Boot Sectors


To manage a disk and enable all applications to see a consistent interface to the file system no matter what type of storage hardware is being used, the operating system creates several structures on the disk. The most important of these are the boot sectors (also called boot records), of which there are two main types, called Master Boot Records, or MBRs, and Volume Boot Records, or VBRs.

There is only one MBR on a physical disk, and it is always found at the beginning of the disk. A single disk can contain multiple partitions (also called volumes), and there is a VBR at the start of each volume. The structure of the MBR is consistent among different operating systems and file systems; however, the VBR depends mainly on the type of file system used on the volume. The following section looks into the structure and design of both MBRs and VBRs.

Figure 10.4 is a simple diagram showing the relative locations of the MBR and VBR on an 8.4GB disk with a single FAT partition.

Figure 10.4. FAT16 file-management structures on a typical 8.4GB drive.

Note

Some removable cartridge drives, such as the SuperDisk (LS-120 and LS-240) and Iomega Zip drives, function like high-capacity floppy drives. They lack a master boot record (MBR) and can't be partitioned like hard disk drives. Other higher-capacity removable drives, such as the legacy Iomega Jaz or Castlewood Orb, function like hard drives and must be partitioned.


All PC hard drives using the FAT16 file system are similar.

Each disk area has a purpose and function. If one of these special areas is damaged, serious consequences can result. Damage to one of these sensitive structures usually causes a domino effect, limiting access to other areas of the disk or causing further problems in using the disk. For example, the OS normally can't access a drive at all if the MBR is corrupted. Therefore, you should understand these data structures well enough to be able to repair them when necessary. Rebuilding these special tables and areas of the disk is essential to the art of data recovery, which is covered in more detail in Chapter 11.

Master Boot Record

The first PC OS to support hard disks, DOS 2.0 (released on March 8, 1983), was also the first to introduce the capability to partition a drive. Partitioning assigns the available space on the drive to one or more volumes (drive letters). A common misunderstanding among newer users is to think that partitioning is necessary only if multiple volumes are desired, but the truth is that all drives that can be partitioned must be partitioned; in other words, you have to partition a drive even if you are going to assign all of the space to a single volume.

Although the primary use for partitioning today is to divide a single drive into one or more volumes for use by a single OS, originally it was intended to allow multiple different operating systems, each with different file systems, to coexist on a single drive. This multi-OS capability still exists today; however, after-market utilities are often used to manage and boot multiple operating systems on a single machine.

Tip

If you want to dual-boot or multi-boot different Windows versions without purchasing after-market boot manager software, merely install the older versions such as Windows 95, 98, or Me first and then install newer versions such as Windows NT/2000/XP or later in succession, with the newest OS last. Each OS must be installed in a separate volume (drive letter) to prevent conflicts with shared folders and files. One rule is that you can only install one instance of either Windows 95, 98/98SE, or Me, because those operating systems share the same system files.

Another solution (which I prefer) is to use a virtual machine program such as Microsoft Virtual PC (www.microsoft.com/virtualpc) or VMware (www.vmware.com) to create multiple virtual machines, each capable of managing and loading a separate OS. This software allows you to run multiple instances of the same or different operating systems on a single machine without repartitioning or reformatting any drives.


To use a hard disk with different operating systems, you can create partitions to logically divide the disk. You can, for example, create one or more FAT or NTFS partitions for use with Windows and leave the rest of the disk storage area for use by another non-Windows OS, such as Linux. Each of the FAT or NTFS partitions appears to an OS that supports it as a separate drive letter. For example, Windows 9x/Me ignores any non-FAT partitions, whereas Windows 2000/XP and later sees both FAT and NTFS partitions but ignores others such as Linux and OS/2 HPFS partitions.

Even though Windows NT/2000/XP and later have an optional command-line disk partitioning program called DISKPART, disk partitions are usually prepared with the GUI-based Disk Management tool (also called Disk Administrator in some versions).

Information about each of the partitions on the disk is stored in a partition (or volume) boot record at the beginning of each partition. Additionally, a main table listing the partitions is embedded in the master boot record.

The MBR, which is also sometimes called the master boot sector, is always located in the first physical sector of a disk (cylinder 0, head 0, sector 1) and consists of the following structures:

  • Bootstrap code. The instructions used to locate and load the VBR from the active (bootable) partition.

  • Master partition table. A table consisting of four 16-byte entries for up to four primary partitions, or three primary partitions and one extended partition. Each primary partition defines a logical drive, and an extended partition can be further partitioned into multiple logical drives. A given partition entry indicates which type of partition it is, whether it is bootable, where it is located physically on the disk, and how many sectors it occupies.

  • Signature bytes. A 2-byte signature (55 AAh) used by the motherboard ROM and other code to validate the sector.

Primary and Extended Partitions

Most operating systems are designed to support up to 24 volumes on a single hard disk drive (represented by the drive letters C: through Z:), but the partition table in the master boot record (MBR) can have a maximum of only four entries. These entries can be for various types of partitions; however, Windows will normally recognize only primary and extended partitions.

An extended partition is listed in the master partition table the same as a primary partition, but it differs in that you can use its disk space to create multiple logical partitions, or volumes. You can create only one extended partition on a single drive, meaning that in many cases there will never be more than two entries in the master partition table, one primary and one extended.

The logical volumes you create in the extended partition appear as separate drive letters to the operating system, but they are not listed in the master partition table. Volumes in the extended partition are not normally bootable. You can create up to 23 volumes out of a single extended partition (assuming that you have already created a primary partition, which brings the total number of volumes to 24).

Each of the subpartitions in an extended partition includes an extended partition table located in the first sector of the subpartition. The first sector of the extended partition contains an extended partition table that points to the first subpartition and, optionally, another extended partition. The first sector of that extended partition has another extended partition table that can reference another volume as well as an additional extended partition. This chain of references continues, linking all the volumes in the extended partition to the master partition table. It is important to note that, if the entry for the extended partition in the MBR is lost or damaged, the chain will be broken at the start and all volumes contained within will be inaccessible, essentially meaning that they will disappear.

Few people have any reason to create 24 partitions on a single disk drive, but the extended partition can create a chain of linked partitions on the disk that makes it possible to exceed the four-entry limitation of the master partition table.
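The chain of extended partition tables described above can be followed in a few lines of code. The following Python sketch is an added example, not part of the original text; it assumes the 16-byte entry layout of Table 10.11 and the usual addressing convention (a logical volume is addressed relative to its own table, a link relative to the start of the extended partition), and the disk contents are constructed sample data.

```python
import struct

ENTRY_FORMAT = "<BB2sBB2sII"     # one 16-byte partition table entry
EXTENDED_TYPES = (0x05, 0x0F)    # system indicator values for "Extended"


def read_table(sector):
    """Return [(type, relative_sector, total_sectors)] for the four table slots."""
    if len(sector) != 512 or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("sector has no valid partition table")
    rows = []
    for slot in range(4):
        fields = struct.unpack_from(ENTRY_FORMAT, sector, 0x1BE + 16 * slot)
        rows.append((fields[3], fields[6], fields[7]))
    return rows


def walk_volumes(read_sector):
    """Follow the MBR and the extended partition chain.

    read_sector(lba) must return the 512 bytes stored at that LBA.
    Returns (volumes, problems); a volume is (kind, type, start_lba, sectors).
    """
    volumes, problems = [], []
    for ptype, rel, total in read_table(read_sector(0)):
        if ptype == 0x00:
            continue                      # unused slot
        if ptype not in EXTENDED_TYPES:
            volumes.append(("primary", ptype, rel, total))
            continue
        ext_base = ebr_lba = rel          # first table of the chain
        visited = set()
        while True:
            if ebr_lba in visited:
                problems.append(f"chain loops back to LBA {ebr_lba}")
                break
            visited.add(ebr_lba)
            if not ext_base <= ebr_lba < ext_base + total:
                problems.append(f"link to LBA {ebr_lba} leaves the extended partition")
                break
            try:
                table = read_table(read_sector(ebr_lba))
            except ValueError:
                problems.append(f"chain broken at LBA {ebr_lba}")
                break
            vol_type, vol_rel, vol_total = table[0]
            if vol_type != 0x00:
                # A logical volume is addressed relative to its own table.
                volumes.append(("logical", vol_type, ebr_lba + vol_rel, vol_total))
            next_type, next_rel, _ = table[1]
            if next_type not in EXTENDED_TYPES:
                break                     # end of the chain
            # A link is addressed relative to the start of the extended partition.
            ebr_lba = ext_base + next_rel
    return volumes, problems


# --- Constructed sample data (not taken from a real disk) ---
def make_sector(*rows):
    """Build a sector holding only a partition table and the 55 AAh signature."""
    table = b"".join(
        struct.pack(ENTRY_FORMAT, 0, 0, b"\0\0", ptype, 0, b"\0\0", rel, count)
        for ptype, rel, count in rows)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xAA"


def make_disk():
    """Sparse disk image: LBA -> sector. Unlisted sectors read as zeros."""
    return {
        0:    make_sector((0x0C, 63, 1000), (0x0F, 2000, 6000)),   # MBR
        2000: make_sector((0x0B, 63, 2000), (0x05, 3000, 3000)),   # first link
        5000: make_sector((0x07, 63, 2000)),                       # last link
    }


def reader(disk):
    return lambda lba: disk.get(lba, bytes(512))


if __name__ == "__main__":
    intact = make_disk()
    lost_entry = make_disk()
    lost_entry[0] = make_sector((0x0C, 63, 1000))   # extended entry wiped from MBR
    for label, disk in (("intact", intact), ("extended entry lost", lost_entry)):
        volumes, problems = walk_volumes(reader(disk))
        print(label, volumes, problems)
```

In the second scenario both extended partition tables are still intact on the disk, yet only the primary volume is reported, because nothing in the MBR points at the start of the chain any longer.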

Because the master boot record contains the first program loaded from disk that the system executes when you boot a PC, it has been a frequent target for creators of computer viruses or other malicious software. A program that infects or destroys the MBR can make it impossible for the BIOS to find the active partition, thus preventing the operating system from loading. Because the MBR contains the first program executed by the system, a virus stored there loads before any antivirus code can be loaded to detect it. To remove an MBR virus, you must first boot the system from a clean, uninfected disk, such as a floppy, bootable CD/DVD, or USB drive, and then run an antivirus program to test and possibly repair or restore the MBR.

Each volume on a disk contains a volume boot record starting in the first sector. With FDISK, DISKPART, or Disk Management tools, you can designate a primary partition as active (or bootable). The master boot record bootstrap code causes the VBR from the active primary partition to receive control whenever the system is started.

Although FAT12, FAT16, FAT32, or NTFS partitions are mainly used when running Windows, you can also create additional disk partitions for Linux, Novell NetWare, OS/2's HPFS, AIX (Unix), XENIX, or other file systems or operating systems, using disk utilities provided with the alternative OS or in some cases a third-party disk partitioning tool such as PartitionMagic from Symantec. A partition that is not recognized by a particular operating system is simply ignored. If you install multiple operating systems on a single drive, a boot manager program (which might be included with the operating systems or installed separately) can be used to allow you to select which partition to make active each time you boot the system. As another alternative, you could install different operating systems in multiple different primary partitions and then use FDISK, DISKPART, Disk Management, or some other partitioning program to change the one you want to boot as active.

Table 10.11 shows the format of the master boot record and the included partition tables. The table lists the fields in each of the master partition table's four entries, the location on the disk where each field begins (the offset), and its length.

Table 10.11. Master Boot Record Format

Master Boot Program Code

| Offset (hex) | Offset (dec) | Name | Length | Description |
|---|---|---|---|---|
| 000h | 0 | Boot Code | 446 bytes | Bootstrap code; loads the VBR from the active partition. |

Partition Table Entry #1

| Offset (hex) | Offset (dec) | Name | Length | Description |
|---|---|---|---|---|
| 1BEh | 446 | Boot Indicator | 1 byte | Boot status; 80h = active (bootable). Otherwise, it's 00h. |
| 1BFh | 447 | Starting Head | 1 byte | Starting head (or side) of partition in CHS mode. |
| 1C0h | 448 | Starting Cylinder/Sector | 16 bits | Starting cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1C2h | 450 | System Indicator | 1 byte | Partition type/file system. |
| 1C3h | 451 | Ending Head | 1 byte | Ending head (or side) of partition in CHS mode. |
| 1C4h | 452 | Ending Cylinder/Sector | 16 bits | Ending cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1C6h | 454 | Relative Sector | 4 bytes | Count of sectors before partition, which is the starting sector of partition in LBA mode. |
| 1CAh | 458 | Total Sectors | 4 bytes | Total number of partition sectors in LBA mode. |

Partition Table Entry #2

| Offset (hex) | Offset (dec) | Name | Length | Description |
|---|---|---|---|---|
| 1CEh | 462 | Boot Indicator | 1 byte | Boot status; 80h = active (bootable). Otherwise, it's 00h. |
| 1CFh | 463 | Starting Head | 1 byte | Starting head (or side) of partition in CHS mode. |
| 1D0h | 464 | Starting Cylinder/Sector | 16 bits | Starting cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1D2h | 466 | System Indicator | 1 byte | Partition type/file system. |
| 1D3h | 467 | Ending Head | 1 byte | Ending head (or side) of partition in CHS mode. |
| 1D4h | 468 | Ending Cylinder/Sector | 16 bits | Ending cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1D6h | 470 | Relative Sector | 4 bytes | Count of sectors before partition, which is the starting sector of the partition in LBA mode. |
| 1DAh | 474 | Total Sectors | 4 bytes | Total number of partition sectors in LBA mode. |

Partition Table Entry #3

| Offset (hex) | Offset (dec) | Name | Length | Description |
|---|---|---|---|---|
| 1DEh | 478 | Boot Indicator | 1 byte | Boot status; 80h = active (bootable). Otherwise, it's 00h. |
| 1DFh | 479 | Starting Head | 1 byte | Starting head (or side) of partition in CHS mode. |
| 1E0h | 480 | Starting Cylinder/Sector | 16 bits | Starting cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1E2h | 482 | System Indicator | 1 byte | Partition type/file system. |
| 1E3h | 483 | Ending Head | 1 byte | Ending head (or side) of partition in CHS mode. |
| 1E4h | 484 | Ending Cylinder/Sector | 16 bits | Ending cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1E6h | 486 | Relative Sector | 4 bytes | Count of sectors before partition, which is the starting sector of partition in LBA mode. |
| 1EAh | 490 | Total Sectors | 4 bytes | Total number of partition sectors in LBA mode. |

Partition Table Entry #4

| Offset (hex) | Offset (dec) | Name | Length | Description |
|---|---|---|---|---|
| 1EEh | 494 | Boot Indicator | 1 byte | Boot status; 80h = active (bootable). Otherwise, it's 00h. |
| 1EFh | 495 | Starting Head | 1 byte | Starting head (or side) of partition in CHS mode. |
| 1F0h | 496 | Starting Cylinder/Sector | 16 bits | Starting cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1F2h | 498 | System Indicator | 1 byte | Partition type/file system. |
| 1F3h | 499 | Ending Head | 1 byte | Ending head (or side) of partition in CHS mode. |
| 1F4h | 500 | Ending Cylinder/Sector | 16 bits | Ending cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1F6h | 502 | Relative Sector | 4 bytes | Count of sectors before partition, which is the starting sector of partition in LBA mode. |
| 1FAh | 506 | Total Sectors | 4 bytes | Total number of partition sectors in LBA mode. |

Signature Bytes

| Offset (hex) | Offset (dec) | Name | Length | Description |
|---|---|---|---|---|
| 1FEh | 510 | Signature | 2 bytes | Boot sector signature; must be 55 AAh. |

CHS = Cylinder head sector

LBA = Logical block address


The data in the partition table entries tells the system where each partition starts and ends on the drive, how big it is, whether it is bootable, and which type of file system is contained in the partition. The starting cylinder, head, and sector values are used only by systems running in CHS mode, which is standard for all drives of 8.4GB or less. CHS values do not work past 8.4GB and therefore cannot represent partitions on drives larger than that. Drives larger than 8.4GB can be fully addressed only in LBA mode. In that case, the starting cylinder, head, and sector values in the table are ignored, and only the Relative Sector and Total Sectors fields are used. The Relative Sector field indicates the precise LBA where the partition begins, and the Total Sectors field indicates the length, which is always contiguous. Thus, from those two values the system can know exactly where a partition is physically located on a disk.

Note

The processors on which the PC is based have an interesting design characteristic that is important to know for anybody editing or interpreting boot sectors. Numbers larger than 1 byte are actually read backward! This is called little endian format (as in reading the number from the little end first) or reverse-byte ordering. People typically read numbers in big endian format, which means from left to right, from the big end first. However, because PC processors read in little endian format, most numeric values larger than 1 byte are stored so that the least significant byte appears first and the most significant byte appears last. For example, the value for the Relative Sector field in the MBR for the first partition is usually 63, which is 3Fh in hex, or 0000003Fh (4 bytes long) in standard big endian hexadecimal format. However, the same number stored in little endian format would appear as 3F000000h. As another example, if a partition had 23,567,292 total sectors (about 12GB), which is 01679BBCh in hexadecimal, the number would be stored in the MBR partition table Total Sectors field in reverse-byte/little endian format as BC9B6701h.

As an aside, the use of reverse-byte order numbers stems from the way processors evolved from 8-bit (1 byte) designs to 16-bit (2 byte), 32-bit (4 byte), 64-bit (8-byte) designs, and beyond. The way the internal registers are organized and implemented dictates how a processor deals with numbers. Many processors, such as the Motorola PowerPC chips used in older Macintosh systems, read numbers in big endian format. Intel and AMD processors, on the other hand, are based on Intel x86 processor designs dating back to the original Intel 8088 processor used in the first IBM PC. Of course, how a particular processor reads numbers doesn't make any difference to those using a system. In the PC, the only people who have to deal with reverse-byte order or little endian numbers directly are machine or assembly language programmers, and of course those who also want to edit, modify, repair, or simply interpret raw boot sectors!
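To make the Table 10.11 layout and the little endian rule concrete, the following Python sketch decodes the four partition table entries of an MBR and flags values a healthy table should not contain. It is an added example, not part of the original text; the two 512-byte images are constructed sample data built around the 63 and 23,567,292 values used in the note above, and the sanity checks are illustrative assumptions rather than an exhaustive list.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE          # Partition Table Entry #1 in Table 10.11
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE
ENTRY_FORMAT = "<BB2sBB2sII"  # "<" = little endian, no padding (16 bytes)

# System indicator values copied from Table 10.12.
PARTITION_TYPES = {
    0x00: "None", 0x01: "Primary FAT12", 0x04: "Primary FAT16",
    0x05: "Extended (CHS)", 0x06: "Primary FAT16", 0x07: "NTFS/HPFS",
    0x0B: "Primary FAT32 (CHS)", 0x0C: "Primary FAT32 (LBA)",
    0x0E: "Primary FAT16 (LBA)", 0x0F: "Extended (LBA)", 0x42: "Dynamic",
}


def decode_chs(head, cyl_sec):
    """Split the 16-bit cylinder/sector field into (cylinder, head, sector)."""
    sector = cyl_sec[0] & 0x3F                          # low 6 bits
    cylinder = ((cyl_sec[0] & 0xC0) << 2) | cyl_sec[1]  # 2 high bits + 8 low bits
    return cylinder, head, sector


def parse_mbr(sector):
    """Return the non-empty partition table entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xAA":
        raise ValueError("signature at offset 1FEh is not 55 AAh")
    entries = []
    for index in range(4):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        if sector[offset:offset + ENTRY_SIZE] == bytes(ENTRY_SIZE):
            continue  # unused slot
        (boot, s_head, s_cs, ptype, e_head, e_cs,
         start_lba, total) = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        entries.append({
            "entry": index + 1,
            "boot": boot,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "not in Table 10.12"),
            "start_chs": decode_chs(s_head, s_cs),
            "end_chs": decode_chs(e_head, e_cs),
            "start_lba": start_lba,        # Relative Sector field
            "total_sectors": total,        # Total Sectors field
        })
    return entries


def check_table(entries):
    """Return warnings for values a healthy partition table should not contain."""
    warnings = []
    for e in entries:
        if e["boot"] not in (0x00, 0x80):
            warnings.append(
                f"entry {e['entry']}: boot indicator {e['boot']:02X}h is not 00h or 80h")
        if e["start_lba"] == 0:
            warnings.append(f"entry {e['entry']}: starts at LBA 0, on top of the MBR")
    if sum(e["boot"] == 0x80 for e in entries) > 1:
        warnings.append("more than one entry is marked active")
    ordered = sorted(entries, key=lambda e: e["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["total_sectors"] > b["start_lba"]:
            warnings.append(f"entries {a['entry']} and {b['entry']} overlap")
    return warnings


# --- Constructed sample data (not taken from a real disk) ---
def make_entry(boot, ptype, start_lba, total, start_chs=(0xFE, b"\xFF\xFF")):
    # End CHS is pinned at 1023/254/63, the largest value the fields can hold.
    return struct.pack(ENTRY_FORMAT, boot, start_chs[0], start_chs[1],
                       ptype, 0xFE, b"\xFF\xFF", start_lba, total)


def make_mbr(*entries):
    return bytes(446) + b"".join(entries).ljust(64, b"\x00") + b"\x55\xAA"


FIRST = make_entry(0x80, 0x0C, 63, 23567292, start_chs=(1, b"\x01\x00"))
SAMPLE_MBR = make_mbr(FIRST, make_entry(0x00, 0x0F, 23567355, 1000000))
DAMAGED_MBR = make_mbr(FIRST, make_entry(0x80, 0x07, 20000000, 5000000))

if __name__ == "__main__":
    for label, image in (("sample", SAMPLE_MBR), ("damaged", DAMAGED_MBR)):
        print(label)
        for e in parse_mbr(image):
            print(f"  #{e['entry']} {e['type_name']:<20} active={e['boot'] == 0x80} "
                  f"LBA {e['start_lba']} + {e['total_sectors']} sectors, "
                  f"start CHS {e['start_chs']}")
        for w in check_table(parse_mbr(image)):
            print("  WARNING:", w)
```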


Each partition table entry contains a system indicator byte that identifies the type of partition and file system used in the partition referenced by that entry. Table 10.12 shows the standard values and meanings of the system indicator bytes for Microsoft operating systems, and Table 10.13 lists the values used by other systems.

Table 10.12. Standard System Indicator Byte Values

| Value | Partition Type | Address Mode | Partition Size |
|---|---|---|---|
| 00h | None | | |
| 01h | Primary FAT12 | CHS | 0-16MiB |
| 04h | Primary FAT16 | CHS | 16MiB-32MiB |
| 05h | Extended | CHS | 0-2GiB |
| 06h | Primary FAT16 | CHS | 32MiB-2GiB |
| 07h | NTFS/HPFS | Any | Any |
| 0Bh | Primary FAT32 | CHS | 512MiB-2TiB |
| 0Ch | Primary FAT32 | LBA | 512MiB-2TiB |
| 0Eh | Primary FAT16 | LBA | 32MiB-2GiB |
| 0Fh | Extended | LBA | 2GiB-2TiB |
| 42h | Dynamic | Any | Any |

CHS = Cylinder head sector

LBA = Logical block address


Table 10.13. Nonstandard System Indicator Byte Values

| Value | Partition Type | Value | Partition Type |
|---|---|---|---|
| 02h | MS-XENIX Root | 80h | Minix v1.1-v1.4a |
| 03h | MS-XENIX usr | 81h | Minix v1.4b-up or Linux |
| 08h | AIX File System Boot | 82h | Linux swap file |
| 09h | AIX Data | 83h | Linux Ext native file system |
| 0Ah | OS/2 Bootmanager | 83h | Suspend to Disk (S2D) |
| 12h | HP/Compaq EISA Configuration | 93h | Amoeba file system |
| 40h | VENIX 80286 | 94h | Amoeba bad block table |
| 50h | Ontrack Disk Manager read-only DOS | B7h | BSDI file system (secondary swap) |
| 51h | Ontrack Disk Manager read/write DOS | B8h | BSDI file system (secondary file system) |
| 52h | CP/M or Microport System V/386 | DBh | DR Concurrent DOS/CPM-86/CTOS |
| 54h | Ontrack Disk Manager non-DOS | DEh | Dell OEM (hidden; system recovery/diagnostic) |
| 55h | Micro House EZ-Drive non-DOS | E1h | SpeedStor 12-bit FAT extended |
| 56h | Golden Bow Vfeature Deluxe | E4h | SpeedStor 16-bit FAT extended |
| 61h | Storage Dimensions SpeedStor | F2h | DOS 3.3+ secondary |
| 63h | IBM 386/ix or Unix System V/386 | F4h | SpeedStor primary |
| 64h | Novell NetWare 286 | FEh | IBM OEM (hidden; system recovery/diagnostic) |
| 65h | Novell NetWare 386 | FFh | Unix/Xenix Bad Block Table Partition |
| 75h | IBM PC/IX | | |

These values can be useful for somebody trying to manually repair a partition table using a disk editor such as the DiskProbe utility (DSKPROBE.EXE) included with the free Windows Support Tools on the Windows NT/2000/XP or later install disc, the Disk Edit program included with Norton Utilities (now part of Norton SystemWorks), or WinHex from X-Ways Software (www.winhex.com).

Windows DiskProbe

DiskProbe (DSKPROBE.EXE) is a sector editor utility, and is one of the more powerful and interesting programs included in the Windows Support Tools package, which can be downloaded for free from Microsoft (the support tools can also be found on some of the Windows NT and later installation discs). DiskProbe allows you to read and write individual physical or logical sectors on a drive. This is similar in nature to the DiskEdit utility included with the Norton SystemWorks by Symantec as well as the WinHex utility from X-Ways Software (www.winhex.com). For the most part, DiskProbe does not have all of the features of DiskEdit, but it does have a slight advantage in decoding NTFS boot sectors.

DiskProbe can read any physical or logical sector on a drive, and has special features for decoding and editing the Master Boot Record (MBR), partition tables, and volume boot sectors (VBRs). Because some of these structures are literally outside of the file system on a drive, they are not accessible through most other applications. With this tool, a knowledgeable user can restore these important data structures if they are damaged, for example, by a boot sector virus. Using DiskProbe, data structures such as the MBR, partition tables, and VBRs can be edited directly.

In addition to editing, you can also use DiskProbe for preventive maintenance by making backups of these critical sectors as files, which can be stored on another removable disk or media (such as a floppy, CD, flash drive, and so on). Once saved, they can be later restored in the event that these sectors are corrupted on your hard drive.

To run DiskProbe, first download the Windows Support Tools from Microsoft (to find them, visit www.microsoft.com and search for "Windows Support Tools Download") or locate the tools on the Windows installation CD (they are normally in the \SUPPORT\TOOLS folder on the CD) and install them. Once the tools are installed, select Start, Windows Support Tools, and Command Prompt. At the prompt, enter Dskprobe. The program will then launch in a window. Optionally you can run the program by opening Windows Explorer and navigating to the \Program Files\Support Tools folder, and then click on Dskprobe. The documentation for the program is available via the Help command on the menu bar.

The following figure shows DiskProbe editing the MBR (Master Boot Record) on one of my systems:

Figure 10.5. Editing an MBR with DiskProbe.

Note that editing critical sectors such as the MBR is like performing open-heart surgery on your system. DiskProbe and other sector editors such as Norton DiskEdit function at a level below the Windows file system, which means that the standard safety protocols are not in effect. DiskProbe gives you access to every byte on the physical disk without regard to normal security or access privileges, which makes it possible to damage or overwrite critical areas of the disk. If you change so much as a single byte inappropriately, you could render your system non-bootable, and possibly render the drive unrecognizable even if the system is booted from a floppy or CD. Fortunately the DiskProbe program defaults to read-only mode, which means you can run the program to view sectors without worrying about accidentally making changes. Before you do make any changes with a low-level tool such as DiskProbe, make sure you have a backup of any important data.

I have specialized in data recovery for many years, and in that line of work I regularly use sector editors such as DiskProbe to repair or restore critical boot sectors on hard drives that had otherwise been inaccessible by Windows. In a recent example, a client of mine was editing some rather large video files on an external FireWire drive. While working with the video editing program, the program crashed, and the system suddenly stopped recognizing the drive. Upon disconnecting and reconnecting the drive, Windows saw the drive as a new unformatted drive and offered to format it! Hundreds of hours of shooting and editing video seemed lost forever.

To solve the problem, I took the drive out of the FireWire enclosure and connected it internally as a standard ATA slave drive to one of my test systems running Windows XP. I then started up the test system, loaded DiskProbe, and did a manual inspection of the MBR and VBRs. As is the case with most external USB or FireWire drives, the drive had been formatted with the FAT32 file system, and I very quickly discovered that somehow the first sector of the 3-sector long FAT32 volume boot record, which was at Logical Block Address (LBA) 63, had been overwritten with zeros! I knew from experience that FAT32 keeps a backup copy of the 3-sector long VBR at LBAs 66 through 68. So I used DiskProbe to copy sector 66 and paste it over sector 63, thereby restoring sector 63 and instantly solving the problem. I then powered the system off, removed the drive from my test system, reinstalled it into the FireWire enclosure, and reconnected it to the client's system, whereupon the drive was instantly recognized and all data was fully accessible.

Total elapsed time from "zero" to "hero" was less than 10 minutes after I received the drive; needless to say the client was ecstatic. Even a relatively simple job like this would cost hundreds to possibly thousands of dollars if sent to a professional data recovery service. Now you see why most people who know data recovery don't like to teach it (except me, of course).

FIXMBR

The Windows NT/2000/XP Recovery Console has a special utility program called FIXMBR, which is designed to rebuild a corrupt MBR. FIXMBR overwrites only the master boot program code, leaving the existing partition table entries intact. This means that if the problem was in the boot code, FIXMBR will solve it by replacing the code; however, if the problem is instead with the actual partition tables, FIXMBR will not resolve the problem.

Caution

If your system uses non-standard MBR code, beware that FIXMBR will replace it with standard MBR code, meaning that whatever functionality was being provided by the non-standard code (such as a multi-boot loader) may be lost. Even more importantly, if you are using BIOS overlay software to override BIOS drive-size limitations (something I do not recommend in general), replacing the MBR code in this manner may result in your system becoming unbootable as well as losing access to any or all of the drives! Also, certain MBR virus programs (such as the infamous Monkey virus) relocate and encrypt the original MBR code before replacing it with virus code. If the MBR is rewritten by a program such as FIXMBR, you will lose access to the original MBR containing the partition tables. This means that unless you are able to re-create the partition table data manually using a sector editor you will lose access to all of the partitions on the drive. In that case a data recovery specialist should be able to rebuild the partition tables and recover the data if no further writing is done to the drive.


Use the following steps to start the Recovery Console and use FIXMBR to rewrite the MBR program code:

1. Ensure that your system is capable of booting from a CD, and that the CD/DVD drive precedes the hard disk in the boot sequence. Hint: You may need to change your BIOS setup to inspect or change the startup boot sequence.

2. Insert the Windows Setup CD into the CD/DVD drive, and restart the system.

3. If prompted to press a key to start the computer from the CD-ROM, press any key (such as the spacebar) to continue and start from the CD.

4. When the text-based part of Windows Setup begins, follow the prompts until the Welcome to Setup screen appears, then press the "R" key to Repair Windows, which also means to start the Recovery Console.

5. If you are repairing a system that has more than one operating system installed, from the Recovery Console, choose the Windows installation that you need to access or repair.

6. When you are prompted, type the Administrator password. If the Administrator password is blank, just press Enter. If a password has been set but you do not have the correct password, or if the security database for the installation of Windows you are attempting to access is corrupted, Recovery Console will not allow access to the disks.

7. To replace the MBR program code, at the Recovery Console command prompt, type

 FIXMBR

8. Press the "Y" key to proceed, or press the "N" key to cancel. If you press "Y," the MBR program code will be replaced.

9. Finally, remove the CD and restart the system.

If you are using Windows 9x/Me or an older version of Windows or DOS, you can perform the same task as FIXMBR by using an undocumented feature in FDISK found in all versions of FDISK from MS-DOS 5.x to Windows Me. The undocumented FDISK feature can also be used on a Windows NT/2000/XP or later system by simply booting from a Windows 9x/Me startup floppy or installation CD, and running the command from the floppy or CD.

Undocumented FDISK

In DOS 5 and later versions, including Windows 9x/Me, FDISK gained some additional capabilities that were not originally documented by Microsoft. There are several undocumented FDISK parameters, but the one I am speaking about here is the /MBR (master boot record) parameter, which causes FDISK to rewrite the master boot record code, leaving the partition table area intact. This performs exactly the same function as the FIXMBR command included in Windows NT/2000/XP and later versions.

As with FIXMBR, the FDISK /MBR command is tailor-made for eliminating boot sector virus programs that infect the master boot record (located at cylinder 0, head 0, sector 1) of a hard disk. To use this feature, enter the following at a command prompt:

  FDISK /MBR  

FDISK then rewrites the boot record code, leaving the partition tables intact. This should not cause any problems on a normally functioning system, but just in case, I recommend backing up the partition table information to floppy disk before trying it. You can do this by using a third-party product such as Norton Utilities.

Be aware that using FDISK with the /MBR switch overwrites the partition tables if the two signature bytes at the end of the sector (55 AAh) are damaged. This situation is highly unlikely, however. In fact, if these signature bytes were damaged, you would know: the system would not boot and would act as though there were no partitions at all. If you are unable to access your hard disk after booting from a clean floppy or removable-media drive, your system might be infected with a boot sector virus. You should scan for viruses with an up-to-date antivirus program and use it to guide repair.

Caution

Also note that FDISK /MBR should be used only on systems using the normal master boot record structure. As with FIXMBR, if a BIOS overlay program such as Disk Manager, Disc Wizard, EZ-Drive, MaxBlast, Data Lifeguard Tools, or similar is being used to allow your system to access the drive's full capacity, do not use FDISK /MBR because these programs use a modified MBR for disk access. Using FDISK /MBR will wipe out the changes they made to your drive and could make your data inaccessible.


Volume Boot Records

The volume boot record (VBR) starts in the first sector on any area of a drive addressed as a volume, including primary partitions or logical volumes inside an extended partition. On a floppy disk or removable cartridge (such as a Zip disk), for example, the volume boot record starts at the physical beginning of the disk because the disk is recognized as a volume without the need for partitioning. On a hard disk, the volume boot record is located as the first sectors within any disk area allocated as a primary partition, or as a logical drive (volume) inside an extended partition. Refer to Figure 10.4 for an idea of the physical relationship between this volume boot record and the other data structures on a disk. The specific length and content of the VBR varies according to the specific file system, but all of them have certain similar features. The volume boot record loosely resembles the master boot record in that it contains several similar elements such as program code, disk-specific data, and signature bytes. The specific elements in the volume boot record include

  • Jump Instruction to Boot Code. A 3-byte Intel x86 unconditional branch (or jump) instruction that jumps to the start of the operating system bootstrap code within the sector.

  • BIOS Parameter Block. Contains specific information about the volume, such as its size, the number of disk sectors it uses, the size of its clusters, and the volume label name. Used by the file system driver to determine the type and status of the media. Varies according to the type of file system on the media.

  • Boot Code. The instructions used to locate and load the initial operating system kernel or startup file, usually either IO.SYS or NTLDR (depending on the Windows version).

  • Signature Bytes. A two-byte signature (55 AAh) used by the motherboard ROM and other code to validate the boot sector.

Either the motherboard ROM or the master boot record on a hard disk loads the volume boot record of the active partition on a disk. The program code in the volume boot record is given control of the system; it performs some tests and then attempts to load the first operating system file (in DOS/Windows 9x/Me the file is IO.SYS and in Windows NT/2000/XP the file is NTLDR). The volume boot record, similar to the master boot record, is transparent to the running system; it is outside the data area of the disk on which files are stored.

Note

Many of today's systems are capable of booting from drives other than standard floppy disk and hard disk drives. In these cases, the system BIOS must specifically support the boot drive. For example, some BIOS products enable you to select an ATAPI CD-ROM (or DVD) as a boot device, in addition to the floppy and hard disk drives. Many can also boot from drives connected to USB ports, adding even more flexibility to the system.

Other types of removable media, such as Zip cartridges and LS-120 disks, can also be made bootable. When the BIOS properly supports it, an LS-120 drive can replace the existing floppy disk drive as drive A:. Check the setup screens in your system BIOS to determine which types of drives can be used to start your system.


The VBR is typically created on a volume when the volume is high-level formatted. This can be done with the FORMAT command included with DOS and Windows, or you can also use Windows NT's Disk Administrator and Windows 2000/XP's Disk Management programs to perform this task after partitioning the disk. All volumes have a VBR starting in the first sector of the volume.

The VBR contains both program code and data. The single data table in this sector is called the media parameter block or disk parameter block. The operating system needs the information this table contains to verify the capacity of the disk volume as well as the location of important structures, such as the FATs on FAT volumes or the Master File Table on NTFS volumes. The format of this data is very specific.

Although all VBRs contain boot code in addition to the BIOS parameter block (BPB) and other structures, only the boot code from the VBR in the bootable volume is executed. The others are read by the operating system during startup to determine the volume parameters.

The VBR on FAT12 and FAT16 volumes is 1 sector long and contains the jump instruction, the main BPB, bootstrap code, and signature bytes. Table 10.14 shows the format and layout of the FAT12/16 VBR.

Table 10.14. FAT12/16 Volume Boot Record Format

| Offset (hex) | Offset (dec) | Name | Length (bytes) | Description |
| --- | --- | --- | --- | --- |
| 000h | 0 | BS_jmpBoot | 3 | Jump instruction to boot code, usually EB3C90h. |
| 003h | 3 | BS_OEMName | 8 | OEM ID. Indicates which system formatted the volume. Typically, it's MSWIN4.1. Not used by the OS after formatting. |
| 00Bh | 11 | BPB_BytsPerSec | 2 | Bytes per sector; normally 512. |
| 00Dh | 13 | BPB_SecPerClus | 1 | Sectors per cluster. It must be a power of 2 greater than 0; typically 1, 2, 4, 8, 16, 32, or 64. |
| 00Eh | 14 | BPB_RsvdSecCnt | 2 | Number of sectors reserved for the boot record(s); it should be 1 on FAT12/16 volumes. |
| 010h | 16 | BPB_NumFATs | 1 | Count of FAT structures on the volume; usually 2. |
| 011h | 17 | BPB_RootEntCnt | 2 | Count of 32-byte folder entries in the root folder of FAT12 and FAT16 volumes; it should be 512 on FAT12/16 volumes. |
| 013h | 19 | BPB_TotSec16 | 2 | 16-bit total count of sectors on volumes with less than 65,536 sectors. If 0, then BPB_TotSec32 contains the count. |
| 015h | 21 | BPB_Media | 1 | Media descriptor byte; normally F8h on all nonremovable media, and F0h on most removable media. |
| 016h | 22 | BPB_FATSz16 | 2 | FAT12/16 16-bit count of sectors occupied by one FAT. |
| 018h | 24 | BPB_SecPerTrk | 2 | Sectors per track geometry value for interrupt 13h; it's usually 63 on hard disks. |
| 01Ah | 26 | BPB_NumHeads | 2 | Number of heads for interrupt 13h; it's usually 255 on hard disks. |
| 01Ch | 28 | BPB_HiddSec | 4 | Count of hidden sectors preceding the partition that contains this volume; it's usually 63 for the first volume. |
| 020h | 32 | BPB_TotSec32 | 4 | 32-bit total count of sectors on volumes with 65,536 or more sectors. If 0, then BPB_TotSec16 contains the count. |
| 024h | 36 | BS_DrvNum | 1 | Int 13h drive number; it's usually 00h for floppy disks or 80h for hard disks. |
| 025h | 37 | BS_Reserved1 | 1 | Reserved (used by Windows NT); it should be 0. |
| 026h | 38 | BS_BootSig | 1 | Extended boot signature; it should be 29h if the following three fields are present. Otherwise, it's 00h. |
| 027h | 39 | BS_VolID | 4 | Volume serial number; used with BS_VolLab to support volume tracking on removable media. Normally generated using the date and time as a seed when the volume is formatted. |
| 02Bh | 43 | BS_VolLab | 11 | Volume label. Matches the 11-byte volume label recorded in the root folder; it should be set to NO NAME if there is no volume label. |
| 036h | 54 | BS_FilSysType | 8 | Should be FAT12, FAT16, or FAT. Not used by the OS after formatting. |
| 03Eh | 62 | BS_BootCode | 448 | Bootstrap program code. |
| 1FEh | 510 | BS_Signature | 2 | Signature bytes; should be 55 AAh. |


The VBR on a FAT32 volume is 3 sectors long, although 32 sectors are reserved at the beginning of the volume for the default and backup VBRs. The default VBR is in sectors 0, 1, and 2, and the backup VBR is in sectors 6, 7, and 8. These are all created at the time the volume is formatted and do not change during normal use. The first sector contains a jump instruction, the BPB, initial bootstrap code, and signature bytes. The second sector is called the FSInfo (file system information) sector and contains signature bytes and information used to assist the file system software; the third sector contains only additional bootstrap code and signature bytes. Table 10.15 shows the format and layout of the first sector of the 3-sector-long FAT32 VBR.

Table 10.15. FAT32 VBR Format, BPB Sector 0

| Offset (hex) | Offset (dec) | Name | Length (bytes) | Description |
| --- | --- | --- | --- | --- |
| 000h | 0 | BS_jmpBoot | 3 | Jump instruction to boot code; it's usually EB5890h. |
| 003h | 3 | BS_OEMName | 8 | OEM ID; indicates which system formatted the volume. It's typically MSWIN4.1. Not used by the OS after formatting. |
| 00Bh | 11 | BPB_BytsPerSec | 2 | Bytes per sector; normally 512. |
| 00Dh | 13 | BPB_SecPerClus | 1 | Sectors per cluster; it must be a power of 2 greater than 0. It's normally 1, 2, 4, 8, 16, 32, or 64. |
| 00Eh | 14 | BPB_RsvdSecCnt | 2 | Number of sectors reserved for the boot record(s); it should be 32 on FAT32 volumes. |
| 010h | 16 | BPB_NumFATs | 1 | Count of FAT structures on the volume; usually 2. |
| 011h | 17 | BPB_RootEntCnt | 2 | Count of 32-byte folder entries in the root folder of FAT12 and FAT16 volumes; should be 0 on FAT32 volumes. |
| 013h | 19 | BPB_TotSec16 | 2 | 16-bit total count of sectors on volumes with less than 65,536 sectors. If 0, then BPB_TotSec32 contains the count. Must be 0 for FAT32 volumes. |
| 015h | 21 | BPB_Media | 1 | Media descriptor byte, normally F8h on all nonremovable media, F0h on most removable media. |
| 016h | 22 | BPB_FATSz16 | 2 | FAT12/16 16-bit count of sectors occupied by one FAT; it should be 0 on FAT32 volumes, and BPB_FATSz32 contains the FAT size count. |
| 018h | 24 | BPB_SecPerTrk | 2 | Sectors per track geometry value for interrupt 13h; usually 63 on hard disks. |
| 01Ah | 26 | BPB_NumHeads | 2 | Number of heads for interrupt 13h; usually 255 on hard disks. |
| 01Ch | 28 | BPB_HiddSec | 4 | Count of hidden sectors preceding the partition that contains this volume; usually 63 for the first volume. |
| 020h | 32 | BPB_TotSec32 | 4 | 32-bit total count of sectors on volumes with 65,536 or more sectors. If 0, then BPB_TotSec16 contains the count. Must be non-zero on FAT32 volumes. |
| 024h | 36 | BPB_FATSz32 | 4 | FAT32 32-bit count of sectors occupied by one FAT. BPB_FATSz16 must be 0. |
| 028h | 40 | BPB_ExtFlags | 2 | FAT32 only. Bits 0–3: zero-based number of active FAT; valid only if mirroring is disabled (bit 7 = 1). Bits 4–6: reserved. Bit 7: 0 indicates FAT is mirrored; 1 indicates only the FAT referenced in bits 0–3 is active. Bits 8–15: reserved. |
| 02Ah | 42 | BPB_FSVer | 2 | Version number of the FAT32 volume. A high byte is a major revision number; a low byte is a minor revision number. It should be 00h:00h. |
| 02Ch | 44 | BPB_RootClus | 4 | Cluster number of the first cluster of the root folder; usually 2. |
| 030h | 48 | BPB_FSInfo | 2 | Sector number of extended FSInfo boot sector structure in the reserved area of the FAT32 volume; usually 1. |
| 032h | 50 | BPB_BkBootSec | 2 | Sector number of the backup copy of the boot record; it's usually 6. |
| 034h | 52 | BPB_Reserved | 12 | Reserved; should be 0. |
| 040h | 64 | BS_DrvNum | 1 | Int 13h drive number; it's usually 00h for floppy disks or 80h for hard disks. |
| 041h | 65 | BS_Reserved1 | 1 | Reserved (used by Windows NT); it should be 0. |
| 042h | 66 | BS_BootSig | 1 | Extended boot signature; it should be 29h if the following three fields are present. Otherwise, it's 00h. |
| 043h | 67 | BS_VolID | 4 | Volume serial number; used with BS_VolLab to support volume tracking on removable media. Normally generated using the date and time as a seed when the volume is formatted. |
| 047h | 71 | BS_VolLab | 11 | Volume label. Matches the 11-byte volume label recorded in the root folder; should be NO NAME if there is no volume label. |
| 052h | 82 | BS_FilSysType | 8 | Should be FAT32. Not used by the OS after formatting. |
| 05Ah | 90 | BS_BootCode | 420 | Bootstrap program code. |
| 1FEh | 510 | BS_Signature | 2 | Signature bytes; it should be 55 AAh. |


Table 10.16 shows the format and layout of the FAT32 FSInfo sector, which is the second sector of the 3-sector-long FAT32 volume boot record.

Table 10.16. FAT32 VBR Format, FSInfo Sector 1

| Offset (hex) | Offset (dec) | Name | Length (bytes) | Description |
| --- | --- | --- | --- | --- |
| 000h | 0 | FSI_LeadSig | 4 | Lead signature, validates sector; it should be 52526141h. |
| 004h | 4 | FSI_Reserved1 | 480 | Reserved; it should be 0. |
| 1E4h | 484 | FSI_StrucSig | 4 | Structure signature; it validates sector and should be 72724161h. |
| 1E8h | 488 | FSI_Free_Count | 4 | Last known free cluster count on the volume. If FFFFFFFFh, the free count is unknown and must be recalculated by the OS. |
| 1ECh | 492 | FSI_Nxt_Free | 4 | Next free cluster; it indicates where the system should start looking for free clusters. Usually set to the last cluster number allocated. If the value is FFFFFFFFh, the system should start looking at cluster 2. |
| 1F0h | 496 | FSI_Reserved2 | 12 | Reserved; it should be 0. |
| 1FCh | 508 | FSI_TrailSig | 4 | Trailing signature; it should be 00 00 55 AAh. |


Table 10.17 shows the format and layout of the FAT32 Boot Code sector, which is the third and final sector of the 3-sector-long FAT32 volume boot record.

Table 10.17. FAT32 VBR Format, Boot Code Sector 2

| Offset (hex) | Offset (dec) | Name | Length (bytes) | Description |
| --- | --- | --- | --- | --- |
| 000h | 0 | BS_BootCode | 510 | Boot program code. |
| 1FEh | 510 | BS_Signature | 2 | Signature bytes; should be 55 AAh. |


It is interesting to note that this third sector has no system-specific information in it, which means the contents are the same from system to system. Thus, if this sector (and its backup at LBA 8) were damaged on one system, you could obtain a copy of this sector from any other FAT32 volume and use it to restore the damaged sector.
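Because sectors 0 and 2 of the FAT32 VBR are fixed at format time and a backup copy exists, the signatures and the backup give a quick integrity check before any repair is attempted. The following Python sketch is an added example, not code from the book; the function names and the sample data are assumptions, and the signatures are compared in on-disk byte order as Table 10.16 lists them.

```python
SECTOR = 512
# Signatures in on-disk byte order, as listed in Table 10.16.
FSI_SIGS = [(0x000, bytes.fromhex("52526141"), "FSI_LeadSig"),
            (0x1E4, bytes.fromhex("72724161"), "FSI_StrucSig"),
            (0x1FC, bytes.fromhex("000055AA"), "FSI_TrailSig")]

def audit_fat32_vbr(area: bytes) -> list[str]:
    """Audit the reserved area of a FAT32 volume (sector 0 onward); return findings."""
    def sec(n: int) -> bytes:
        return area[n * SECTOR:(n + 1) * SECTOR]
    if len(area) < 3 * SECTOR:
        raise ValueError("need at least the three default VBR sectors")
    findings = []
    fsinfo = int.from_bytes(area[0x30:0x32], "little")  # BPB_FSInfo, usually 1
    backup = int.from_bytes(area[0x32:0x34], "little")  # BPB_BkBootSec, usually 6
    for n in (0, 2):
        if sec(n)[510:512] != b"\x55\xaa":
            findings.append(f"sector {n}: BS_Signature is not 55 AAh")
    for offset, sig, name in FSI_SIGS:
        if sec(fsinfo)[offset:offset + 4] != sig:
            findings.append(f"sector {fsinfo}: {name} is not {sig.hex().upper()}h")
    if backup == 0 or len(area) < (backup + 3) * SECTOR:
        findings.append("backup VBR is not available for comparison")
        return findings
    # Sectors 0 and 2 should match the backup byte for byte. FSInfo holds the last
    # known free-cluster count (Table 10.16), so it is checked by signature only.
    for n in (0, 2):
        if sec(n) != sec(backup + n):
            diff = next(i for i in range(SECTOR) if sec(n)[i] != sec(backup + n)[i])
            findings.append(
                f"sector {n} differs from backup sector {backup + n} at offset {diff:03X}h")
    return findings

def sample_area() -> bytes:
    """Constructed 9-sector FAT32 reserved area (sample data, not from a real disk)."""
    boot = bytearray(SECTOR)
    boot[0:3] = bytes.fromhex("EB5890")
    boot[0x30:0x34] = bytes([1, 0, 6, 0])  # BPB_FSInfo = 1, BPB_BkBootSec = 6
    boot[510:512] = b"\x55\xaa"
    info = bytearray(SECTOR)
    for offset, sig, _ in FSI_SIGS:
        info[offset:offset + 4] = sig
    code = bytearray(SECTOR)
    code[510:512] = b"\x55\xaa"
    vbr = bytes(boot + info + code)
    return vbr + bytes(3 * SECTOR) + vbr  # sectors 0-2, 3-5 unused, backup in 6-8

if __name__ == "__main__":
    print(audit_fat32_vbr(sample_area()))
```

A mismatch between sector 0 and its backup reports the first differing offset, which shows whether the change falls in the BPB or in the bootstrap code.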

The VBR on NTFS volumes is 7 sectors long, although 16 sectors are reserved at the beginning of the disk for the VBR. A backup of the 16-sector VBR area is reserved at the end of the volume, which contains a backup VBR. The first sector of the 7 is the BPB sector, and it contains a jump instruction, the BPB, and signature bytes. Sectors 2–7 contain only additional boot code, with no signature bytes or any other structures. Because the boot code is not system specific, all but the first VBR sector should be the same on any NTFS volume. Table 10.18 shows the format and layout of the first sector of the 7-sector-long NTFS VBR.

Table 10.18. NTFS VBR Format, BPB Sector 0

| Offset (hex) | Offset (dec) | Name | Length (bytes) | Description |
| --- | --- | --- | --- | --- |
| 000h | 0 | BS_jmpBoot | 3 | Jump instruction to boot code; it's usually EB5290h. |
| 003h | 3 | BS_OEMName | 8 | OEM ID; indicates which system formatted the volume. Typically, it's NTFS. Not used by the OS after formatting. |
| 00Bh | 11 | BPB_BytsPerSec | 2 | Bytes per sector; it's usually 512. |
| 00Dh | 13 | BPB_SecPerClus | 1 | Sectors per cluster; must be a power of 2 greater than 0. It's normally 1, 2, 4, or 8. |
| 00Eh | 14 | BPB_RsvdSecCnt | 2 | Reserved sectors before the VBR; the value must be 0 or NTFS fails to mount the volume. |
| 010h | 16 | BPB_Reserved | 3 | Value must be 0 or NTFS fails to mount the volume. |
| 013h | 19 | BPB_Reserved | 2 | Value must be 0 or NTFS fails to mount the volume. |
| 015h | 21 | BPB_Media | 1 | Media descriptor byte; it's normally F8h on all nonremovable media and F0h on most removable media. |
| 016h | 22 | BPB_Reserved | 2 | Value must be 0 or NTFS fails to mount the volume. |
| 018h | 24 | BPB_SecPerTrk | 2 | Sectors per track geometry value for interrupt 13h; usually 63 on hard disks. |
| 01Ah | 26 | BPB_NumHeads | 2 | Number of heads for interrupt 13h; usually 255 on hard disks. |
| 01Ch | 28 | BPB_HiddSec | 4 | Count of hidden sectors preceding the partition that contains this volume; normally 63 for the first volume. |
| 020h | 32 | BPB_Reserved | 4 | Value must be 0 or NTFS fails to mount the volume. |
| 024h | 36 | Reserved | 4 | Not used or checked by NTFS; it's normally 80008000h. |
| 028h | 40 | BPB_TotSec64 | 8 | Total count of sectors on the volume. |
| 030h | 48 | BPB_MftClus | 8 | Logical cluster number for the start of the $MFT file. |
| 038h | 56 | BPB_MirClus | 8 | Logical cluster number for the start of the $MFTMirr file. |
| 040h | 64 | BPB_ClusPerMft | 1 | Clusters per MFT file/folder record. If this number is positive (00h–7Fh), it represents clusters per MFT record. If the number is negative (80h–FFh), the size of the record is 2 raised to the absolute value of this number. |
| 041h | 65 | Reserved | 3 | Not used by NTFS. |
| 044h | 68 | BPB_ClusPerIndx | 1 | Clusters per index buffer; it's used to allocate space for folders. If this number is positive (00h–7Fh), it represents clusters per MFT record. If the number is negative (80h–FFh), the size of the record is 2 raised to the absolute value of this number. |
| 045h | 69 | Reserved | 3 | Not used by NTFS. |
| 048h | 72 | BS_VolID | 8 | Volume serial number; used to support volume tracking on removable media. Normally generated using the date and time as a seed when the volume is formatted. |
| 050h | 80 | Reserved | 4 | Not used by NTFS. |
| 054h | 84 | BS_BootCode | 426 | Bootstrap program code. |
| 1FEh | 510 | BS_Signature | 2 | Signature bytes; should be 55 AAh. |
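The field rules in Tables 10.14, 10.15, and 10.18 can be checked mechanically when triaging a damaged or possibly infected boot sector. The following Python sketch is an added example, not code from the book; the function names, the file-system detection heuristic, and the sample sector are assumptions made for illustration.

```python
import struct

# (field, offset, length, expected value) taken from Tables 10.14, 10.15 and 10.18.
EXPECTED = {
    "FAT12/16": [("BPB_RsvdSecCnt", 0x0E, 2, 1), ("BPB_RootEntCnt", 0x11, 2, 512)],
    "FAT32": [("BPB_RsvdSecCnt", 0x0E, 2, 32), ("BPB_RootEntCnt", 0x11, 2, 0),
              ("BPB_TotSec16", 0x13, 2, 0), ("BPB_FSVer", 0x2A, 2, 0)],
    "NTFS": [("BPB_RsvdSecCnt", 0x0E, 2, 0), ("reserved at 010h", 0x10, 3, 0),
             ("reserved at 013h", 0x13, 2, 0), ("reserved at 016h", 0x16, 2, 0),
             ("reserved at 020h", 0x20, 4, 0)],
}
BOOT_CODE_OFFSET = {"FAT12/16": 0x3E, "FAT32": 0x5A, "NTFS": 0x54}  # BS_BootCode

def field(sector: bytes, offset: int, length: int) -> int:
    """Read a little-endian unsigned field."""
    return int.from_bytes(sector[offset:offset + length], "little")

def check_vbr(sector: bytes) -> tuple[str, list[str]]:
    """Classify VBR sector 0 and list every deviation from the tables' rules."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    # Assumed heuristic: OEM ID "NTFS" means NTFS; otherwise BPB_FATSz16 == 0 means FAT32.
    if sector[3:7] == b"NTFS":
        fs = "NTFS"
    elif field(sector, 0x16, 2) == 0:
        fs = "FAT32"
    else:
        fs = "FAT12/16"
    findings = []
    if sector[510:512] != b"\x55\xaa":
        findings.append("BS_Signature is not 55 AAh")
    spc = sector[0x0D]
    if spc == 0 or spc & (spc - 1):
        findings.append("BPB_SecPerClus is not a power of 2 greater than 0")
    # EB xx is a 2-byte short jump, so it lands at 2 + xx: the start of BS_BootCode.
    if sector[0] != 0xEB or 2 + sector[1] != BOOT_CODE_OFFSET[fs]:
        findings.append("BS_jmpBoot does not land on BS_BootCode")
    for name, offset, length, want in EXPECTED[fs]:
        got = field(sector, offset, length)
        if got != want:
            findings.append(f"{name} is {got}, expected {want}")
    if fs == "FAT32" and field(sector, 0x20, 4) == 0:
        findings.append("BPB_TotSec32 is 0 on a FAT32 volume")
    return fs, findings

def sample_fat32() -> bytes:
    """Constructed FAT32 sector 0 built from the tables' usual values (not a real disk)."""
    s = bytearray(512)
    s[0:11] = bytes.fromhex("EB5890") + b"MSWIN4.1"
    struct.pack_into("<HBHBHHBHHHII", s, 0x0B,
                     512, 8, 32, 2, 0, 0, 0xF8, 0, 63, 255, 63, 2_000_000)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    print(check_vbr(sample_fat32()))
```

A finding is a deviation from the values the tables call usual or required, so it marks a sector for closer inspection rather than proving damage. The jump check works because the usual jump bytes in each table (EB3Ch, EB58h, EB52h) point exactly at that table's BS_BootCode offset.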


The Data Area

The data area of a partition is the place after the VBR where the actual files are stored. It is the area of the disk that is divided into clusters and managed by the file system. The specific content here varies based on what file system is used, the order in which the files are stored, the level of fragmentation of the files, and so forth. As such, it is not possible to show a specific structure here, because the structures are dynamic; that is, changing with the changing files and data on the drive.

Diagnostic Read-and-Write Cylinder

On older systems without LBA (logical block address) support, partitioning programs such as FDISK normally reserve the last cylinder of a hard disk for use as a special diagnostic test cylinder. Because this cylinder is reserved, FDISK might report fewer total cylinders than the drive manufacturer states are available. If present, operating systems do not use this cylinder for any normal purpose because it lies outside the partitioned area of the disk.

On systems using a Host Protected Area (HPA), the system can reserve space on the end of a drive for system recovery or restoration software, diagnostics, and other utilities. This situation can account for additional discrepancies between the total capacity reported by FDISK and the drive manufacturer's reported capacity.

The diagnostics area enables software such as a manufacturer-supplied diagnostics disk to perform read-and-write tests on a hard disk without corrupting any user data. Many of these programs also swap spare cylinders for damaged cylinders if damaged cylinders are detected during testing.





Upgrading and Repairing Microsoft Windows (2nd Edition)
ISBN: 0789736950
EAN: 2147483647
Year: 2005
Pages: 128
