Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Sunday, July 4, 2010

Master Boot Record

Source
An Examination of the Windows 2000 ( NT5.0 )
and Windows XP ( NT5.1 )
MBR ( Master Boot Record ) [ Embedded in DMADMIN.EXE,
SPCMDCON.SYS or various other
System files; see Introduction ]

Web Presentation and Text are Copyright©2003, 2007 by Daniel B. Sedory
Reproduced in shorted form without Permission of the Author !
    This page examines the MBR code most likely to be found in a Microsoft® Windows™ 2000, XP or 2003 installation. All of these operating systems contain the same exact MBR code embedded in files such as DMADMIN.EXE (there are a few more places we didn't list above where either the MBR code or Boot Records can be found; if you're interested in that, read our Where's the code? page). This code will be written to Cylinder 0, Head 0, Sector 1 of a Hard Drive by various OS routines, such as the Disk Management Console,  if  the drive does not already have an existing MBR sector (recognized by Windows®) when it is installed. [Note: These OSs will still write data to the MBR sector when required (see our Disk Signature comments below).] For Windows™ XP (SP2), the MBR code is contained inside the file: C:\WINNT\system32\dmadmin.exe This file which is "224,768 bytes" and has a Modification Date of "Wednesday, August 04, 2004, 4:00:00 AM" is described as a "Logical Disk Manager service process" with "File version: 2600.2180.503.0" and: "Copyright © 1985-2000 Microsoft Corporation. All rights reserved. Portions Copyright © 1997-2000 Veritas Software. All rights reserved." The MBR code itself is found between offsets 34E28h through 35027h (of which only the last 80 bytes are shown here):

Figure 1. Note that the bytes "2c 44 63"are part of the MBR's image file in dmadmin.exe
    Under the original Windows™ XP, the MBR code was in the same file, but at offsets 2FFF8h (196,600) through 301F7h (197,111) for its August 23, 2001 5:00:00 AM version of 204,800 bytes. And unlike the very first file under Windows 2000 [see below], its copyright was changed to: "Copyright © 1985-2000 Microsoft Corporation" and only "Portions Copyright © 1997-2000 Veritas Software"; so it appears that Veritas got an offer from Microsoft® they couldn't refuse! For Windows™ 2000 (with SP3), the MBR code is contained inside the file C:\WINNT\system32\dmadmin.exe This file which is "147,728 bytes" and has a Modification Date of "Monday, July 22, 2002, 12:05:04 PM" is also described as a "Logical Disk Manager service process"; interestingly enough this file is "Copyright © VERITAS Software 1997" and not Microsoft. The MBR code itself is found between offsets 22A00h through 22BFFh (of which only the last 80 bytes are shown in this Hex editor window):

Figure 2. The bytes "2c 44 63"have always been part of this MBR's image file for English.
    The following is a disk editor view of how the bytes in this MBR are stored on your hard drive's first sector; that's Absolute (or Physical) Sector 0, or CHS 0,0,1. (See Examination of the Code below to find out where this data ends up in Memory when it's executed.)
    More

No comments: