A Disk Editor View of
the NTFS Boot Sector
and "Bootstrap Code"
for Windows™ 2000 and XP


Web Presentation and Text are Copyright © 2004 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !

 

Like all previous MS Boot Records (all the way back to MS-DOS 2.00), the first three bytes have often been called the Jump Instruction. But only the first two bytes (EB 52 in this case) have ever been used to form the actual JMP (Jump) instruction* to the rest of the executable x86 (PC) Assembly code; the third byte (90h) is just a NOP instruction ('No Op' or do nothing). The next 8 bytes are the "OEM ID" or System Name ("NTFS" and four blank spaces); followed by the BPB (BIOS Parameter Block).

Although this NTFS BPB does have many fields in common with the FAT16 and FAT32 Boot Records, such as Bytes per Sector, Sectors per Cluster, etc., and even the old Media Descriptor byte (F8), it does not contain either the "System ID" or "Volume Label" fields, nor any system file names. You will, however, find a number of system files such as NTOSKRNL.EXE and BOOT.INI mentioned in the code which follows the initial Boot Sector; we'll have more to say about that below.

Furthermore, the old 4-byte "Volume Serial Number" has been replaced with a new eight-byte NTFS Volume Serial Number (for more details on the NTFS BPB, see the NTFS Boot Record page).


 Absolute Sector 63 (Cylinder 0, Head 1, Sector 1)

                                          NTFS BPB          "OEM ID"
                                              |                 |
         0  1  2  3  4  5  6  7  8  9  A  B  C| D  E  F         |
 0000:  EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00  .R.NTFS    .....
 0010:  00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00  ........?...?...
 0020:  00 00 00 00 80 00 80 00 AE 39 D7 00 00 00 00 00  .........9......
 0030:  04 00 00 00 00 00 00 00 8D EF 00 00 00 00 00 00  ................
 0040:  F6 00 00 00 01 00 00 00 FC 5D E1 A4 99 E1 A4 B4  .........]......
 0050:  00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB B8 C0 07  .....3.....|....
 0060:  8E D8 E8 16 00 B8 00 0D 8E C0 33 DB C6 06 0E 00  ..........3.....
 0070:  10 E8 53 00 68 00 0D 68 6A 02 CB 8A 16 24 00 B4  ..S.h..hj....$..
 0080:  08 CD 13 73 05 B9 FF FF 8A F1 66 0F B6 C6 40 66  ...s......f...@f
 0090:  0F B6 D1 80 E2 3F F7 E2 86 CD C0 ED 06 41 66 0F  .....?.......Af.
 00A0:  B7 C9 66 F7 E1 66 A3 20 00 C3 B4 41 BB AA 55 8A  ..f..f. ...A..U.
 00B0:  16 24 00 CD 13 72 0F 81 FB 55 AA 75 09 F6 C1 01  .$...r...U.u....
 00C0:  74 04 FE 06 14 00 C3 66 60 1E 06 66 A1 10 00 66  t......f`..f...f
 00D0:  03 06 1C 00 66 3B 06 20 00 0F 82 3A 00 1E 66 6A  ....f;. ...:..fj
 00E0:  00 66 50 06 53 66 68 10 00 01 00 80 3E 14 00 00  .fP.Sfh.....>...
 00F0:  0F 85 0C 00 E8 B3 FF 80 3E 14 00 00 0F 84 61 00  ........>.....a.
 0100:  B4 42 8A 16 24 00 16 1F 8B F4 CD 13 66 58 5B 07  .B..$.......fX[.
 0110:  66 58 66 58 1F EB 2D 66 33 D2 66 0F B7 0E 18 00  fXfX..-f3.f.....
 0120:  66 F7 F1 FE C2 8A CA 66 8B D0 66 C1 EA 10 F7 36  f......f..f....6
 0130:  1A 00 86 D6 8A 16 24 00 8A E8 C0 E4 06 0A CC B8  ......$.........
 0140:  01 02 CD 13 0F 82 19 00 8C C0 05 20 00 8E C0 66  ........... ...f
 0150:  FF 06 10 00 FF 0E 0E 00 0F 85 6F FF 07 1F 66 61  ..........o...fa
 0160:  C3 A0 F8 01 E8 09 00 A0 FB 01 E8 03 00 FB EB FE  ................
 0170:  B4 01 8B F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10  .....<.t........
 0180:  EB F2 C3 0D 0A 41 20 64 69 73 6B 20 72 65 61 64  .....A disk read
 0190:  20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00   error occurred.
 01A0:  0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69  ..NTLDR is missi
 01B0:  6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F  ng...NTLDR is co
 01C0:  6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73  mpressed...Press
 01D0:  20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F   Ctrl+Alt+Del to
 01E0:  20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00   restart........
 01F0:  00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA  ..............U.
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

The last 125 bytes of the Boot Record's first sector contain the Error Messages, the Message Offset bytes and the Word-sized signature ID (or Magic number) of AA55h. Remember that hex Words (numerical data requiring more than a single byte) for Intel x86 CPUs are always stored in memory with the Lowest-byte first and the Highest-byte last (little-endian order) to make CPU processing quicker! That is why the signature appears in the dump as 55 AA.

Each Error Message begins with the hex bytes 0Dh and 0Ah, which are a Carriage Return and Line Feed, and ends with a 00h byte, making these what's commonly known in various programming languages as zero-terminated strings or 'sz' strings (the string plus a zero byte).
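As an added example (it is not part of this page, nor Microsoft's code), the following Python script reads the BPB fields discussed above out of sector 63 and walks the Message Offset bytes to the sz strings; it also resolves the opening JMP in both the short (EB) and direct (E9) forms described in the note on the JUMP instruction at the end of this page. The BPB bytes and the last 125 bytes are copied from the dump above; the bootstrap code between them is zero-filled because the parser never reads it. Field offsets follow the standard NTFS boot sector layout (total sectors at 28h, $MFT and $MFTMirr cluster numbers at 30h and 38h, the signed "clusters per file record" byte at 40h, the signed "clusters per index block" byte at 44h).

```python
"""Parse the NTFS boot sector (absolute sector 63) and its error-message table."""
import struct

# Bytes 000h-053h (JMP, OEM ID, NTFS BPB) copied from the dump of sector 63.
_HEAD = bytes.fromhex(
    "EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00"
    "00 00 00 00 00 F8 00 00 3F 00 FF 00 3F 00 00 00"
    "00 00 00 00 80 00 80 00 AE 39 D7 00 00 00 00 00"
    "04 00 00 00 00 00 00 00 8D EF 00 00 00 00 00 00"
    "F6 00 00 00 01 00 00 00 FC 5D E1 A4 99 E1 A4 B4"
    "00 00 00 00"
)
# Bytes 183h-1FFh (messages, offset table, 55 AA) copied from the same dump.
_TAIL = bytes.fromhex(
    "0D 0A 41 20 64 69 73 6B 20 72 65 61 64"
    "20 65 72 72 6F 72 20 6F 63 63 75 72 72 65 64 00"
    "0D 0A 4E 54 4C 44 52 20 69 73 20 6D 69 73 73 69"
    "6E 67 00 0D 0A 4E 54 4C 44 52 20 69 73 20 63 6F"
    "6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 73"
    "20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 6F"
    "20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 83 A0 B3 C9 00 00 55 AA"
)
# Constructed sample: the bootstrap code between head and tail is zero-filled
# here because nothing below reads it (the real code is in the dump on the page).
SAMPLE_SECTOR = _HEAD + bytes(0x183 - len(_HEAD)) + _TAIL


def jump_target(sector: bytes) -> int:
    """Resolve the JMP at offset 0 in either the short (EB) or direct (E9) form."""
    opcode = sector[0]
    if opcode == 0xEB:                               # 2-byte short JMP, rel8
        return 2 + struct.unpack_from("<b", sector, 1)[0]
    if opcode == 0xE9:                               # 3-byte direct JMP, rel16
        return 3 + struct.unpack_from("<h", sector, 1)[0]
    raise ValueError(f"byte 0 is {opcode:#04x}, not a JMP opcode")


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Validate the sector and return the BPB values a forensic tool needs."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    # AA55h sits in the last two bytes, stored low byte first (55 AA).
    (signature,) = struct.unpack_from("<H", sector, 0x1FE)
    if signature != 0xAA55:
        raise ValueError(f"bad boot signature {signature:#06x}")
    oem_id = sector[3:11]
    if oem_id != b"NTFS    ":
        raise ValueError(f"OEM ID {oem_id!r} is not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster, _reserved = struct.unpack_from(
        "<HBH", sector, 0x0B)
    media = sector[0x15]
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]   # signed
    clusters_per_index = struct.unpack_from("<b", sector, 0x44)[0]    # signed
    (serial,) = struct.unpack_from("<Q", sector, 0x48)
    cluster_bytes = bytes_per_sector * sectors_per_cluster

    def size_from_clusters(n: int) -> int:
        # A negative value means 2**(-n) bytes, independent of the cluster size.
        return cluster_bytes * n if n >= 0 else 1 << -n

    return {
        "jump_target": jump_target(sector),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_bytes": cluster_bytes,
        "media_descriptor": media,
        "total_sectors": total_sectors,
        "mft_byte_offset": mft_lcn * cluster_bytes,
        "mftmirr_lcn": mftmirr_lcn,
        "file_record_bytes": size_from_clusters(clusters_per_record),
        "index_block_bytes": size_from_clusters(clusters_per_index),
        "volume_serial": f"{serial:016X}",
    }


def error_messages(sector: bytes) -> list:
    """Walk the four Message Offset bytes at 1F8h to the sz strings they name.

    Each table byte is the low byte of a message offset; the print routine at
    170h in the dump supplies the high byte 01h (mov ah,1 / mov si,ax).
    """
    messages = []
    for low in sector[0x1F8:0x1FC]:
        start = 0x100 | low
        end = sector.index(b"\x00", start)            # zero terminator
        messages.append(sector[start:end].decode("ascii").strip("\r\n"))
    return messages


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(SAMPLE_SECTOR).items():
        print(f"{key:>20}: {value}")
    print(error_messages(SAMPLE_SECTOR))
```

Feeding the script a real boot sector (for instance 512 bytes read from a disk image at the offset of the partition's first sector) gives the same dictionary; the signature and OEM ID checks are what stop it from silently decoding a FAT or a wiped sector as if it were NTFS.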

The six physical sectors directly following the NTFS Boot Sector contain the code which interfaces with the NTLDR file in order to boot up an OS partition under Windows™ NT or 2000. This code is still necessary when booting up a Windows™ XP or 2003 OS (even though the NTLDR file does not appear to exist anywhere in these OS partitions).

The first sector of this “Bootstrap Code” (which I've also called the NTLDR Section elsewhere) looks like this:


Absolute Sector 64 (Cylinder 0, Head 1, Sector 2)

          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 0000:  05 00 4E 00 54 00 4C 00 44 00 52 00 04 00 24 00  ..N.T.L.D.R...$.
 0010:  49 00 33 00 30 00 00 E0 00 00 00 30 00 00 00 00  I.3.0......0....
 0020:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0030:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0050:  00 00 00 00 00 00 EB 12 90 90 00 00 00 00 00 00  ................
 0060:  00 00 00 00 00 00 00 00 00 00 8C C8 8E D8 C1 E0  ................
 0070:  04 FA 8B E0 FB E8 03 FE 66 0F B7 06 0B 00 66 0F  ........f.....f.
 0080:  B6 1E 0D 00 66 F7 E3 66 A3 4E 02 66 8B 0E 40 00  ....f..f.N.f..@.
 0090:  80 F9 00 0F 8F 0E 00 F6 D9 66 B8 01 00 00 00 66  .........f.....f
 00A0:  D3 E0 EB 08 90 66 A1 4E 02 66 F7 E1 66 A3 52 02  .....f.N.f..f.R.
 00B0:  66 0F B7 1E 0B 00 66 33 D2 66 F7 F3 66 A3 56 02  f.....f3.f..f.V.
 00C0:  E8 0D 04 66 8B 0E 4A 02 66 89 0E 22 02 66 03 0E  ...f..J.f..".f..
 00D0:  52 02 66 89 0E 26 02 66 03 0E 52 02 66 89 0E 2A  R.f..&.f..R.f..*
 00E0:  02 66 03 0E 52 02 66 89 0E 3A 02 66 03 0E 52 02  .f..R.f..:.f..R.
 00F0:  66 89 0E 42 02 66 B8 90 00 00 00 66 8B 0E 22 02  f..B.f.....f..".
 0100:  E8 EC 08 66 0B C0 0F 84 57 FE 66 A3 2E 02 66 B8  ...f....W.f...f.
 0110:  A0 00 00 00 66 8B 0E 26 02 E8 D3 08 66 A3 32 02  ....f..&....f.2.
 0120:  66 B8 B0 00 00 00 66 8B 0E 2A 02 E8 C1 08 66 A3  f.....f..*....f.
 0130:  36 02 66 A1 2E 02 66 0B C0 0F 84 24 FE 67 80 78  6.f...f....$.g.x
 0140:  08 00 0F 85 1B FE 67 66 8D 50 10 67 03 42 04 67  ......gf.P.g.B.g
 0150:  66 0F B6 48 0C 66 89 0E 62 02 67 66 8B 48 08 66  f..H.f..b.gf.H.f
 0160:  89 0E 5E 02 66 A1 5E 02 66 0F B7 0E 0B 00 66 33  ..^.f.^.f.....f3
 0170:  D2 66 F7 F1 66 A3 66 02 66 A1 42 02 66 03 06 5E  .f..f.f.f.B.f..^
 0180:  02 66 A3 46 02 66 83 3E 32 02 00 0F 84 19 00 66  .f.F.f.>2......f
 0190:  83 3E 36 02 00 0F 84 C8 FD 66 8B 1E 36 02 1E 07  .>6......f..6...
 01A0:  66 8B 3E 46 02 E8 92 01 66 0F B7 0E 00 02 66 B8  f.>F....f.....f.
 01B0:  02 02 00 00 E8 96 07 66 0B C0 0F 84 0A 09 67 66  .......f......gf
 01C0:  8B 00 1E 07 66 8B 3E 3A 02 E8 CE 05 66 A1 3A 02  ....f.>:....f.:.
 01D0:  66 BB 80 00 00 00 66 B9 00 00 00 00 66 BA 00 00  f.....f.....f...
 01E0:  00 00 E8 AC 00 66 0B C0 0F 85 3E 00 66 B9 80 00  .....f....>.f...
 01F0:  00 00 66 A1 3A 02 E8 59 08 66 0B C0 0F 84 C8 08  ..f.:..Y.f......
          0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

Although the exact purpose of each byte in the area with a RED background has not yet been determined, it's essentially used by the Bootstrap Code to store intermediate calculations and data about the partition.

The first time we examined this code, we thought there was a jump into this sector at offset 56h -- since there's a JMP instruction there (EB 12; followed by 90 90) which would carry any program execution to offset 6Ah (which begins with a "mov ax,cs" instruction; the bytes "8C C8"). However, upon examining the code (see the page NTLDR Section Disassembled for more information), we found that program execution jumps directly into this sector at offset 6Ah (from the NTFS Boot Record). So, it's still a mystery as to why the four bytes (at offset 56h) were ever placed there!
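Added example (not code from this page): a small Python parser that turns disk-editor rows like the ones above back into sector bytes, checking the ASCII column against the hex column as it goes, then resolves the short JMP at offset 56h and decodes the two Unicode names at the start of the sector. Only the four rows it needs are copied from the dump of sector 64; the all-zero rows are left out because the buffer starts zero-filled. Treating the words 0005h and 0004h in front of N.T.L.D.R and $.I.3.0 as character counts is this example's reading of the bytes, not something the page states.

```python
"""Rebuild sector bytes from disk-editor dump rows and inspect sector 64."""
import re

# Rows copied from the dump of absolute sector 64; rows 0020h-0040h are all
# zeros on the page and are omitted (the buffer below starts zero-filled).
SECTOR_64_ROWS = """
 0000:  05 00 4E 00 54 00 4C 00 44 00 52 00 04 00 24 00  ..N.T.L.D.R...$.
 0010:  49 00 33 00 30 00 00 E0 00 00 00 30 00 00 00 00  I.3.0......0....
 0050:  00 00 00 00 00 00 EB 12 90 90 00 00 00 00 00 00  ................
 0060:  00 00 00 00 00 00 00 00 00 00 8C C8 8E D8 C1 E0  ................
"""

# offset (4 hex digits, optional colon), 16 hex bytes, optional ASCII column
_ROW = re.compile(
    r"^\s*([0-9A-Fa-f]{4}):?((?:\s+[0-9A-Fa-f]{2}){16})(?:\s{2}(.{1,16}))?\s*$"
)


def rows_to_bytes(text: str, size: int = 512) -> bytearray:
    """Parse 'offset  16 hex bytes  ascii' rows into a zero-filled buffer.

    When an ASCII column is present it is checked against the hex column, which
    catches a mistyped byte in a hand-transcribed dump: a printable byte
    (20h-7Eh) must appear literally; a '.' is accepted for any byte.
    """
    buf = bytearray(size)
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised dump row: {line!r}")
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2))
        ascii_col = m.group(3)
        if ascii_col is not None:
            for b, ch in zip(data, ascii_col):
                expect = chr(b) if 0x20 <= b <= 0x7E else "."
                if ch != expect and ch != ".":
                    raise ValueError(f"row {offset:04X}: byte {b:02X} shown as {ch!r}")
        if offset + len(data) > size:
            raise ValueError(f"row {offset:04X} runs past the end of the sector")
        buf[offset:offset + len(data)] = data
    return buf


def short_jump_target(buf: bytes, at: int) -> int:
    """Resolve a two-byte short JMP (EB rel8) located at offset 'at'."""
    if buf[at] != 0xEB:
        raise ValueError(f"no short JMP at {at:04X}")
    rel = buf[at + 1] - 0x100 if buf[at + 1] & 0x80 else buf[at + 1]
    return at + 2 + rel


def counted_utf16_names(buf: bytes, at: int, count: int) -> list:
    """Read 'count' names stored as a 16-bit character count plus UTF-16LE text.

    Assumption of this example: the words 0005h and 0004h before N.T.L.D.R and
    $.I.3.0 in the dump are character counts.
    """
    names = []
    pos = at
    for _ in range(count):
        n = int.from_bytes(buf[pos:pos + 2], "little")
        pos += 2
        names.append(buf[pos:pos + 2 * n].decode("utf-16-le"))
        pos += 2 * n
    return names


if __name__ == "__main__":
    sector = rows_to_bytes(SECTOR_64_ROWS)
    target = short_jump_target(sector, 0x56)
    print(f"JMP at 56h lands at {target:04X}h, bytes there: "
          f"{sector[target:target + 2].hex(' ').upper()}")
    print(counted_utf16_names(sector, 0, 2))
```

Pasting the complete 32-row dump into SECTOR_64_ROWS gives the full sector, and the same parser works for the sector 63 dump; the ASCII check is worth keeping when a dump has been retyped from a printout, since a single wrong hex digit otherwise goes unnoticed.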




* Note on JUMP Instruction: Although Microsoft has always used two-byte SHORT jumps (which begin with the byte EB) in their Boot Records, one could just as easily use a jump of the DIRECT form which begins with the byte E9 and requires three bytes. For example, the EB 52 90 (two-byte SHORT jump plus the 'Do Nothing' byte) in this Boot Record could just as easily have been replaced by the three bytes: E9 51 00 (all three of which are part of the Direct JMP instruction vs. the two-byte Short JMP instruction).


Last Update: December 20, 2004 (20.12.04).
