Hidden Windows recovery partition: What it is and how to manage it

Default Windows installations create a hidden partition with a "second Windows" at the end of the disk. This small system is equipped with recovery tools. If you want to reclaim the space it occupies or prevent booting alternate systems, it can be disabled.

Windows Recovery Environment, or Windows RE or WinRE, is a backup operating system that works in read-only mode and automatically launches when the system crashes. It can also be booted on demand (by issuing the command shutdown /r /o) or by restarting the computer several times during the boot process.

Since WinRE is a second system and in the UEFI system one hard drive can only have one ESP partition (in the BIOS system - only one MBR section), Windows does not install itself on it. Instead, it provides the boot manager (Windows Boot Manager, BOOTMGR).

This manager by default loads Windows but also allows, among other things, the selection of another Windows installed on the computer and booting from the recovery partition. The system selection list is hidden by default and appears only when there are problems or when multiple versions of Windows are installed on different disks or partitions.

Windows Boot Manager's "knowledge state" is stored in the BCD store (boot configuration data). It lists all recognized systems, the recovery partition, the hibernation resume point, and the RAM testing tool. In UEFI systems, BCD is supplemented with entries registered in the motherboard's EFI Boot Manager. This method of BOOTMGR operation allows for booting multiple systems and, in the case of a single installation, two: the installed Windows and its accompanying recovery partition.

This sophisticated idea, although useful, can cause many issues. The most trivial of these is that WinRE occupies several hundred megabytes of disk space. This can be one gigabyte or more in OEM installations if the recovery partition includes a full recovery image for reinstallation. This can be a significant problem for ultramobile computers with 64GB eMMC drives.

But the problems don't stop at space. The recovery partition contains a WIM file with Windows, which may have security vulnerabilities. Old Windows 10 installations did not update WinRE's contents, so the 22H2 system might still have an outdated version 1809 in the recovery partition, which is unsupported. Microsoft may have released updates for WinRE 22H2, but if our recovery partition is older, the update won't apply.

What does this mean? This is only significant when using data protection involving physical access, like BitLocker encryption. An unpatched WinRE partition may circumvent encryption when unlocking using TPM, without an additional PIN or password. A patch was released, but as mentioned, the WinRE content might be too old, or the update might have issues applying due to disk space.

The BCD configuration state regarding the recovery environment can be viewed with the command:

It will show on which disk and partition the WinRE WIM image is located. This information will be contained in the record "", where X and Y are the disk and partition numbers, numbered according to NT identifiers (Virtual Disk Manager), not traditional MS-DOS drive letters. Such an identified partition can be assigned a letter and accessed, but it's better not to touch it and access it via so-called raw reads.

7-Zip, run as Administrator, will allow this. Navigating to the location \\.\PhysicalDrive7\Z.ntfs\Recovery\WindowsRE\ (where Z=Y-1) will reveal the WIM file of the WinRE system. The file ReAgent.xml located next to it will contain the version of WinRE. If it is lower than the installed Windows version, it means WinRE is outdated and does not update.

To disable the recovery partition, launch Command Prompt as Administrator and issue the command:

This will disable the recovery environment. At this stage, it is still (usually) possible to re-enable WinRE (with the parameter /enable). From the moment of disabling, if Windows encounters a problem, recovery will end with a blue screen. Therefore, WinRE should only be disabled if you can boot the computer from a Windows USB drive in case of failure!

The disabled WinRE partition can then be deleted. However, this only makes sense in two cases: if you have a serious space issue on the disk or if you plan to manually rebuild and update the partition due to its obsolescence. In all other cases, unregistering WinRE is sufficient.

If you want to delete the partition, it will be necessary to use the DISKPART tool. The disk manager will not allow WinRE to be deleted. DISKPART must be run in the command prompt as Administrator. Then issue the following commands, using the X, Y, Z values known from the reagentc /info command:

This operation should only be performed if you have previously unregistered WinRE using reagentc /disable! Otherwise, the BCD configuration will be damaged. The WinRE partition can be rebuilt, and it can also be updated. This is a more tedious process than blocking and deleting it. We will cover it in the next part.