Chapter 15

Troubleshooting, backup, and recovery

As they say, stuff happens. You might remember a more colorful form of that expression, but in any case, it certainly applies whenever hardware and software are involved.

Although Microsoft Windows generally has become more stable and reliable over time, your computing experience will never be perfect. Apps stop responding or crash (shut down unexpectedly). Once in a while, a feature of Windows walks off the set without warning. And on rare occasions, the grim BSOD (“Blue Screen of Death,” more formally known as a Stop error or bugcheck) arrives, bringing your whole system to a halt.

In a fully debugged, perfect world, such occurrences would never darken your computer screen. But you don’t live there, and neither do we. So the prudent course is to learn to use the many tools Windows provides for diagnosing errors and recovering from problems. We examine these essential tools in this chapter.

And while those troubleshooting tools can help you understand what happened and maybe help you prevent it from happening again, they can’t help you recover, which is why this chapter also explains how to use the backup tools included with Windows 11. Our goal is to help you prepare for the inevitable day when you need to restore a lost file (or an entire drive’s worth of files). We also explain your options for resetting Windows when the operating system becomes damaged, for whatever reason.

Getting to know your troubleshooting toolkit

As any detective will tell you, solving a mystery requires evidence. If your mystery involves inexplicably slow performance or crashes, you have several places to look for clues.

Built-in troubleshooters

The most obvious first step on the road to resolving performance issues (including features that mysteriously stop working) is the set of troubleshooters at Settings > System > Troubleshoot > Other Troubleshooters. Here you will find a categorized roster of tools to deal with a wide assortment of common problems.

There’s nothing magical about any of these troubleshooters. Their purpose is to ensure that you check the most common causes of problems, including some that might seem obvious. (Is the network cable plugged in? Is the printer turned on?) Running a troubleshooter is an obvious first step when confronting most common problems: The troubleshooter can fix some issues and, more importantly, establishes a baseline for further troubleshooting.

A troubleshooter might lead you through several steps and ask you to check settings or connections. At the end, it displays its results in a troubleshooting report similar to the one shown in Figure 15-1. The report includes links for additional information.

This screenshot shows the findings of the Power troubleshooter. For each issue found, the troubleshooter lists a brief description, a solution, and whether the solution was successfully applied.

Figure 15-1 The troubleshooting report lists issues and indicates whether they were fixed. For any issues that are detected, you can click a link to see more granular information about that item.

Windows Error Reporting

The Windows Error Reporting service runs continuously in the background, keeping track of software and driver installations (successful and otherwise) as well as crashes, hangs, and other system events that indicate a possible problem with Windows. (In fact, although the service and app that enable the feature are called Windows Error Reporting, the term you’re more likely to see in Windows is problem reporting.) If you’ve authorized Windows 11 to send these reports as part of its diagnostics tracking, Microsoft provides these details to the developers of the app that caused the error (including Microsoft developers when the issue occurs with a feature in Windows, Office, or another Microsoft app). The goal, of course, is to improve quality by identifying problems and delivering fixes through Windows Update and Office Update.

In previous versions, Windows was downright chatty about reporting crashes, successful updates, and minor speed bumps. In Windows 11, most of these problem reports (including diagnostic reports sent after successful upgrades) are completely silent, but each report is logged. You can use the history of problem reports on a system to review events and to see whether any patterns demand additional troubleshooting.

To view the Problem Reports log, open Settings, click in the Find A Setting search box, type problem reports, and then click View All Problem Reports. Figure 15-2 shows a portion of the error history for a computer running Windows 11 Pro.

This screenshot shows the Review Problem Reports page in Control Panel. Each problem shows the source component, a summary, a date, and the status.

Figure 15-2 The list of saved problem reports displays the two most recent reports in each group.

If the words Solution Available appear in the Status column for an item, right-click that item and then click View Solution. That shortcut menu also includes commands to group the entries in the list of problem reports by source, summary, date, or status—or you can choose Ungroup to see the entire uncategorized list. Regardless of whether the list is grouped, you can sort by any field by clicking the field’s column heading.

You can see a more detailed report about any event in this log by double-clicking the event. (See Figure 15-3.) The Description field usually is written clearly enough to provide potentially useful information. The rest of the details might not be meaningful to you, but they could be helpful to a support technician. Some reports include additional details sent in a text file you can inspect for yourself.

This screenshot shows the Problem Details page. Below the problem summary, date, and status, a box contains a more detailed description and technical details.

Figure 15-3 Double-clicking an entry in the problem reports list displays details about the problem that might be useful to a support technician.

Feedback and diagnostics

By default, Windows 11 configures your system so that it sends a generous amount of diagnostic and feedback information, including error reports that could inadvertently contain personal information. If you’re concerned about data use or privacy, you can dial back the amount of diagnostic information using the settings we describe in “Configuring privacy options,” in Chapter 12, “Windows security and privacy.”

In addition to this automated feedback, Windows 11 enables you to send problem reports and feature suggestions to Microsoft. In some cases, the operating system will directly ask for your feedback on features. If you prefer not to be asked for feedback, go to Settings > Privacy & Security > Diagnostics & Feedback. The Feedback Frequency setting near the bottom of this page controls how often Microsoft asks you about your use of features. (And yes, “Never” is an option.)

Windows 11 also includes the Feedback Hub app, which you can use to send problem reports and suggestions to Microsoft. (This app was previously available only to registered members of the Windows Insider Program.) We recommend that you search for existing feedback before filling out your own problem report. You can filter and sort the list of search results to see if your specific issue has already been reported; in some cases, Microsoft engineers respond with a note that the issue has been fixed (or is on the list for repair in a future update).

If you find an existing feedback entry that describes your issue, you can add a comment and an upvote. If you discover a new issue, feel free to create your own feedback item by clicking Report A Problem or Suggest A Feature. In the spirit of setting expectations, we are compelled to add that items you submit here are different from support tickets. You probably won’t get personal support from a Microsoft engineer or support tech, although your feedback will be considered, especially if the number of upvotes hits double or triple digits.

Reliability Monitor

Windows 11 keeps track of an enormous range of system events, which you can monitor using Event Viewer, as we describe in the following section. For a day-by-day inventory of specific events (successful and unsuccessful) that affect your system’s overall stability, open Reliability Monitor, shown in Figure 15-4. (Type reliability in the search box, and then click the top result, View Reliability History.)

This screenshot shows Reliability Monitor. A graph with dates along the X-axis fills most of the screen. A line graph shows the daily reliability score; below that are icons identifying failures and other events on each date.

Figure 15-4 Reliability Monitor keeps a daily tally of significant events affecting system stability. Select any day to see details in the pane on the bottom.

Each column in the graphical display represents events of a particular day (or week, if you click that option in the upper-left corner). Each red X along the first three lines below the graph (the various Failures lines) indicates a day on which problems occurred. The Warnings line describes minor problems unrelated to system reliability, such as an app whose installation process didn’t complete properly. The last line below the graph—the line marked Information—identifies days on which an app or an update was installed or removed. You can see the details about the events of any day by clicking on the graph for that day. Reliability Monitor retains its system stability records for up to one year but clears the history with the installation of each new feature update.

This history is most useful when you begin experiencing a new problem and are trying to track down its cause. Examine the critical events for the period when you first began to experience the problem, and see whether they correspond with an informational item, such as an app installation. The alignment of these events could be mere coincidence, but it could also represent the first appearance of a long-term problem. Conjunctions of this sort are worth examining. If you think a new app has destabilized your system, you can try uninstalling it.

Double-clicking any problem report exposes its contents, which are filled with technical details that are potentially useful, confusing, or both. Note that these reports are identical to those you can find in the listing of problem reports we discussed earlier in this chapter.

Event Viewer

Technically, we probably should have included Event Viewer (Eventvwr.msc) in the previous section. It is, after all, just another troubleshooting tool. But we think that this, the most powerful of all the diagnostic tools in Windows 11, deserves special attention in this chapter.

In Windows, an event is any occurrence that is potentially noteworthy—to you, to a system or network administrator, to the operating system, or to an app. Events are recorded by the Windows Event Log service, and their history is preserved in one of several log files, including Application, Security, Setup, System, and Forwarded Events. You can use Event Viewer, a Microsoft Management Console (MMC) snap-in supplied with Windows, to review and archive these event logs, as well as other logs created by the installation of certain apps and services.

You can examine the history of errors on your system by creating a filtered view of the Application log in Event Viewer. Why would you want to do this? The most likely reasons are to troubleshoot problems that have occurred, to keep an eye on your system to forestall problems, and to watch out for security breaches. If a device has failed, a disk has filled close to capacity, an app has crashed repeatedly, or some other critical difficulty has arisen, the information recorded in the event logs can help you—or a technical support specialist—figure out what’s wrong and what corrective steps are required.

To start Event Viewer, find it by searching for event and then click Event Viewer or View Event Logs in the search results. (Alternatively, right-click Start and then click Event Viewer.)

Note

Event Viewer requires administrator privileges for full functionality. If you start Event Viewer while signed in as a standard user, it starts without requesting that you sign in by elevating to an administrator’s credentials. However, the Security log is unavailable, along with some other features. To get access to all logs, right-click and choose Run As Administrator.

Figure 15-5 offers an overview of Event Viewer, which uses the basic three-pane Microsoft Management Console to organize and display a truly massive amount of data from event logs.

This screenshot shows Event Viewer, which is divided vertically into three panes.

Figure 15-5 Event Viewer’s console tree (left) lists available logs and views; the details pane (center) displays information from the selected log or view; the Actions pane (right) provides a menu of tasks relevant to the current selection.

When you select the top-level node in Event Viewer’s console tree, the details pane displays summary information, organized into groups, in decreasing order of severity. With this view, you can see at a glance whether any significant events that might require your attention have occurred in the past hour, day, or week. You can expand each category to see the sources of events of that event type. This simple count can flag potential problems easily. If, for example, you see an unusually large number of recent errors from a particular source, you might want to dig deeper into that list to determine whether a particular error is a sign of a reliability or performance problem. To do that, you can right-click an event type or an event source under Summary Of Administrative Events, and then click View All Instances Of This Event, as shown in Figure 15-6.

This screenshot shows Event Viewer with the console tree and action pane hidden. Under Summary Of Administrative Events in the details pane, one event is highlighted and a shortcut menu appears with two commands: View All Instances Of This Event and Help.

Figure 15-6 The summary view is organized by event type, in order of severity. Expand any category and then right-click a source to view all instances of that event.

The resulting filtered list of events is drawn from multiple log files, sparing you from having to search in multiple places. Armed with this information, you can quickly scroll through and examine the details of each one, perhaps identifying a pattern or a common factor that will help you find the cause and, eventually, the cure for whatever is causing the event.

Types of events

As a glance at the console tree confirms, events are recorded in one of several logs. Logs are organized in the console tree in folders, and you can expand or collapse the folder tree using the customary outline controls. The following default logs are visible under the Windows Logs heading:

  • Application: Events are generated by applications, including apps you install, apps that are preinstalled with Windows, apps from the Microsoft Store, and operating system services. App developers decide which events to record in the Application log and which to record in a custom log under Applications And Services Logs.

  • Security: Events that include sign-in attempts (successful and failed) and attempts to use secured resources, such as an attempt to create, modify, or delete a file.

  • Setup: Events that are generated by app installations.

  • System: Events that are generated by Windows itself and by installed features, such as device drivers. If a driver fails to load when you start a Windows session, for example, that event is recorded in the System log.

  • Forwarded Events: Events gathered from other computers.

Under the Applications And Services Logs heading are logs for individual apps and services. The difference between this heading and the Windows Logs heading is that logs under Applications And Services record events related only to a particular app or feature, whereas the logs that appear under Windows Logs generally record events that are systemwide.

If you expand the Microsoft entry under Applications And Services Logs, you’ll find a Windows subfolder, which in turn contains a folder for each of hundreds of features that are part of Windows 11. Each of these folders contains one or more logs.

Viewing logs and events

When you select a log or a custom view from the console tree, the details pane shows a list of associated events, sorted (by default) in reverse chronological order, with each event occupying a single line. A preview pane below the list displays the contents of the saved event record. Figure 15-7 shows one such listing from the System log.

Note

The Windows Event Log service records the date and time each event occurred in Coordinated Universal Time (UTC). Event Viewer translates those time values into dates and times appropriate for the currently configured time zone.

This screenshot shows Event Viewer. In the details pane, a warning event is selected; a pane below that shows details about the selected event.

Figure 15-7 All the details you need for an individual event are visible in this preview pane. Double-click an event to see those same details in a separate window.

Events in most log files are classified by severity, with one of four entries in the Level field:

  • Critical events: The most severe category, which includes Stop errors and other events that have the potential to damage data.

  • Error events: The category that represents a possible loss of data or functionality. Examples of errors include events related to a malfunctioning network adapter and loss of functionality caused by a device or service that doesn’t load at startup.

  • Warning events: Less significant or less immediate problems than error events. Examples of warning events include a nearly full disk, a timeout by the network redirector, and data errors on local storage.

  • Information events: Other events logged by Windows. This category includes any Windows Update that is successfully installed, for example, as well as events documenting startup and shutdown times.

The Security log file uses two different icons to classify events: A key icon identifies Audit Success events, and a lock icon identifies Audit Failure events. Both types of events are classified as Information-level events; “Audit Success” and “Audit Failure” are stored in the Keywords field of the Security log file.

The preview pane shows information about the currently selected event. (Drag the split bar between the list and preview pane up to make the preview pane larger so that you can see more details, or double-click the event to open it in a separate dialog that includes Next and Previous buttons and an option to copy the event to the Clipboard.)

The information you find in Event Viewer is evidence of things that happened in the past. Like any good detective, you have the task of using those clues to help identify possible issues. One hidden helper, located near the bottom of the Event Properties dialog, is a link to more information online. Clicking this link opens a webpage that might provide more specific and detailed information about this particular combination of event source and event ID, including further action you might want to take in response to the event.

Customizing the presentation of tabular data in Event Viewer

If you have a passing familiarity with Details view in File Explorer, you’ll feel right at home with the many tabular reports in Event Viewer. You can change a column’s width by dragging its heading left or right. You can sort on any column by clicking its heading; click a second time to reverse the sort order. Right-click a column heading and choose Add/Remove Columns to make more or fewer columns appear.

As with files and folders in File Explorer, you also have the option to group events in Event Viewer. To do that, right-click the column heading by which you want to group and then click Group Events By This Column. Figure 15-8, for example, shows the System log with events grouped by Source and sorted by Date And Time in descending order. Note that you can expand or collapse each grouping using the tiny arrows at the end of each group heading.

This screenshot shows a filtered view in Event Viewer. In the details pane, events are grouped by source, with a heading identifying each group.

Figure 15-8 In this view, we right-clicked the Source heading and chose the option to group events, and then we clicked the Date And Time heading to bring the most recent events to the top of each group.

Filtering the log display

As you can see from a cursory look at your System log, events can pile up quickly, obscuring those generated by a particular source or those that occurred at a particular date and time. Sorting and grouping can help you find relevant events, but filtering is even more effective, especially when using multiple criteria. With a filter applied, all other events are hidden from view, making it much easier to focus on the items you currently care about.

To filter the currently displayed log or custom view, click Filter Current Log or Filter Current Custom View in the Action pane on the right. A dialog like the one shown in Figure 15-9 appears. To fully appreciate the flexibility of filtering, click the arrow by each filter. You can, for example, filter events from the past hour, 12 hours, day, week, month, or any custom time period you specify. In the Event Sources, Task Category, and Keywords boxes, you can type text to filter on (separating multiple items with commas), but you’ll probably find it easier to click the down arrow and then select each item you want to include in your filtered view. In the Includes/Excludes Event IDs box, you can enter multiple ID numbers and number ranges, separated by commas; to exclude particular event IDs, precede their number with a minus sign.

Click OK to see the filtered list. If you think you’ll use the same filter criteria again, click Save Filter To Custom View in the Action pane on the right. To restore the unfiltered list, in the Action pane, click Clear Filter.

This screenshot shows the Filter Current Log dialog.

Figure 15-9 If you don’t select any Event Level checkboxes, Event Viewer includes all levels in the filtered results. Similarly, any other field you leave blank includes all events without regard to the value of that property.

Note

Event Viewer also includes a basic search capability, which you access by clicking Action, Find. You can perform more precise searches by filtering.
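
The same filter criteria can be applied from PowerShell with the Get-WinEvent cmdlet. The following is an added example, not from the book; the function name Get-FilteredEvent and its parameters are hypothetical and were chosen to mirror the fields of the Filter Current Log dialog, including its rule that a field left empty matches everything.

```powershell
# Added example (not from the book). Get-FilteredEvent and its parameters are
# hypothetical names that mirror the fields of the Filter Current Log dialog.
function Get-FilteredEvent {
    [CmdletBinding()]
    param(
        [string]$LogName = 'System',

        # Leave empty to include all levels, as the dialog does.
        [ValidateSet('Critical', 'Error', 'Warning', 'Information')]
        [string[]]$Level,

        # Look-back window in hours (the dialog's Logged list).
        [ValidateRange(1, 8760)]
        [int]$LastHours = 24,

        [int[]]$IncludeId,   # IDs to include
        [int[]]$ExcludeId,   # IDs to exclude (a minus sign in the dialog)

        # Security log only: the result stored in the Keywords field.
        [ValidateSet('AuditSuccess', 'AuditFailure')]
        [string]$AuditResult
    )

    # Numeric values stored in the event record for each Level name.
    $levelValue = @{ Critical = 1; Error = 2; Warning = 3; Information = 4 }

    $filter = @{
        LogName   = $LogName
        StartTime = (Get-Date).AddHours(-$LastHours)
    }
    if ($Level) {
        $filter['Level'] = [int[]]@($Level | ForEach-Object { $levelValue[$_] })
    }
    if ($IncludeId) {
        $filter['Id'] = $IncludeId
    }
    if ($AuditResult) {
        $keywordType = [System.Diagnostics.Eventing.Reader.StandardEventKeywords]
        $filter['Keywords'] = [long][Enum]::Parse($keywordType, $AuditResult)
    }

    # Get-WinEvent reports an error when no event matches; treat that as an empty result.
    # Exclusions are applied afterward so the function also works in Windows PowerShell 5.1.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $ExcludeId -notcontains $_.Id }
}

# Critical and Error events from the past week, counted per source
# (the same idea as grouping the list by the Source column).
Get-FilteredEvent -LogName System -Level Critical, Error -LastHours 168 |
    Group-Object -Property ProviderName |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name

# Audit Failure events in the Security log for the past day, counted per event ID.
# Like the Security log in Event Viewer, this needs an elevated session.
Get-FilteredEvent -LogName Security -AuditResult AuditFailure |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```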

Dealing with Stop errors

If Windows has ever suddenly shut down, you’ve probably experienced that sinking feeling in the pit of your stomach. When Windows 11 encounters a serious problem that makes it impossible for the operating system to continue running, it does the only thing it can do, just as every one of its predecessors has done in the same circumstances. It shuts down immediately and displays an ominous text message whose technical details begin with the word STOP. Because a Stop error typically appears in white letters on a blue background, this type of message is often referred to as a blue-screen error or the Blue Screen of Death (BSOD). (If you’re running an Insider Preview release of Windows 11, this screen is green.) When a Stop error appears, it means there is a serious problem that demands your immediate attention.

Windows 11 collects and saves a variety of information in logs and dump files, which a support engineer or developer armed with debugging tools can use to identify the cause of Stop errors. You don’t have to be a developer to use these tools, which are available to anyone via download from https://learn.microsoft.com/windows-hardware/drivers/debugger. (Don’t worry; you can’t break anything by simply inspecting a .dmp file.) If you know where to look, however, you can learn a lot from these error messages alone, and in many cases, you can recover completely by using standard troubleshooting techniques.

Customizing how Windows handles Stop errors

When Windows encounters a serious error that forces it to stop running, it displays a Stop message and then writes debugging information to the page file. When the computer restarts, this information is saved as a crash dump file, which can be used to debug the specific cause of the error.

You can customize two crucial aspects of this process by defining the size of the crash dump files and specifying whether you want Windows to restart automatically after a Stop message appears. By default, Windows automatically restarts after a Stop message and creates a crash dump file optimized for automatic analysis. That’s the preferred strategy in response to random, isolated Stop errors. But if you’re experiencing chronic Stop errors, you might have more troubleshooting success by changing these settings to collect a more detailed dump file and to stop after a crash.

To make this change, open Settings, type advanced system in the search box, and then click View Advanced System Settings.

On the Advanced tab of the System Properties dialog, under Startup And Recovery, click Settings. Adjust the settings under the System Failure heading, as shown in Figure 15-10.

If you want Windows to pause at the Stop error message page, clear the Automatically Restart checkbox and click OK.

From the same dialog, you can also define the settings for crash dump files. By default, Windows sets this value to Automatic Memory Dump, which contains the same information as a kernel memory dump. Either option includes memory allocated to kernel-mode drivers and programs, which are most likely to cause Stop errors.

This screenshot shows the Startup And Recovery dialog. Under System Failure, both checkboxes are selected.

Figure 15-10 By default, Windows manages the size of the memory dump file and restarts automatically after a Stop error. You can pick a larger or smaller dump file here.

Because this file does not include unallocated memory or memory allocated to user-mode programs, it usually will be smaller in size than the amount of RAM on your system. The exact size varies, but in general, you can expect the file to be no larger than one-third the size of installed physical RAM, and much less than that on a system with 16 GB of RAM or more. The crash files are stored in %SystemRoot% using the file name Memory.dmp. (If your system crashes multiple times, each new dump file replaces the previous file. If you have sufficient disk space, you can change these default settings so that a new crash dump file does not overwrite any previous dump files.)

If disk space is limited or you’re planning to send the crash dump file to a support technician, you might want to consider setting the system to store a small memory dump (commonly called a mini dump). A small memory dump contains just a fraction of the information in a kernel memory dump, but it’s often enough to determine the cause of a problem. Under Write Debugging Information, select Small Memory Dump (256 KB).

Note

Small memory dumps are stored in the %SystemRoot%\Minidump folder.
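
The choices in the Startup And Recovery dialog are stored in the registry under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl. The following read-only report is an added example, not from the book; the function name Get-CrashDumpReport is hypothetical. It shows the current settings alongside the dump files that already exist and the installed RAM, so that you can compare file sizes against the estimate given above.

```powershell
# Added example (not from the book). Get-CrashDumpReport is a hypothetical name.
# Read-only: it reports settings and files and changes nothing.
function Get-CrashDumpReport {
    $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # CrashDumpEnabled values and the matching Write Debugging Information choices.
    $dumpTypes = @{
        0 = '(none)'
        1 = 'Complete memory dump'
        2 = 'Kernel memory dump'
        3 = 'Small memory dump (256 KB)'
        7 = 'Automatic memory dump'
    }
    $type = [int]$cc.CrashDumpEnabled
    $typeName = if ($dumpTypes.ContainsKey($type)) { $dumpTypes[$type] } else { "Unknown ($type)" }
    if ($type -eq 1 -and $cc.FilterPages -eq 1) { $typeName = 'Active memory dump' }

    # Fall back to the default locations named in the text if a value is absent.
    $dumpFile = if ($cc.DumpFile) { $cc.DumpFile } else { Join-Path $env:SystemRoot 'Memory.dmp' }
    $miniDir  = if ($cc.MinidumpDir) { $cc.MinidumpDir } else { Join-Path $env:SystemRoot 'Minidump' }
    $dumpFile = [Environment]::ExpandEnvironmentVariables($dumpFile)
    $miniDir  = [Environment]::ExpandEnvironmentVariables($miniDir)

    # Inventory the dump files that currently exist, newest first.
    $files = @(
        Get-Item -LiteralPath $dumpFile -ErrorAction SilentlyContinue
        Get-ChildItem -Path $miniDir -Filter '*.dmp' -File -ErrorAction SilentlyContinue
    ) | Sort-Object -Property LastWriteTime -Descending |
        Select-Object -Property FullName, LastWriteTime,
            @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) } }

    $ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory

    [pscustomobject]@{
        DumpType             = $typeName
        AutomaticallyRestart = [bool]$cc.AutoReboot
        OverwriteExisting    = [bool]$cc.Overwrite
        DumpFile             = $dumpFile
        MinidumpFolder       = $miniDir
        InstalledRamGB       = [math]::Round($ramBytes / 1GB, 1)
        ExistingDumps        = $files
    }
}

$report = Get-CrashDumpReport
$report | Format-List -Property DumpType, AutomaticallyRestart, OverwriteExisting,
    DumpFile, MinidumpFolder, InstalledRamGB
$report.ExistingDumps | Format-Table -AutoSize
```

Run it from an elevated session if the Minidump folder is not readable by a standard user.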

What’s in a Stop error

The exact text of a Stop error varies according to what caused the error. But the format is predictable. Don’t bother copying down the error code from the blue screen itself. Instead, look through Event Viewer for an event with the source BugCheck, as shown in the example in Figure 15-11.

This screenshot shows Event Viewer. In the details pane, an Error event with BugCheck as its source is selected. The pane at the bottom shows more detail, including the error code in hexadecimal format.

Figure 15-11 Decoding the information in a Stop error can help you find the underlying problem and fix it. Start with the error code—0x000000e2, in this example.

You can gather important details from the bugcheck information, which consists of the error number (in hexadecimal notation, as indicated by the 0x at the beginning of the code) and up to four parameters that are specific to the error type.

Windows 11 also displays the information in Reliability Monitor, under the heading Critical Events. Select the day on which the error occurred, and then double-click the “Shut down unexpectedly” entry for an event with Windows as the source. That displays the bugcheck information in a slightly more readable format than in Event Viewer, using the term BlueScreen as the Problem Event Name.

For a comprehensive and official list of what each error code means, see the Microsoft Hardware Dev Center “Bug Check Code Reference” at https://bit.ly/bug-check-codes. A code of 0x00000144, for example, points to problems with a USB 3 controller, whereas 0x0000009F is a driver power state failure. (Our favorite is 0xDEADDEAD, which indicates a manually initiated crash.) In general, you need a debugger or a dedicated analytic tool to get any additional useful information from a memory dump file.

Isolating the cause of a Stop error

If you experience a Stop error, don’t panic. Instead, run through the following troubleshooting checklist to isolate the problem and find a solution:

  • Don’t forget to rule out hardware problems. In many cases, software is the victim and not the cause of blue-screen errors. Common hardware failures such as a damaged hard disk drive or a corrupted solid state drive (SSD), defective physical RAM, an overheated CPU chip, or even a bad cable or poorly seated memory module can result in Stop errors. If the errors seem to happen at random and the message details vary each time, there’s a good chance you’re experiencing hardware problems.

  • Check your memory. Windows 11 includes a memory diagnostic tool you can use if you suspect a faulty or failing memory chip. To run this diagnostic procedure, type memory in the search box and click Windows Memory Diagnostic in the search results. This tool requires a restart to run its full suite of tests, which you can perform immediately or defer until your next restart.

  • Look for a driver name in the error details. If the error message identifies a specific file name and you can trace that file to a driver for a specific hardware device, you might be able to solve the problem by disabling, removing, or rolling back that driver to an earlier version. The most likely offenders are network interface cards, video adapters, and disk controllers. For more details about managing driver files, see “Updating and uninstalling drivers” in Chapter 13, “Managing hardware and devices.”

  • Ask yourself, “What’s new?” Be suspicious of newly installed hardware and software. If you added a device recently, remove it temporarily and see whether the problem goes away. Take an especially close look at software in the categories that install services or file-system filter drivers; these hook into the core operating system files that manage the file system to perform tasks such as scanning for viruses. This category includes backup programs, multimedia applications, networking tools, security software, and DVD-burning utilities. You might need to uninstall the program to resolve the problem; check with the program’s developer to see if the issue has been fixed in an updated version that’s newer than the one you’re running.

  • Search Microsoft Support. Make a note of the error code and all parameters. Search Microsoft Support using both the full and the short formats. For instance, if you’re experiencing a KMODE_EXCEPTION_NOT_HANDLED error, use 0x1E and 0x0000001E as your search keywords.

  • Check your system firmware. Is an update available from the manufacturer of the system or motherboard? Check the firmware documentation carefully; resetting all firmware options to their defaults can sometimes resolve an issue caused by overtweaking.

  • Are you low on system resources? Stop errors are sometimes the result of a critical shortage of RAM or disk space. If you can start in Safe Mode, check the amount of physical RAM installed, and look at the system and boot drives to see how much free disk space is available.

  • Is a crucial system file damaged? To reinstall a driver, restart your computer in Safe Mode. (See the following section.) If your system starts in Safe Mode but not normally, you very likely have a problem driver. Try running Device Manager in Safe Mode and uninstalling the most likely suspect. Or run System Restore in Safe Mode. If restoring to a particular day cures the problem, use Reliability Monitor to determine what changes occurred on or shortly after that day.

Troubleshooting in Safe Mode

In earlier Windows versions, holding down the F8 key while restarting gave you the opportunity to start your system in Safe Mode, with only core drivers and services activated. On modern hardware, with UEFI firmware, that’s no longer possible. Safe Mode is still available, but you have to work a little harder to get there.

If you can start Windows and get to the sign-in screen, you can then click the Power button in the lower-right corner of that screen. Hold down Shift as you click Restart to go to the Windows Recovery Environment; there, you can start in Safe Mode and take various other actions, including restoring Windows from an image backup, running System Restore to revert to a saved restore point, and resetting your PC. (We discuss all three topics later in this chapter.)

If you can’t start Windows, use the power button on your PC to shut down and restart three times. On the third unsuccessful startup attempt, Windows will start in the Windows Recovery Environment.

When you first arrive in the Windows Recovery Environment, a menu similar to the one in Figure 15-12 appears. Your menu might look slightly different, with a custom option supplied by the OEM. The Use Another Operating System option appears only on a PC that has been configured to boot into multiple operating systems.

This screenshot shows the main menu for Windows Recovery Environment. Four large buttons read Continue, Use A Device, Troubleshoot, and Turn Off Your PC.

Figure 15-12 The main menu for the Windows Recovery Environment offers a range of troubleshooting options.

To get to Safe Mode, you need to navigate through several menus. Click Troubleshoot in this menu, and then click Advanced Options. On the Advanced Options menu, click Startup Settings; if BitLocker Drive Encryption is enabled on the system drive, enter the 48-digit BitLocker recovery key and then (finally!) click Restart. You then see the Startup Settings menu, as shown in Figure 15-13. You can then choose between Safe Mode, Safe Mode With Networking, or Safe Mode With Command Prompt.

This screenshot shows the Startup Settings menu, which includes nine options.

Figure 15-13 Use the Startup Settings menu to boot into Safe Mode, where you can perform tasks such as removing a troublesome program or driver that prevents you from starting normally.

In Safe Mode, you can access certain essential configuration tools, including Device Manager, System Restore, and Registry Editor. If Windows appears to work properly in Safe Mode, you can safely assume there’s no problem with the basic services. Use Device Manager, Driver Verifier, and Event Viewer to try to figure out where the trouble lies. If you suspect that a newly installed device or program is the cause of the problem, you can remove the offending software while you’re running in Safe Mode. Use Device Manager to uninstall or roll back a hardware driver; use Control Panel to remove a desktop program or utility. Then try restarting the system normally to see whether your changes have resolved the problem.

If you need access to network connections, choose the Safe Mode With Networking option, which loads the base set of Safe Mode files and adds drivers and services required to start Windows networking.

The third Safe Mode option, Safe Mode With Command Prompt, loads the same stripped-down set of services as Safe Mode, but it uses the Windows command interpreter (Cmd.exe) as a shell instead of the graphical Windows Explorer (Explorer.exe, which also serves as the host for File Explorer). This option is unnecessary unless you’re having a problem with the Windows graphical interface. The default Safe Mode also provides access to the command line. (Press Windows key+R, and then type cmd.exe in the Run dialog.)

The six additional choices on the Startup Settings menu are of use in specialized circumstances:

  • Enable Debugging Use this option if you’ve installed debugging tools and want to switch into a special mode that is compatible with those tools.

  • Enable Boot Logging With this option enabled, Windows creates a log file that lists the names and status of all drivers loaded into memory. To view the contents of this file, look for Ntbtlog.txt in the %SystemRoot% folder. If your system is hanging because of a faulty driver, the last entry in this log file might identify the culprit.

  • Enable Low-Resolution Video This option starts the computer in 640-by-480 resolution using the current video driver. Use this option to recover from video problems that are caused not by a faulty driver but by incorrect settings, such as an improper resolution or refresh rate.

  • Disable Driver Signature Enforcement Use this option if Windows is refusing to start because you installed an unsigned user-mode driver. Windows will start normally, not in Safe Mode. (Note that you cannot disable the requirement for signed kernel-mode drivers.)

  • Disable Early Launch Anti-malware Protection This is one of the core security measures of Windows 11 on a UEFI-equipped machine. Unless you’re a security researcher or a driver developer, we can’t think of any reason to disable this important security check.

  • Disable Automatic Restart After Failure Use this option if you’re getting Stop errors (blue-screen crashes) and you want the opportunity to read the crash details on the Stop error screen instead of having the system simply pause there before restarting.

A final option, Launch Recovery Environment, isn’t on the main menu but is on a second page that you reach by pressing F10 or 0. Use this command to return to the recovery environment.
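The Enable Boot Logging option described above produces a log that is easier to read when it is reduced to the last boot session, the drivers that did not load, and the final entry written. The following PowerShell is an added example, not part of the original chapter; the function name, the assumed line formats (BOOTLOG_LOADED/BOOTLOG_NOT_LOADED, or the older "Loaded driver"/"Did not load driver"), and the sample log are assumptions, and the sample is constructed.

```powershell
# Added example: summarize the most recent boot session recorded in Ntbtlog.txt.
# Assumed line formats (not shown on the page):
#   BOOTLOG_LOADED <path> / BOOTLOG_NOT_LOADED <path>     (current releases)
#   Loaded driver <path>  / Did not load driver <path>    (older releases)
function Get-BootLogSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]          # the log can contain blank lines
        [string[]]$Line
    )

    # Boot logging appends to the file, so earlier boots are still in it.
    # Each session opens with a banner line; keep only the last session.
    $start = 0
    for ($i = 0; $i -lt $Line.Count; $i++) {
        if ($Line[$i] -match '^\s*Microsoft \(R\) Windows') { $start = $i }
    }
    $session = $Line[$start..($Line.Count - 1)]

    $pattern = '^\s*(?<status>BOOTLOG_NOT_LOADED|BOOTLOG_LOADED|Did not load driver|Loaded driver)\s+(?<path>\S.*?)\s*$'
    $entries = @(
        foreach ($text in $session) {
            if ($text -match $pattern) {
                [pscustomobject]@{
                    Loaded = ($Matches['status'] -in @('BOOTLOG_LOADED', 'Loaded driver'))
                    Path   = $Matches['path']
                }
            }
        }
    )

    # The same driver is often reported as not loaded many times; collapse repeats.
    $notLoaded = @(
        $entries | Where-Object { -not $_.Loaded } | Group-Object -Property Path |
            ForEach-Object { [pscustomobject]@{ Path = $_.Name; Count = $_.Count } }
    )

    $last = $null
    if ($entries.Count -gt 0) { $last = $entries[-1] }

    [pscustomobject]@{
        EntryCount = $entries.Count
        LastEntry  = $last        # on a hang, the last line written is the first suspect
        NotLoaded  = $notLoaded
    }
}

# Constructed sample (not from a real machine). On a live system, read the file instead:
#   Get-BootLogSummary -Line (Get-Content -Path "$env:SystemRoot\Ntbtlog.txt")
$sample = @'
Microsoft (R) Windows (R) Version 10.0 (Build 22621)
 3 14 2024 08:01:12.500
BOOTLOG_LOADED \SystemRoot\system32\ntoskrnl.exe
BOOTLOG_LOADED \SystemRoot\System32\drivers\disk.sys

Microsoft (R) Windows (R) Version 10.0 (Build 22621)
 3 14 2024 09:40:03.125
BOOTLOG_LOADED \SystemRoot\system32\ntoskrnl.exe
BOOTLOG_LOADED \SystemRoot\system32\hal.dll
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\examplefilter.sys
BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\examplefilter.sys
BOOTLOG_LOADED \SystemRoot\System32\drivers\examplenic.sys
'@ -split '\r?\n'

$summary = Get-BootLogSummary -Line $sample
"Entries in last session: $($summary.EntryCount)"
"Last entry written:      $($summary.LastEntry.Path)"
$summary.NotLoaded | Format-Table -AutoSize
```

A driver listed under NotLoaded is not necessarily faulty, because Safe Mode deliberately skips many drivers; compare the list against a log from a normal boot before removing anything.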

Checking disks for errors

Errors in disk media and in the file system can cause a wide range of problems, from an inability to open or save files to blue-screen errors and widespread data corruption. Windows can recover automatically from many disk errors, especially on drives formatted with NTFS.

To perform a thorough inspection for data errors, run the Windows Check Disk utility (Chkdsk.exe). Two versions of this utility are available—a graphical version that performs basic disk-checking functions, and a command-line version that provides a much more extensive set of customization options.

To check for errors on a local disk, follow these steps:

  1. In File Explorer, open This PC, right-click the icon belonging to the drive you want to check, and then click Properties.

  2. On the Tools tab, click Check. (If you’re using a standard account, you need to supply credentials for an account in the Administrators group to execute this utility.) Unless Windows is already aware of problems with the selected disk, you’re likely to see a message that says you don’t need to scan the drive.

  3. If you want to go ahead and check the disk, click Scan Drive. Windows performs an exhaustive check of the entire disk. If there are bad sectors, Windows locates them and recovers readable information where it can.

The command-line version of Check Disk gives you considerably more options. You can also use it to set up regular disk-checking operations using Task Scheduler (as described in “Task Scheduler” in Chapter 16, “Windows Terminal, PowerShell, and other advanced management tools”). To run this command in its simplest form, right-click Start, click Terminal (Admin), and then type chkdsk at the prompt. This command runs Chkdsk in read-only mode, displaying the status of the current drive but not making any changes. If you add a drive letter after the command (chkdsk d:, for instance), the report applies to that drive.

To see descriptions of the command-line switches available with the Chkdsk command, type chkdsk /?. Here is a partial list of the available switches:

The following switches are valid only on NTFS volumes:

Offering remote support with Quick Assist

Quick Assist offers a new name and a streamlined interface to the Windows Remote Assistance tool available in earlier Windows versions. After making a Quick Assist connection as the helper, you can see the other computer’s screen on your system, run diagnostic tools such as Task Manager, edit the remote system’s registry, and even use a stylus to annotate the remote display.

One ground rule applies: The computer giving assistance must be able to sign in with a Microsoft account (Quick Assist prompts for one if the user is signed in using a different account type).

The simplest way to run the Quick Assist executable (Quickassist.exe) is to start typing quick assist in the search box. The program should quickly appear at the top of the search results. After running the program, the party asking for help chooses Get Assistance, and the party offering support chooses Give Assistance.

The helper sees a six-digit security code and has 10 minutes to supply that code to the person asking for assistance, who enters the code to complete the connection. (You can use the Send Email link to do this, but it’s probably simpler to use the phone. The two of you are likely to want to be in touch via phone in any case.) After both parties successfully enter the matching code, the Quick Assist connection is complete.

As the helper, you can choose to view the screen or ask for permission to take control, with the explicit permission of the person receiving assistance. From that point forward, the helper can see the remote screen in the Quick Assist window, with a toolbar that offers the ability to open Task Manager, annotate the screen, and send messages via a chat window. At any time, the person receiving assistance can pause screen sharing or end the Quick Assist session.

Windows 11 backup and recovery options

Through the years, the backup and recovery tools in Windows have evolved, but their fundamental purpose has not changed. How well you execute your backup strategy determines how easily you’re able to get back to where you were after something goes wrong—or to start over with an absolutely clean slate. When you reach into the recovery toolkit, you’re hoping to perform one of the following three operations:

In Windows 11, the primary built-in tool for backing up files is called File History. Its job is to save copies of your local data files—every hour is the default frequency—so that you can find and restore your personal documents, pictures, and other data files when you need them.

Windows 11 also includes the old-style Windows 7 Backup And Restore tool. The simplest way to run it is by entering the name of its executable file, Sdclt.exe, in a Terminal window or in the search box. If you can’t remember that name, you can find both backup solutions by opening Control Panel and typing backup in the search box, as shown in Figure 15-14. (Searching for Backup from the Start menu turns up a pointer to the Settings page Accounts > Windows Backup, which offers tools for backing up apps and preferences but not data.)

This screenshot shows the results when you search for “backup” in Control Panel. There are two results: Backup And Restore (Windows 7) and File History.

Figure 15-14 The File History feature is the preferred backup solution for Windows 11, but the older Windows 7 Backup and Restore program is still around.

Despite its advanced age, the Windows 7 backup tool can still do one impressive digital magic trick that its newer rivals can’t: It can create an image of the system drive that can be restored to an exact copy of the original saved volume, complete with Windows, drivers and utilities, desktop programs, settings, and data files. System image backups were once the gold standard of backup and are still the best way to capture a known good state for quick recovery.

The disadvantage of a full image backup is that it’s fixed at a moment in time and doesn’t capture files created, changed, or deleted since the image was created. If your primary data files are located in the cloud or on a separate volume from the system drive, that might not be a problem.

The final backup and recovery option in Windows 11 is the “push-button reset” feature, which allows you to reinstall Windows, with the option to keep or discard personal data files. Using this option, you can reset a misbehaving system on the fly, rolling back with relative ease to a clean, fully updated Windows 11 installation. The Reset This PC option is on the Settings > System > Recovery page. (See Figure 15-15.)

This screenshot shows the Recovery page in Settings. Reset PC is a button under Recovery Options.

Figure 15-15 The Reset This PC option gives you a fresh start by rolling your system back to a clean Windows 11 installation.

Windows 11 also includes a built-in option to turn a USB flash drive into a bootable recovery drive. Using this recovery drive, you can restore Windows, even after a complete system drive failure.

In the remainder of this section, we discuss these backup and recovery options in more detail.

Using a recovery drive

Windows 11 includes the capability to turn a USB flash drive into a bootable recovery drive that you can use to perform repairs or completely reinstall Windows. The Recovery Media Creator (Recoverydrive.exe) creates a bootable drive that contains the Windows Recovery Environment.

To use the recovery drive, configure your PC so that you can boot from the USB flash drive. (That process, which is unique for many machines, might involve tapping a key or pressing a combination of buttons such as Power+Volume Up when restarting.)

If you see the Recover From A Drive option when you restart, congratulations—the system has recognized your recovery drive, and you are (fingers crossed) a few minutes away from being back in business.

The menu that appears when you start from a recovery drive allows you to repair a PC that has startup issues. Choose Troubleshoot to get to the Advanced Options menu, where you can choose to perform a startup repair, use System Restore to undo a problematic change, or open a Command Prompt window to use system tools such as DiskPart from the command line.

Using File History to protect files and folders

File History is designed as a “set it and forget it” feature. After you enable this backup application, it first copies all personal data files in your personal profile to a secondary drive, usually an external device or a network location. File History then scans the file system at regular intervals (hourly, by default), looking for newly created files and changes to existing files, and adds those files to the backup store.

Note

File History is not available on Windows 11 devices that run on an Arm processor.

You can browse the backed-up files by date and time or search the entire history, and then restore one or more of those backed-up files to their original location or to a different folder.

But first, you have to go through a simple setup process.

Setting up File History

Although the File History feature is installed by default, it’s not enabled until you designate a drive to serve as the backup destination. This drive is typically an external storage device, such as a USB-attached hard drive, or a network location. On desktop PCs with multiple internal hard disks, you can choose a second internal hard disk as the File History location. Removable drives, such as USB flash drives, may not be eligible. (We have seen inconsistent behavior from Windows in this regard. In any case, using a small removable drive for backup purposes is not a stellar idea.) The File History setup wizard shows you only eligible drives when you set up File History for the first time.

Caution

Be sure you specify a File History volume that is on a separate physical drive from the one that contains the files you’re backing up. Windows warns you, sternly, if you try to designate a separate volume on the same physical drive as your system drive. The problem? One sadly common cause of data loss is the failure of the drive itself. If the backups and original files are stored on the same drive, a hardware failure wipes everything out. Having backups on a separate physical drive allows them to remain independent.

To turn on File History for the first time, open Control Panel and search for and then select File History. Click Add A Drive to scan for available File History drives. The File History Wizard responds by showing you all drives that are eligible for use as a File History destination. Figure 15-16 shows a system that has two external USB hard drives attached. Selecting one of the available locations turns on the File History service and begins the backup process, with the backup frequency set to one hour.

This screenshot shows the Select Drive page in Control Panel. Two drives are listed; next to each one is the amount of free disk space and the total space.

Figure 15-16 Before you can enable File History, you must specify a location (preferably an external USB drive) to hold the backed-up files.

You can also choose to back up your files to a network shared folder, presuming you have the necessary shared folder and NTFS permissions. To add a network share for which you have read/write permission, in File History, click Select Drive. Click the Add Network Location link. Browse for or enter the full path of a shared folder to which you have the necessary access. If required, enter and save alternative network credentials. Select the newly added drive and click OK.

By default, File History checks your drives and folders that are included in libraries once an hour, saving copies of any new or changed files as part of the operation. You can adjust this setting in either direction, choosing from nine intervals that range from every 10 minutes (if you really hate the idea of ever losing a saved file) to once daily.

File History backups are saved by default forever. (You receive a warning when your File History drive is full.) However, you can alter the Keep Saved Versions setting to 1, 3, 6, or 9 months or 1 or 2 years. The “set it and forget it” Until Space Is Needed setting allows File History to automatically jettison old backups to make way for new ones when the drive is full.

You can change the backup interval and time period for saving backups by selecting Advanced Settings, as shown in Figure 15-17.

This screenshot shows the Advanced Settings page in Control Panel. Under Versions, two settings are shown: Save Copies Of Files (to set the frequency) and Keep Saved Versions (to set the duration).

Figure 15-17 Use Advanced Settings to change the frequency for backups and to define for how long to retain saved versions.

When you first enable and run File History, it creates a full copy of all files in the locations configured for backup.

There’s nothing complicated or proprietary about File History volumes. The following rules apply to external drives and shared network folders:

  • Windows creates a FileHistory folder on the destination drive, with a separate private subfolder for each user. Thus, on a device that includes multiple user accounts, each user’s files can be backed up separately.

  • Within each user’s private subfolder are one or more additional subfolders, one for each device backed up. This folder arrangement allows you to use a single external drive to record File History backups from different devices.

  • Each backup set includes two folders. The Configuration folder contains XML files and, if necessary, index files to allow speedier searches. The Data folder contains backed-up files, which are stored in a hierarchy that matches their original location.

  • Backed-up files are not compressed. File names are the same as the original, with a date and time stamp appended (in parentheses) to distinguish different versions. As a result, you can browse a File History drive in File Explorer and use search tools to locate a file or folder without using the File History app.
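Because backed-up files keep their original names with a stamp appended, a File History store can be inventoried with ordinary tools. The following PowerShell is an added example, not part of the original chapter: it strips the stamp from each stored name and reports how many versions of each original file exist. The function names, the exact stamp format "(yyyy_MM_dd HH_mm_ss UTC)" placed before the extension, and the sample paths are assumptions, and the sample is constructed.

```powershell
# Added example: read version information back out of File History file names.
# Assumption (the page gives no exact format): the stamp appended to each name is
# "(yyyy_MM_dd HH_mm_ss UTC)", placed just before the file extension.
function ConvertFrom-FileHistoryName {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Path
    )
    begin {
        $pattern = '^(?<dir>.*[\\/])?(?<base>[^\\/]*) \((?<stamp>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?<ext>\.[^.\\/]*)?$'
        $culture = [System.Globalization.CultureInfo]::InvariantCulture
        $styles  = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    }
    process {
        if ($Path -match $pattern) {
            $utc = [datetime]::MinValue
            # Names that look stamped but do not hold a valid date are skipped.
            if ([datetime]::TryParseExact($Matches['stamp'], 'yyyy_MM_dd HH_mm_ss',
                    $culture, $styles, [ref]$utc)) {
                [pscustomobject]@{
                    # Folder plus name with the stamp removed identifies the original file.
                    Original   = $Matches['dir'] + $Matches['base'] + $Matches['ext']
                    VersionUtc = $utc
                    StoredAs   = $Path
                }
            }
        }
    }
}

function Get-FileHistoryVersionSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )
    $Path | ConvertFrom-FileHistoryName | Group-Object -Property Original | ForEach-Object {
        $sorted = @($_.Group | Sort-Object -Property VersionUtc)
        [pscustomobject]@{
            Original       = $_.Name
            Versions       = $sorted.Count
            OldestUtc      = $sorted[0].VersionUtc
            NewestUtc      = $sorted[-1].VersionUtc
            NewestStoredAs = $sorted[-1].StoredAs
        }
    }
}

# Constructed sample paths (not from a real backup). On a live store, pass real paths:
#   $dataFolder = '<path to a Data folder on the File History drive>'   # placeholder
#   Get-FileHistoryVersionSummary -Path (Get-ChildItem -LiteralPath $dataFolder -Recurse -File).FullName
$sample = @(
    'Data\C\Users\kim\Documents\Budget (2024_03_01 18_00_05 UTC).xlsx'
    'Data\C\Users\kim\Documents\Budget (2024_03_02 09_15_40 UTC).xlsx'
    'Data\C\Users\kim\Documents\Notes (2024_02_27 07_30_00 UTC).txt'
    'Data\C\Users\kim\Documents\Budget (2024_03_02 11_15_41 UTC).xlsx'
    'Data\C\Users\kim\Documents\README (2024_01_05 12_00_00 UTC)'
    'Data\C\Users\kim\Documents\desktop.ini'      # no stamp, so it is ignored
)

Get-FileHistoryVersionSummary -Path $sample | Format-List
```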

Caution

Files stored on a File History drive are not encrypted by default. Anyone who has physical possession of the drive can freely read any files stored there. If you’re concerned about confidential information contained in an external File History drive, we recommend you encrypt the drive. When you enable File History, you are warned to encrypt your backup drive. Click the Turn On BitLocker link to complete this task.

What does File History back up?

By default, File History backs up all folders in the current user profile (including those created by third-party apps) as well as the contents of local folders that have been added to custom libraries.

To manage the list of folders backed up by File History, open File History in Control Panel and select Exclude Folders. Then select Add and define those folders you want to exclude. When you’ve defined all the folders you want to exclude, click Save Changes.

Note

It’s worth noting that the configurable options for managing which folders are or are not backed up are more limited in Windows 11 than in Windows 10.

It’s useful to exclude certain folders when you want to avoid filling your File History drive with large files that don’t require backing up. If you routinely put interesting but ephemeral video files into a subfolder in your Downloads folder, for example, you might choose to exclude that Videos subfolder completely from File History, while leaving the rest of the Downloads folder to be backed up.

When a File History drive fills up, you can either change the settings to remove old backed-up files and make room for new ones or swap in a new drive. If you choose the latter option, on the File History page in Control Panel, click or tap Select Drive, and then browse and select a new drive.

When you select a new drive, Windows prompts you to move your existing files to the new location. This is useful if you are specifying a replacement drive that is larger than your original drive. The copy process can take an extended time depending on how much space your existing files use.

Restoring files and folders

File History backups give you multiple ways to recover files that are lost, damaged, or accidentally deleted. You can restore the entire contents of a folder or drive as part of the recovery from a hard drive crash, for example. You can even resuscitate an earlier version of a document so that you can recover content you changed or deleted in a later draft.

The simplest way to recover an earlier version of an existing file or folder is to start from File Explorer. If you know which version you want, right-click the file in File Explorer, click Show More Options and then choose Restore Previous Versions. That opens the file’s Properties dialog with the Previous Versions tab selected, displaying a list of available backed-up versions sorted by date, as shown in Figure 15-18.

The arrow to the right of the Open button at the bottom of the Previous Versions list gives you a choice of how to open the selected item. Clicking Open works especially well for Office documents; you get a read-only copy of the document in the app that created it. That way, you won’t accidentally overwrite the current version of the document with the older one you just opened.

Click Open In File History to use the File History application instead. (We say more about the File History application in a moment.)

This screenshot shows the Properties dialog for a file. The Previous Versions tab is shown, and in the File Versions box two versions are shown, each with a date and time of modification.

Figure 15-18 When you know exactly which file you want to restore, it’s often quickest to get it from the Previous Versions tab in File Explorer.

The second button beneath the File Versions list also provides a pair of choices: Click Restore to overwrite the current version, or click Restore To and save a copy to a different location. If you attempt to restore a previous version of a file to the original location and the original file still exists, you see the Replace Or Skip Files dialog, which gives you an opportunity to change your mind or save the new file as a copy in the same location. If you want to restore a copy without deleting the original, click Compare Info For Both Files and then select the checkbox for both the original file and the restored previous version, as shown in Figure 15-19. The restored copy has a number appended to the name to distinguish it from the original.

Not sure which version you want? Select a version and click Open In File History to preview that version. Or select a document and then, on the Home tab in File Explorer, click History. That option opens a preview of the most recent saved version in the File History app. Use the left-arrow button in the group of controls at the bottom of the main window to go back in time until you find the right version. Right-click the big green button for Restore and Restore To options.

The File History app offers a distinctly different take on browsing backed-up files. Although it resembles File Explorer in some respects, it adds a unique dimension—the ability to choose a set of saved files from a specific date and time, and then scan, scroll through, or search that entire set of files.

This screenshot shows the File Conflict dialog in File History. Two versions of a file are shown, each with a checkbox next to its name.

Figure 15-19 To restore a previous version of a file without replacing the original, click the Compare Info For Both Files option and then select both versions in the File Conflict dialog.

You’re most likely to use the File History app in one of the following two ways:

  • To restore some or all files from a backup, open File History in Control Panel and click Restore Personal Files. In the File History app, shown in Figure 15-20, you can then select the files or folders you want to restore.

  • To restore one or more files or folders, open File Explorer, select the file or folder you’re interested in recovering, right-click, select Show More Options, and then click Restore Previous Versions.

This screenshot shows the Home page in File History, with 16 folders shown in the center pane. Left and right arrow buttons are at the bottom of the window.

Figure 15-20 In its Home view, the File History app shows all files and folders set for regular backup. Scroll left for older backups, right for more recent ones.

Figure 15-20 shows the File History app, which has an address bar, navigation controls, and a search box along the top, very much like File Explorer. What’s different are the time stamp (above the file browsing pane) and the three controls below the pane that allow time travel without the need for flux capacitors or other imaginary time-machine components.

The legend at the top of the window tells you the date and time of the currently displayed backup. Use the Previous Version and Next Version controls at the bottom of the window to move between backups. (You can also use the keyboard shortcuts Ctrl+Left/Right Arrow.)

Within the File History app window, you can open folders to see their contents. An address bar at the top, along with the invaluable up arrow beside it, allows you to navigate as you might in File Explorer. As with File Explorer, you can use the search box in the upper right to narrow the results by file type, keyword, or file contents. Because file names rarely provide enough detail to determine whether a specific file is the one you’re looking for, File History has a preview function. Double-click a file to show its contents in the File History window.

To restore a file or folder you deleted or overwrote, move backward through the backups until you reach the desired date. Double-click to open a folder; use Ctrl+click to select multiple items. When you’ve made your selections, click the big green button to restore the selected items to their original location. If you’d prefer to restore the items to a separate location, right-click the green button and click Restore To.

The option to restore entire folders is especially useful when you’re switching to a new PC. After you complete one last backup on your old PC, plug the File History drive into your new PC, and then use the big green Restore button to copy your backed-up files to corresponding locations on the new PC.

As with File Explorer, you can change the view of files in the File History browsing window. By using the two shortcuts in the lower-right corner, you can quickly switch between Details and Large Icons view. (The latter is particularly useful when looking through folders full of digital photos.)

Using the Reset option to recover from serious problems

One of the signature features of Windows 8 turned out to be quietly revolutionary: an easy way for anyone to reset Windows to its original configuration using a Refresh or Reset command, with no technical skills required.

Windows 11 significantly refines that capability under a single Reset command. The most important change eliminates the need to have a disk-hogging OEM recovery image in a dedicated partition at the end of the hard drive. In Windows 11, that recovery image and its associated partition are no longer the primary recovery option. Instead, Windows 11 accomplishes recovery operations by rebuilding the operating system to a clean state using existing system files.

This push-button reset option has the same effect as a clean install, without the hassles of finding drivers and without wiping out potentially valuable data.

The Reset This PC option is near the top of the list on the System > Recovery page in Settings, as shown earlier in Figure 15-15. It’s also the featured choice on the Troubleshoot menu when you restart in the Windows Recovery Environment, as shown in Figure 15-21.

This screenshot shows the Troubleshoot menu in the Windows Recovery Environment. It has two buttons: Reset This PC and Advanced Options.

Figure 15-21 You can reset your Windows 11 PC by starting the Windows Recovery Environment and choosing the top option shown here.

When you reset a PC, Windows 11 and its drivers are restored to the most recent rollup state. After the reset is complete, the PC includes all updates except those installed in the past 28 days, a design that allows recovery to succeed when a freshly installed update is part of the problem.

For PCs sold with Windows 11 already installed, any customized settings and desktop programs installed by the manufacturer might be restored with the Windows 11 reset. These customizations are saved in a separate container, which is created as part of the OEM setup process.

All of the default preinstalled Windows apps (Photos, Mail, and Calendar, for example) are restored, along with any Windows apps that were added to the system by the OEM or as part of an enterprise deployment. App updates are downloaded and reinstalled via the Store automatically after recovery.

Windows desktop programs are not restored and must be manually reinstalled. Likewise, any previously purchased Store apps are discarded and must be reinstalled from the Store.

Resetting a PC isn’t something you do accidentally. The process involves multiple confirmations, with many opportunities to bail out if you get cold feet or realize that you need to do just one more backup before you irrevocably wipe the disk. The first step offers you the option to keep your personal files or remove everything, as shown in Figure 15-22.

This screenshot shows the first menu in the Reset This PC process. It has two buttons: Keep My Files and Remove Everything.

Figure 15-22 The Reset This PC option lets you choose whether to keep your personal files or remove everything and start with a completely clean slate.

If you’re performing the reset operation in preparation for selling or donating your computer, you probably want to use the second option. Otherwise, choose the first option to retain your personal files.

If you’re removing everything on a system with more than one drive, you can choose to remove files from only the drive where Windows is installed or from all drives.

Next, you’re prompted to reinstall Windows from local files or from a cloud download. Keep in mind that reinstalling from the cloud downloads around 4 GB of files, and unless you have reasonable internet bandwidth, that might take an extended time.

You’re now asked whether you want to Just Remove My Files or Fully Clean The Drive. The Fully Clean The Drive option can add hours to the process. Note that this option, while thorough, is not certified to meet any government or industry standards for data removal.

If you made it this far through the process, you have only one more confirmation to get through. That confirmation, shown in Figure 15-23, displays the choices you made, with one last Cancel option. To plunge irreversibly ahead, click Reset.

This screenshot has “Reset this PC” in large letters at the top, a description of what resetting will do, and two buttons: Reset and Cancel.

Figure 15-23 This is your last chance to back out when resetting a PC.

The reset option can be a tremendous time-saver, but it’s not all-powerful. Your attempts to reset Windows can be thwarted by a handful of scenarios:

  • If operating system files have been heavily corrupted or infected by malware, the reset process might not work—although the cloud download option might work better.

  • If the problem is caused by a cumulative update that is more than 28 days old, the reset might not be able to resolve that problem.

  • If a user chooses the wrong language during the out-of-box-experience (OOBE) phase on a single-language Windows version (typically sold in developing countries and regions), a complete reinstallation might be required.

Note

For workplace computers that are domain-joined, it’s likely that a network administrator can reimage a problematic computer, perhaps by using Endpoint Configuration Manager desktop images. This can achieve very much the same end result—a computer that is reset to an earlier point in time. For workplaces that manage their computers using Endpoint Manager (Microsoft Intune), administrators can choose between performing a remote Fresh Start (which is similar to Reset This PC) or, where applicable, an Autopilot Reset, which returns a device to a fully configured and managed state.

If the reset option doesn’t work, the best option is reinstalling with the assistance of a recovery drive, as we describe in “Working with ISO files directly,” in Chapter 2.

Using the Windows 7 Backup program

Windows 11 includes the Windows Backup program, which was originally released as part of Windows 7. Its feature set is basically the same as its distant predecessor, and it’s included primarily for compatibility with backups created using that older operating system. (In fact, the name of the executable file, Sdclt.exe, is an inadvertent giveaway of just how old this program is. It’s short for SafeDocs Client, the original name of this feature when it debuted as part of a very early Windows Vista beta release.)

If you have a working backup routine based on the Windows 7 Backup program, we don’t want to stand in your way. The version included with Windows 11 does all the familiar tasks you depend on, and we suggest you carry on. After all, the best backup program is the one you use.

For Windows 11, there are better backup utilities, but we continue to recommend the Windows Backup program for the one task it does exceptionally well: Use it to make a system image backup that can re-create a complete PC configuration, using a single drive or multiple drives. Restoring that system image creates a perfect copy of the system configuration as it existed on the day that system image was captured, without the need to reinstall and reconfigure applications.

To restore an image backup, boot into the Windows Recovery Environment, choose an image file to restore, and complete the process by restoring from your latest file backup, which is likely to be more recent than the image. (Depending on the age of the backup image, you might also need to install the latest feature update for Windows, followed by the latest cumulative quality update.) The image files that Windows Backup creates are largely hardware independent, which means that—with some limitations—you can restore your backup image to a new computer of a different brand and type.

Creating a system image backup

To create a system image, open Control Panel and search for Backup; then click Backup And Restore (Windows 7). You can skip a few clicks by typing sdclt in the search box or the Run box. That opens the tool shown in Figure 15-24.

This screenshot shows Backup And Restore in Control Panel. Under Backup, it shows the target location of the backup, details about the most recent backup, and schedule details.

Figure 15-24 The vintage Windows 7 Backup tool isn’t necessary for file backup tasks, but it’s ideal for capturing a complete image of a Windows installation for disaster recovery.

When you first open Windows Backup, a message alerts you that the program has not been set up. You can ignore that message and the options in the center of that window, and instead click the Create A System Image link at the left side of the window. That opens the efficient Create A System Image Wizard. The first step asks you to define a destination for your system image.

The ideal destination for a system image backup is a local hard disk, internal or external. If the Windows Backup program detects a drive that qualifies, it suggests that destination in the list of hard disks at the top of the dialog. The second option lets you choose a DVD writer as the target for the backup operation; although this option might have made sense a decade ago, we do not recommend it today.

When you create a system image backup, the resulting image file stores the complete contents of all selected drives during its first backup. If the backup target is a local (internal or external) hard drive, subsequent backup operations store only new and changed data. Therefore, the subsequent, incremental backup operation typically runs much faster, depending on how much data has been changed or added since the previous image backup operation.

If you choose a shared network folder as the backup destination, you can save only one image backup. Any subsequent image backup wipes out the previous image backup.

If you have multiple hard drives, Windows displays a dialog in which you choose the volumes you want to include in the backup. By default, all volumes that contain Windows system files (including the EFI System Partition and the Windows Recovery Environment) are selected. If other volumes are available, you can optionally choose to include them in the image backup as well.

The disk space requirements for an image-based backup can be substantial, especially on a well-used system that includes lots of user data files. Windows Backup estimates the amount of disk space the image will use, as in the example in Figure 15-25, and warns you if the destination you choose doesn’t have sufficient free disk space.

This screenshot shows the first page of the Create A System Image Wizard, which asks “Where do you want to save the backup?” A hard disk is selected as the backup destination.

Figure 15-25 The Windows Backup program warns you if the destination drive lacks enough space to hold the image you plan to create.

After you confirm your settings, click Start Backup to begin the process of building and saving your image.

System images are stored in virtual hard disk (VHD) format. Although the data is not compressed, it is compact because the image file does not include the hard drive’s unused space and some other unnecessary files, such as hibernation files, page files, and restore points. Incremental system image backups on a local drive are not written to a separate folder. Instead, new and updated files (actually, the changed blocks in those files) are written to the same VHD file. The older blocks are stored as shadow copies in the VHD file, allowing you to restore any previous version.

The final step of the image backup process offers to help you create a system repair disc on a writable CD or DVD. This option might be useful for an older PC, but it’s redundant if you already created a recovery drive as described in “Downloading and creating installation media,” in Chapter 2.
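The same kind of system image can be captured from an elevated prompt with the wbadmin command-line tool that ships with Windows. The following script is an added example, not part of the original chapter; the target drive letter E: is an assumption, and the space check is only a rough estimate based on used space on the system volume.

```powershell
#Requires -RunAsAdministrator

$source = $env:SystemDrive     # volume that holds Windows, for example C:
$target = 'E:'                 # assumed drive letter of the local backup disk

if ($target -eq $source) {
    throw "The backup target must not be the volume that is being imaged."
}

$src = Get-Volume -DriveLetter $source.TrimEnd(':') -ErrorAction Stop
$dst = Get-Volume -DriveLetter $target.TrimEnd(':') -ErrorAction Stop

# A local disk that receives a system image must be formatted with NTFS.
if ($dst.FileSystem -ne 'NTFS') {
    throw "Target $target is formatted as $($dst.FileSystem); NTFS is required."
}

# Used space on the system volume is a rough estimate of the image size.
# The image leaves out unused space, page files and hibernation files, but
# the other critical volumes (EFI, recovery) add a little on top.
$needed = $src.Size - $src.SizeRemaining
if ($dst.SizeRemaining -lt $needed) {
    $needGB = [math]::Round($needed / 1GB, 1)
    $freeGB = [math]::Round($dst.SizeRemaining / 1GB, 1)
    throw "Target $target has $freeGB GB free; about $needGB GB is needed."
}

# -allCritical adds every volume that contains Windows system files, which
# matches the default selection in the Create A System Image wizard.
wbadmin start backup "-backupTarget:$target" "-include:$source" -allCritical -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin exited with code $LASTEXITCODE; no usable image was created."
}

# List the image versions now stored on the target so that the date and
# time can be checked before the backup is relied on for recovery.
wbadmin get versions "-backupTarget:$target"
```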

Restoring a system image backup

The system image capabilities in Windows Backup are intended for creating an emergency recovery kit for a single PC. In that role, they function exceptionally well. If your hard drive fails catastrophically, or if you want to wipe your existing Windows installation and start with a clean custom image you created a few weeks or months ago, you’ve come to the right place.

Your options (and potential gotchas) become more complex if you want to use these basic tools to work with a complex set of physical disks and partitions. That’s especially true if the disk layout to which you want to restore an image has changed from the time you created the original image—if you replaced the original system disk with one that has a larger capacity, for example.

In this section, we assume you created an image backup of your system disk and want to restore it to a system that is essentially the same (in terms of hardware and disk layout) as the one you started with. In that case, you can restart your computer using a recovery drive or bootable Windows 11 installation media and then choose the Repair Your Computer option.

Choose Advanced Options, See More Recovery Options, and then select System Image Recovery. If you’re restoring the image backup to the same system on which it was originally created, and the external drive containing the backup file is available, you should see a dialog proposing that option. Verify that the date and time and other details of the image match the one you want to restore, and then click Next to continue.

If the image file you’re planning to restore from is on a network share or if you want to use a different image, choose Select A System Image and then click Next. You see a dialog that lists additional image files available on local drives. Select the correct file, and then click Next to select a specific image backup. If the image file you’re looking for is in a shared network folder, click the Advanced button and then click Search For A System Image On The Network. Enter the network location that contains your saved image, along with credentials (a username and password) that have authorized access to that location.

Restoring an image backup completely replaces the current contents of each volume in the image file. The restore program offers to format the disk or disks to which it is restoring files before it begins the restore process; if you have multiple drives or volumes and you’re nervous about wiping out valuable data files, it offers an option to exclude certain disks from formatting.

The important point to recognize about restoring a system image is that it replaces the current contents of system volumes with the exact contents that existed at the time of the image backup you select. That means your Windows system files and registry will be returned to a healthy state (provided the system was in good shape when you performed your most recent backup and that no hardware-related issues have cropped up since then). Whatever programs were installed when you backed up your system will be restored entirely. All other files on the restored disk, including your documents, will also be returned to their prior states, and any changes made after your most recent backup will be lost.

Caution

If you keep your documents on the same volume as your system files, restoring a system image is likely to entail the loss of recent work—unless, of course, you have an up-to-date file backup, or you have the good fortune to have made an image backup almost immediately before your current troubles began. The same is true if you save documents on a volume separate from your system files but have included that data volume in your image backup. If you have documents that have not been backed up, you can avoid losing recent work by first copying them to a disk that will not be affected by the restore process—a USB flash drive, for example, or some other form of removable media. You can use the Command Prompt option in the Windows Recovery Environment to copy these documents. (For details about using the Command Prompt option, see “Working in a Command Prompt session” in Chapter 16.) If you do have a recent file backup, first restore the image backup and then restore your backed-up data files.

The main hardware limitation for restoring a system image backup is that the target computer must have at least as many hard drives as the source system, and each drive must be at least as big as its corresponding drive in the source system. This means, for example, that you can’t restore a system image from a system that has a 500 GB hard drive to a system with a 256 GB SSD, even if the original system used far less than 256 GB of drive space. Keep in mind also that on a system with multiple physical disks, you might have to adjust firmware settings to ensure that Windows restores the image of your system volume to the correct drive.

If your new computer meets the space requirements, restoring a system image should work. This is true even when the source and target computers use different disk controllers. Similarly, other differences—such as different graphics cards, audio cards, processors, and so on—shouldn’t prevent you from restoring a system image to a different computer because hardware drivers are isolated from the rest of the image information and are rebuilt as part of the restore process. (You might need to reactivate Windows because of hardware changes.)

Configuring and using System Restore

The System Restore feature is a relatively minor part of the recovery toolkit in Windows 11, but it can be useful for quickly undoing recent changes that introduced instability. When System Restore is enabled, the Volume Shadow Copy service takes occasional snapshots of designated local storage volumes. These snapshots occur before Windows Update installs new updates and when supported software installers run. You can also create snapshots manually—a sensible precaution before you make system-level changes.

System Restore snapshots take note of differences in the details of your system configuration—registry settings, driver files, third-party applications, and so on—allowing you to undo changes and roll back a system configuration to a time when it was known to work correctly.

Note

In Windows 7, the volume snapshots created by System Restore also included a record of changes to data files on designated drives, allowing you to restore previous versions of those data files. In Windows 11, this capability is part of the File History feature, which we described in detail earlier in this chapter.

Note that System Restore monitors all files it considers system-related, which includes executable files and installers. If you download the latest version of a favorite utility and store it in your Downloads folder, it is removed if you roll back to a System Restore checkpoint from before it was downloaded.

To check the status of the System Restore feature, in Settings, search for and select Recovery; then, in Advanced Recovery Tools, click Configure System Restore. Under Protection Settings is a list of internal and external NTFS-formatted drives. (See Figure 15-26.) A value of On indicates that restore points are being created automatically for the associated drive.

This screen shows the System Protection tab in the System Properties dialog. Under Protection Settings, two drives are shown.

Figure 15-26 The System Protection tab shows available disks and their current protection settings (on or off). To enable protection for a drive that’s off, select it and click Configure.

Using the System Properties dialog, you can enable or disable automatic monitoring for any local drive. On previous versions of Windows, system protection is fully enabled for the system drive by default and is disabled for all other local drives. In our experience, Windows 11 typically disables system protection; we’re not aware of any documentation that explains how or why Windows 11 chooses to enable or disable this feature, but the obvious reason is to save disk space. After a successful upgrade, we recommend that you check these settings and, if you find this feature important, re-enable system protection for the system drive at least.

You can manually create a restore point at any time for all drives that have system protection enabled. Click the Create button at the bottom of the System Protection tab to open the Create A Restore Point dialog. Enter a meaningful description and then click Create.

To turn system protection on or off, or to adjust the amount of space it uses, select a drive from the Available Drives list and then click Configure. That opens the dialog shown in Figure 15-27.

The information under the Disk Space Usage heading shows both the current usage and the maximum amount of space that will be used for snapshots before System Protection begins deleting old restore points to make room for new ones. Move the Max Usage slider to change the amount of disk space reserved for restore points. We recommend using no more than 5 percent of the disk, up to a maximum of 10 GB, on volumes that are larger than 64 GB.

This screenshot shows the System Protection settings for a drive. Under Restore Settings, Turn On System Protection is selected. Under Disk Space Usage, Max Usage is set to 2%.

Figure 15-27 Use the Max Usage slider to adjust the amount of disk space used by System Restore snapshots.

If you’re concerned about disk space usage and you’re confident you won’t need to use any of your currently saved restore points, you can click the Delete button in the lower-right corner under the Disk Space Usage heading to remove all existing restore points without changing other System Protection settings.
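The steps in this section (turning on protection for the system drive, creating a manual restore point, and limiting snapshot space) can also be scripted. The following is an added example, not part of the original chapter; it assumes an elevated Windows PowerShell 5.1 session, and the description text is constructed.

```powershell
#Requires -RunAsAdministrator
# Run in Windows PowerShell 5.1; the restore-point cmdlets are not in PowerShell 7.

$sysDrive = $env:SystemDrive            # for example C:
$label    = 'Before driver update'      # constructed description

# Turn on system protection for the system drive (harmless if already on).
Enable-ComputerRestore -Drive "$sysDrive\" -ErrorAction Stop

# Remember the newest existing restore point so a new one can be confirmed.
$existing = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$lastSeq  = 0
if ($existing.Count -gt 0) {
    $lastSeq = ($existing | Measure-Object -Property SequenceNumber -Maximum).Maximum
}

# Create the restore point. Windows skips creation, with only a warning, when
# another restore point was made recently (24 hours by default), so capture
# the warning instead of assuming success.
Checkpoint-Computer -Description $label -RestorePointType MODIFY_SETTINGS `
    -WarningVariable cpWarning -WarningAction SilentlyContinue -ErrorAction Stop

$created = @(Get-ComputerRestorePoint |
    Where-Object { $_.SequenceNumber -gt $lastSeq })

if ($created.Count -gt 0) {
    $created | Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
} else {
    Write-Warning "No new restore point was created. $cpWarning"
}

# Set the snapshot storage limit to the ceiling recommended above: 5 percent
# of the volume, up to 10 GB, on volumes larger than 64 GB. Lowering the limit
# can cause the oldest restore points to be deleted.
$volume = Get-Volume -DriveLetter $sysDrive.TrimEnd(':')
if ($volume.Size -gt 64GB) {
    $capBytes = [math]::Min($volume.Size * 0.05, 10GB)
    $capMB    = [int64][math]::Floor($capBytes / 1MB)
    vssadmin resize shadowstorage "/for=$sysDrive" "/on=$sysDrive" "/maxsize=${capMB}MB"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "vssadmin could not change the snapshot storage limit."
    }
}
```

Comparing sequence numbers before and after is what confirms the restore point exists; a clean return from Checkpoint-Computer alone does not.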

Rolling back to a previous restore point

The most common reason to roll back to a previously saved restore point is to undo the destabilizing effect of a freshly installed app or driver that conflicts with other software or drivers on your system. First, if possible, uninstall the offending app or driver and then apply the restore point captured before the installation. That should remove any problematic system files and registry settings that were left behind by the uninstaller.

To see a list of recent restore points, type rstrui at a command prompt or click System Restore on the System Protection tab of the System Properties dialog. (If you’re running under a standard user account, you need to enter an administrator’s credentials in a UAC dialog to continue.) That opens the System Restore Wizard. Select the restore point you want, then confirm your choice in the ensuing dialog.

To choose a restore point other than the most recent one, click Choose A Different Restore Point and then click Next.

What impact does your choice of restore points have? To see a full list of programs and drivers that will be deleted or restored, select the restore point you’re planning to use, and then click Scan For Affected Programs. That displays a dialog that lists every change you made since that restore point was created. (Note that this list does not warn you about any executable files that might be deleted from your Desktop, Downloads, or other folders.)

After selecting a restore point, click Next to display a series of confirmation dialogs. After you successfully convince the system that, yes, you really want to do this, the System Restore wizard creates a new restore point, labeled Undo: Restore Operation, which makes it possible to restore the current configuration if this troubleshooting operation doesn’t solve the underlying problem. Then, after a restart, it replaces current system files and registry settings with those in the restore point you selected.

When System Restore reinstates a previously saved configuration using a restore point, your data files—documents, pictures, music files, and the like—are not tampered with in any way. (The only exception is if you or an app created or saved a file using one of the file name extensions from the list of monitored extensions, as described in the previous section.)

Although you can restore your system to a previously saved restore point from the Windows Recovery Environment, neither you nor Windows can create a new restore point from that location. As a result, you cannot undo a restore operation that you perform by starting from the Windows Recovery Environment. You should use System Restore in this mode only as a last resort if you are unable to start Windows normally to perform a restore operation.