Title: Boot Sector
Boot Sector (from www.microsoft.com)
The boot sector, located at sector 1 of each volume, is a critical disk structure for starting your computer. It contains executable code and data required by the code, including information that the file system uses to access the volume. The boot sector is created when you format a volume. At the end of the boot sector is a two-byte structure called a signature word or end of sector marker, which is always set to 0x55AA. On computers running Windows 2000, the boot sector on the active partition loads into memory and starts Ntldr, which loads the operating system.
The Windows 2000 boot sector consists of the following elements:
- An x86-based CPU jump instruction.
- The original equipment manufacturer identification (OEM ID).
- The BIOS parameter block (BPB), a data structure.
- The extended BPB.
- The executable boot code (or bootstrap code) that starts the operating system.
Note: All Windows 2000 boot sectors contain these elements. However, the NTFS boot sector, the FAT16, and the FAT32 boot sectors are all formatted differently.
The BPB describes the physical parameters of the volume; the extended BPB begins immediately after the BPB. Due to differing types of fields and the amount of data they contain, the length of the BPB is different for FAT16, FAT32, and NTFS boot sectors.
The information in the BPB and the extended BPB is used by disk device drivers to read and configure volumes. The area following the extended BPB typically contains executable boot code, which performs the actions necessary to continue the startup process.
Title: Boot Sector Startup Processes
Boot Sector Startup Processes (From www.microsoft.com)
Computers use the boot sector to run instructions during startup. The initial startup process is summarized in the following steps:
1. The system BIOS and the CPU initiate the power-on self test (POST).
2. The BIOS searches for a boot device (typically a disk).
3. The BIOS loads the first physical sector of the boot device into memory and transfers CPU execution to that memory address.
If the boot device is on a hard disk, the BIOS loads the MBR. The master boot code in the MBR loads the boot sector of the active partition, and transfers CPU execution to that memory address. On computers that are running Windows 2000, the executable boot code in the boot sector finds Ntldr, loads it into memory, and transfers execution to that file.
Note: Windows 2000 cannot start up from a spanned, striped, or RAID-5 volume that is running dynamic disk. These disk structures cannot be registered into the MBR's partition table, so a system partition using these structures is not startable. Windows 2000 must be fully loaded into memory before they can be used.
If there is a floppy disk in drive A, the system BIOS loads the first sector (the boot sector) of the disk into memory. If the disk is startable (formatted by MS-DOS with core operating system files applied), the boot sector loads into memory and uses the executable boot code to transfer CPU execution to Io.sys, a core MS-DOS operating system file. If the floppy disk is not bootable, the executable boot code displays an error message such as:

Non-System disk or disk error
Replace and press any key when ready

Note: This error will not appear on normally functioning systems that are configured to look for the startup files on drive C first. On many computers, an option in the CMOS setup program allows the user to set the sequence of installed disks that the system searches for the startup files.
If you get similar errors when trying to start the computer from the hard disk, the boot sector might be corrupted. For more information about troubleshooting boot sector problems, see "Damaged MBRs and Boot Sectors" later in this chapter.
Initially, the startup process is independent of disk format and operating system. The unique characteristics of operating and file systems become important when the boot sector's executable boot code starts.
Title: Components of a Boot Sector
Components of a Boot Sector (From www.microsoft.com)
The MBR transfers CPU execution to the boot sector, so the first three bytes of the boot sector must be valid, executable x86-based CPU instructions. This includes a jump instruction that skips the next several nonexecutable bytes.
Following the jump instruction is the 8-byte OEM ID, a string of characters that identifies the name and version number of the operating system that formatted the volume. To preserve compatibility with MS-DOS, Windows 2000 records "MSDOS5.0" in this field on FAT16 and FAT32 disks. On NTFS disks, Windows 2000 records "NTFS."
Note: You may also see the OEM ID "MSWIN4.0" on disks formatted by Windows 95 and "MSWIN4.1" on disks formatted by Windows 95 OSR2 and Windows 98. Windows 2000 does not use the OEM ID field in the boot sector except for verifying NTFS volumes.
Following the OEM ID is the BPB, which provides information that enables the executable boot code to locate Ntldr. The BPB always starts at the same offset, so standard parameters are in a known location. Disk size and geometry variables are encapsulated in the BPB. Because the first part of the boot sector is an x86 jump instruction, the BPB can be extended in the future by appending new information at the end. The jump instruction needs only a minor adjustment to accommodate this change. The BPB is stored in a packed (unaligned) format.
Title: FAT32 Boot Sector
FAT32 Boot Sector (From www.microsoft.com)
Table 1.9 describes the boot sector of a volume formatted with the FAT32 file system.
Note: The FAT32 boot sector is structurally very similar to the FAT16 boot sector, but the FAT32 BPB contains additional fields. The FAT32 extended BPB uses the same fields as FAT16, but the offset addresses of these fields within the boot sector are different than those found in FAT16 boot sectors. Drives formatted in FAT32 are not readable by operating systems that are incompatible with FAT32.
Table 1.9 Boot Sector Sections on a FAT32 Volume

Byte Offset  Field Length  Field Name
0x00         3 bytes       Jump Instruction
0x03         LONGLONG      OEM ID
0x0B         53 bytes      BPB
0x40         26 bytes      Extended BPB
0x5A         420 bytes     Bootstrap Code
0x01FE       WORD          End of Sector Marker

The following example illustrates a hexadecimal printout of the boot sector on a FAT32 volume. The printout is formatted in three sections:
- Bytes 0x00-0x0A are the jump instruction and the OEM ID (shown in bold print).
- Bytes 0x0B-0x59 are the BPB and the extended BPB.
- The remaining section is the bootstrap code and the end of sector marker (shown in bold print).

Physical Sector: Cyl 878, Side 0, Sector 1
00000000: EB 58 90 4D 53 44 4F 53 - 35 2E 30 00 02 08 20 00  .X.MSDOS5.0... .
00000010: 02 00 00 00 00 F8 00 00 - 3F 00 FF 00 EE 39 D7 00  ........?....9..
00000020: 7F 32 4E 00 83 13 00 00 - 00 00 00 00 02 00 00 00  .2N.............
00000030: 01 00 06 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
00000040: 80 00 29 8B 93 6D 54 4E - 4F 20 4E 41 4D 45 20 20  ..)..mTNO NAME  
00000050: 20 20 46 41 54 33 32 20 - 20 20 33 C9 8E D1 BC F4    FAT32   3.....
00000060: 7B 8E C1 8E D9 BD 00 7C - 88 4E 02 8A 56 40 B4 08  {......|.N..V@..
00000070: CD 13 73 05 B9 FF FF 8A - F1 66 0F B6 C6 40 66 0F  ..s......f...@f.
00000080: B6 D1 80 E2 3F F7 E2 86 - CD C0 ED 06 41 66 0F B7  ....?.......Af..
00000090: C9 66 F7 E1 66 89 46 F8 - 83 7E 16 00 75 38 83 7E  .f..f.F..~..u8.~
000000A0: 2A 00 77 32 66 8B 46 1C - 66 83 C0 0C BB 00 80 B9  *.w2f.F.f.......
000000B0: 01 00 E8 2B 00 E9 48 03 - A0 FA 7D B4 7D 8B F0 AC  ...+..H...}.}...
000000C0: 84 C0 74 17 3C FF 74 09 - B4 0E BB 07 00 CD 10 EB  ..t.<.t.........
000000D0: EE A0 FB 7D EB E5 A0 F9 - 7D EB E0 98 CD 16 CD 19  ...}....}.......
000000E0: 66 60 66 3B 46 F8 0F 82 - 4A 00 66 6A 00 66 50 06  f`f;F...J.fj.fP.
000000F0: 53 66 68 10 00 01 00 80 - 7E 02 00 0F 85 20 00 B4  Sfh.....~.... ..
00000100: 41 BB AA 55 8A 56 40 CD - 13 0F 82 1C 00 81 FB 55  A..U.V@........U
00000110: AA 0F 85 14 00 F6 C1 01 - 0F 84 0D 00 FE 46 02 B4  .............F..
00000120: 42 8A 56 40 8B F4 CD 13 - B0 F9 66 58 66 58 66 58  B.V@......fXfXfX
00000130: 66 58 EB 2A 66 33 D2 66 - 0F B7 4E 18 66 F7 F1 FE  fX.*f3.f..N.f...
00000140: C2 8A CA 66 8B D0 66 C1 - EA 10 F7 76 1A 86 D6 8A  ...f..f....v....
00000150: 56 40 8A E8 C0 E4 06 0A - CC B8 01 02 CD 13 66 61  V@............fa
00000160: 0F 82 54 FF 81 C3 00 02 - 66 40 49 0F 85 71 FF C3  ..T.....f@I..q..
00000170: 4E 54 4C 44 52 20 20 20 - 20 20 20 0D 0A 4E 54 4C  NTLDR      ..NTL
00000180: 44 52 20 69 73 20 6D 69 - 73 73 69 6E 67 FF 0D 0A  DR is missing...
00000190: 44 69 73 6B 20 65 72 72 - 6F 72 FF 0D 0A 50 72 65  Disk error...Pre
000001A0: 73 73 20 61 6E 79 20 6B - 65 79 20 74 6F 20 72 65  ss any key to re
000001B0: 73 74 61 72 74 0D 0A 00 - 00 00 00 00 00 00 00 00  start...........
000001C0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
000001D0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
000001E0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00  ................
000001F0: 00 00 00 00 00 00 00 00 - 00 7B 8E 9B 00 00 55 AA  .........{....U.

Tables 1.10 and 1.11 illustrate the layout of the BPB and the extended BPB for FAT32 volumes. The sample values correspond to the data in the preceding example.

Table 1.10 BPB Fields for FAT32 Volumes

Byte Offset  Field Length  Value  Field Name and Definition
0x0B  WORD  0x0002  Bytes Per Sector. The size of a hardware sector. Valid decimal values for this field are 512, 1024, 2048, and 4096. For most disks used in the United States, the value of this field is 512.
0x0D  BYTE  0x08  Sectors Per Cluster. The number of sectors in a cluster. Because FAT32 can only track a finite number of clusters (up to 4,294,967,296), extremely large volumes are supported by increasing the number of sectors per cluster. The default cluster size for a volume depends on the volume size. Valid decimal values for this field are 1, 2, 4, 8, 16, 32, 64, and 128. The Windows 2000 implementation of FAT32 allows for the creation of volumes only up to a maximum of 32 GB. However, larger volumes created by other operating systems (Windows 95 OSR2 and later) are accessible in Windows 2000.
0x0E  WORD  0x0200  Reserved Sectors. The number of sectors preceding the start of the first FAT, including the boot sector. The decimal value of this field is typically 32.
0x10  BYTE  0x02  Number of FATs. The number of copies of the FAT on the volume. The value of this field is always 2.
0x11  WORD  0x0000  Root Entries (FAT12/FAT16 only). For FAT32 volumes, this field must be set to zero.
0x13  WORD  0x0000  Small Sectors (FAT12/FAT16 only). For FAT32 volumes, this field must be set to zero.
0x15  BYTE  0xF8  Media Descriptor. Provides information about the media being used. A value of 0xF8 indicates a hard disk and 0xF0 indicates a high-density 3.5-inch floppy disk. Media descriptor entries are a legacy of MS-DOS FAT16 disks and are not used in Windows 2000.
0x16  WORD  0x0000  Sectors Per FAT (FAT12/FAT16 only). For FAT32 volumes, this field must be set to zero.
0x18  WORD  0x3F00  Sectors Per Track. Contains the "sectors per track" geometry value for disks that use INT 13h. The volume is broken down into tracks by multiple heads and cylinders.
0x1A  WORD  0xFF00  Number of Heads. Contains the "count of heads" geometry value for disks that use INT 13h. For example, on a 1.44-MB, 3.5-inch floppy disk this value is 2.
0x1C  DWORD  0xEE39D700  Hidden Sectors. The number of sectors on the volume before the boot sector. This value is used during the boot sequence to calculate the absolute offset to the root directory and data areas. This field is generally only relevant for media that are visible on interrupt 13h. It must always be zero on media that are not partitioned.
0x20  DWORD  0x7F324E00  Large Sectors. Contains the total number of sectors in the FAT32 volume.
0x24  DWORD  0x83130000  Sectors Per FAT (FAT32 only). The number of sectors occupied by each FAT on the volume. The computer uses this number and the number of FATs and hidden sectors (described in this table), to determine where the root directory begins. The computer can also determine where the user data area of the volume begins based on the number of entries in the root directory.
0x28  WORD  0x0000  Extended Flags (FAT32 only). The value of the bits in this two-byte structure are: Bits 0-3: Number of the active FAT (starting count at 0, not 1). It is only valid if mirroring is disabled. Bits 4-6: Reserved. Bit 7: A value of 0 means the FAT is mirrored at run time into all FATs. A value of 1 means only one FAT is active (referenced in bits 0-3). Bits 8-15: Reserved.
0x2A  WORD  0x0000  File System Version (FAT32 only). The high byte is the major revision number, whereas the low byte is the minor revision number. This field supports the ability to extend the FAT32 media type in the future with concern for old FAT32 drivers mounting the volume. If the field is non-zero, back-level Windows versions will not mount the volume.
0x2C  DWORD  0x02000000  Root Cluster Number (FAT32 only). The cluster number of the first cluster of the root directory. This value is typically, but not always, 2.
0x30  WORD  0x0100  File System Information Sector Number (FAT32 only). The sector number of the File System Information (FSINFO) structure in the reserved area of the FAT32 volume. The value is typically 1. A copy of the FSINFO structure is kept in the Backup Boot Sector, but it is not kept up-to-date.
0x34  WORD  0x0600  Backup Boot Sector (FAT32 only). A non-zero value indicates the sector number in the reserved area of the volume in which a copy of the boot sector is stored. The value of this field is typically 6. No other value is recommended.
0x36  12 bytes  0x000000000000000000000000  Reserved (FAT32 only). Reserved space for future expansion. The value of this field should always be zero.

Table 1.11 Extended BPB Fields for FAT32 Volumes

Byte Offset  Field Length  Value  Field Name and Definition
0x40  BYTE  0x80  Physical Drive Number. Related to the BIOS physical drive number. Floppy disk drives are identified as 0x00 and physical hard disks are identified as 0x80, regardless of the number of physical disk drives. Typically, this value is set prior to issuing an INT 13h BIOS call to specify the device to access. It is only relevant if the device is a boot device.
0x41  BYTE  0x00  Reserved. FAT32 volumes are always set to zero.
0x42  BYTE  0x29  Extended Boot Signature. A field that must have the value 0x28 or 0x29 to be recognized by Windows 2000.
0x43  DWORD  0xA88B3652  Volume Serial Number. A random serial number created when formatting a disk, which helps to distinguish between disks.
0x47  11 bytes  NO NAME  Volume Label. A field once used to store the volume label. The volume label is now stored as a special file in the root directory.
0x52  LONGLONG  FAT32  System ID. A text field with a value of FAT32.

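Decoding the sample dump against Tables 1.10 and 1.11, as an added example that is not part of the original Microsoft text: the Value column lists bytes in on-disk order, so 0x0002 at offset 0x0B is the little-endian value 512. The field names, the zero padding that stands in for the bootstrap code, and the volume-relative sector arithmetic are assumptions of this example; field positions follow the bytes in the dump, where the backup boot sector value 06 00 sits at 0x32.

```python
import struct

# Bytes 0x00-0x59 of the FAT32 sample dump on this page. The bootstrap code is
# replaced by zero padding (constructed); 55 AA is the dump's end marker.
HEAD = bytes.fromhex(
    "EB 58 90 4D 53 44 4F 53 35 2E 30 00 02 08 20 00"
    "02 00 00 00 00 F8 00 00 3F 00 FF 00 EE 39 D7 00"
    "7F 32 4E 00 83 13 00 00 00 00 00 00 02 00 00 00"
    "01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "80 00 29 8B 93 6D 54 4E 4F 20 4E 41 4D 45 20 20"
    "20 20 46 41 54 33 32 20 20 20")
SECTOR = HEAD + bytes(0x1FE - len(HEAD)) + b"\x55\xAA"

# Packed little-endian layouts; the names are this example's own (hypothetical).
BPB = struct.Struct("<HBHBHHBHHHIIIHHIHH")   # 0x0B-0x33
EXT = struct.Struct("<BBBI11s8s")            # 0x40-0x59
BPB_NAMES = ("bytes_per_sector sectors_per_cluster reserved_sectors num_fats "
             "root_entries small_sectors media sectors_per_fat16 "
             "sectors_per_track heads hidden_sectors large_sectors "
             "sectors_per_fat32 ext_flags fs_version root_cluster "
             "fsinfo_sector backup_boot_sector").split()
EXT_NAMES = "drive reserved ext_signature serial label system_id".split()

def parse_fat32(sector):
    """Decode the BPB and extended BPB of a FAT32 boot sector."""
    f = dict(zip(BPB_NAMES, BPB.unpack_from(sector, 0x0B)))
    f.update(zip(EXT_NAMES, EXT.unpack_from(sector, 0x40)))
    # data_start is relative to the volume start; adding hidden_sectors
    # gives the absolute sector on the disk.
    f["data_start"] = (f["reserved_sectors"]
                       + f["num_fats"] * f["sectors_per_fat32"])
    f["root_dir_disk_sector"] = (
        f["hidden_sectors"] + f["data_start"]
        + (f["root_cluster"] - 2) * f["sectors_per_cluster"])
    return f

def check_fat32(sector):
    """List the rules from Tables 1.10 and 1.11 that a boot sector breaks."""
    if len(sector) < 512:
        return ["sector shorter than 512 bytes"]
    f = parse_fat32(sector)
    rules = [
        (sector[0x1FE:0x200] == b"\x55\xAA", "end of sector marker"),
        (f["bytes_per_sector"] in (512, 1024, 2048, 4096), "bytes per sector"),
        (f["sectors_per_cluster"] in (1, 2, 4, 8, 16, 32, 64, 128),
         "sectors per cluster"),
        (f["num_fats"] == 2, "number of FATs"),
        (f["root_entries"] == f["small_sectors"] == f["sectors_per_fat16"] == 0,
         "FAT12/FAT16-only field not zero"),
        (f["ext_signature"] in (0x28, 0x29), "extended boot signature"),
        (f["system_id"].rstrip() == b"FAT32", "system ID"),
        (f["backup_boot_sector"] < f["reserved_sectors"],
         "backup boot sector outside reserved area"),
    ]
    return [name for ok, name in rules if not ok]

if __name__ == "__main__":
    print(parse_fat32(SECTOR), check_fat32(SECTOR), sep="\n")
```

An empty list from `check_fat32` means the sector satisfies every rule the tables state; a non-empty list on an acquired image is a prompt to compare against the copy in the backup boot sector.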
Title: NTFS Boot Sector
NTFS Boot Sector (From www.microsoft.com)
Table 1.12 describes the boot sector of a volume formatted with NTFS. The bootstrap code for an NTFS volume is longer than the 426 bytes, as shown in Table 1.12. When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code.

Table 1.12 Boot Sector Sections on an NTFS Volume

Byte Offset  Field Length  Field Name
0x00         3 bytes       Jump Instruction
0x03         LONGLONG      OEM ID
0x0B         25 bytes      BPB
0x24         48 bytes      Extended BPB
0x54         426 bytes     Bootstrap Code
0x01FE       WORD          End of Sector Marker

On NTFS volumes, the data fields that follow the BPB form an extended BPB. The data in these fields enables Ntldr to find the master file table (MFT) during startup. On NTFS volumes, the MFT is not located in a predefined sector, as on FAT16 and FAT32 volumes. For this reason, the MFT can be moved if there is a bad sector in its normal location. However, if the data is corrupted, the MFT cannot be located, and Windows 2000 assumes that the volume has not been formatted.
The following example illustrates the boot sector of an NTFS volume formatted while running Windows 2000. The printout is formatted in three sections:
- Bytes 0x00-0x0A are the jump instruction and the OEM ID (shown in bold print).
- Bytes 0x0B-0x53 are the BPB and the extended BPB.
- The remaining code is the bootstrap code and the end of sector marker (shown in bold print).

Physical Sector: Cyl 0, Side 1, Sector 1
00000000: EB 52 90 4E 54 46 53 20 - 20 20 20 00 02 08 00 00  .R.NTFS    .....
00000010: 00 00 00 00 00 F8 00 00 - 3F 00 FF 00 3F 00 00 00  ........?...?...
00000020: 00 00 00 00 80 00 80 00 - 4A F5 7F 00 00 00 00 00  ........J.......
00000030: 04 00 00 00 00 00 00 00 - 54 FF 07 00 00 00 00 00  ........T.......
00000040: F6 00 00 00 01 00 00 00 - 14 A5 1B 74 C9 1B 74 1C  ...........t..t.
00000050: 00 00 00 00 FA 33 C0 8E - D0 BC 00 7C FB B8 C0 07  .....3.....|....
00000060: 8E D8 E8 16 00 B8 00 0D - 8E C0 33 DB C6 06 0E 00  ..........3.....
00000070: 10 E8 53 00 68 00 0D 68 - 6A 02 CB 8A 16 24 00 B4  ..S.h..hj....$..
00000080: 08 CD 13 73 05 B9 FF FF - 8A F1 66 0F B6 C6 40 66  ...s......f...@f
00000090: 0F B6 D1 80 E2 3F F7 E2 - 86 CD C0 ED 06 41 66 0F  .....?.......Af.
000000A0: B7 C9 66 F7 E1 66 A3 20 - 00 C3 B4 41 BB AA 55 8A  ..f..f. ...A..U.
000000B0: 16 24 00 CD 13 72 0F 81 - FB 55 AA 75 09 F6 C1 01  .$...r...U.u....
000000C0: 74 04 FE 06 14 00 C3 66 - 60 1E 06 66 A1 10 00 66  t......f`..f...f
000000D0: 03 06 1C 00 66 3B 06 20 - 00 0F 82 3A 00 1E 66 6A  ....f;. ...:..fj
000000E0: 00 66 50 06 53 66 68 10 - 00 01 00 80 3E 14 00 00  .fP.Sfh.....>...
000000F0: 0F 85 0C 00 E8 B3 FF 80 - 3E 14 00 00 0F 84 61 00  ........>.....a.
00000100: B4 42 8A 16 24 00 16 1F - 8B F4 CD 13 66 58 5B 07  .B..$.......fX[.
00000110: 66 58 66 58 1F EB 2D 66 - 33 D2 66 0F B7 0E 18 00  fXfX..-f3.f.....
00000120: 66 F7 F1 FE C2 8A CA 66 - 8B D0 66 C1 EA 10 F7 36  f......f..f....6
00000130: 1A 00 86 D6 8A 16 24 00 - 8A E8 C0 E4 06 0A CC B8  ......$.........
00000140: 01 02 CD 13 0F 82 19 00 - 8C C0 05 20 00 8E C0 66  ........... ...f
00000150: FF 06 10 00 FF 0E 0E 00 - 0F 85 6F FF 07 1F 66 61  ..........o...fa
00000160: C3 A0 F8 01 E8 09 00 A0 - FB 01 E8 03 00 FB EB FE  ................
00000170: B4 01 8B F0 AC 3C 00 74 - 09 B4 0E BB 07 00 CD 10  .....<.t........
00000180: EB F2 C3 0D 0A 41 20 64 - 69 73 6B 20 72 65 61 64  .....A disk read
00000190: 20 65 72 72 6F 72 20 6F - 63 63 75 72 72 65 64 00   error occurred.
000001A0: 0D 0A 4E 54 4C 44 52 20 - 69 73 20 6D 69 73 73 69  ..NTLDR is missi
000001B0: 6E 67 00 0D 0A 4E 54 4C - 44 52 20 69 73 20 63 6F  ng...NTLDR is co
000001C0: 6D 70 72 65 73 73 65 64 - 00 0D 0A 50 72 65 73 73  mpressed...Press
000001D0: 20 43 74 72 6C 2B 41 6C - 74 2B 44 65 6C 20 74 6F   Ctrl+Alt+Del to
000001E0: 20 72 65 73 74 61 72 74 - 0D 0A 00 00 00 00 00 00   restart........
000001F0: 00 00 00 00 00 00 00 00 - 83 A0 B3 C9 00 00 55 AA  ..............U.

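Table 1.13 describes the fields in the BPB and the extended BPB on NTFS volumes. The fields starting at 0x0B, 0x0D, 0x15, 0x18, 0x1A, and 0x1C match those on FAT16 and FAT32 volumes. The sample values correspond to the data in the preceding example.

Table 1.13 BPB and Extended BPB Fields on NTFS Volumes

Byte Offset  Field Length  Sample Value        Field Name
0x0B         WORD          0x0002              Bytes Per Sector
0x0D         BYTE          0x08                Sectors Per Cluster
0x0E         WORD          0x0000              Reserved Sectors
0x10         3 BYTES       0x000000            always 0
0x13         WORD          0x0000              not used by NTFS
0x15         BYTE          0xF8                Media Descriptor
0x16         WORD          0x0000              always 0
0x18         WORD          0x3F00              Sectors Per Track
0x1A         WORD          0xFF00              Number Of Heads
0x1C         DWORD         0x3F000000          Hidden Sectors
0x20         DWORD         0x00000000          not used by NTFS
0x24         DWORD         0x80008000          not used by NTFS
0x28         LONGLONG      0x4AF57F0000000000  Total Sectors
0x30         LONGLONG      0x0400000000000000  Logical Cluster Number for the file $MFT
0x38         LONGLONG      0x54FF070000000000  Logical Cluster Number for the file $MFTMirr
0x40         DWORD         0xF6000000          Clusters Per File Record Segment
0x44         DWORD         0x01000000          Clusters Per Index Block
0x48         LONGLONG      0x14A51B74C91B741C  Volume Serial Number
0x50         DWORD         0x00000000          Checksum

Locating $MFT and $MFTMirr from the extended BPB fields in Table 1.13, as an added example that is not part of the original Microsoft text, using the first 0x54 bytes of the NTFS sample dump. The function and key names are this example's own, and reading the 0xF6 at offset 0x40 as a signed byte (a negative n meaning a file record of 2^-n bytes) is NTFS behaviour that this page does not describe.

```python
import struct

# Bytes 0x00-0x53 of the NTFS sample dump on this page (jump instruction,
# OEM ID, BPB and extended BPB).
NTFS_HEAD = bytes.fromhex(
    "EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00"
    "00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00"
    "00 00 00 00 80 00 80 00 4A F5 7F 00 00 00 00 00"
    "04 00 00 00 00 00 00 00 54 FF 07 00 00 00 00 00"
    "F6 00 00 00 01 00 00 00 14 A5 1B 74 C9 1B 74 1C"
    "00 00 00 00")

def locate_mft(head):
    """Locate $MFT and $MFTMirr from an NTFS BPB and extended BPB."""
    if len(head) < 0x54 or head[0x03:0x0B] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", head, 0x0B)
    (hidden,) = struct.unpack_from("<I", head, 0x1C)
    total_sectors, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", head, 0x28)
    (frs,) = struct.unpack_from("<b", head, 0x40)   # low byte, read as signed
    if bytes_per_sector == 0 or sectors_per_cluster == 0:
        raise ValueError("zero sector or cluster size")
    cluster = bytes_per_sector * sectors_per_cluster
    # Assumption (NTFS convention, not stated on this page): a negative value
    # n means a record of 2**(-n) bytes; a positive value counts clusters.
    info = {"cluster_size": cluster,
            "file_record_size": 1 << -frs if frs < 0 else frs * cluster}
    for name, lcn in (("mft", mft_lcn), ("mftmirr", mirr_lcn)):
        first_sector = lcn * sectors_per_cluster   # relative to volume start
        if first_sector >= total_sectors:
            # Corrupted extended BPB: the MFT cannot be located from it.
            raise ValueError(f"{name} cluster {lcn} is outside the volume")
        info[name + "_byte_offset"] = lcn * cluster
        info[name + "_disk_sector"] = hidden + first_sector
    return info

if __name__ == "__main__":
    print(locate_mft(NTFS_HEAD))
```
<test>
info = locate_mft(NTFS_HEAD)
assert info["cluster_size"] == 4096
assert info["file_record_size"] == 1024
assert info["mft_byte_offset"] == 16384
assert info["mft_disk_sector"] == 95
assert info["mftmirr_byte_offset"] == 2146779136
assert info["mftmirr_disk_sector"] == 4192991
bad = bytearray(NTFS_HEAD)
bad[0x30:0x38] = (0x7FF54A).to_bytes(8, "little")
try:
    locate_mft(bytes(bad))
    raised = False
except ValueError:
    raised = True
assert raised
bad_oem = bytearray(NTFS_HEAD)
bad_oem[0x03] = 0x58
try:
    locate_mft(bytes(bad_oem))
    raised = False
except ValueError:
    raised = True
assert raised
</test>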