
Can a recovery partition be infected?

Question:

Many of the new computers make a "D" partition that holds the equivalent of
a Restore Disk, that used to be common practice to come with a new machine. My
question is: if a machine is contaminated with viruses and/or malware, is the
"Rebuild Partition" also infected?

Is it affected? Maybe, maybe not. It varies.

Can a recovery partition be infected? Absolutely.

Add that to my long list of reasons why I dislike recovery partitions and
typically get rid of them - after doing a couple of things first.


One of the ways that computer manufacturers save money when building computers is to include less with them. Fewer disks to be shipped means lower cost for the manufacturer, and in turn lower costs to you. While the disks might seem inexpensive, when you ship thousands or millions of computers, even those small costs add up.


The problem is that saving you some money this way often creates a different cost: risk.

I've talked a lot about how manufacturers often don't include a Windows installation disc any more. All they give you is the pre-installed version of Windows on the machine, and a "recovery" disk. The recovery disk can't be used to install Windows, but it can be used to boot and recover or repair Windows in many circumstances.

Note that I said "many", not all. More on that in a moment.

For some time, the manufacturers have been placing the recovery disc contents on your hard disk - sometimes in addition to the actual disc, and apparently more frequently instead of the disc. It's often an additional partition; frequently drive D:, if it's visible at all. The recovery CD, if provided, uses the information in the recovery partition, and if there's no CD there's typically a way to boot from that recovery partition.

The result is the same: you can "recover" (but not reinstall) Windows to some initial, presumably repaired, state. (There's actually no standard as to what a recovery should include.)

Here are the two biggest issues:

  • If your hard drive fails, you lose both your primary partition - where Windows, your programs and all your data typically live - and the recovery partition. Being a separate partition doesn't make it immune to catastrophe. If the drive fails, that failure can take with it all partitions on the drive. You're left with either no means of recovery at all, or a recovery CD that requires information on the drive that it can no longer access.

  • Your very point: files on the recovery partition can be infected, corrupted, accidentally deleted or who knows what else. You may think you have a recovery partition, but when the time comes to use it you may find out that it simply doesn't work or results in a machine that's just as badly infected as before the "recovery".

That's just all way too risky for me.

Instead, I do three things:

  • Insist on a Windows Installation CD. This contains all of Windows and can be used by itself to reinstall the operating system from scratch to an empty hard drive if need be. This differs from a "recovery" CD or partition, which requires that the guts of the operating system somehow, somewhere already be on the hard drive.

  • I back up regularly and completely.

  • I remove the recovery partition to free up the space, and never use the recovery CDs.

It's that first bullet that gives me all the flexibility I need/want.

Naturally, as I have before, I strongly recommend that you always insist on getting a Windows installation disc with your new PC. Accept no substitutes.

If it's too late, or if for some reason you must purchase from a manufacturer that doesn't make the disc available to you, then I recommend the following:

  • Make an image backup of your primary partition immediately after the machine's been set up. Make a copy or two of that backup and keep it in a safe place. That's what you'd restore to should your machine ever need to be completely reformatted and reinstalled. It's as close to setting up from scratch as you can get without the installation media (and some would even say slightly more convenient).

  • Make an image backup of the recovery partition as well, just to be safe. With the primary partition imaged, I can't really see a scenario where you would ever need this, but there's simply no reason not to take an image while you have the chance.

  • Ignore the recovery partition. Remove it if you like. Or don't.

  • If you ever find yourself needing to recover or reinstall, make sure you have current backups of your data and applications, and then restore the image backup you took when the machine was new instead of using the recovery partition.

It's not perfect, but it protects you from exactly the very legitimate scenario you're concerned about: the loss or compromise of your recovery partition.


10 comments on “Can a recovery partition be infected?”

  1. I have had three different HP machines in which the recovery disks failed to work–even a new one purchased from HP. In all cases the disks apparently failed to recognize the machines as the original computers. The variable appears to be that I had upgraded the memory from the original purchased amount to the maximum.

  2. HP/Compaq allowed me to make one set of recovery DVDs. I had to use them 3 years later, due to some sort of infection or spyware or virus. For some reason it ran very slowly, over 3 hours. It totally erased the computer and the corrupted D partition and everything was fine. I have an extensive backup collection of DVDs. I just assumed all the major manufacturers did the same. Only Gateway provided the actual install CD/DVDs, back then.

  3. I have a Gateway computer with a recovery partition on drive D:
    McAfee gives a false positive on file OOBEconfig.exe in the recovery partition. I thought I was infected. Did a Google search, saw discussions about the problem showing up with other anti-virus software, AVG.

  4. Nice article, till date I had no idea what the partitioned disk (D DRIVE) does. Now I got a clear idea. As I mentioned earlier your language style is simple and elaborate.

    Thanks a ton.

  5. I believe that if the windows installation disc isn’t supplied with your pc or laptop then they at least copy the disc onto your hard drive, which in most cases is the folder c:\i386 which you can then create an image of on a dvd. You then don’t need a recovery disc or recovery partition at all.

  6. I’ve successfully recovered both of our computers with ghost images stored on a NAS device, and updated weekly as part of my backup schedule. I use Macrium Reflect, which allows me to mount the image as a drive. This meant that when my wife’s hard drive died, I was able to set up an account for her on my computer, and copy her ‘My Documents’, ‘Favourites’, ‘Desktop’ and other settings. In effect, she only lost a few e-mails. When I installed her new hard drive, I simply loaded it with the most recent ghost image, and then updated ‘My Documents’ etc. from the account on my machine.

  7. Another aspect to consider is if you replace the motherboard in your machine. In that case, recovery partitions and image backups may not work if you are using Win 2000 or above. Until Windows 98, the op sys was really plug and play. While coming up, it would adjust itself to the new environment and work just fine. But . . . probably for marketing reasons, Windows XP just blows up when it begins to boot after you replace a motherboard (with a totally different one, such as if you upgrade). The only way to “save the day” is to boot from the Windows installation CD and do a “repair” of the existing installation. In this case, if you don’t have a bootable Windows installation CD, you are dead! (On rare occasions, replacing the motherboard does NOT cause the above mentioned. I think it has to do with the chipset.)

  8. love em or hate em – the dell recovery disks are “the stuff” by my estimation. put it in, turn it on and experience minimal BS getting the OS YOU BOUGHT back into the machine. HP not so much.
    the idea of putting a recovery partition on the hard drive, which is the primary point of failure, escapes me. they do offer the option to make recovery cd/DVDs but most end users don’t do so — DO IT!!!!

  9. The recovery partition should be scanned with your antivirus, just as any other partition. However, if the AV suggests to quarantine anything at all, STOP!

    Do a Google search on the infection found, using another computer if one is available. Many times, some games can trigger the AV. MSE triggers the “Wild Tangent” game, or a component of it, on my HP desktop. It’s been submitted for analysis, it’s good.

    If any data on this partition is tampered with or deleted/becomes corrupted, any attempt to recover your computer may be gone.

    For this reason, as soon as one gets a computer, after updating & removing any unwanted software, backup (image) the entire hard drive. Then, backup (once again, image) the recovery partition, or if one has extra space on another HDD, using a partitioning tool, copy the partition as is. Note where it is on the PC. This gives the user at least 2 backups of the partition.

    Also, before doing anything, especially removing any programs, burn your recovery disks if your computer comes with an optical drive. Most computers with optical media have a program (usually some type of burning software) to do this with, and you may get a reminder to do so. Don’t put it off. You’ll need 3 to 5 quality DVDs (not the re-writable ones) to do this with. It’s best to have 5, as sometimes the program will “reject” a DVD, as the program checks it for integrity before burning to it.

    By doing this before using the computer for your regular uses, chances are that the recovery media will be free of viruses, and that it properly completes.

    Depending upon the PC maker, this set of recovery disks may or may not re-install the recovery partition onto the computer.

    Having all of these, made when the computer was new, will save your backside should there be any software corruption or hardware (especially hard drive) failure.

    I’m a solid believer in backing up my computers. There’s many free & paid choices of backup software, so there is NO reason NOT to backup.

    You don’t have to buy one of those expensive backup drives if you have a spare hard drive around. Take the old hard drive, buy an enclosure or hard drive docking station, and use that for a backup drive. Makes a great use out of a hard drive from an older, unused computer, or a used hard drive that you may have after upgrading.

    Cat
