I looked at the information for my computer in Disk Management. It shows my
hard disk has three partitions (I’ve included a screen shot.) The first is
unnamed and is 39 MB Healthy (OEM); the second is Recovery with 14.65 GB; and
the third is OS (C:) at 283.40 GB.
- What is the 39 MB partition?
- Does it contain some kind of read information about the hard drive itself?
Seems too small to serve any kind of operational function. - What keeps a virus or other malware from “jumping” from one partition to
another? - Is it a valid concern that the recovery partition might itself become
infected? If the bad guys are so adept at creating malware what’s to prevent
them from installing something that corrupts everything, leading the
unsuspecting user to reinstall the malware via the recovery partition or the
system image?
What you’re seeing is common for machines from many of the major
manufacturers – as hard disks have grown in size they’ve begun setting aside
portions of the drive for recovery purposes.
Exactly what each partition contains is up to the specific manufacturer –
there’s no standard. In your case, I’ll take a guess to what Dell is up to. I’ll
also explain why I ignore these partitions, and then remove them should I ever
reformat a machine containing them.
And while I’ve addressed the malware and
partitions question before, it’s an important one worth revisiting as it
actually relates somewhat to why I typically remove the partition.
]]>
The Partitions and Recovery
Here’s the hard disk display in the Windows disk management tool (used with the permission of my reader):
The big one at the right end is easy – it’s your C: drive, the drive you see when you boot your computer normally. Of your approximately 300 gigabyte drive 283 gigabytes are available for use in this partition. And, as I said when you boot normally, it’s the only partition you would see outside of any disk management tools, and it’s the only partition that the rest of the software on your machine would typically know about.
As I said, there’s no standard as to what the other partitions installed by your computer’s manufacturer might hold. Some put a bare minimum of information, some put an entire backup of your original install on it. A quick search on the Dell site also didn’t turn up a definition, but looking at the sizes I’m guessing you’ve got the later.
Hence, I’ll make an educated guess about what’s what.
Both the OEM and Recovery partitions are used at recovery time. And by “recovery time” I mean that time as outlined by Dell support documents where on boot before Windows begins loading you press F8 to get additional boot options and choose recovery.
I believe (and I could be wrong on this) that the OEM partition is a small boot partition that’s used at that time. The larger Recovery partition is probably a backup image of your machine as it was on the day it was delivered. So a “restore to factory settings” in this case consists of a couple of simple steps:
-
Booting from that OEM partition (done by the F8 selection you’ve made on boot)
-
A utility in that partition that then simply a) erases your C: drive and b) copies the “Recovery Partition” contents over to the C: drive restoring it to it’s initial factory-delivered condition.
Remember, this is an educated guess, and different computers – particularly computers from different manufacturers – may well do things very, very differently.
Cross Contamination
The issue you raise about malware somehow getting onto the recovery partition is a good one. In your case, I wouldn’t expect it to happen for a couple of reasons:
-
While the recovery partitions are visible in disk management, they’re not typically visible during normal system operation, making it harder – though of course not impossible – for malware to “see” and infect the partition.
-
As I’ve pointed out, the layout and technique varies from manufacturer to manufacturer. Malware writers tend to choose the biggest targets and typically choose things that are on most machines, not just machines from, say, Dell. Again, it’s possible, just not as likely.
I have seen machines where the recovery partitions are visible as an additional drive, often drive “D:”. In this case the recovery partition is very vulnerable to infection. In this, case in particular your concerns are very valid and represent a serious risk. Fortunately if the drive is visible your anti-malware tools are also able to scan and protect it for some amount of security.
So in short: if the recovery partition is hidden, as yours is, the likelihood of cross contamination or infection is low. If the partition is visible when your machine is booted normally as an additional drive, then the risk is high.
It’s Still A Single Drive
I need to point out one more thing about this configuration: partitioned or not, it’s all on the same single physical drive.
That means that the recovery partition can be used only for certain types of recovery; specifically it can only be used for recovery where the drive is still functional. Should the drive ever fail (and they do, more often than you might think), then all partitions on the drive are lost, including the recovery partitions.
It’s important to remember that a Recovery Partition:
-
Does not backup your data.
-
Does not stay current with installed updates or applications installed after purchase.
-
Cannot recover from a hard drive failure.
Basically I see it as being useful in only one case: where the software (Windows, applications, whatever) has become so unstable that a reinstall is required. A recovery partition is used to effectively do this by containing a copy of the installed or installable system at the time it was delivered. After you recover you still need to bring it up to date, install all your applications and retrieve your data from backups.
Why I Delete It, And What I Do Instead
I find recovery partitions next to useless for most common problem scenarios. They may make a few steps easier for your computer manufacturer’s support engineers (they do often seem eager to have you restore the machine to factory settings), but in practice I don’t believe that they’re worth the space and effort compared to other more comprehensive approaches. And as we’ve seen in some cases, they can be another location to get infected, further invalidating their usability.
When I get a new machine, I’ll typically leave the recovery partition alone. I’ll completely ignore it and act as if it wasn’t there. Then, the first time I need to reformat the machine I’ll remove all those partitions and recover the space they’re using by re-creating or resizing the primary partition to use the entire hard disk.
Instead of relying on a recovery partition I:
-
Insist on getting Windows Installation CDs or DVDs when I purchase the machine. When I need to reformat/reinstall, I can use these.
-
Take a complete image backup of the new machine’s primary partition (C:) as soon as practical after receiving it. This creates my own snapshot of the “factory original” state that I can safely store off-line and use as needed. Restoring to this is typically faster than a reformat/reinstall, and can often be the only option if installation media was not originally provided.
-
Take complete image backups periodically to have “more recent” images to restore to that are more up to date than that “factory original”. Solutions frequently don’t require that you go back to that initial state, just back “far enough” prior to whatever problem I’m dealing with. These images would also contain any data I have on the system in addition to the system itself.
You may recognize that last step as part of a regular backup strategy, if it’s taken frequently enough.
Should you ever have an actual hard drive failure and lose your recover partition, then only one of those types of options will allow you to recover. Since you should really have these off-machine backups or reinstall media anyway, why have a recovery partition at all?
That first partition is the boot manager – the one that allows you to choose between the normal boot and the Recovery partition. On Dells it’s an older implementation of LILO.
Hi Leo, Thanks for the great newsletter service.
I set up new computers for our company and one thing I do is to place all the system documentation, system recovery and other software discs into a labeled 6×9 envelope and place that inside the computer case – usually on the side behind the motherboard, making sure not to interfere with any wiring, or air flow for cooling. Then I place a label on the outside of the case that says “System Info & Recovery CD’s behind this panel”. That way, maybe years later, after the machine has moved around some, the original CD’s can always be found if they are needed for service.
In the case of Dell, pressing F8 to get to the recover options gives you more than just the ability to restore to factory image. It also gives you a command prompt. I use that command prompt to run chkdsk /f on the data drive (which is not C: in this scenario). You can also go back to prior system restore points and a few other things. (I would have to reboot my computer to remember all of them.) That’s on a Win7 Pro machine, by the way.
Leo, and others, keep recommending you insist on getting a install CD/DVD with the purchase of a new machine. However, for many of us who buy their machine at a “box” store, that seems to be next to impossible. We are stuck with the next two options. 1)Create a set of ‘recovery discs’, and 2) order a set from the manufacturer (at a cost). Both of those have the advantage of having the specific drivers for that machine, and the disadvantage of having the clutter the manufacturer installed at the onset.
Purchasing a ‘built’ machine from smaller retailers gives you more options, but at a financial burden. There are two more options I use. If it’s new, after I have it configured/cleaned up the way I want, I clone it. Bingo, a recovery disc you can use to clone back to your machine after the ‘disaster’.
Also, I was fortunate enough to have access to a ‘Original’ windows disc which I copied. The key I did not worry about because the machines I fix have their own ‘valid’ key. This should be a perfectly legal option as you are restoring the ‘original’ OS to a legal ‘originally keyed’ machine.
As a relatively new reader, I find a lot of helpful information. The questions may seem a bit naive, but your expanded answers either confirm what I thought I knew, or give me very good extended insight as to the workings of these little beasts called computers. This whole area of hidden partions, backups, and restoring has been a source of confusion. Of all the rescue disks I have made, none have worked. Now I understand. Thank you very much for sharing your extensive knowledge.
je
Though these ‘recovery’ partitions (they ought to be called ‘reinstall’ partitions as you can’t recover anything with them) are a bit of a nuisance, they do have their uses. It’s well known that secondhand computers can have a lot of information left on the hard drive. and it’s not impossible for it to be infected, so a complete ‘factory-fresh’ reinstall clears everything – at least as far as the average user is concerned. Yes it takes time to do all the updates, but at least you know you have a clean machine. I’ve done this several times for family members and friends who have acquired computers in the secondhand market.
I don’t know if the ‘recovery disks’ you are urged to create are any good – I’ve never had to use them – but one Packard Bell I set up wouldn’t let me create another set (despite it nagging me to do so…) so if he original owner made them and didn’t pass them on to you, you may have a problem…
However, as you suggest, there’s no real alternative to proper backups for total security.
I agree you should leave it alone unless absolutely necessary… I believe in redundancy to the point to stupidity and the “stupidity” mentioned is usually executed by my own hand. If you have multiple backups usually the initial one made of a system is on an “older” drive… what if that one is damaged, dropped (stupidity again.) And you can’t get back – then if you truly want a “clean” state the recovery will get you there. Or, if you want to eventually give that computer to charity of somebody you know – it gives them the choice as maybe they would prefer a recovery drive. There are many scenarios – too many, so you are right to say leave it alone unless absolutely necessary…
I have fixed too many computers to count without having to reinstall the OS. I have also reinstalled the OS or a more recent one on countless machines when “fixing” them proved impossible or way too time consuming…. and I have just used the recovery partition on a dell for the very first time. The Dell inspiron would start Vista, get to the desktop and then within 30 seconds to a minute you could not click on anything—the cursor moved but clicking had no result—even Safe Mode wouldn’t work. Normally I would have reformatted it and put Windows 7 on it but my friend didn’t want to spend the money, I could have reformatted and put Vista back on but having nothing to lose I tried F8 on system start and reinstalled using the recovery partition. It worked just fine–didn’t even have to reenter the product key. So maybe worth trying before manually reformatting and reinstalling.
I did backup files using Ubuntu 10 (Ubuntu is another OS–if you don’t know about it, not really important to this conversation) and I used Winkey finder (google it) to recover the product keys for Microsoft Office 2007 and Vista before I did the recovery–Winkey Finder is BLAZINGLY FAST–in 1 or 2 seconds it had both keys—it was just as fast on my other computer where it had to show the keys for multiple Adobe products as well as Microsoft products–try it, it’s free.
The staement that when you reinstall the OS using the recovery partition you lose all data is not always true. On my Gateway laptop the recovery choices include the option to save data, which after recovery can be found at C:windowsBACKUP. It saves ALL of my data in this directory — of course I must still reinstall all my programs but it is easier when you at least have your original program files to refer to. Anyone who has a recovery partition should check into this to see if this option applies to your system.