Hidden Partitions

[DNose]

I have had problems with them.

Most of the time they have Home on them. This time I used Windternals boot disk to delete a suspicious program (csrss.exe) using the cmd tool from /system32, that's all then Reboot and now the restarting crap. I think that when you try to do a straight fix like that it tends to cause me this kind of problem. One time, I made the mistake of doing a FIXMBR on one of these. It seems to be impossible to get them back up after that.

I'm lost - mainly because I don't understand Hidden Partitions. It's funny they never came up in any A+ training classes that I took.

One more thing: What should you recommend to a customer that has one.

Thanks 4 the help:beer:

 

[P0ldy]

OEMs are using them to include drivers and often the Windows backup CD itself. A Dell laptop I bought didn't even come with a Windows CD/restore CD, but the partition. I wiped it out anyway since I was putting Linux on it, but if you're going to suggest someone delete it, it should be backed up to DVD.

 

[DNose]

More info I can only see it if I use Rstudio so far.
Is it possible to delete the Hpartition and keep the OS operable.

 

[tiap]

You can use partition software to renove these, but you will not be able to restore your os without it, unless you create the restore disks first or image the drive to other media

 

[Smilin]

Originally posted by: DNose
I have had problems with them.

Most of the time they have Home on them. This time I used Windternals boot disk to delete a suspicious program (csrss.exe) using the cmd tool from /system32, that's all then Reboot and now the restarting crap. I think that when you try to do a straight fix like that it tends to cause me this kind of problem. One time, I made the mistake of doing a FIXMBR on one of these. It seems to be impossible to get them back up after that.

I'm lost - mainly because I don't understand Hidden Partitions. It's funny they never came up in any A+ training classes that I took.

One more thing: What should you recommend to a customer that has one.

Thanks 4 the help:beer:

Oh dude I'm sorry but that's really funny.

You deleted CSRSS.exe ???

Listen carefully...Set down the Winternals boot disk and slowly step away. Ok, good. You're safe now.

The thing that usually throws people about hidden partitions is what it does to your boot.ini arc paths. Basically the 0,0,0,1 typical arc path won't be valid on systems with a utility partition of some sort. Also, these partitions are typically not a 0x07 or 0x42 (NTFS or dynamic NTFS) but usually something a bit exotic. Some disk utilities can get thrown off by this. The other thing is that sometimes these partitions will begin on sector 32 of the disk instead of the typical 63. Not illegal mind you, just unusual.

What I would recommend to a customer that has them? Nothing. Ain't broke, don't fix it.

 

[gsellis]

Leave them alone as you may remove the ability to recover the system. As noted, mfgrs use them for recovery. We use a hidden partition (which is switchable with remote controls or distribution pushes) to do remote restore and rebuilds of computers (hands free). Our remote partition has PE on it and a database app. A mfgr could create it with the original OS to restore the computer to the state it was shipped in. Some may even allow booting in a console to fix services, registries, etc.

Basic rule, if you don't know what it is, do not assume it is unimportant and therefore you can delete it. WFP was created, in part, because of this ("I had a SYSTEM and a SYSTEM32 directory, so I deleted SYSTEM32 as it must have been a copy.")

 

[DNose]

This explains the CSRSS.EXE - Confusion.
http://www.auditmypc.com/process/csrss.asp

I restored it and the reg key from an xp pro system, Not Home edition and its back up and running now.

I thought for sure it was the Hidden Partition thing.

Thanks for the info I?m starting to understand the whole Hidden Partition issue.

 

[Smilin]

proper way to restore that file after deletion would be to pull it from the dllcache folder.

To be sure the version you restored is correct run:

sfc /scannow

 

[DNose]

proper way to restore that file after deletion would be to pull it from the dllcache folder.

To be sure the version you restored is correct run:

sfc /scannow

Done but no results.

dllcache, Tell me more.
Not sure where to look for it.

I386?

 

[Nothinman]

Hidden partitions are just normal partitions with some number added to their filesystem id in the partition table, I don't remember the exact number off hand. They're not really hidden in any way and any software smart enough will still see them just fine.

 

[Smilin]

Originally posted by: DNose

proper way to restore that file after deletion would be to pull it from the dllcache folder.

To be sure the version you restored is correct run:

sfc /scannow

Done but no results.

dllcache, Tell me more.
Not sure where to look for it.

I386?

No results displayed is likely a good thing. Check your event logs for windows file protection events.

location:
windows\system32\dllcache

google (or windows helpfile) the following topics:
windows file protection, WFP
system file checker, SFC

 

[gsellis]

Also, XP will not allocate a portion of the disk when creating partitions (I think it is 8MB). It uses these to 'hook' dynamic drives together.

 

[Smilin]

Yeah, 8mb is reserved in case you ever need to convert to a dynamic disk. The LDM database will be stored there.