41 replies to this topic

[pes2013]

Hello

As you know Windows 7 makes a System Reserved partition which is called "System Reserved". It does not have any drive letter assigned. Sometimes I cannot hibernate my PC because this partition removes its label "System Reserved" and changing it to "". To fix it I have to assign a driver letter to it (making it visible) then remove the drive letter. THEN I can hibernate.

Why does this happen and how can make it permanently "System Reserved" with no drive letter and hidden?

Thank you

[Shane Nokes]

If something is changing that you need to check your system out for viruses or malware to start...

That's definitely something that shouldn't be happening.

[pes2013]

If something is changing that you need to check your system out for viruses or malware to start...

That's definitely something that shouldn't be happening.

Its odd that a virus/malware would target that though.....

Nonetheless, running MSE and MBAM right now

[Shane Nokes]

Its odd that a virus/malware would target that though.....

Nonetheless, running MSE and MBAM right now

Not really. There are several variants out right now that target that partition.

I brought it up since changing the name of drives/partitions is something that requires admin rights...so if it's changing it is a process that somehow has silent admin rights.

[pes2013]

Not really. There are several variants out right now that target that partition.

I brought it up since changing the name of drives/partitions is something that requires admin rights...so if it's changing it is a process that somehow has silent admin rights.

I ran MBAM and nothing really showed up interesting. Removed some obvious old things. BTW, this has never happened.

Couldn't complete MSE but I removed the things it detected.

[pes2013]

Im surprised no one has had this and doesn't comment on it.

[xorangekiller]

Based on the fact that both MBAM and MSE detected threats (no matter how mundane they might seem) and MSE couldn't complete its scan, it sounds like you are infected with malware. You might try scanning again with Kaspersky Rescue Disk. It might be able to remove some presistent threats that MBAM, MSE, or some other malware scanner running within Windows cannot. Just make sure that after KRD is booted, you update the definitions before starting the scan.

[pes2013]

MSE couldn't complete its scan,

Never said that, I just did not finish it.

[xorangekiller]

Never said that, I just did not finish it.

I'm sorry for misinterpreting your post. I do still recommend that you try a full scan with KRD. It sounds like you may have malware. Better safe than sorry.

If the scan comes back clean, try booting from your rescue partition or original install disc and running chkdsk /r on both your main partition and the system reserved partition. You might also try sfc /scannow to make sure that no critical Windows system files are corrupt.

[redvamp128]

I would actually suggest - Safe Mode - then try the scan - also it could be possible the following is happening - When he assigns it a partition letter the system itself removes it. (you know similar to a backup) or have a look at this and possibly --



It is possible the page file may be on that drive and that would actually cause the system to set it back to the state it is now upon each boot. (or the system may actually be saving data to that partition and reset up each reboot)

Your best bet may be to shrink the partition for C: then create a D: drive that does not have system reserved label or a page file on it. then Hibernation file may be assigned to that drive.

[evacc44]

The system reserved partition should not have a drive letter assigned to it. Remove it.

The reason for the system reserved partition is that the computer boots off of it (it should be marked as active). It includes repair tools that you can boot off of (from pressing f8 at startup and select repair computer) to help repair any damage to your main system partition. If you do not want to use the system partition you can mark you main system partition as active and then create the boot files on it.

But, you probably do have malware or a bad file system on your system reserved partition. I would start with downloading tdsskiller and running it from within windows. I would also run the new malwarebytes anti-rootkit. Both are available from the download section of www.bleepingcomputer.com. I would then run combofix (also available from the previously mentioned site).

If those three come up clean then you should probably recreate your boot files on either the system reserved partition or move them to the main system partition.


edit: Some things I just thought of after my original reply:

1. If you run a chkdsk /r or /x from the repair environment or from booting off the CD/DVD, your system reserved will probably show up as C: and your main system partition will show up as D:. This is normal. chkdsk both of them. If they both come up clean and there are no viruses/rootkits/malware then move the boot files.

[pes2013]

I would actually suggest - Safe Mode - then try the scan - also it could be possible the following is happening - When he assigns it a partition letter the system itself removes it. (you know similar to a backup) or have a look at this and possibly --



It is possible the page file may be on that drive and that would actually cause the system to set it back to the state it is now upon each boot. (or the system may actually be saving data to that partition and reset up each reboot)

Your best bet may be to shrink the partition for C: then create a D: drive that does not have system reserved label or a page file on it. then Hibernation file may be assigned to that drive.

How can the hibernation file be stored on there if it is 100MB???

The system reserved partition should not have a drive letter assigned to it. Remove it.

I assign it just to get its label back. I then remove it.

The reason for the system reserved partition is that the computer boots off of it (it should be marked as active). It includes repair tools that you can boot off of (from pressing f8 at startup and select repair computer) to help repair any damage to your main system partition. If you do not want to use the system partition you can mark you main system partition as active and then create the boot files on it.

But, you probably do have malware or a bad file system on your system reserved partition. I would start with downloading tdsskiller and running it from within windows. I would also run the new malwarebytes anti-rootkit. Both are available from the download section of www.bleepingcomputer.com. I would then run combofix (also available from the previously mentioned site).

If those three come up clean then you should probably recreate your boot files on either the system reserved partition or move them to the main system partition.


edit: Some things I just thought of after my original reply:

1. If you run a chkdsk /r or /x from the repair environment or from booting off the CD/DVD, your system reserved will probably show up as C: and your main system partition will show up as D:. This is normal. chkdsk both of them. If they both come up clean and there are no viruses/rootkits/malware then move the boot files.

Im just surprised this has happened to my system but Ill run these programs nonetheless....

malwarebytes anti-rootkit crashes. Its beta though....

[redvamp128]

How can the hibernation file be stored on there if it is 100MB???

I never said the hibernation file went there.... I said this is probably what is happening -
The WHY it removes the drive letter that you ASSIGN IT.

It probably has some files that the "system" level stores on it which will believe it or not counteract what an Administrator does.

Though what you may want to try is this... Removing the old Hibernation file then Defragmentation and re creation of the Hibernation file

http://www.ehow.com/...t-hiberfil.html

[pes2013]

I never said the hibernation file went there.... I said this is probably what is happening -
The WHY it removes the drive letter that you ASSIGN IT.

The 100MB partition AS IS has no drive letter. My problem is that it has no label. If I assign a drive letter to it, the label reappears (I don't even retype the label in again). If I remove it, the label stays.

In a x amount of time, it gets removed again and I have to do the same process.

Please read the thread before jumping to statements

[redvamp128]

The 100MB partition AS IS has no drive letter. My problem is that it has no label. If I assign a drive letter to it, the label reappears (I don't even retype the label in again). If I remove it, the label stays.

In a x amount of time, it gets removed again and I have to do the same process.

Please read the thread before jumping to statements

I did read everything-- I was telling you that system files are on that partition and therefore the system overwrites any changes you make to that.


Have you tried to permanently hide it-- you can use Gpedit.msc

 Administrative Templates> Windows Components > WindowsExplorer
then look for the hide specific drives 
click enable

then choose the drives

Now yes I have read everything ....
You keep trying to change something as an Administrator that is managed by SYSTEM.

I suggest since you are having hibernation problems-- to follow my link --
the one about removing the hibernation file- then defragmenting- then re-creating the hibernation file- it is possible the one there already is corrupted


-