NTFS MBR Information

NTFSD
1

Hi all,
I am newbie in File system. Recently, i started studying about NTFS and MBR.
Its quite confusing for me.
Can anybody help me with the below queries?

  1. If i do CreateFile() on “\\.\PhysicalDrive0” and then do ReadFile() on first 512 bytes,
    will i get MBR code, provided this is an active partition?
  2. How to I read MBR code to get the each Partition Table’s information?
  3. What informations are useful from each partition table?
  4. How can i read MFT to get all the files name present within the disk?
  5. Can I get the starting and ending of each Partition on disk?
  6. Most imp. I want to know how should i use the bit information of Table like MFT, Partition table, etc. to proceed further in programming?

I know i am asking lot of questions at one time. But i will clear most of my doubts.

2

> 1. If i do CreateFile() on “\\.\PhysicalDrive0” and then do ReadFile() on first 512 bytes,

will i get MBR code, provided this is an active partition?

“\\.\PhysicalDrive0” is not a partition, it is the whole disk.

Yes, such a read will read the MBR.

  1. How to I read MBR code to get the each Partition Table’s information?

Google for “mbr format” or “mbr layout”

  1. What informations are useful from each partition table?

With MBR, each partition has this:
Start…End (both in sectors and in CHS values)
IsBootable flag
Type byte (7 for NTFS).

Also, MBR has a single global 32bit value of “MBR signature”, which is, BTW, a key to assign drive letters to volumes on this disk.

  1. How can i read MFT to get all the files name present within the disk?

I think there was FSCTL_READ_MFT_RECORD of something like.

  1. Can I get the starting and ending of each Partition on disk?

Either read and parse the MBR (and GPT!) yourself, or use IOCTL_DISK_GET_DRIVE_LAYOUT(_EX), which will return you the partition table content converted to some generic abstract form.

etc. to proceed further in programming?

What do you want to program? :slight_smile:


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

3

Thanks Maxim for quick reply.
I checked out about “FSCTL_READ_MFT_RECORD” but didn’t find anything. :frowning:
Anyways will find out something related to it on MSDN. :slight_smile:

Regarding Programming, how can i start with File System Programming?

4

One more question Maxim regarding MBR.

Is MBR code present on each partition of Hard disk?

5

Jagdish, what are you trying to achieve?

hope you understand the risk of fiddling the data in MBR, incorrect updates to MBR can lead os unbootable.

Mohan Tarole
HCL Technologies, Hyderabad, India.

6

Hi Mohan,
I just want to clear my doubts about MBR theoretically.
Just wanted to know, if i create a 3 partitions on my Hard disk, does MBR code gets present in 1st sector of all 3 partitions or only on the partition which is active?

7

Hi,

Read this:

http://wiki.osdev.org/MBR_(x86)

Also “disk editors”, like HxD (free) or the trial of Active Disk Editor are
your friends.

Regards,

Julián

El viernes, 5 de junio de 2015, escribió:

> Hi Mohan,
> I just want to clear my doubts about MBR theoretically.
> Just wanted to know, if i create a 3 partitions on my Hard disk, does MBR
> code gets present in 1st sector of all 3 partitions or only on the
> partition which is active?
>
> —
> NTFSD is sponsored by OSR
>
> OSR is hiring!! Info at http://www.osr.com/careers
>
> For our schedule of debugging and file system seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

8

No. It’s the first part of the disk.

Max wasn’t saying that was the value, just pointing out there was some sort of FSCTL for this.

Here are several to consider:

FSCTL_GET_BOOT_AREA_INFO - used to grab the MBR area

typedef struct _BOOT_AREA_INFO {

ULONG BootSectorCount; // the count of boot sectors present on the file system
struct {
LARGE_INTEGER Offset;
} BootSectors[2]; // variable number of boot sectors.

} BOOT_AREA_INFO, *PBOOT_AREA_INFO;

FSCTL_GET_NTFS_VOLUME_DATA - retrieve NTFS data from the volume (not the MBR)

typedef struct {

LARGE_INTEGER VolumeSerialNumber;
LARGE_INTEGER NumberSectors;
LARGE_INTEGER TotalClusters;
LARGE_INTEGER FreeClusters;
LARGE_INTEGER TotalReserved;
ULONG BytesPerSector;
ULONG BytesPerCluster;
ULONG BytesPerFileRecordSegment;
ULONG ClustersPerFileRecordSegment;
LARGE_INTEGER MftValidDataLength;
LARGE_INTEGER MftStartLcn;
LARGE_INTEGER Mft2StartLcn;
LARGE_INTEGER MftZoneStart;
LARGE_INTEGER MftZoneEnd;

} NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;

And other NTFS specific FSCTLs:

FSCTL_GET_NTFS_FILE_RECORD
FSCTL_GET_VOLUME_BITMAP

Look in ntifs.h - there’s a lot of FSCTL operations, some of which relate to NTFS.

There’s a function HalExamineMBR (ntddk.h)
And storduid.h has information about “storage device identifiers”, including the ability to determine if a given storage device is using MBR or GPT.

Tony
OSR

9

> Is MBR code present on each partition of Hard disk?

MBR boot loader machine code is only in sector 0.

As about MBR data - it is in primary MBR (sector 0) and extended MBRs (somewhere on the disk). The boot loader code in extended MBRs is usually zeroes.

The usual picture in Windows is that the primary MBR only describes 1 partition (“primary partition”) and provides for the location of the 1st extended MBR. Then each extended MBR describes 1 partition (“logical volume”) and the next extended MBR.

But also the UI allows you to create several partitions described by the primary MBR (“primary partitions”). As about having several partitions described by the extended MBR - this is a strange thing and I think Windows UI does not allow you to create such.

Each MBR has 4 entries.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

10

Thanks guys for all the information.
Will study about them and will work on it.