Sponsored by:

Fully Managed Technology Services

 

A Disk Editor View of the
NT FAT32 Boot Record
and new "Bootstrap Code"
installed by Windows™ 2000 or XP

Web Presentation and Text are Copyright © 2010 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !


This page is still under construction!


For a detailed analysis of the code displayed here, see our NT FAT32 Boot Record page.

Like all other MS Boot Records, the first three bytes form what's often called the Jump Instruction. Only the first two bytes (EB 58 in this case) have ever been used to form the actual JMP (Jump) instruction* to the main block of executable x86 (PC) Assembly code; the third byte (90h) is just a NOP instruction ('No Op' or do nothing). The next eight bytes are the System Name (MSWIN4.1); followed by the BPB (BIOS Parameter Block).

As expected, this _ BPB _ has many fields in common with the FAT16 and FAT32 Boot Records; such as Bytes per Sector, Sectors per Cluster, the old Media Descriptor byte (F8), etc., even the "Volume Label" ("WIN98_DATA" in this case) and the "System ID" ("FAT32   "). However, at offset 0170h, immediately after this sector's 278 bytes of code, you'll find a major difference.

The first sector of a sample FAT32 Boot Record after being converted by a Windows™ XP installation:

 Absolute Sector 63 (Cylinder 0, Head 1, Sector 1)

                                              BPB         "System Name"
                                               |                |
         0  1  2  3  4  5  6  7  8  9  A  B  C |D  E  F         |
 0000:  EB 58 90 4D 53 57 49 4E 34 2E 31 00 02 08 20 00  .X.MSWIN4.1... .
 0010:  02 00 00 00 00 F8 00 00 3F 00 FF 00 EE 39 D7 00  ........?....9..
 0020:  BD 86 BB 00 CD 2E 00 00 00 00 00 00 93 B2 0B 00  ................
 0030:  01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0040:  80 00 29 56 2F BF 10 57 49 4E 39 38 5F 44 41 54  ..)V/..WIN98_DAT
 0050:  41 00 46 41 54 33 32 20 20 20 33 C9 8E D1 BC F4  A.FAT32   3..... 
 0060:  7B 8E C1 8E D9 BD 00 7C 88 4E 02 8A 56 40 B4 08  {......|.N..V@..
 0070:  CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66 0F  ..s......f...@f.
 0080:  B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F B7  ....?.......Af..
 0090:  C9 66 F7 E1 66 89 46 F8 83 7E 16 00 75 38 83 7E  .f..f.F..~..u8.~
 00A0:  2A 00 77 32 66 8B 46 1C 66 83 C0 0C BB 00 80 B9  *.w2f.F.f.......
 00B0:  01 00 E8 2B 00 E9 48 03 A0 FA 7D B4 7D 8B F0 AC  ...+..H...}.}...
 00C0:  84 C0 74 17 3C FF 74 09 B4 0E BB 07 00 CD 10 EB  ..t.<.t.........
 00D0:  EE A0 FB 7D EB E5 A0 F9 7D EB E0 98 CD 16 CD 19  ...}....}.......
 00E0:  66 60 66 3B 46 F8 0F 82 4A 00 66 6A 00 66 50 06  f`f;F...J.fj.fP.
 00F0:  53 66 68 10 00 01 00 80 7E 02 00 0F 85 20 00 B4  Sfh.....~.... ..
 0100:  41 BB AA 55 8A 56 40 CD 13 0F 82 1C 00 81 FB 55  A..U.V@........U
 0110:  AA 0F 85 14 00 F6 C1 01 0F 84 0D 00 FE 46 02 B4  .............F..
 0120:  42 8A 56 40 8B F4 CD 13 B0 F9 66 58 66 58 66 58  B.V@......fXfXfX
 0130:  66 58 EB 2A 66 33 D2 66 0F B7 4E 18 66 F7 F1 FE  fX.*f3.f..N.f...
 0140:  C2 8A CA 66 8B D0 66 C1 EA 10 F7 76 1A 86 D6 8A  ...f..f....v....
 0150:  56 40 8A E8 C0 E4 06 0A CC B8 01 02 CD 13 66 61  V@............fa
 0160:  0F 82 54 FF 81 C3 00 02 66 40 49 0F 85 71 FF C3  ..T.....f@I..q.. 
 0170:  4E 54 4C 44 52 20 20 20 20 20 20 00 00 00 00 00  NTLDR      .....
 0180:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0190:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01A0:  00 00 00 00 00 00 00 00 00 00 00 00 0D 0A 4E 54  ..............NT
 01B0:  4C 44 52 20 69 73 20 6D 69 73 73 69 6E 67 FF 0D  LDR is missing..
 01C0:  0A 44 69 73 6B 20 65 72 72 6F 72 FF 0D 0A 50 72  .Disk error...Pr
 01D0:  65 73 73 20 61 6E 79 20 6B 65 79 20 74 6F 20 72  ess any key to r
 01E0:  65 73 74 61 72 74 0D 0A 00 00 00 00 00 00 00 00  estart..........
 01F0:  00 00 00 00 00 00 00 00 00 AC BF CC 00 00 55 AA  ..............U.

         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

The last 144 bytes of this sector begin with an NTFS system file name ("NTLDR      ") at offset 0170h. Can you figure out where this string is referenced in the assembly instructions? The number of "zero bytes" which follow, depends upon the length of the error messages in various languages.

The Error Message Strings (which also reference the file, "NTLDR") are followed by more zero-bytes and then the Message Offset bytes (AC BF CC; indicating the offset of each English string, 1ACh, 1BFh and 1CCh), two more zero-bytes, and lastly the Word-sized signature ID (or Magic number) of AA55h. (Remember that hex Words (numerical data requiring more than a single byte) for Intel x86 CPUs are always stored in memory with the Lowest-byte first and the Highest-byte last to make CPU processing quicker!)

Each string of the Error Messages begins with the Hex bytes 0Dh and 0Ah which are a Carriage Return and Line Feed, forming a separate line on the screen when displayed. The first line of each message (there are only two; either: "NTLDR is missing" or: "Disk error") ends with an FFh byte (which the code checks for at memory location 7CC4), both continuing with the same last line ("Press any key to restart"; followed by another Carriage Return and Line Feed) which ends with a 00h byte, making this what's commonly known as a 'zero-terminated' or 'sz' string (the string plus a zero byte).

Unlike the original FAT32 Boot Record, after its conversion by a Windows™ 2000 or XP OS, a third section is added to the original two sections of the Boot Record:

Although the first and second sections may appear to be similar in structure to their original FAT32 sectors, upon comparison, we find the so-called 'backup' boot record (the 'second set' of 3 sectors) was left exactly as before! So, there's really no 'backup' copy for the new NTFS FAT32 Boot Record. Then there's a new, third section, comprised of a single sector of all new code, located all by itself at Logical Sector 12 (or 0Ch); it's separated from the others by 3 zero-filled sectors, just as the original 'backup sectors' are from the new NT FAT32 Boot Record.

(See our Side-by-Side Comparison of the FAT32 Boot Records for all the details.) As with all FAT32 Boot Records, you could say they're actually comprised of 32 sectors, since the FAT table typically does not begin until the 33rd sector of the partition:

Logical Sectors in Partition
Section
Contents
0 - 2
1
New Boot Record
3 - 5
1
3 sectors of all zero bytes
6 - 8
2
Original 'Backup sectors' (left unchanged)
9 - 11
2
3 sectors of all zero bytes
12
3
New NT 'Bootstrap Code' Added
 

The new NT code installed by Windows™ XP in the 13th sector of our FAT32 OS partition:


Absolute Sector 75 (Cylinder 0, Head 1, Sector 13) Off. 0 1 2 3 4 5 6 7 8 9 A B C D E F 0000 66 0F B6 46 10 66 8B 4E 24 66 F7 E1 66 03 46 1C f..F.f.N$f..f.F. 0010 66 0F B7 56 0E 66 03 C2 66 89 46 FC 66 C7 46 F4 f..V.f..f.F.f.F. 0020 FF FF FF FF 66 8B 46 2C 66 83 F8 02 0F 82 A6 FC ....f.F,f....... 0030 66 3D F8 FF FF 0F 0F 83 9C FC 66 50 66 83 E8 02 f=........fPf... 0040 66 0F B6 5E 0D 8B F3 66 F7 E3 66 03 46 FC BB 00 f..^...f..f.F... 0050 82 8B FB B9 01 00 E8 87 FC 38 2D 74 1E B1 0B 56 .........8-t...V 0060 BE 70 7D F3 A6 5E 74 1B 03 F9 83 C7 15 3B FB 72 .p}..^t......;.r 0070 E8 4E 75 DA 66 58 E8 65 00 72 BF 83 C4 04 E9 55 .Nu.fX.e.r.....U 0080 FC 00 20 83 C4 04 8B 75 09 8B 7D 0F 8B C6 66 C1 .. ....u..}...f. 0090 E0 10 8B C7 66 83 F8 02 0F 82 3A FC 66 3D F8 FF ....f.....:.f=.. 00A0 FF 0F 0F 83 30 FC 66 50 66 83 E8 02 66 0F B6 4E ....0.fPf...f..N 00B0 0D 66 F7 E1 66 03 46 FC BB 00 00 06 8E 06 81 80 .f..f.F......... 00C0 E8 1D FC 07 66 58 C1 EB 04 01 1E 81 80 E8 0E 00 ....fX.......... 00D0 0F 83 02 00 72 D0 8A 56 40 EA 00 00 00 20 66 C1 ....r..V@.... f. 00E0 E0 02 E8 11 00 26 66 8B 01 66 25 FF FF FF 0F 66 .....&f..f%....f 00F0 3D F8 FF FF 0F C3 BF 00 7E 66 0F B7 4E 0B 66 33 =.......~f..N.f3 0100 D2 66 F7 F1 66 3B 46 F4 74 3A 66 89 46 F4 66 03 .f..f;F.t:f.F.f. 0110 46 1C 66 0F B7 4E 0E 66 03 C1 66 0F B7 5E 28 83 F.f..N.f..f..^(. 0120 E3 0F 74 16 3A 5E 10 0F 83 AB FB 52 66 8B C8 66 ..t.:^.....Rf..f 0130 8B 46 24 66 F7 E3 66 03 C1 5A 52 8B DF B9 01 00 .F$f..f..ZR..... 0140 E8 9D FB 5A 8B DA C3 00 00 00 00 00 00 00 00 00 ...Z............ 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA ..............U. 0 1 2 3 4 5 6 7 8 9 A B C D E F





* Note on JUMP Instruction: Although Microsoft has always used two-byte SHORT jumps (which begin with the byte EB) in their Boot Records, one could just as easily use a jump of the DIRECT form which begins with the byte E9 and requires three bytes. For example, the EB 58 90 (two-byte SHORT jump plus the 'Do Nothing' byte) in this Boot Record could just as easily have been replaced by the three bytes: E9 57 00 (all three of which are part of the Direct JMP instruction vs. the two-byte Short JMP instruction).


Created: September 15, 2010 [2010.09.15].


You can write to me using this: online reply form. (It opens in a new window.)

BACK TO: The FAT32 Boot Record under Windows™ 2000 and XP

asm/mbr/ MBR and Boot Records Index Page

The Starman's Realm Index Page