Use PowerShell to Back Up System State Prior to Making Changes

Doctor Scripto

Summary: Learn how to use Windows PowerShell to back up system state prior to making changes to the registry.

Hey, Scripting Guy! Question Hey, Scripting Guy! I am interested in using Windows PowerShell to work with the registry, but everything I see talks about backing up the registry first. Is it possible to use Windows PowerShell to back up the registry?


Hey, Scripting Guy! Answer Hello CG,

Microsoft Scripting Guy, Ed Wilson, is here. Things are really becoming exciting around here. I have been in contact with the two winners from the 2012 Scripting Games, Rohn Edwards and Lido Paglia, and they are both coming to Microsoft TechEd 2012. I will later announce a time when they will be at the Scripting Guys booth, so if you are in Orlando at TechEd 2012, make sure that you can stop by. In addition, I have been talking to my good friend, Blaine Barton, who does the IT Time TechNet Radio podcast, and we will be doing a live broadcast from the TechEd floor as we talk to Rohn and Lido. This is not all— I will make sure to announce any other cool things we come up with.

Note   This is the second blog in a series of Hey, Scripting Guy! Blogs that discuss using the Registry provider. The first blog, Using the Registry Provider to Simply Registry Access published on Monday. For additional information about working with the registry via Windows PowerShell, see this collection of blogs.

Understanding the Computer Restore cmdlets

One of the easiest ways to ensure system reliability is to create a restore point prior to making potentially damaging changes. In this way, if a problem arises, it is rather simple to roll back the changes. In Windows PowerShell, the easy way to create a restore point is to use the Windows PowerShell cmdlets. These cmdlets require administrator rights (due to access to protected registry keys and other vital configuration files). Therefore, you need to right-click the Windows PowerShell icon and select Run As Administrator from the Action menu. Keep in mind that these cmdlets only work on client systems later than Windows XP. These cmdlets do not work on server versions of the operating system. There are several cmdlets that you can use to work with system restore. These cmdlets and their associated descriptions are listed here.




Enables the System Restore feature on the specified file system drive.


Disables the System Restore feature on the specified file system drive.


Gets the restore points on the local computer.


Starts a system restore on the local computer.


Creates a system restore point on the local computer.


Note   The following command retrieved the information in the previous table:

“*restore*”,”checkpoint*” | % {get-help $_ }| select name, synopsis | ft -AutoSize –Wrap

The good thing is that the *restore* cmdlets use a standard WMI class: the SystemRestore WMI class. This class has documentation on MSDN, so MSDN is a great place to find additional information about the Windows PowerShell cmdlets.

Use CheckPoint-Computer to create a restore point

To create a new restore point, you use the CheckPoint-Computer cmdlet. If the name of this cmdlet bothers you, you can create an alias to New-ComputerRestorePoint by using the New-Alias cmdlet as shown here.

new-alias -Name New-ComputerRestorePoint -Value Checkpoint-Computer

When creating a new restore point via the CheckPoint-Computer cmdlet, you can specify one of five values for the RestorePointType parameter. The values are shown here.






An application has been installed.



An application has been uninstalled.



An application needs to delete the restore point it created. For example, an application would use this flag when a user cancels an installation.



A device driver has been installed.



An application has had features added or removed.


The default value for the RestorePointType parameter is APPLICATION_INSTALL. Therefore, leaving the RestorePointType parameter out of the command causes the cmdlet to create this type of restore point.

Because you are getting ready to modify the registry, you can use the default RestorePointType value. This command is shown here.

Checkpoint-Computer -Description “prior to adding registry key”

You can use the Get-ComputerRestorePoint cmdlet to obtain a list of the most recent computer restore points. This command is shown here.

PS C:\> Get-ComputerRestorePoint

Warning   Column “RestorePointType” does not fit into the display and it was removed.


CreationTime           Description                    SequenceNumber    EventType

————           ———–                    ————–    ———

4/17/2012 4:51:37 PM   Windows Update                 38                BEGIN_SYS…

4/19/2012 3:53:55 PM   Windows Update                 39                BEGIN_SYS…

4/19/2012 3:57:07 PM   Windows Live Essentials        40                BEGIN_SYS…

4/19/2012 3:57:19 PM   Installed DirectX              41                BEGIN_SYS…

4/19/2012 3:57:24 PM   Installed DirectX              42                BEGIN_SYS…

4/19/2012 3:57:48 PM   WLSetup                        43                BEGIN_SYS…

4/24/2012 9:11:12 AM   Windows Update                 44                BEGIN_SYS…

4/25/2012 1:48:52 PM   Windows Update                 45                BEGIN_SYS…

4/29/2012 9:43:11 AM   Windows Update                 46                BEGIN_SYS…

4/30/2012 11:27:01 AM  Installed Microsoft  File T… 47                BEGIN_SYS…

5/2/2012 10:51:17 AM   Installed Intel(R) PROSet/W… 48                BEGIN_SYS…

5/2/2012 10:04:24 PM   Windows Update                 50                BEGIN_SYS…

5/4/2012 10:22:41 AM   Windows Update                 51                BEGIN_SYS…

5/7/2012 12:01:48 PM   Windows Update                 52                BEGIN_SYS…

5/7/2012 2:02:12 PM    prior to adding registry key   53                BEGIN_SYS…

Verifying the status of the last restore point

Unfortunately, this command provides no information about the success of the last attempt to create a restore point for the computer. Selecting the most recent checkpoint and sending the output to the Format-List cmdlet with the Force parameter, displays additional information, but it does not provide any information about the success or failure of the checkpoint. This command and associated output are shown here.

PS C:\> Get-ComputerRestorePoint -RestorePoint 53 | fl * -Force

__GENUS          : 2

__CLASS          : SystemRestore


__DYNASTY        : SystemRestore

__RELPATH        : SystemRestore.SequenceNumber=53


__DERIVATION     : {}

__SERVER         : EDLT

__NAMESPACE      : root\default

__PATH           : \\EDLT\root\default:SystemRestore.SequenceNumber=53

CreationTime     : 20120507180212.613222-000

Description      : prior to adding registry key

EventType        : 100

RestorePointType : 0

SequenceNumber   : 53

Scope            : System.Management.ManagementScope

Path             : \\EDLT\root\default:SystemRestore.SequenceNumber=53

Options          : System.Management.ObjectGetOptions

ClassPath        : \\EDLT\root\default:SystemRestore

Properties       : {CreationTime, Description, EventType, RestorePointType…}

SystemProperties : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY…}

Qualifiers       : {dynamic}

Site             :

Container        :

The Get-ComputerRestorePoint cmdlet does have a LastStatus switched parameter, which according to Help, “Gets the status of the most recent system restore operation.” Unfortunately, the parameter provides only cryptic information such as shown here.

PS C:\> Get-ComputerRestorePoint -LastStatus | fl *

The last attempt to restore the computer failed.

Without any dates, operation IDs or other detailed information, the LastStatus parameter cannot be relied on to make a decision in relation to the success or failure of the computer’s system restore point.

See the Event Log for restore point status

The best place to determine the success (or failure) of the attempt to create a restore point for the computer is the Application Event Log. The pertinent event (event ID 8194) is shown here.

Image of event

Because you already have Windows PowerShell open, it is much faster to use the Get-EventLog cmdlet to obtain this information than to open the Event Viewer utility, navigate to the Windows Logs, select the Application log, and find the 8194 events in the log viewer. The command to find the latest 8194 event from the application log is shown here.

Get-EventLog -LogName application -InstanceId 8194 -Newest 1 | fl *

The command and the associated output are shown in the image that follows.

Image of command output

CG, that is all there is to using the CheckPoint-Computer cmdlet to create a system restore point and back up the registry. Registry Week will continue tomorrow when I will talk about creating new Registry keys and property values via the Windows PowerShell Registry provider.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 


Comments are closed. Login to edit/delete your existing comments

Feedback usabilla icon