NTFS boot record.

NTFSD
1

Hi,
Would any one tell me where exactly, i can find details of “BOOT RECORD”
data structure, for a NTFS file systems.(the one like, for FAT which tells
us details abt that partitions). I was unable to exactly locate the
information in microsoft’s technet, where it gives all details abt MFT and
MFT zones but not abt boot record.

thanks,
Venkat Raghavulu A.R

"

Zensar Technologies Ltd. Mail Disclaimer: This e-mail and any files
transmitted with it are confidential and the views expressed in the same are
not necessarily the views of Zensar Technologies Ltd., and its directors,
management or employees. This communication represents the originator’s
personal views and opinions. If you are not the intended recipient or the
person responsible for delivering the e-mail to the intended recipient, be
advised that you have received this e-mail by error, and that any use,
dissemination, forwarding, printing, or copying of this e-mail is strictly
prohibited. You shall be under obligation to keep the contents of this
e-mail, strictly confidential and shall not disclose, disseminate or divulge
the same to any Person, Company, Firm or Entity. Please ensure you have
adequate virus protection before you open or detach any documents from this
transmission. ZenSar Technologies Ltd. does not accept any liability for
viruses. If you received this e-mail in error, please immediately notify
xxxxx@zensar.com. The rights to monitor all e-mail communication
through our network are reserved with us.

"

2

NTFS boot record.http://linux-ntfs.sourceforge.net/ntfs/files/boot.html
----- Original Message -----
From: Venkat Raghavulu
To: File Systems Developers
Sent: Friday, October 04, 2002 9:07 AM
Subject: [ntfsd] NTFS boot record.

Hi,
Would any one tell me where exactly, i can find details of “BOOT RECORD” data structure, for a NTFS file systems.(the one like, for FAT which tells us details abt that partitions). I was unable to exactly locate the information in microsoft’s technet, where it gives all details abt MFT and MFT zones but not abt boot record.

3

NTFS boot record.Linux NTFS source. The people have reverse-engineered the NTFS layout.

Max

----- Original Message -----
From: Venkat Raghavulu
To: File Systems Developers
Sent: Friday, October 04, 2002 11:07 AM
Subject: [ntfsd] NTFS boot record.

Hi,
Would any one tell me where exactly, i can find details of “BOOT RECORD” data structure, for a NTFS file systems.(the one like, for FAT which tells us details abt that partitions). I was unable to exactly locate the information in microsoft’s technet, where it gives all details abt MFT and MFT zones but not abt boot record.

thanks,
Venkat Raghavulu A.R

"

Zensar Technologies Ltd. Mail Disclaimer: This e-mail and any files transmitted with it are confidential and the views expressed in the same are not necessarily the views of Zensar Technologies Ltd., and its directors, management or employees. This communication represents the originator’s personal views and opinions. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, be advised that you have received this e-mail by error, and that any use, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. You shall be under obligation to keep the contents of this e-mail, strictly confidential and shall not disclose, disseminate or divulge the same to any Person, Company, Firm or Entity. Please ensure you have adequate virus protection before you open or detach any documents from this transmission. ZenSar Technologies Ltd. does not accept any liability for viruses. If you received this e-mail in error, please immediately notify xxxxx@zensar.com. The rights to monitor all e-mail communication through our network are reserved with us.

"

You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to %%email.unsub%%

4

NTFS boot record.Offset Size Description

0x0000 3 Jump to the boot loader routine
0x0003 8 System Id: "NTFS "
0x000B 2 Bytes per sector
0x000D 1 Sectors per cluster
0x000E 7 Unused
0x0015 1 Media descriptor (a)
0x0016 2 Unused
0x0018 2 Sectors per track
0x001A 2 Number of heads
0x001C 8 Unused
0x0024 4 Always 80 00 80 00
0x0028 8 Number of sectors in the volume
0x0030 8 LCN of VCN 0 of the $MFT
0x0038 8 LCN of VCN 0 of the $MFTMirr
0x0040 4 Clusters per MFT Record (b)
0x0044 4 Clusters per Index Record
0x0048 8 Volume serial number
~ ~ ~
0x0200 Windows NT Loader

typedef struct {
UCHAR Jump[3];
UCHAR Format[8];
USHORT BytesPerSector;
UCHAR SectorsPerCluster;
USHORT BootSectors;
UCHAR Mbz1;
USHORT Mbz2;
USHORT Reserved1;
UCHAR MediaType;
USHORT Mbz3;
USHORT SectorsPerTrack;
USHORT NumberOfHeads;
ULONG PartitionOffset;
ULONG Reserved2[2];
ULONGLONG TotalSectors;
ULONGLONG MftStartLcn;
ULONGLONG Mft2StartLcn;
ULONG ClustersPerFileRecord;
ULONG ClustersPerIndexBlock;
ULONGLONG VolumeSerialNumber;
UCHAR Code[0x1AE];
USHORT BootSignature;
} BOOT_BLOCK, *PBOOT_BLOCK;
OS.

5

Hello

Sunday, October 06, 2002, 3:09:44 AM, you wrote:

O> NTFS boot record.Offset Size Description
O> ------ - ---------------
O> 0x0000 3 Jump to the boot loader routine
O> 0x0003 8 System Id: "NTFS "
O> 0x000B 2 Bytes per sector
O> 0x000D 1 Sectors per cluster
O> 0x000E 7 Unused
O> 0x0015 1 Media descriptor (a)
O> 0x0016 2 Unused
O> 0x0018 2 Sectors per track
O> 0x001A 2 Number of heads
O> 0x001C 8 Unused
O> 0x0024 4 Always 80 00 80 00
O> 0x0028 8 Number of sectors in the volume
O> 0x0030 8 LCN of VCN 0 of the $MFT
O> 0x0038 8 LCN of VCN 0 of the $MFTMirr
O> 0x0040 4 Clusters per MFT Record (b)
O> 0x0044 4 Clusters per Index Record
O> 0x0048 8 Volume serial number
O> ~ ~ ~
O> 0x0200 Windows NT Loader

jmp near loc_0054
nop

db 'NTFS ’

bpb equ $

bytez_per_sec dw 200h ; bytes per sector
sec_per_cluster db 08h ; sectors per cluster
sectorz_2_read dw 0 ; reserved sectorz
read_sector db 0 ; number of FATs - nonsense on NTFS so its used
; as read_sector counter

dw 0
dw 0

db 0F8h ; media descriptor
dw 0

secz_per_cyl dw 3fh ; sectorz per cylinder
number_of_headz dw 0f0h ; number of headz
hidden_secz dw 3fh ; hidden secz

dw 0

big_tot_sec dd 0 ; big total number of secz
drive_number dw 80h ; drive number
dw 80h ; extended boot signature

db 0E0h, 76h, 2Bh, 01h, 00h, 00h, 00h, 00h ; number of sectorz on the volume

mft_lcn dd 4 ; LCN of $MFT
dd 0

dd 12B76Eh ; LCN of $MFT_mirror
dd 0

file_record_size_ dd 0F6h

dd 1 ; index_buffer_size
dd 14b571c0h ; volume serial number
dd 0a014b598h

dd 0

loc_0054:

this is what i found while reversing NTFS boot sector and ntldr stub.
if you want the disassembly drop me an email (contains NTFS read only
code in asm - that was the purpose i did it) …


Best regards,
Ratter

6

Try this link, which has pretty explanation
http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/ProRK/prcb_dis_qxql.htm

Regards,
Satish K.S

----- Original Message -----
From: “Ratter”
To: “File Systems Developers”
Sent: Sunday, October 06, 2002 9:59 PM
Subject: [ntfsd] Re: NTFS boot record.

> Hello
>
> Sunday, October 06, 2002, 3:09:44 AM, you wrote:
>
> O> NTFS boot record.Offset Size Description
> O> ------ - ---------------
> O> 0x0000 3 Jump to the boot loader routine
> O> 0x0003 8 System Id: "NTFS "
> O> 0x000B 2 Bytes per sector
> O> 0x000D 1 Sectors per cluster
> O> 0x000E 7 Unused
> O> 0x0015 1 Media descriptor (a)
> O> 0x0016 2 Unused
> O> 0x0018 2 Sectors per track
> O> 0x001A 2 Number of heads
> O> 0x001C 8 Unused
> O> 0x0024 4 Always 80 00 80 00
> O> 0x0028 8 Number of sectors in the volume
> O> 0x0030 8 LCN of VCN 0 of the $MFT
> O> 0x0038 8 LCN of VCN 0 of the $MFTMirr
> O> 0x0040 4 Clusters per MFT Record (b)
> O> 0x0044 4 Clusters per Index Record
> O> 0x0048 8 Volume serial number
> O> ~ ~ ~
> O> 0x0200 Windows NT Loader
>
> jmp near loc_0054
> nop
>
> db 'NTFS '
>
> bpb equ $
>
> bytez_per_sec dw 200h ; bytes per sector
> sec_per_cluster db 08h ; sectors per cluster
> sectorz_2_read dw 0 ; reserved sectorz
> read_sector db 0 ; number of FATs - nonsense on NTFS so
its used
> ; as read_sector counter
>
> dw 0
> dw 0
>
> db 0F8h ; media descriptor
> dw 0
>
> secz_per_cyl dw 3fh ; sectorz per cylinder
> number_of_headz dw 0f0h ; number of headz
> hidden_secz dw 3fh ; hidden secz
>
> dw 0
>
> big_tot_sec dd 0 ; big total number of secz
> drive_number dw 80h ; drive number
> dw 80h ; extended boot signature
>
> db 0E0h, 76h, 2Bh, 01h, 00h, 00h, 00h, 00h ; number of
sectorz on the volume
>
> mft_lcn dd 4 ; LCN of $MFT
> dd 0
>
> dd 12B76Eh ; LCN of $MFT_mirror
> dd 0
>
> file_record_size_ dd 0F6h
>
> dd 1 ; index_buffer_size
> dd 14b571c0h ; volume serial number
> dd 0a014b598h
>
> dd 0
>
> loc_0054:
>
> this is what i found while reversing NTFS boot sector and ntldr stub.
> if you want the disassembly drop me an email (contains NTFS read only
> code in asm - that was the purpose i did it) …
>
> –
> Best regards,
> Ratter
>
>
>
> —
> You are currently subscribed to ntfsd as: xxxxx@aalayance.net
> To unsubscribe send a blank email to %%email.unsub%%

7

NTFS boot record. My corrections to NTFS boot sector layout.
Source: NtfsIsBootSectorNtfs disassembly.

The System ID is "NTFS " padded by spaces.

0x000B 2 Bytes per sector

The junior byte of this 16bit word must be zero.

0x000E 7 Unused

Yes, really unused, must be zero.

0x0015 1 Media descriptor (a)

Unused, do not pay any attention to it.

0x0016 2 Unused

2 must-be-zero bytes at 0x16 - 0x17

0x0018 2 Sectors per track

8 unused bytes till 0x20 , must not even be zero.
Then 4 bytes must be zero till 0x24
Then 4 ignored bytes till 0x28
0x0028 8 Number of sectors in the volume
0x0030 8 LCN of VCN 0 of the $MFT
0x0038 8 LCN of VCN 0 of the $MFTMirr
0x0040 4 Clusters per MFT Record (b)
0x0044 4 Clusters per Index Record
0x0048 8 Volume serial number
~ ~ ~
0x0200 Windows NT Loader

Max