8 Replies Latest reply on May 16, 2009 12:17 AM by mrgui

    System Restore Not Working Since EEPC

    SeanKeeley
      I have EEPC build 5502 installed on my Lenovo T60p laptop. System Restore was enabled before installing EEPC. After encryption, restore points are gone (no big surprise) BUT now, even though System Restore says it is enabled, taking a manual restore point produces the event log

      Event Type: Error
      Event Source: sr
      Event Category: None
      Event ID: 1
      Date: 2009-05-05
      Time: 14:08:40
      User: N/A
      Computer: ISCL34E8W2
      Description:
      The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'BootCode.ini' on the volume 'Disk0'. It has stopped monitoring the volume.

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
      Data:
      0000: 04 00 00 00 04 00 4e 00 ......N.
      0008: 00 00 00 00 01 00 00 c0 .......À
      0010: 00 00 00 00 00 00 00 00 ........
      0018: 00 00 00 00 00 00 00 00 ........
      0020: 00 00 00 00 00 00 00 00 ........

      The manual restore point still shows but appears to disappear on the next boot (have already done this more than once).

      Are System Restore and EEPC fundamentally incompatible?
        • 1. RE: System Restore Not Working Since EEPC
          ignore it - it's trying to make a snapshot of the EEPC pre-boot volume...
          • 2. Confirmed -- Synch Removes System Restore Point
            SeanKeeley
            Here's what I did.

            1. Started System Restore, noticed no restore point (even though I knew I'd taken a manual one before). Took a manual restore point.
            2. Rebooted and before EEPC Synch took place (we have a delay in synch), started System Restore and confirmed restore point there.
            3. Clicked Synchronize in EEPC Status dialog.
            4. Started System Restore -- NO restore points.

            Here's the event log
            Event Type: Error
            Event Source: sr
            Event Category: None
            Event ID: 1
            Date: 2009-05-05
            Time: 18:04:05
            User: N/A
            Computer: ISCL34E8W2
            Description:
            The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'BootCode.ini' on the volume 'Disk0'. It has stopped monitoring the volume.


            and here's the EEPC client log
            5/5/2009 6:04:04 PM Starting synchronization
            5/5/2009 6:04:04 PM SbFs total space = 20879360 bytes (19.91 MB)
            5/5/2009 6:04:04 PM SbFs free space = 19714048 bytes (18.80 MB)
            5/5/2009 6:04:04 PM Connecting to database: "REDACTED"
            5/5/2009 6:04:04 PM Address=REDACTED
            5/5/2009 6:04:04 PM Port=5555
            5/5/2009 6:04:04 PM Authenticate=Yes
            5/5/2009 6:04:05 PM Checking for machine configuration updates
            5/5/2009 6:04:05 PM Checking for user updates
            5/5/2009 6:04:06 PM Checking for token data updates
            5/5/2009 6:04:06 PM Checking for SSO updates
            5/5/2009 6:04:06 PM Checking for Local Recovery updates
            5/5/2009 6:04:06 PM Checking for hashes updates
            5/5/2009 6:04:06 PM Transferring local audit information to database
            5/5/2009 6:04:07 PM Checking for file updates
            5/5/2009 6:04:10 PM Applying configuration
            5/5/2009 6:04:10 PM Synchronization complete
            5/5/2009 6:04:10 PM Automatically synchronizing again in 1440 minute(s)
            5/5/2009 6:04:10 PM Applying cryption changes
            5/5/2009 6:04:10 PM Not encrypting removable drive H:

            Notice the time stamps between the two coincide ...
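The timestamp comparison made in the post above, as an added example that is not part of the original thread: it parses an Event Viewer text record and an EEPC-style client log and reports whether the `sr` error falls inside a synchronization window. The sample data is constructed from the log shapes quoted above; the function names, the 2-second clock slack, and the assumption that both logs use the same local time zone are illustrative.

```python
from datetime import datetime, timedelta

# Constructed sample input, shaped like the two logs quoted in the post.
EVENT_LOG = """Event Type: Error
Event Source: sr
Event ID: 1
Date: 2009-05-05
Time: 18:04:05
"""
CLIENT_LOG = """5/5/2009 6:04:04 PM Starting synchronization
5/5/2009 6:04:05 PM Checking for machine configuration updates
5/5/2009 6:04:10 PM Applying configuration
5/5/2009 6:04:10 PM Synchronization complete
5/5/2009 6:04:10 PM Applying cryption changes
"""

def parse_event(text):
    """Parse an Event Viewer text record into (timestamp, source, event_id)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    ts = datetime.strptime(fields["Date"] + " " + fields["Time"], "%Y-%m-%d %H:%M:%S")
    return ts, fields["Event Source"], int(fields["Event ID"])

def parse_client_log(text):
    """Return [(timestamp, message)] from 'M/D/YYYY h:mm:ss AM|PM message' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        try:
            ts = datetime.strptime(" ".join(parts[:3]), "%m/%d/%Y %I:%M:%S %p")
        except ValueError:
            continue  # skip lines that do not start with a timestamp
        entries.append((ts, parts[3] if len(parts) > 3 else ""))
    return entries

def sync_containing(event_ts, entries, slack=timedelta(seconds=2)):
    """Return the (start, end) sync window containing event_ts, allowing clock slack."""
    start = None
    for ts, msg in entries:
        if msg == "Starting synchronization":
            start = ts
        elif msg == "Synchronization complete" and start is not None:
            if start - slack <= event_ts <= ts + slack:
                return start, ts
            start = None
    return None
```

A match shows only that the two events coincide in time, which is what the post observes; it does not by itself identify which component is at fault.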
            • 3. RE: Confirmed -- Synch Removes System Restore Point
              you won't find bootcode.ini on your c: drive - it's not there.

              I would send this to M$ - I expect they are confused as to which drive they are looking at.
              • 4. It's Not an EEPC Problem????
                SeanKeeley
                I'm sorry but "talk to MS" seems a somewhat disingenuous answer. System Restore is working fine, I install EEPC and it stops working. Furthermore, System Restore's failure occurs exactly when EEPC synchronizes. Please tell me again why this is Microsoft's problem. :confused:
                • 5. RE: It's Not an EEPC Problem????
                  I'm not saying the two are unrelated, I'm saying look at the evidence - system restore has stopped working and the reason is reported to be a file, which does not exist on any drive SR should be monitoring.

                  Now, if the file existed, I would understand a little, but it does not. My guess is SR is confused as to what drive it's looking at, which would have to be resolved by fixing SR itself?

                  I expect EEPC is simply pointing out a flaw in SR. EEPC isn't doing anything illegal or odd, it's SR which seems to be confused here.
                  • 6. RE: It's Not an EEPC Problem????
                    Unrelated to the original problem here, but you'll probably want your machines to synch a little more often than once every 24 hours. Unless you had a reason not to, I would suggest an interval between 60 and 240 minutes (1-4 hours).
                    • 7. RE: It's Not an EEPC Problem????


                      urgh - bad idea and against McAfee recommendations (which is once a day) - why would you want the policy to update so often? Remember the machine will sync on every reboot anyway, so the automatic repeat sync is only to catch those which are lucky enough never to crash or get powered off.

                      Syncing once an hour if you have a few thousand machines adds a huge load on your network, especially if you have some wan links or latency to deal with.
                      • 8. RE: It's Not an EEPC Problem????
                        We have over 5000 machines remotely syncing every 90 minutes. The reason for this is to keep audits current and passwords in sync (for multi-system users). I have never heard of any such recommendation. If the suggestion is once per day, why is it measured in minutes?

                        Many of our users work offline for hours at a time. If they only synced once a day, we'd have a considerably larger amount of machines in need of isolation recovery.