Keywords |
  • Computer Science

MBR

The main boot record (MBR) is the first physical sector of any disk. In its 512 bytes it contains vital information on the structure of the support and the slightest alteration of its contents generally renders the disk unreadable.

On starting up a computer when the BIOS has finished its initialisation sequence (POST = Power-On Self Test) the last instruction that it executes sends the reading head to read the sector of the disk that the BIOS has recorded as the boot sector. The ensuing behaviour of the computer is dictated by the information contained in the MBR (master boot record). The contents are detailed from the end of the sector because this is paradoxically more logical from a functional point of view.

  • First of all the computer looks for the last two bytes numbered 55AA (in hexadecimal), also called "boot sector signature". In the absence of this signature, the operations cannot be performed.
  • There then follow 64 bytes making up the partition table, which shows the number of partitions on the disk, and their locations.
  • 4 bytes contain the digital signature of the disk allocated during formatting and used in many registry keys.
  • About a hundred bytes (variable depending on the language) are allocated to booting error messages (invalid partition table, No operating system, etc.).
  • Finally, the first 300 bytes in the sector contain executable code of capital importance.

After confirming the presence of the 55AA signature the computer executes this code. In the first step the code loads the partition table into memory, reads it to find which is the active partition (the one containing the operating system) and has the computer read the boot sector (for starting, not to be confused with the MBR) of this partition.

Boot sector of a partition

Each NTFS partition contains 16 reserved sectors (the last 9 are not used). The first one is the boot sector itself. Like the MBR, it contains the 5AA signature, an executable code, information on the structure of this partition and error messages (including the well known "NTLDR missing", NTLDR = New technology loader).

The executable code loads the information on the partition into memory and goes on to read the next part of the executable code in the 6 following sectors. The latter code is the bootstrap which in turn launches the execution of the NTLDR file (The Windows "loader). This loads NTDETECT.COM followed by all the Windows files. Any alteration to this boot sector of a partition will cause failure. The error message will vary according to the nature of the alteration. In particular, the NTLDR missing message does not usually mean the NTLDR is absent, but that it has not been found following a modification to the boot sector. The bootstrap, of course, is only used for the system partition.

The structure is somewhat different for a FAT (file allocation table) format partition, but the general principles are the same. In each partition there is a backup copy of the boot sector.

A few remarks

Alterations to the MBR can be repaired by the instruction FIXMBR executed from the retrieval panel of the Windows CD. This instruction rewrites the executable code and the 55AA signature. It does not modify the partition table that the sector contains.

A few years ago some viruses used the fact that the MBR contains executable code to usurp it and install themselves instead, thus launching themselves before the operating system. During the infection the virus placed a copy of the MBR on a random disk sector. After executing itself, the virus went to this copy which then launched the operating system so that everything appeared to be going normally. The classical solution that was given (for DOS and Windows 95, 98 and Millennium) was to execute the command FDISK/MBR (or FIXMBR for later versions of Windows) to restore the MBR. This solution only worked if the virus code did not extend to the space containing the information on the partitions. If the space allocated to this information is modified, the restored MBR will not get the copy of the original sector made by the virus because it does not know where it has been placed. As a result, the hard disk is no longer accessible. The only repair solution available to an anti-virus was to get the copy of the sector (with the partition table intact) and replace it in the MBR.

Recently, a rootkit using this old MBR infection technique was observed. In this case, FIXMBR works correctly since the code does not alter the partition table. It is by no means certain that it will work for future versions.

Alterations to the boot sector can be repaired by the command FIXBOOT (the first thing to do when there is an error message indicating a problem with the NTLDR).

The TestDisk utility is able to repair most failures due to an alteration of the MBR or boot sectors, in particular those that cause a worrying symptom: the disappearance of a partition or a partition becoming unreadable.


Latest

Fill out my online form.