Tux&Cía. Technical Log, Santa Cruz de la Sierra, BO

Sunday, May 12, 2013

All about MBR

http://www.ntfs.com/mbr-damaged.htm
MBR is damaged
The Master Boot Record (MBR) is created when you create the first partition on the hard disk. It is a very important data structure on the disk: it contains the partition table for the disk and a small amount of executable code that starts the boot process. Its location is always the first sector of the disk.
The first 446 (0x1BE) bytes are the MBR boot code itself (on disks partitioned by Windows NT and later, the last six of these bytes, at offset 0x1B8, hold the 4-byte disk signature plus two reserved bytes; in the dump below that is A6 34 1F BA 00 00), the next 64 bytes are the partition table (four 16-byte entries), and the last two bytes of the sector are a signature word for the sector, always 0x55AA. Note the byte order: on disk the two bytes appear as 55 AA, i.e. the little-endian word at offset 0x1FE reads 0xAA55.
For our disk layout the MBR looks like this:
Physical Sector: Cyl 0, Side 0, Sector 1
000000000   33 C0 8E D0 BC 00 7C FB  50 07 50 1F FC BE 1B 7C   3.....|.P.P....|
000000010   BF 1B 06 50 57 B9 E5 01  F3 A4 CB BE BE 07 B1 04   ...PW...........
000000020   38 2C 7C 09 75 15 83 C6  10 E2 F5 CD 18 8B 14 8B   8,|.u...........
000000030   EE 83 C6 10 49 74 16 38  2C 74 F6 BE 10 07 4E AC   ....It.8,t....N.
000000040   3C 00 74 FA BB 07 00 B4  0E CD 10 EB F2 89 46 25   <.t...........F%
000000050   96 8A 46 04 B4 06 3C 0E  74 11 B4 0B 3C 0C 74 05   ..F...<.t...<.t.
000000060   3A C4 75 2B 40 C6 46 25  06 75 24 BB AA 55 50 B4   :.u+@.F%.u$..UP.
000000070   41 CD 13 58 72 16 81 FB  55 AA 75 10 F6 C1 01 74   A..Xr...U.u....t
000000080   0B 8A E0 88 56 24 C7 06  A1 06 EB 1E 88 66 04 BF   ....V$.......f..
000000090   0A 00 B8 01 02 8B DC 33  C9 83 FF 05 7F 03 8B 4E   .......3.......N
0000000A0   25 03 4E 02 CD 13 72 29  BE 46 07 81 3E FE 7D 55   %.N...r).F..>.}U
0000000B0   AA 74 5A 83 EF 05 7F DA  85 F6 75 83 BE 27 07 EB   .tZ.......u..'..
0000000C0   8A 98 91 52 99 03 46 08  13 56 0A E8 12 00 5A EB   ...R..F..V....Z.
0000000D0   D5 4F 74 E4 33 C0 CD 13  EB B8 00 00 00 00 00 00   .Ot.3...........
0000000E0   56 33 F6 56 56 52 50 06  53 51 BE 10 00 56 8B F4   V3.VVRP.SQ...V..
0000000F0   50 52 B8 00 42 8A 56 24  CD 13 5A 58 8D 64 10 72   PR..B.V$..ZX.d.r
000000100   0A 40 75 01 42 80 C7 02  E2 F7 F8 5E C3 EB 74 49   .@u.B......^..tI
000000110   6E 76 61 6C 69 64 20 70  61 72 74 69 74 69 6F 6E   nvalid partition
000000120   20 74 61 62 6C 65 00 45  72 72 6F 72 20 6C 6F 61    table.Error loa
000000130   64 69 6E 67 20 6F 70 65  72 61 74 69 6E 67 20 73   ding operating s
000000140   79 73 74 65 6D 00 4D 69  73 73 69 6E 67 20 6F 70   ystem.Missing op
000000150   65 72 61 74 69 6E 67 20  73 79 73 74 65 6D 00 00   erating system..
000000160   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000170   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000180   00 00 00 8B FC 1E 57 8B  F5 CB 00 00 00 00 00 00   ......W.........
000000190   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0000001A0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
0000001B0   00 00 00 00 00 00 00 00  A6 34 1F BA 00 00 80 01   .........4......
0000001C0   01 00 07 FE 7F 3E 3F 00  00 00 40 32 4E 00 00 00   .....>?...@2N...
0000001D0   41 3F 06 FE 7F 64 7F 32  4E 00 A6 50 09 00 00 00   A?...d.2N..P....
0000001E0   41 65 0F FE BF 4A 25 83  57 00 66 61 38 00 00 00   Ae...J%.W.fa8...
0000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 AA   ..............U.
What will happen if the first sector has been damaged (by a virus, for example)?
Let's overwrite the first 16 bytes with zeros.
000000000   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
000000010   BF 1B 06 50 57 B9 E5 01  F3 A4 CB BE BE 07 B1 04   ...PW...........
When we try to boot now, after the hardware tests (POST) we see just a blank screen without any messages. This means the piece of code at the beginning of the MBR could not execute properly, which is why even the error messages stored further down in the sector are never displayed. However, if we boot from a floppy, we can see the FAT partition and the files on it, and we can perform standard operations such as copying files and running programs.
This works because in our example only part of the MBR, the boot code, has been damaged, which stops the system booting from this disk. The partition table is intact, so the drives remain accessible when we boot from an operating system installed on another drive.
What will happen if the sector signature (the last word, 0x55AA) has been removed or damaged?
Let's write zeros to the location of the sector signature.
Physical Sector: Cyl 0, Side 0, Sector 1
0000001E0   41 65 0F FE BF 4A 25 83  57 00 66 61 38 00 00 00   Ae...J%.W.fa8...
0000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
When we try to boot now, we see an error message like "Operating System not found": the BIOS checks for 55 AA before executing the sector and moves on to the next boot device or reports an error when it is missing.
Thus the first thing to do if a computer does not boot is to run a disk viewer and check whether the first physical sector of the HDD still looks like a valid MBR:
  • check whether it is filled with zeros or with some other single byte value
  • check whether the error messages (like "Invalid partition table", seen above) are still present
  • check whether the boot-sector signature (55 AA at offset 0x1FE, the 0x55AA word) is present; do not confuse it with the disk signature at offset 0x1B8, which Windows uses to identify the disk
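The same three checks, plus a decode of the partition table, as an added Python example (not code from ntfs.com or from this blog). The sector it works on is reconstructed from the hex dump above: the first 16 code bytes, the three error strings, the disk signature and the partition table sit at their original offsets, and the rest of the boot code is left as zeros (an assumption that only matters for the checks, not for the code). The "boot code entry not zeroed" heuristic is mine, not something the page proposes. After checking the intact sector it repeats the two experiments from the text, zeroing the first 16 bytes and then the 55 AA signature.

```python
"""Check a 512-byte MBR the way the checklist above says to do by hand.

Added example, not code from ntfs.com or this blog.  The sample sector is
reconstructed from the hex dump on this page: the first 16 code bytes, the
three error strings, the disk signature and the partition table sit at their
original offsets; the rest of the boot code is left as zeros (assumption:
only the checks below matter, not the code itself)."""
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8   # 4-byte NT disk signature, then 2 reserved bytes
PT_OFFSET = 0x1BE         # partition table: 4 entries x 16 bytes
BOOT_SIG_OFFSET = 0x1FE   # bytes 55 AA (the "0x55AA signature word")
ERROR_STRINGS = (b"Invalid partition table",
                 b"Error loading operating system",
                 b"Missing operating system")


def build_sample_mbr():
    """Constructed sector using the bytes shown in the dump above."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:16] = bytes.fromhex("33C08ED0BC007CFB5007501FFCBE1B7C")  # code start
    msgs = b"\x00".join(ERROR_STRINGS)
    sec[0x10F:0x10F + len(msgs)] = msgs                    # strings at 0x10F
    sec[DISK_SIG_OFFSET:] = bytes.fromhex(
        "A6341FBA0000"                                     # disk sig + pad
        "80010100" "07FE7F3E" "3F000000" "40324E00"        # 1: NTFS, active
        "0000413F" "06FE7F64" "7F324E00" "A6500900"        # 2: FAT16
        "00004165" "0FFEBF4A" "25835700" "66613800"        # 3: extended (LBA)
        "00000000" "00000000" "00000000" "00000000"        # 4: unused
        "55AA")                                            # boot signature
    return bytes(sec)


def disk_signature(sec):
    """Little-endian DWORD Windows uses to identify the disk (MountedDevices, BCD)."""
    return struct.unpack_from("<I", sec, DISK_SIG_OFFSET)[0]


def parse_partition_table(sec):
    """Decode the four primary entries; CHS fields are skipped, LBA is what matters."""
    entries = []
    for i in range(4):
        status, _, _, _, ptype, _, _, _, lba, count = struct.unpack_from(
            "<B3BB3BII", sec, PT_OFFSET + 16 * i)
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def check_mbr(sec):
    """The page's three visual checks plus three cheap partition-table checks.
    Returns (name, ok, detail) tuples; ok is a plain bool."""
    results = []
    fill = len(set(sec)) == 1
    results.append(("not single-byte fill", not fill,
                    "filled with 0x%02X" % sec[0] if fill else ""))
    # Real boot code never starts with 00 00 (that decodes as add [bx+si],al);
    # this is exactly what the first experiment on the page produces.
    results.append(("boot code entry not zeroed", sec[:2] != b"\x00\x00", sec[:2].hex()))
    missing = [s.decode() for s in ERROR_STRINGS if s not in sec]
    results.append(("error strings present", not missing, ", ".join(missing)))
    sig = sec[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2]
    results.append(("boot signature 55 AA", sig == b"\x55\xAA", sig.hex()))
    ents = parse_partition_table(sec)
    active = [e for e in ents if e["bootable"]]
    odd = [e for e in ents if e["status"] not in (0x00, 0x80)]
    results.append(("one active partition", len(active) == 1 and not odd,
                    "active=%d odd_status=%d" % (len(active), len(odd))))
    used = sorted((e["lba_start"], e["lba_start"] + e["sectors"])
                  for e in ents if e["type"] and e["sectors"])
    overlap = any(a[1] > b[0] for a, b in zip(used, used[1:]))
    results.append(("partitions do not overlap", not overlap, ""))
    return results


def summary(sec):
    """Dict of check name -> bool, handy for scripting."""
    return {name: ok for name, ok, _ in check_mbr(sec)}


def damage(sec, offset, length):
    """Zero `length` bytes at `offset`: the two experiments from the text."""
    b = bytearray(sec)
    b[offset:offset + length] = bytes(length)
    return bytes(b)


if __name__ == "__main__":
    good = build_sample_mbr()
    cases = (("intact", good),
             ("first 16 bytes zeroed", damage(good, 0, 16)),
             ("55 AA zeroed", damage(good, BOOT_SIG_OFFSET, 2)),
             ("whole sector zeroed", damage(good, 0, SECTOR_SIZE)))
    for label, s in cases:
        print("%s (disk signature %08X)" % (label, disk_signature(s)))
        for name, ok, detail in check_mbr(s):
            print("  [%s] %s %s" % ("ok" if ok else "!!", name, detail))
        for e in parse_partition_table(s):
            if e["type"]:
                print("  entry %d: type 0x%02X %s LBA %d..%d" % (
                    e["index"], e["type"], "active" if e["bootable"] else "      ",
                    e["lba_start"], e["lba_start"] + e["sectors"] - 1))
```

To check a live disk, feed check_mbr() the first 512 bytes read from the raw device (/dev/sda on Linux, \\.\PhysicalDrive0 on Windows; both need administrator rights). Note what the two experiments show: zeroing the boot code leaves every check except the entry-byte heuristic green and the partition table still decodes, which is why the page's floppy boot still sees the partitions, while zeroing the signature fails only that one check. Against a bootkit the cheapest test is a byte comparison of the first 446 bytes with a known-good copy taken earlier, since a legitimate repair (FDISK /MBR, FIXMBR, bootrec /fixmbr) leaves the partition table and disk signature alone but replaces the code.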
The simplest way to repair or re-create the MBR boot code is to run Microsoft's standard utility FDISK with the parameter /MBR, like
A:\> FDISK.EXE  /MBR
FDISK is a standard utility included in MS-DOS, Windows 95, 98 and ME. FDISK /MBR rewrites only the 446 bytes of boot code and leaves the partition table in place.
If you have Windows 2000 or XP, you can boot from the startup floppy disks or the CD-ROM, choose the repair option during setup and run the Recovery Console. When you are logged on, the FIXMBR command rewrites the MBR boot code in the same way. Both commands replace whatever code is in the sector, so they remove a bootkit's code but also remove any third-party boot manager (such as a Linux boot loader) installed in the MBR; the partition table is left untouched.
You can also use third-party MBR recovery software or, if you have created an MBR backup, restore it from there (Active@ Partition Recovery has such capabilities).
What will happen if the first sector is bad/unreadable?
Most likely we will get the same black screen on boot. When you try to read the sector with a disk viewer/editor you should get an error message saying that the sector is unreadable. In this case recovery software cannot bring the HDD back into working condition, i.e. physical partition recovery is not possible.
The only thing that can be done is to scan the disk and search for partitions (i.e. perform virtual partition recovery) and, if something is found, display them and give the user an opportunity to save important data to another location. Third-party software such as Active@ File Recovery will help you here.
==========================
Master Boot Record (MBR) Repair
Infections in the Master Boot Record (MBR) are a tricky business and may sometimes require the user to take additional steps to completely remove the infection.
If available, the description of the relevant malware may provide removal details tailored to the suspect malware or the specific infection scenario.
If specific removal instructions are not yet available, this page provides more general actions for repairing an infected MBR.

Automatic Disinfection

 In some cases, F-Secure's security products can disinfect the MBR without further action from the user.

Alternatives

If a suspicious hidden file is detected and FSAV does not immediately remove the file, there are several actions you can perform by manually selecting one of the displayed options:
  • If you don't want to do anything about the hidden item, select "None" as the action
  • If you don't want to be notified about the file in the future, select "Exclude" as the action
  • If you are sure the item is not part of a normal program, you can rename it by selecting "Rename" as the action. This prevents the hidden program from starting in the future. Use the "Rename" action very carefully, because renaming important files may break the computer.

Contact Support

In certain cases, more complex malware (e.g., rootkits) may have sufficiently altered the MBR so that regular automatic disinfection is not possible, or not fully effective.
If you suspect this is the case, you may wish to send a sample of the suspect MBR to our Labs for further analysis.

Submitting a sample of an infected MBR

For detailed instructions on how to obtain a sample of the suspect MBR for submission, please see the following Support KB Article:

Advanced: Manual MBR Repair

Note: MBR repair, if incorrectly performed, may result in additional damage; it is only advisable for advanced users.
In certain cases, a user may attempt to manually replace the suspect MBR with a clean version.
Users attempting manual data recovery and repair may want to use our free utility program, the F-Secure Rescue CD, to do so.

Additional Options

Windows includes tools to replace an infected MBR with a clean, standard MBR. To do so:
  1. Boot into the Recovery Console (Windows XP) or the System Recovery Options command prompt of the Windows Recovery Environment (Windows 7).
  2. Depending on the operating system in question, run the appropriate command on all infected drives:

    • On Windows XP, run: fixmbr
    • On Windows 7, run: bootrec /fixmbr
Both commands rewrite only the boot code of the sector; the partition table and the disk signature are kept. If the code differs again after the next reboot, the infection is still active in the running system and the repair must be done from boot media such as a rescue CD.
=============================
Instructions
  1. Run MbrFix.exe from a floppy drive, optical disk drive or USB stick and follow the on-screen instructions.
  2. Check your boot preference in the BIOS settings and select the optical drive as first preference. Now insert the bootable Windows DVD into your optical disk drive and restart the PC.
  3. Once the boot process is completed you will have to set the "Language", "Time" and "Keyboard" preferences; the best option is to leave them at the default settings and continue.
  4. Now you will be presented with several options. Click on the "Repair Your Computer" option; it gives you access to a window used for System Recovery. Select Command Prompt from here. You need the command prompt to run the Bootsect.exe utility, which is located inside the boot folder of the Windows DVD. Change your current directory to the boot folder; the syntax to change the directory is "CD [/D] [drive:][path]".
  5. Now execute "bootsect /nt60 C:" without the quotes, assuming that you had Windows 7 installed on drive C:. Eject your Windows DVD and restart your computer. Windows should now boot normally.
Note: bootsect /nt60 rewrites the partition boot sector (the first sector of the volume, which loads bootmgr), not the MBR. To rewrite the MBR boot code at the same time add the /mbr switch ("bootsect /nt60 C: /mbr"), or run "bootrec /fixmbr" from the same command prompt.

Read more at: How to Repair Corrupted Master Boot Record (MBR) on Windows 7 http://www.stepbystep.com/how-to-repair-corrupted-master-boot-record-mbr-on-windows-7-1249/
=============================
Instructions
  1. Insert the Windows 7 installation DVD and boot from your DVD drive. You may have to change the boot order in the system BIOS to boot from the DVD.
  2. Choose your default "Language", "Time" and "Keyboard Input" in the first window and click "Next".
  3. Click on the "Repair Your Computer" option to gain access to the System Recovery window. Now choose "Command Prompt" to run the Bootsect.exe utility. Bootsect is located inside the boot folder, so change your directory to boot. Now run "bootsect /nt60 C:" (without quotes) if you had Windows 7 installed on the C: partition. Alternatively, you can run "bootsect /nt60 SYS" or "bootsect /nt60 ALL" (without quotes) to write the boot sector of the system partition or of all partitions. Eject the DVD and restart your computer. Your computer should now boot Windows 7 again.
=============================
Author: Systemintegrasjon AS
Version: 1.3.0.0  File Date: 8/5/2009  Number of Downloads: 291601  File size: 136 K

File Description:
Tool to fix or create the Master Boot Record (MBR) on hard disks, for instance when using Windows PE. Available as an x64 edition as well as the 32-bit edition.
Now with support for Windows Vista and Windows 7 MBRs!
The new version has some new features, like creating DOS boot sectors, changing partition types, etc.
=============================
Even if the bcdedit tool is, on second glance, less unwieldy to use than it first appears, it still cannot cover all the tasks needed to get a system that no longer starts running again. If the boot store (the BCD) is corrupt, no partition is active or no valid Master Boot Record (MBR) is present, it does not fix such errors. It is only responsible for configuring the systems to be started, on the assumption that everything around them is already in order.

Stages of booting: MBR, boot manager, operating system

The reason is the traditional boot procedure of BIOS-based machines, which even modern operating systems cannot change; they are not running yet at that point. After power-on the PC reads the first 512 bytes of the first hard disk into memory and executes the code contained in them; that code reads the partition table in the same sector, finds the partition marked active, loads the first sector of that partition (its boot sector) and jumps to it.

On Windows since NT this leads to the boot manager being invoked. In current Windows versions this is the program bootmgr in the root of the active partition, which is usually a hidden system partition. It reads the boot store \Boot\BCD on that partition and presents the resulting selection of bootable operating systems as a boot menu.
If there is nothing to choose from, e.g. because only one OS is on the machine and the user has not pressed <F8>, nothing of this process is visible. Before Windows Vista/Windows Server 2008 the program was called ntldr; it evaluated the text file boot.ini and built the boot menu from it.
If you like, each of these is already a rudimentary operating system: after all, it can display information, accept input and process it. Multi-stage booting, however, also has several possible points of failure, one at each stage:
  1. the MBR can be invalid, i.e. its code or partition table no longer leads to a valid boot loader,
  2. no bootmgr program is found on the active partition, e.g. because an older Windows installation has written its ntldr boot sector over it again,
  3. bootmgr cannot read the boot store \Boot\BCD because it has been damaged,
  4. no partition is active, which is a problem for Windows. Other operating systems such as Linux do not evaluate the "active" attribute and do not need it.

Repair with diskpart and bootrec

Under WinRE the automatic Startup Repair generally does a really good job of detecting and fixing these four problems. If it does not, two tools remain on the WinRE command line to tackle the problem manually: diskpart and bootrec.
  1. If the MBR is invalid, the command bootrec /FixMbr repairs it by writing standard Windows MBR code; the partition table and the disk signature are kept, but any third-party boot loader that lived in the MBR is gone,
  2. the boot sector that loads bootmgr is rewritten by bootrec /FixBoot (this does not recreate the bootmgr file itself),
  3. bootrec /RebuildBcd builds a completely new boot store, then scans for Windows installations and offers to add them to the boot store. If the boot store itself is fine and you only want to add missing entries manually, bootrec /ScanOs offers a read-only mode that merely lists the systems found by the scan.
  4. That the error is due to a missing "active" attribute can be recognised by the bootrec commands of points 2 and 3 printing the error "Element not found". In that case start diskpart and mark a partition as active with the command sequence
    select disk 0
    select partition 1
    active
    exit
    which here marks the first partition of the first hard disk as active (adjust the disk and partition numbers to your layout).
The commands have the advantage that you can simply try them without investigating the cause first. Command 3 does destroy a boot menu you may have customised (export it beforehand with bcdedit /export <file> if the store can still be read), but for a server that no longer starts that is surely bearable.
