process of making a new system restore when you see dates to choose it will show any restores already done

 

[Xander]

^ That.

If a Restore was done, it will show up as a Restore point itself so that you will then have the option of undoing that same restore.

 

[glricht]

Go thru the process of making a new system restore when you see dates to choose it will show any restores already done

Thanks, this appears to work just fine.

I'm going to the customer this morning, so I will at least be able to determine if a system restore was done or something else is going on.

 

[mm201]

Maybe there was a bit left over, a reminder in the Task Scheduler maybe, that didn't get uninstalled and that's why you're getting the renewal reminder but the program won't launch.

 

[glricht]

To close the loop: went to the customer's house this morning and determined that the "friend" had indeed done a SR which screwed everything up. When I did an SR undo, McAfee was gone, MSE was back, but a whole bunch of new infections showed up!

Was able to piece together what actually happened:

Mon, Jan 21: my service call - removed McAfee, installed MSE, cleaned up PC
Wed, Jan 23: "friend" comes over, decides to improve on what I'd done. Ends up infecting the PC with a bunch of stuff (including Babylon). Realizes she's in big trouble, so does a SR back to around Wed, Jan 16th and leaves
Mon, Jan 28: During a remote connect, I realize everything I had done on Jan 21 was missing!
Tue, Jan 29: Undid the SR of Jan 23 and my work is back. But so is all the crap that the friend had installed. Spent another 30 minutes or so removing all that stuff too.

End result: their PC is clean, they paid to clean what the "friend" did - and then vowed never to let her touch their PC again!

 

[EvolutionElectronics]

glad it worked out for you, i also have had to look up if a system restore was used to determine if our work was undone as well, one time it escalated to the customer removing their machine and never coming back lol

 

[HCHTech]

This is a good reason to make wiping previous restore points part of your cleanup routine. I learned that one the hard way from a dishonest customer when I first started this gig.

Step 1 - Pay for cleanup
Step 2 - Surf pron
Step 3 - run system restore
Step 4 - Call tech back for free fix
Step 5 - Goto Step 2