

Examining The Windows 98, 98 SE,
Win ME and Win XP Boot Disks
with Symantec's Norton Utilities (NU)
Disk Editor and/or MS-DOS DEBUG

Copyright©2003,2007 by Daniel B. Sedory
[Do NOT reproduce without permission from the author.]

Examples in Learning How Disk
Boot Records, FATs and Directories Function

We'll begin with Floppy Disks, but much
here can be applied to Hard Disks as well.


Introduction
• The Norton Disk Editor and ...
  • MD5 Checksums -- links for obtaining some free MD5 programs (required).
How to make a Windows Startup Disk
Make more than one copy!
• Can DISKEDIT run under Windows 2000/XP or Windows 9x/ME ?
• Running DISKEDIT under DOS
DIRECTORY View of the Windows 98 Startup Disk
   • "Layout" of a 1440 kb diskette (Boot Record, FATs, Directory and Data)
   • Windows 98 SE Startup Disk Directory
   • Windows ME Startup Disk Directory
   • The Windows XP Startup Disk (only an edited version of the Win ME disk!)
MD5 Sums for checking every file on all the Windows Startup Disks!


Introduction

This page makes use of DISKEDIT.EXE (one of the utility programs in the Norton Utilities package) to examine the contents of the Windows 98, 98 SE, ME and XP Startup Disks.
[Note: Although Microsoft's DEBUG.EXE program is quite limited compared to DISKEDIT, there are a number of things you can learn here using only DEBUG.]

The version of DISKEDIT we'll be using is from the Norton System Works 2002 CD by Symantec. (Spammers have been hawking this one at reduced prices for a long time...)
NOTE: Most of the software on this CD is what I consider overbloated and will stuff the Windows REGISTRY full of junk, a practice which always disgusts me! Obviously, I'm not encouraging you to install everything on this CD nor to purchase it just for this page! I have, however, found a few of their programs helpful; though some are also dangerous!
Caution: I do not recommend ever using NDD on a system with many logical drives; especially if you have both a Win NT/2000/XP OS and Windows 98 (perhaps as a dual boot system) which will share any FAT/FAT32 drives. If you do happen to run NDD, never use 'fix' on any drive; unless you SAVE all the changes to an Undo file first!
ALTERNATE METHOD for Obtaining a Rescue Version of DISKEDIT.EXE:
Search Symantec's Public FTP site (ftp://ftp.symantec.com/public/english_us_canada/tools/win95nt/) for files related to NAV, and you just might find a download which contains the DISKEDIT utility! When we looked in 2007, the file ned_2001.exe (NED="Norton Emergency Disks") included DISKEDIT.EXE inside the file Disk2.img (a floppy diskette image file). Either use the executable (ned_2001) to create only diskette 2 (it gives you a choice for each disk), or find an imaging program to extract the files (the .exe and its DOS help, DISKEDIT.HLP).

What you will Learn

These pages are intended to show you how to use a Disk Editor to both view (at first) and make changes to a floppy diskette, or even your hard drives (later on). We are examining The Windows 98 (and the Win ME or Win XP) Startup (boot) Disks and using the Norton Disk Editor, simply because these are readily available (there are other commercial disk editors; such as WinHex, which can be used while running a Win NT/2000/XP OS). At the same time, you will also be learning about the FAT file systems (how their Boot Records, FATs and Directory structures function); also some facts about the OSs which use these file systems and possibly a bit about NTFS and others as well.

The Details of Norton's DISKEDIT.EXE

DISKEDIT.EXE can be found in the \NU directory of this CD along with its "Help file" DISKEDIT.HLP and some other helpful utilities. It is not necessary to go through an install process in order to use DISKEDIT (or UNERASE.EXE; which I'll be commenting on later); as a matter of fact, I'd avoid using the Windows install programs on this CD if you can. The DOS utilities can be run 'as is' from the CD itself in an emergency.

To be as specific as possible, this version of DISKEDIT.EXE has an MD5 checksum* of:
98fa8bf2ac5b64726515369db2e72a1f  DISKEDIT.EXE
and a size of: 677,872 bytes. It may have a date/time of:
08-10-2001 6:00 am associated with it (but I've seen copies of the same CD with other dates and times for the same exact DISKEDIT program; for example, a date/time of 08-09-2001 10:00 pm is also common).

If you extracted DISKEDIT.EXE and DISKEDIT.HLP from the second Norton Emergency Disk, its stats should be:
753b0bd4a940215f3e348151bfd96aee   DISKEDIT.EXE
(size: 677,808 bytes; may be time/dated: 05:00.00 2000-08-27)
0a449fd009ef17fd0435e387817e375b   DISKEDIT.HLP
(size: 96,117 bytes; and possible time/date: 05:00.00 2000-08-27)

However, there are a few other versions of DISKEDIT which could still be used; even with a FAT32 file system and this web page. The ones listed above are the latest versions I could find. Other versions include the very first DISKEDIT (actually an UPGRADE version for FAT32 partitions) that came with the Norton Utilities for Windows 95 (©1996) and a rather slow version (under Win 9x) that came with Norton Utilities 2000 (©1999). For example:
8bd37c30a62348da1b122c3e9c09908b  DISKEDIT.EXE
(662,144 bytes    09-24-1996 10:00 am) or:
1a5c3b2f527fb5b385d708940a1a3a13  DISKEDIT.EXE
(677,280 bytes    08-09-1999 12:00 am)

[To the best of my knowledge, no version of DISKEDIT will run under Win 2000/XP and/or understand NTFS 5.0 (NTFS 4.x was the file system for Win NT4). The only disk editors I know of that run under Win 2000/XP are: WinHex (which I recommend; it has MANY features in a single program!) or Runtime Software's disk explorer for NTFS (a 'spinoff' of their recovery software); you must purchase separate programs for either FAT32 or NTFS from them! If you know of a similar disk editor (not one that is just someone's dream or still in alpha tests), please tell me about it.]

DISKEDIT.EXE can be installed anywhere on your computer (in a FAT32 or FAT16 file system) or even on a floppy diskette (FAT12). If you run Win 2k/XP, place it on a floppy and consider creating a FAT32 partition on your hard disk for such programs. If you run Win9x, you should place a copy in your C:\WINDOWS directory (along with its help file), so you have it available at any DOS/Win9x Command prompt.
____________
* MD5 checksums are essentially a unique way of identifying files or streams of bytes. They are created by use of an open source mathematical algorithm which has been built into many security applications. You can read more about MD5 checksums and find links to some free MD5 programs here: Free MD5 Programs. MD5 programs will be required to complete the exercises.




How to make a Windows Startup (Boot) Disk

Note: Making a Windows ME Startup Disk is very similar to what you'll see below. However, for Windows XP you insert a diskette in the floppy drive and open the FORMAT Dialog (such as right-clicking on the drive letter under Explorer), but before starting the actual format process, you select the checkbox to make a "Startup Disk" instead.

Making a Windows 98, 98 SE (or ME) Startup Disk

This section will explain how to make a Windows 98 Startup Disk from a Win 98 installation (so we can all have the same copy of a diskette to examine and work on; well, almost the same, since the OEM field in your Startup Disk's Boot Record will likely have a different "IHC" string and also have a different serial number depending upon when the diskette was created. There are also a couple other files that will be dated at the time of its creation).

You may already have one!

Since this is also the same disk that Windows asks you to create during the installation process, you may already have one! In that case, the OEM field in its Boot Record will contain the phrase "MSWIN4.1" rather than an "IHC" string.

NOTE: If you do not have a bootable Windows 98 or 98 SE OS on your computer, you should still be able to download a copy of the Windows 98 Startup Disk from the Internet (you could start looking for one at: www.bootdisk.com), or possibly borrow one from a friend to remedy the situation.

The Procedure for Creating a Win 98 Startup Disk

If your hard disk does not contain a folder titled "win98" which contains all of the ".CAB" install files for your OS, then at some point during this process you will be asked to insert the Windows 98 CD in your CD-ROM drive:

1) Click on the "Start" button, select "Settings" and then "Control Panel" (or bring up the Control Panel some other way).

2) Double-click on the "Add/Remove Programs" item.

3) Click on the tab at the top labeled "Startup Disk" and then on the "Create Disk" button like this:

4) At this point, a progress bar will appear in the dialog box which counts up to 20% while displaying: "Preparing startup disk files..." like this:

5) You should then see the following dialog box; follow the directions (although you should label the diskette as suggested, remember that this is what most techs simply refer to as a boot disk), then Click on the "OK" button:

and follow the progress of your Boot Disk's creation in the same box as before while it writes the files to your diskette:

6) Once the progress bar reaches 100% it will disappear and the floppy disk drive activity light should turn off. If you're going to keep the diskette as one of your trusted Boot Disks, then remove it from the drive and set the write-protect tab to read-only and test to make sure that it will boot up your computer; running a check on the MD5 sums for your diskette (see below) will make sure that all the files on your disk are OK. If you use the disk at a later date and something doesn't work, you could check the MD5 sums again (perhaps on another machine) to make sure it hasn't become corrupted. Make two or more boot disks (preferably with even more utility programs than just the Microsoft versions; I'll comment on that later) and store them in clean and safe locations so you'll always have one when necessary.

For the diskette we'll be using here, you can just leave it in the drive as is (since we'll actually be making changes to it later on).

 

NOTE: Do NOT use the only Windows Startup Disk you have here!
[ We'll be altering its contents; and you may need it! ]
Make another copy if you wish to have a known good Startup Disk!

 

Running DiskEdit under Windows 2000

Although I do not recommend doing so, it is actually possible to run the Norton Disk Editor under Windows 2000/XP if and only if you:
1) Force it to do so,
2) Understand that this will only be possible for a diskette in your floppy drive (never for a hard disk!) and
3) Accept the consequences of whatever side-effects may arise from doing so; such as DISKEDIT running at a slower speed than normal.

First, make sure you have placed a floppy diskette in your A: drive (with the write-protect tab set to read-only). After executing DISKEDIT, it may take quite some time before you see anything happen! When you finally see this warning message, click on the "Ignore" button:

After waiting again for some time, you will finally be able to select your floppy drive as a Logical drive from the menu (use the ALT+ENTER keys to switch between a DOS-Window and full-screen). I wouldn't try doing much more than simply viewing the diskette's Boot Record, FATs or Directory under these conditions; trying to write to the disk may cause other problems. This is, however, one way you could study the HELP file without having to boot into real DOS. Each time you execute DISKEDIT under Win 2000, a note will be placed in Win2000's System Event Log stating: "Application popup: 16 bit MS-DOS Subsystem : DISKEDIT.EXE    An application has attempted to directly access the hard disk, which cannot be supported. This may cause the application to function incorrectly. Choose 'Close' to terminate the application."

Running DISKEDIT under Windows 9x or Win ME

If you run Norton's DISKEDIT program under these Windows OSs, you'll see the following warning messages:

The ominous warnings you saw above from the Windows 2000 OS and in DISKEDIT itself are mainly directed at someone trying to use DISKEDIT to edit a hard disk under Windows; you probably could use DISKEDIT to make changes to a floppy diskette under any Windows OS (I've done it), but you must assume any and all risks if you do so!


Real (16-bit) DOS

I do not recommend that you make changes with DISKEDIT under any Windows OS! Therefore, we'll be switching to Real (16-bit) DOS in order to complete any exercise that uses DISKEDIT.

NOTE: Although it's not absolutely necessary, DISKEDIT may be a lot easier to use if you install a DOS mouse driver before executing the program. Try searching for "mouse" on your system; if that fails, look in an older OS or search the Net for one. Place the mouse program on the same floppy disk or in the same folder as DISKEDIT (if it's not in the PATH) and run it prior to using the Disk Editor (note: special mice such as 'trackballs' or 'pads' often come with their own DOS driver; try those first).

If you're running Win 2000 or Win XP, you can boot up your computer with a Windows 98 Startup Disk, place the target diskette in the drive and run DISKEDIT from a FAT32 partition. If you use Win 98, you can select the "Restart in MS-DOS mode" before shutting down or use the same Win 98 Startup Disk to boot into DOS.

After booting into DOS and placing your Win 98 Startup Disk into the A: drive, start DISKEDIT from whatever directory you placed it into (or any other prompt if it's in the PATH) with this command:

Drive:\somefolder>DISKEDIT A:

This starts DISKEDIT with its standard Logical Drive / Root Directory View of whatever media happens to be in the A: drive at the time.



The Directory of The Windows 98 Startup Disk

DISKEDIT will briefly (blink and you'll miss it!) display this dialog box while it quickly checks the Boot Record for any errors and "scans" the file data in its Root Directory:

This procedure could take a few minutes or longer for many hard drives; the amount of time depends upon how many directories there are. Under DOS 7.1 or above, you'll see a small dialog box that declares the drive has been "locked" by the OS after its directories have been scanned:

This means that only DISKEDIT should normally be allowed to change the contents of the A: drive (instead of the OS) until it is "unlocked" by DOS. Here's what the Windows 98 Startup Disk Directory should look like in DISKEDIT (we'll be looking at the Win 98 SE diskette next):

This picture is actually a composite of two different screenshots so you can see all the files on the diskette at once. NOTE: The date and time for the two underlined files, MSDOS.SYS and EBD.SYS, are always the same as when the Disk was copied by the Windows OS to your floppy drive; so this diskette was made at 8:02 pm on March 31, 2003. All of the other files on an original Windows 98 Startup Disk, except for the two files mentioned above and EXTRACT.EXE (which is dated 11-24-98 8:02 am), are dated: 5-11-98  7:01 pm. For some odd reason, the file EXTRACT.EXE (which is part of the .CAB file archiving and extraction system from Microsoft) has the same date/time as all the files on the Win 98 install CD (11-24-98 8:02 am) rather than this diskette.

For the Windows 98 SE OS, all the files on its Startup Disk (except for MSDOS.SYS and EBD.SYS) are dated: 4-23-99  10:22 pm. More info will be provided later about the Win 98 SE and other Startup Disks.

Selecting the "Object" menu in DISKEDIT:

And then choosing the "Sector..." item from the list, results in:

This dialog box gives you a simple map of a 1440 kb diskette's layout after having been formatted with the FAT12 file system: It shows where the Boot Record, both copies of the FAT, the Root Directory and the beginning of the Data Area are located:

The Layout of all 1440 kb Diskettes
Formatted with the FAT12 File System*

Sectors      Contents
---------    --------------
0            Boot Record
1 - 9        FAT 1
10 - 18      FAT 2
19 - 32      Root Directory
33 - 2879    Data Area

*They have: 18 Sectors Per Track, 80 Tracks, 2 Sides, 512 bytes per Sector and use 1 Sector per Cluster.

The "Data Area" isn't just restricted to files, though; you can also create sub-directories in the Data Area with files that appear to be contained inside them (note: Subdirectories are really nothing more than special files which list all of the files they 'contain' and all the relevant data about each file, such as the location of each file's Starting Cluster, date, time and file size).

 

The Windows 98 SE Startup Disk is quite similar to its predecessor. If you select "Tools" and then "Print Object As..." from the DISKEDIT Menu while observing the Win 98 SE Startup Disk's Root Directory, like this (if you are using a Win 98, ME, XP or any other kind of Startup Disk, you should also carry out this procedure so you'll know how to save data from within DISKEDIT):



Then insert a file name such as the one shown below (W98SEDIR.TXT) and click "OK" to save it as a file:



That text file will appear similar to this:

   Windows 98 SE                Disk Editor
                          Symantec Core Component
                           April  1, 2003 2:58pm

                              **************
                              Root Directory
                              **************

Sector 19
Name     .Ext ID       Size      Date     Time   Cluster  76 A R S H D V
-------------------------------------------------------------------------
IO       SYS  File    222390   4-23-99  10:22 PM       2     A R S H - -
AUTOEXEC BAT  File      1103   4-23-99  10:22 PM     437     A - - - - -
CONFIG   SYS  File       629   4-23-99  10:22 PM     440     A - - - - -
SETRAMD  BAT  File      1416   4-23-99  10:22 PM     442     A - - - - -
README   TXT  File     14764   4-23-99  10:22 PM     445     A - - - - -
FINDRAMD EXE  File      6855   4-23-99  10:22 PM     474     A - - - - -
RAMDRIVE SYS  File     12663   4-23-99  10:22 PM     488     A - - - - -
ASPI4DOS SYS  File     14386   4-23-99  10:22 PM     513     A - - - - -
BTCDROM  SYS  File     21971   4-23-99  10:22 PM     542     A - - - - -
ASPICD   SYS  File     29620   4-23-99  10:22 PM     585     A - - - - -
BTDOSM   SYS  File     30955   4-23-99  10:22 PM     643     A - - - - -
ASPI2DOS SYS  File     35330   4-23-99  10:22 PM     704     A - - - - -
ASPI8DOS SYS  File     37564   4-23-99  10:22 PM     774     A - - - - -
ASPI8U2  SYS  File     40792   4-23-99  10:22 PM     848     A - - - - -
FLASHPT  SYS  File     64425   4-23-99  10:22 PM     927     A - - - - -
EXTRACT  EXE  File     93242   4-23-99  10:22 PM    1054     A - - - - -
Sector 20
FDISK    EXE  File     63916   4-23-99  10:22 PM    1238     A - - - - -
DRVSPACE BIN  File     68871   4-23-99  10:22 PM    1363     A - - - - -
COMMAND  COM  File     93890   4-23-99  10:22 PM    1498     A - - - - -
HIMEM    SYS  File     33191   4-23-99  10:22 PM    1682     A - - - - -
OAKCDROM SYS  File     41302   4-23-99  10:22 PM    1747     A - - - - -
EBD      CAB  File    272206   4-23-99  10:22 PM    1828     A - - - - -
MSDOS    SYS  File         9   4-01-03   9:53 am    2360     A R S H - -
EBD      SYS  File         0   4-01-03   9:53 am             A R S H - -

Once again, you'll see that the two files, MSDOS.SYS and EBD.SYS (the only zero-length file) were added at the time the Disk was created; so this diskette was made at 9:53 am on April 1st, 2003.
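The sector map and the Root Directory printout above can both be reproduced from a raw diskette image. The following Python code is an added example (not from the original page and not DISKEDIT's own logic): it computes the layout from the Boot Record's BIOS Parameter Block and decodes each 32-byte directory entry, including erased entries, whose first name byte has been overwritten with 0xE5. The function names and the in-memory sample image are constructed for illustration, and the column spacing only approximates the printout.

```python
import struct

# Attribute bits in the column order of the printouts: A R S H D V
ATTRS = ((0x20, "A"), (0x01, "R"), (0x04, "S"), (0x02, "H"), (0x10, "D"), (0x08, "V"))
ENTRY = "<8s3sB10xHHHI"   # name, ext, attributes, (10 bytes skipped), time, date, cluster, size

def layout(image):
    """Sector map computed from the BIOS Parameter Block in the Boot Record (sector 0)."""
    bps, _spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", image, 11)
    if bps == 0 or nfats == 0 or spf == 0:
        raise ValueError("sector 0 does not hold a FAT12/FAT16 Boot Record")
    root_start = reserved + nfats * spf
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return {"bytes_per_sector": bps, "root_entries": root_entries,
            "fats": [(reserved + i * spf, reserved + (i + 1) * spf - 1)
                     for i in range(nfats)],
            "root": (root_start, root_start + root_sectors - 1),
            "data": (root_start + root_sectors, total - 1)}

def root_directory(image):
    """Decode the 32-byte Root Directory entries, erased ones included."""
    lay = layout(image)
    base = lay["root"][0] * lay["bytes_per_sector"]
    entries = []
    for i in range(lay["root_entries"]):
        raw = image[base + 32 * i:base + 32 * i + 32]
        if len(raw) < 32 or raw[0] == 0x00:   # 0x00 marks the first never-used slot
            break
        name, ext, attr, t, d, cluster, size = struct.unpack(ENTRY, raw)
        if (attr & 0x3F) == 0x0F:             # long-file-name slot, not a file
            continue
        erased = name[0] == 0xE5              # deleting a file overwrites only this byte
        if erased:
            name = b"?" + name[1:]
        entries.append({
            "name": name.decode("ascii", "replace").rstrip(),
            "ext": ext.decode("ascii", "replace").rstrip(),
            "attr": attr, "erased": erased, "size": size, "cluster": cluster,
            "date": (1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F),
            "time": (t >> 11, (t >> 5) & 0x3F),
            "attrs": " ".join(c if attr & bit else "-" for bit, c in ATTRS)})
    return entries

def format_entry(e):
    """One listing line with the columns in the order of the printouts above."""
    (year, month, day), (hour, minute) = e["date"], e["time"]
    kind = ("Erased" if e["erased"] else "Vol" if e["attr"] & 0x08
            else "Dir" if e["attr"] & 0x10 else "File")
    stamp = "%2d-%02d-%02d  %2d:%02d %s" % (
        month, day, year % 100, hour % 12 or 12, minute, "PM" if hour >= 12 else "am")
    return "%-8s %-3s  %-6s %8d  %s  %6d     %s" % (
        e["name"], e["ext"], kind, e["size"], stamp, e["cluster"], e["attrs"])

def make_sample_image():
    """CONSTRUCTED 1440 kb image: BPB values plus three directory entries, no file data."""
    img = bytearray(2880 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 1, 1, 2, 224, 2880, 0xF0, 9)
    def entry(name, ext, attr, ymd, hm, cluster, size):
        d = (ymd[0] - 1980) << 9 | ymd[1] << 5 | ymd[2]
        return struct.pack(ENTRY, name, ext, attr, hm[0] << 11 | hm[1] << 5, d, cluster, size)
    rows = [entry(b"IO      ", b"SYS", 0x27, (1999, 4, 23), (22, 22), 2, 222390),
            entry(b"\xe5LDNOTE ", b"TXT", 0x20, (2000, 6, 8), (17, 0), 300, 1234),
            entry(b"MSDOS   ", b"SYS", 0x27, (2003, 4, 1), (9, 53), 2360, 9)]
    img[19 * 512:19 * 512 + 32 * len(rows)] = b"".join(rows)
    return bytes(img)

if __name__ == "__main__":
    sample = make_sample_image()
    print(layout(sample))
    for e in root_directory(sample):
        print(format_entry(e))
```

To run it against a real diskette image instead of the constructed one, read the image file in binary mode and pass the bytes to `layout()` and `root_directory()`.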

Before examining them, you can imagine it would make sense for the Windows 98 SE Startup Disk's README.TXT file to be different than that of the original Startup Disk; and it is: The first thing they did was to remove some erroneous remarks about an "uninstal.exe" file that was never included on the Win 98 diskette, so references to it shouldn't have been in the final README.TXT file either; yet they were! The other differences are less interesting. However, the IO.SYS, FDISK.EXE and COMMAND.COM files are not the same either. Although the IO.SYS files are both exactly 222,390 bytes, there are many differences in the actual machine code; just as there are in the COMMAND.COM file (which has hundreds of differences). But for sheer numbers, the FDISK.EXE file appears to differ the most! For anyone who wants to do some serious file comparisons between these FDISK files, you really need to unpack them first! Much of these files is packed the way .ZIP files are (with an executable file packer); you can read more about FDISK here: Detailed Notes on Microsoft's FDISK.EXE program.


Although the Windows ME Startup Disk is still similar to that of the Windows 98 and 98 SE diskettes, it is also quite different because it includes some files (such as EBDUNDO.EXE and HIBINV.EXE) that interact with files from the Windows Operating System.

      Windows ME                Disk Editor
                          Symantec Core Component
                           April 25, 2003 4:45pm

                              **************
                              Root Directory
                              **************

Sector 19
Name     .Ext ID      Size      Date     Time   Cluster  76 A R S H D V
------------------------------------------------------------------------
IO       SYS  File   116736   6-08-00   5:00 PM       2     A R S H - -
AUTOEXEC BAT  File     1253   6-08-00   5:00 PM     230     A - - - - -
CONFIG   SYS  File      847   6-08-00   5:00 PM     233     A - - - - -
SETRAMD  BAT  File     1443   6-08-00   5:00 PM     235     A - - - - -
README   TXT  File    12661   6-08-00   5:00 PM     238     A - - - - -
FINDRAMD EXE  File     6855   6-08-00   5:00 PM     263     A - - - - -
FIXIT    BAT  File     1247   6-08-00   5:00 PM     277     A - - - - -
RAMDRIVE SYS  File    12663   6-08-00   5:00 PM     280     A - - - - -
ASPI4DOS SYS  File    14386   6-08-00   5:00 PM     305     A - - - - -
BTCDROM  SYS  File    21971   6-08-00   5:00 PM     334     A - - - - -
ASPICD   SYS  File    29606   6-08-00   5:00 PM     377     A - - - - -
BTDOSM   SYS  File    30955   6-08-00   5:00 PM     435     A - - - - -
ASPI2DOS SYS  File    35330   6-08-00   5:00 PM     496     A - - - - -
ASPI8DOS SYS  File    37564   6-08-00   5:00 PM     566     A - - - - -
ASPI8U2  SYS  File    44828   6-08-00   5:00 PM     640     A - - - - -
FLASHPT  SYS  File    64425   6-08-00   5:00 PM     728     A - - - - -
Sector 20
EXTRACT  EXE  File    53767   6-08-00   5:00 PM     854     A - - - - -
FDISK    EXE  File    66060   6-08-00   5:00 PM     960     A - - - - -
COMMAND  COM  File    93040   6-08-00   5:00 PM    1090     A - - - - -
HIMEM    SYS  File    33191   6-08-00   5:00 PM    1272     A - - - - -
OAKCDROM SYS  File    41302   6-08-00   5:00 PM    1337     A - - - - -
EBDUNDO  EXE  File    29843   6-08-00   5:00 PM    1418     A - - - - -
CHECKSR  BAT  File      922   6-08-00   5:00 PM    1477     A - - - - -
HIBINV   EXE  File     3501   6-08-00   5:00 PM    1479     A - - - - -
EBD      CAB  File   264631   6-08-00   5:00 PM    1486     A - - - - -
MSDOS    SYS  File        9   4-25-03  11:44 am    2003     A R S H - -
EBD      SYS  File        0   4-25-03  11:44 am             A R S H - -

Once again though, the files MSDOS.SYS and EBD.SYS are dated at the time when the diskette is copied by the OS, so we can see that this Windows ME Startup Disk was made on April 25th, 2003 at 11:44 am. (I may add a link to more information about the Windows ME Startup Disk later, but this page is for learning the basics of how to use a disk editor; not the Win ME OS.)

 

"The Windows XP Startup Disk can almost be thought of as a hacked version of the Win ME Startup Disk!" Why? Well for one thing, you can still see all of the deleted Windows ME filenames in its Directory! Microsoft took a Win ME Disk and simply erased most of the files, edited the IO.SYS file then added some new ones to it. It boots up to the same DOS 8.0 Command prompt as Windows ME. You can find all the evidence on my WinXPSD page which includes a forensic analysis of all the MAC Times from its Directory (MAC Times will be explained on the next page of this course; along with a link to the WinXPSD page!)

If you place a copy of the Windows XP Startup Disk in the drive and open the A:\ folder in the NORTON UNERASE.EXE program, you'll be able to recover all the deleted Win ME files that were not overwritten by Microsoft. (If you use Windows XP, this will be one of your exercises.)


 

MD5 Sums for All Startup Disks


This section provides known good MD5 sums for every file that is supposed to be on any of the Windows Startup Disks.

Once you have installed the free hkSFV Windows program, all you need to do is place your Startup Disk in the A: drive and click on the appropriate *.md5 file for your Win OS version! The hkSFV program will immediately begin checking each file to see if the MD5 sums match.

Operating System    See MD5 Checksums     MD5 Download File
----------------    -----------------     ---------------------
Windows 98          WIN98DSK.md5.TXT      W98SDMD5.zip
Windows 98 SE       W98SEDSK.md5.TXT      ( included in above )
Windows ME          WINMEDSK.md5.TXT      WMESDMD5.zip
Windows XP          WINXPDSK.md5.TXT      ( included in above )
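The same manifest check can be scripted, which helps when re-checking a Startup Disk on another machine; the Python code below is an added example, not taken from the original page or from hkSFV. It assumes manifest lines shaped like the DISKEDIT.EXE lines shown earlier (32 hex digits, whitespace, an optional `*`, then the file name), treats lines starting with `;` or `#` as comments, and additionally reports files found on the disk that the manifest does not list; all names and the sample data are constructed.

```python
import hashlib
import os
import re
import tempfile

# "<32 hex digits>  NAME" or "<32 hex digits> *NAME" (assumed manifest line shape)
LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+?)\s*$")

def parse_manifest(text):
    """Return {UPPERCASE_NAME: md5hex}; FAT file names are not case-sensitive."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unrecognised manifest line: %r" % raw)
        sums[m.group(2).upper()] = m.group(1).lower()
    return sums

def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks. MD5 detects corruption; it is not collision-resistant."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_disk(root, manifest_text):
    """Check the files in `root` (for example 'A:\\') against the manifest.
    Returns {NAME: 'OK' | 'MISMATCH' | 'MISSING' | 'EXTRA'}."""
    expected = parse_manifest(manifest_text)
    present = {n.upper(): os.path.join(root, n) for n in os.listdir(root)
               if os.path.isfile(os.path.join(root, n))}
    report = {}
    for name, want in expected.items():
        if name not in present:
            report[name] = "MISSING"
        else:
            report[name] = "OK" if md5_of(present[name]) == want else "MISMATCH"
    for name in present.keys() - expected.keys():
        report[name] = "EXTRA"          # on the disk but not in the known-good list
    return report

def demo():
    """CONSTRUCTED stand-in for a diskette: a temporary folder and a matching manifest."""
    good = {"EBD.SYS": b"", "MSDOS.SYS": b"sample-09", "README.TXT": b"constructed text\r\n"}
    manifest = "; constructed manifest\n" + "".join(
        "%s *%s\n" % (hashlib.md5(data).hexdigest(), name) for name, data in good.items())
    with tempfile.TemporaryDirectory() as disk:
        for name, data in good.items():
            with open(os.path.join(disk, name.lower()), "wb") as f:
                f.write(data)
        with open(os.path.join(disk, "readme.txt"), "ab") as f:
            f.write(b"\x00")                          # simulate one corrupted byte
        os.remove(os.path.join(disk, "msdos.sys"))    # simulate a lost file
        with open(os.path.join(disk, "extra.com"), "wb") as f:
            f.write(b"x")                             # a file the manifest never listed
        return verify_disk(disk, manifest)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-12s %s" % (name, status))
```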

 

Page Two


The Starman.

Last Update: June 1, 2003.
(Added Diskedit download notes, July 8, 2007.)

 
