Sponsoring website: Emergency Boot CD



An Examination of the
Windows™ 7 or 8
MBR ( Master Boot Record )

[Also embedded in vdsutil.dll,
winsetup.dll and various other
System files
; see Introduction
]


Web Presentation and Text are Copyright©2011 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !

This page examines the Windows 7 MBR code. (We had this page near completion, but lost it during our last move in May, 2010. Now even the Windows 7 RC versions have expired! This page is still a work in progress, but you'll find interesting facts about the code and a clear layout of each assembly instruction as with all our previous MBR/VBR pages.)

Whenever you install Windows 7 to a hard disk, even one with an existing MBR, its first sector may be overwritten with the Windows 7 MBR code. (Note: If necessary, it will also change the Volume Boot Record of an existing Active Windows boot OS; usually found in the first partition of a PC's first hard disk.) This code is also installed on blank hard drives when using Windows 7's Disk Management utility.

NOTE: On our Windows 7 RC Install DVD, all 512 bytes of this MBR (including the zero-bytes in the partition table) were found in boot\bootsect.exe, sources\upgdriver.dll and sources\winsetup.dll; see below for more files containing this code.

Like all other MBRs presented in this series, this MBR code could still be used to boot any OS on some x86 PCs if it meets the conditions listed here*.


Other Microsoft MBR pages:
  An Examination of the Standard MBR created by MS-DOS FDISK
  The MBR created by Windows 95B/98/98SE and ME's FDISK
  The MBR created by Windows 2000/XP/2003 Installs or Disk Management Utility
  The MBR created by Windows Vista Installs or Disk Management Utility

And Microsoft OS Volume Boot Records:
  An Examination of the Windows 95B/98/98SE/Me OS Boot Record (MSWIN4.1)
  An Examination of the Windows 2000/XP OS Boot Record (NTFS)
  An Examination of the Windows Vista OS Volume Boot Record
  An Examination of the Windows 7 OS Volume Boot Record

Confused? Send me an email if you have a specific question about the MBR or any Boot Records...

 

IMPORTANT: One of the first things that any PC user should do after setting up a new hard disk (or creating a new partition with a utility such as Partition Magic) is to make a copy of its MBR; especially if you have more than one partition on the disk! Why? If you accidentally overwrite this sector, or are infected by a Boot sector virus, you may never be able to access some or even all of your disk again!   Even the most expensive HD utility might not correctly restore the Partition Table of a multi-partitioned hard disk!
Some advice: Save the Partition Table data on floppy disks or write it down on paper(!); it does no good to have the data you need to access your HD on the un-accessible HD itself! There are many ways you can do this... See our MBR Tools Page. Any good Disk Editor will allow you to manually enter data you've written down under an easy to use Partition Table View, or you can use a utility program, such as "MbrFix" (for Win NT/2K, XP, 2003, PE, Vista & 7; even 64-bit versions!) to save the binary data to a file on say a thumb drive, and later on restore the MBR from that saved file.

____________
*

NOTE: Even though we're examining code created by a Microsoft Operating System, this MBR can also be used to start the boot process for any operating system's Boot Record on an x86-CPU based (PC) computer as long as that OS is: 1) on the Primary Master hard drive, 2) set to be the only Active partition and 3) it has a boot loader in the first sector of that partition. Most Linux OS distributions can install LILO or GRUB as a Boot Record rather than in the MBR and following sectors, so even the oldest MBR by Microsoft could still be used to boot Linux; as long as its boot code was at or under the 1024 cylinder limit that is.

Furthermore, the processor must be an 80386 or later in order to use the Win7 MBR code, since it includes the "Operand-Size Prefix" (66h which can only be executed by an 80386 or later CPU. See Code, location 0659). When certain 16-bit assembly instructions, such as PUSHA (PUSH All registers onto the Stack), are prefixed by the byte 0x66, it forces that instruction to act as if it were running in 32-bit mode. So PUSHA effectively becomes a PUSHAD instruction, pushing all the 32-bit registers onto the Stack.

Windows 7 can also boot multiple OSs using its console (Command Prompt) program BCDEDIT (Boot Configuration Data Editor; "Sets properties in boot database to control boot loading") and BOOTMGR files, so for systems with multiple OSs, this would be a far more practical approach than changing the Active partition in the MBR each time you want to boot up a different OS. If you intend to install a Linux OS, it would probably be best to do so after installing Win7, then use the GRUB boot manager as the first boot code to load the others from. By the way, BCDEDIT (like any program that affects system files) must first have the Command Prompt window opened in Administrator mode (right-click on the icon or program name and choose to open it as Administrator). Running BCDEDIT without any switches will display a few facts about BOOTMGR and the Windows Boot Loader (another program first created for Vista); which is the Windows 7 OS Loader: \Windows\system32\winload.exe.

There have been many MBRs or IPLs (Initial Program Loaders) created for booting an OS and even for booting multiple OSs. See Multi-OS Booting on our "Tools and References" Page for some alternative code and Boot Managers.

 

 


Introduction


Figure 3.   Showing the bytes "63 7B 9A"which are part of the Win7 MBR's code.

 

Disk Editor View of the Windows 7 MBR

 Absolute Sector 0 (Cylinder 0, Head 0, Sector 1)

        0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 0000  33 C0 8E D0 BC 00 7C 8E C0 8E D8 BE 00 7C BF 00  3.....|......|..
 0010  06 B9 00 02 FC F3 A4 50 68 1C 06 CB FB B9 04 00  .......Ph.......
 0020  BD BE 07 80 7E 00 00 7C 0B 0F 85 0E 01 83 C5 10  ....~..|........
 0030  E2 F1 CD 18 88 56 00 55 C6 46 11 05 C6 46 10 00  .....V.U.F...F..
 0040  B4 41 BB AA 55 CD 13 5D 72 0F 81 FB 55 AA 75 09  .A..U..]r...U.u.
 0050  F7 C1 01 00 74 03 FE 46 10 66 60 80 7E 10 00 74  ....t..F.f`.~..t
 0060  26 66 68 00 00 00 00 66 FF 76 08 68 00 00 68 00  &fh....f.v.h..h.
 0070  7C 68 01 00 68 10 00 B4 42 8A 56 00 8B F4 CD 13  |h..h...B.V.....
 0080  9F 83 C4 10 9E EB 14 B8 01 02 BB 00 7C 8A 56 00  ............|.V.
 0090  8A 76 01 8A 4E 02 8A 6E 03 CD 13 66 61 73 1C FE  .v..N..n...fas..
 00A0  4E 11 75 0C 80 7E 00 80 0F 84 8A 00 B2 80 EB 84  N.u..~..........
 00B0  55 32 E4 8A 56 00 CD 13 5D EB 9E 81 3E FE 7D 55  U2..V...]...>.}U
 00C0  AA 75 6E FF 76 00[E8 8D 00 75 17 FA B0 D1 E6 64  .un.v....u.....d
 00D0  E8 83 00 B0 DF E6 60 E8 7C 00 B0 FF E6 64 E8 75  ......`.|....d.u
 00E0  00 FB B8 00 BB CD 1A 66 23 C0 75 3B 66 81 FB 54  .......f#.u;f..T
 00F0  43 50 41 75 32 81 F9 02 01 72 2C 66 68 07 BB 00  CPAu2....r,fh...
 0100  00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66  .fh....fh....fSf
 0110  53 66 55 66 68 00 00 00 00 66 68 00 7C 00 00 66  SfUfh....fh.|..f
 0120  61 68 00 00 07 CD 1A]5A 32 F6 EA 00 7C 00 00 CD  ah.....Z2...|...
 0130  18 A0 B7 07 EB 08 A0 B6 07 EB 03 A0 B5 07 32 E4  ..............2.
 0140  05 00 07 8B F0 AC 3C 00 74 09 BB 07 00 B4 0E CD  ......<.t.......
 0150  10 EB F2 F4 EB FD[2B C9 E4 64 EB 00 24 02 E0 F8  ......+..d..$...
 0160  24 02 C3]49 6E 76 61 6C 69 64 20 70 61 72 74 69  $..Invalid parti
 0170  74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72  tion table.Error
 0180  20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69   loading operati
 0190  6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E  ng system.Missin
 01A0  67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74  g operating syst
 01B0  65 6D 00 00 00 63 7B 9A D4 34 A0 2E 00 00 80 20  em...c{..4..... 
 01C0  21 00 07 DF 13 0C 00 08 00 00 00 20 03 00 00 DF  !.......... ....
 01D0  14 0C 07 FE FF FF 00 28 03 00 hh hh hh hh 00 00  ................
 01E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U. 
        0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
Figure 4.


An Examination of the Assembly Code


Location of Error Messages and
Message Offsets in Memory

                3  4  5  6  7  8  9  A  B  C  D  E  F
0763           49 6E 76 61 6C 69 64 20 70 61 72 74 69     Invalid parti
0770  74 69 6F 6E 20 74 61 62 6C 65 00 45 72 72 6F 72  tion Table.Error
0780  20 6C 6F 61 64 69 6E 67 20 6F 70 65 72 61 74 69   loading operati
0790  6E 67 20 73 79 73 74 65 6D 00 4D 69 73 73 69 6E  ng system.Missin
07A0  67 20 6F 70 65 72 61 74 69 6E 67 20 73 79 73 74  g operating syst
07B0  65 6D 00 00 00 63 7B 9A                          em...c{.
       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

Location of Sample Disk Signature
and Partition Table in Memory

                               8  9  A  B  C  D  E  F
07B8                          D4 34 A0 2E 00 00 80 20          .4..... 
07C0  21 00 07 DF 13 0C 00 08 00 00 00 20 03 00 00 DF  !.......... ....
07D0  14 0C 07 FE FF FF 00 28 03 00 hh hh hh hh 00 00  ................
07E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
07F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.
       0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

This is how it would be seen in a disk editor that can interpret Partition Table data:

  Partition    Active  Starting Loc   Ending Loc    Relative   Number of
    Type        Boot   Cyl Head Sec  Cyl  Head Sec   sectors     sectors
-------------  ------  ------------  -------------  --------   ---------
     NTFS       Yes      0   32  33    12  223  19      2048      204800
     NTFS        No     12  223  20  1023  254  63    206848   nnnnnnnnn

[Note: Cylinders and heads start counting at ZERO; sectors at 1. So, a CHS of
 0,32,33 gives us 32 'full' heads of 63 sectors each, or 32 x 63 = 2016; the
 33rd head including only up to sector 33, for a total of: 2016 + 33 = 2049, or
 Absolute Sector 2048 as the sector where Win7 partitions begin on the disk;
 with 2048 sectors preceding.

 12,223,20 gives us 12 'full' cylinders of 255 x 63 = 16065 sectors each, or
 12 x 16065 = 192780 sectors. The 13th cylinder being only 223 'full' heads or
 14049; the 224th head including only up to sector 20, for a total of:
 192780 + 14049 + 20 = 206849, or Absolute Sector 206848 as the sector where
 this disk's second primary partition begins.]

Three views of PT Calc showing: 1) The CHS values for a Vista or Windows 7 OS install's first partition (at Absolute Sector 2048) for either a typical desktop or notebook disk, and 2) How disks which are assigned a different number of Heads in their BIOS (255 and 240 are shown) can have different CHS values for exactly the same sector (206848).

Note:
The sector must have a 'signature' of 0xAA55. It's located at the very end of the partition table (remember that low-bytes appear first and high-bytes last). The BIOS checks for the signature and if it's not there, you'll see an error message such as "Operating System not found." (The message being dependent upon the BIOS code; most PhoenixBIOS, including those modified for VMWare, display this one. But under BOCHS, you would see: "Boot failed: not a bootable disk" and on a PC using Award BIOS 6.00PG, it actually displays: DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS ENTER.)


 

First Published: March 12, 2011 (12.03.11).
Updated: March 22, 2011 (22.03.2011); May 8, 2011 (08.05.2011); May 14, 2011 (14.05.2011); March 28, 2012 (28.03.2012); April 18, 2012 (18.04.2012); May 12, 2013 (12.05.2013); June 29, 2013 (29.06.2013).
Last Update: July 11, 2013. (11.07.2013)


You can write to me using this: online reply form. (It opens in a new window.)

The Starman's FREE TOOLS Page

MBR and Boot Records Index

The Starman's Realm Index Page