I looked at the information for my computer in Disk Management. It shows my
hard disk has three partitions (I’ve included a screen shot.) The first is
unnamed and is 39 MB Healthy (OEM); the second is Recovery with 14.65 GB; and
the third is OS (C:) at 283.40 GB.
- What is the 39 MB partition?
- Does it contain some kind of read information about the hard drive itself?
Seems too small to serve any kind of operational function.
- What keeps a virus or other malware from “jumping” from one partition to
- Is it a valid concern that the recovery partition might itself become
infected? If the bad guys are so adept at creating malware what’s to prevent
them from installing something that corrupts everything, leading the
unsuspecting user to reinstall the malware via the recovery partition or the
What you’re seeing is common for machines from many of the major
manufacturers – as hard disks have grown in size they’ve begun setting aside
portions of the drive for recovery purposes.
Exactly what each partition contains is up to the specific manufacturer –
there’s no standard. In your case, I’ll take a guess to what Dell is up to. I’ll
also explain why I ignore these partitions, and then remove them should I ever
reformat a machine containing them.
And while I’ve addressed the malware and
partitions question before, it’s an important one worth revisiting as it
actually relates somewhat to why I typically remove the partition.
The Partitions and Recovery
Here’s the hard disk display in the Windows disk management tool (used with the permission of my reader):
The big one at the right end is easy – it’s your C: drive, the drive you see when you boot your computer normally. Of your approximately 300 gigabyte drive 283 gigabytes are available for use in this partition. And, as I said when you boot normally, it’s the only partition you would see outside of any disk management tools, and it’s the only partition that the rest of the software on your machine would typically know about.
As I said, there’s no standard as to what the other partitions installed by your computer’s manufacturer might hold. Some put a bare minimum of information, some put an entire backup of your original install on it. A quick search on the Dell site also didn’t turn up a definition, but looking at the sizes I’m guessing you’ve got the later.
Hence, I’ll make an educated guess about what’s what.
Both the OEM and Recovery partitions are used at recovery time. And by “recovery time” I mean that time as outlined by Dell support documents where on boot before Windows begins loading you press F8 to get additional boot options and choose recovery.
I believe (and I could be wrong on this) that the OEM partition is a small boot partition that’s used at that time. The larger Recovery partition is probably a backup image of your machine as it was on the day it was delivered. So a “restore to factory settings” in this case consists of a couple of simple steps:
Booting from that OEM partition (done by the F8 selection you’ve made on boot)
A utility in that partition that then simply a) erases your C: drive and b) copies the “Recovery Partition” contents over to the C: drive restoring it to it’s initial factory-delivered condition.
Remember, this is an educated guess, and different computers – particularly computers from different manufacturers – may well do things very, very differently.
The issue you raise about malware somehow getting onto the recovery partition is a good one. In your case, I wouldn’t expect it to happen for a couple of reasons:
While the recovery partitions are visible in disk management, they’re not typically visible during normal system operation, making it harder – though of course not impossible – for malware to “see” and infect the partition.
As I’ve pointed out, the layout and technique varies from manufacturer to manufacturer. Malware writers tend to choose the biggest targets and typically choose things that are on most machines, not just machines from, say, Dell. Again, it’s possible, just not as likely.
I have seen machines where the recovery partitions are visible as an additional drive, often drive “D:”. In this case the recovery partition is very vulnerable to infection. In this, case in particular your concerns are very valid and represent a serious risk. Fortunately if the drive is visible your anti-malware tools are also able to scan and protect it for some amount of security.
So in short: if the recovery partition is hidden, as yours is, the likelihood of cross contamination or infection is low. If the partition is visible when your machine is booted normally as an additional drive, then the risk is high.
It’s Still A Single Drive
I need to point out one more thing about this configuration: partitioned or not, it’s all on the same single physical drive.
That means that the recovery partition can be used only for certain types of recovery; specifically it can only be used for recovery where the drive is still functional. Should the drive ever fail (and they do, more often than you might think), then all partitions on the drive are lost, including the recovery partitions.
It’s important to remember that a Recovery Partition:
Does not backup your data.
Does not stay current with installed updates or applications installed after purchase.
Cannot recover from a hard drive failure.
Basically I see it as being useful in only one case: where the software (Windows, applications, whatever) has become so unstable that a reinstall is required. A recovery partition is used to effectively do this by containing a copy of the installed or installable system at the time it was delivered. After you recover you still need to bring it up to date, install all your applications and retrieve your data from backups.
Why I Delete It, And What I Do Instead
I find recovery partitions next to useless for most common problem scenarios. They may make a few steps easier for your computer manufacturer’s support engineers (they do often seem eager to have you restore the machine to factory settings), but in practice I don’t believe that they’re worth the space and effort compared to other more comprehensive approaches. And as we’ve seen in some cases, they can be another location to get infected, further invalidating their usability.
When I get a new machine, I’ll typically leave the recovery partition alone. I’ll completely ignore it and act as if it wasn’t there. Then, the first time I need to reformat the machine I’ll remove all those partitions and recover the space they’re using by re-creating or resizing the primary partition to use the entire hard disk.
Instead of relying on a recovery partition I:
Insist on getting Windows Installation CDs or DVDs when I purchase the machine. When I need to reformat/reinstall, I can use these.
Take a complete image backup of the new machine’s primary partition (C:) as soon as practical after receiving it. This creates my own snapshot of the “factory original” state that I can safely store off-line and use as needed. Restoring to this is typically faster than a reformat/reinstall, and can often be the only option if installation media was not originally provided.
Take complete image backups periodically to have “more recent” images to restore to that are more up to date than that “factory original”. Solutions frequently don’t require that you go back to that initial state, just back “far enough” prior to whatever problem I’m dealing with. These images would also contain any data I have on the system in addition to the system itself.
You may recognize that last step as part of a regular backup strategy, if it’s taken frequently enough.
Should you ever have an actual hard drive failure and lose your recover partition, then only one of those types of options will allow you to recover. Since you should really have these off-machine backups or reinstall media anyway, why have a recovery partition at all?