The Starman's FREE TOOLS Page
MBR
and Boot Records Index The Starman's Realm Index Page
Where's
the Code?
|
This page simply shows you exactly where you can find copies of the Microsoft® Windows™ 2000 and XP MBR (Master Boot Record) and Boot Sector(s) code inside of System files that are stored on the HDDs for these Operating Systems. On our Windows™ 2000/XP MBR page, we listed only one source for the MBR code; here you'll find all of the copies; including those for the Windows™ 2000/XP Boot Record too! As a matter of fact, some of these files include code for File Systems other than NTFS; such as FAT32 and FAT12 (for Floppy diskettes). |
This work is the result of an extensive search for the code contained in both the MBR (Master Boot Record) and Boot Sectors for the Windows™ 2000 and XP Operating Systems in the System folders of each OS. Here we present both the list of files, and our comments on what we found inside them. (It's still possible that you may be able to find the code inside of other files we did not have access to.)
A listing of the files in which we found the Master Boot Record code for both Windows™ 2000 and XP:
|
File
Name
|
Location
|
Description
|
OS
|
|
C:\WINNT\system32\
|
Logical
Disk Manager
|
Win2000
|
|
|
C:\WINDOWS\system32\
|
Logical
Disk Manager
|
Win
XP
|
|
|
C:\WINNT\system32\
|
Mini
Command Console
|
Win2000
|
|
|
C:\WINDOWS\system32\
|
Mini
Command Console
|
Win
XP
|
|
|
SP3
Download; might be
on a newer install CD too |
Windows
NT (2000) Setup
|
Win2000
|
|
|
C:\WINDOWS\system32\
|
Diskpart
Application
|
Win
XP
|
It should be noted
that there are no differences whatsoever in the MBR code
found in any of the files listed above; no matter which version
we checked! (If you believe that you've found a difference, first check the
file details below and if you have a different file name/size/date/offset,
then please write to us for confirmation
and inclusion in this listing.)
|
File
Name
|
Location
|
Description
|
OS
|
|
C:\WINNT\system32\
|
Auto
Check Utility
|
Win2000
|
|
|
C:\WINDOWS\system32\
|
Auto
Check Utility
|
Win
XP
|
|
|
C:\WINDOWS\system32\
|
Auto
Check Utility
|
Win
XP
(SP2) |
|
|
autoconv.exe
|
C:\WINNT\system32\
|
Auto
File System Conversion Utility
|
Win2000
|
|
autoconv.exe
|
C:\WINDOWS\system32\
|
Auto
File System Conversion Utility
|
Win
XP
|
|
autoconv.exe
|
C:\WINDOWS\system32\
|
Auto
File System Conversion Utility
|
Win
XP
(SP2) |
|
autofmt.exe
|
C:\WINNT\system32\
|
Auto
File System Conversion Utility
|
Win2000
|
|
autofmt.exe
|
C:\WINDOWS\system32\
|
Auto
File System Conversion Utility
|
Win
XP
|
|
autofmt.exe
|
C:\WINDOWS\system32\
|
Auto
File System Conversion Utility
|
Win
XP
(SP2) |
|
setupdd.sys
|
SP3
Download; might be
on a newer install CD too |
Windows
NT (2000) Setup
|
Win2000
|
|
spcmdcon.sys
|
C:\WINNT\system32\
|
Mini
Command Console
|
Win2000
|
|
spcmdcon.sys
|
On
Win XP install CD
|
Mini
Command Console
|
Win
XP
|
|
spcmdcon.sys
|
On
Win XP install CD
|
Mini
Command Console
|
Win
XP
(SP2) |
|
UNTFS.DLL
|
C:\WINNT\system32\
|
NTFS
Utility DLL
|
Win2000
|
|
UNTFS.DLL
|
C:\WINDOWS\system32\
|
NTFS
Utility DLL
|
Win
XP
|
|
C:\WINDOWS\system32\
|
NTFS
Utility DLL
|
Win
XP
(SP2) |
Unlike the code for the MBR sector, we found major differences between what we'll refer to as the normal and "unknown" code within many of the files listed here. We're still not sure what the purpose is for these second sets of code within these files!
untfs.dll
From a
Windows™ XP Professional, Service Pack 2, Installation:
File Properties for untfs.dll
in this version of Windows™ XP are:
Wednesday, August 04, 2004, 4:00:00 AM 316,416
bytes
“File
Version: 5.1.2600.2180”
“Description: NTFS Utility
DLL”
“Copyright: © Microsoft Corporation. All rights reserved.”
There are no FAT file system records in this file; only the NTFS Boot
Record. All 16 sectors of the normal boot record code can be found
at offsets 46e10h through 48e0fh
in this file. The "unknown" (or abnormal) code immediately follows
at offsets 48e10h through 4ae0fh.
dmadmin.exe
For both
our original and SP3 versions of Windows™ 2000:
Tuesday, December
07, 1999, 5:00:00 AM 147,728 bytes
Monday, July 22, 2002, 12:05:04 PM 147,728
bytes
The SP3 version details
are:
“File
Version: 2195.4877.297.3”
“Description: Logical Disk Manager service process”
“Copyright: Copyright © VERITAS Software 1997”
The MBR code is found between offsets 22a00h
and 22bffh.
For the dmadmin.exe
in our version of Windows™ XP:
Thursday, August 23, 2001, 5:00:00 AM 204,800
bytes
“File
Version: 2600.0.503.0”
“Description: Logical Disk
Manager service process”
“Copyright: Copyright
© 1985-2000 Microsoft Corporation. All rights reserved. Portions Copyright
© 1997-2000 Veritas Software. All rights reserved.”
The MBR code is found between offsets 2fff8h
and 301f7h.
spcmdcon.sys
For both our original and SP3 versions of Windows™
2000:
Tuesday, December 07, 1999,
5:00:00 AM 147,728 bytes
Monday, July 22, 2002, 12:05:04 PM 147,728
bytes
For the SP3 version:
“File
Version: 2195.4877.297.3”
“Description: Windows NT Setup mini command console”
“Copyright: Copyright (C)
Microsoft Corp. 1981-1999”
The MBR code is found between offsets 12fe8h and 131e7h.
The normal copy of the Windows™ 2000/XP Boot Record's First Sector is found between offsets 10810h and 10a0fh (with its NTLDR Section being found between offsets 10a10h and 1280fh); that's a total of 16 sectors, over half of which (the last 9 sectors) is nothing but zero bytes.
In all of the files listed here, it's fairly easy to tell the difference between what we are calling the Normal copy of the NTFS Boot code and a second copy whose purpose is as of yet still unidentified: The Normal copy will always begin with the Hex bytes: “EB 52 90” followed by “NTFS” and four space bytes, whereas the abnormal (for lack of anything better to call it at this time) copy will have a zero byte (00) in place of the 90 byte like this: “EB 52 00”. Most often, this abnormal code will be located further down inside the file, but for spcmdcon.sys that isn't the case.
Beginning at offset d010h, you'll find a FAT12 Boot Record followed by a FAT32 Boot Record (offset d210h; all three sectors), and then at offsets d810h through f80fh, you'll find a copy of the NTFS Boot sector and NTLDR Section that's not the same as the normal one! This is followed by an interesting bit of code for booting from a CD (between offsets f810h and 1000fh). Then there's another copy of both the FAT32 and FAT12 Boot Records (in that order) before we finally arrive at the location of the normal NTFS Boot Code listed above. Note that even the FAT boot records differ from each other in this file!
diskpart.exe
For our original version of Windows™ XP:
Thursday, August
23, 2001, 5:00:00 AM 145,920 bytes
“File
Version: 1.0.3.1”
“Description: Diskpart Application”
“Copyright: Copyright © 2000” (as odd as it may seem,
that's all that was listed here... you must assume a "by Microsoft"
follows it I guess).
It also says that the Original Filename was "diskpart.rc" which
seems a bit odd too for an executable.
The MBR code is found between offsets 1b818h and 1ba17h.
For an SP2 version
of Windows™
XP:
Wednesday,
August 4, 2004, 4:00:00 AM 163,840 bytes
“File
Version: 5.1.3565.0”
“Description: Diskpart Application”
“Copyright: Copyright © 2000”
Original Filename: "diskpart.rc" (see note above).
The MBR code is found between offsets 1fc58h and 1fe57h.
There isn't much else of interest to us in these files; they do mention mirroring and dynamic disks though.
setupdd.sys
From the
SP3 download for Windows™ 2000 (directly from Microsoft's
Update web site):
Monday, July
22, 2002, 12:05:04 PM 382,032 bytes
The SP3 version details
are:
“File
Version: 5.0.2195.5399”
“Description: Windows NT Setup (kernel mode portion of character-based
phase)”
“Copyright: Copyright (C)
Microsoft Corp. 1981-1999”
The MBR code is found between offsets 49b60h
and 49d5fh.
The Normal Copy [see discussion under spcmdcon.sys above] of the Windows™ 2000/XP Boot Record's First Sector is found between offsets 44d98h and 44f97h (immediately following it are the 15 sectors of its NTLDR Section; being found between offsets 44f98h and 44d97h).
Between offsets 44598h and 44797h, you'll find a FAT12 Boot Record. This is immediately followed by a FAT32 Boot Record (offset 44798h; with all three sectors), after which comes the Boot Sector and NTLDR Section listed above (at offsets 44d98h and following). Then that's followed by a second (and rather strange) copy of the FAT12 Boot Record between offsets 46d98h and 46f97h; which is immediately followed by the abnormal (second) copy of the NTFS Boot sector and NTLDR Section at offsets 46f98h through 48f97h (this is the one that begins with “EB 52 00” rather than having a 90h byte after the jump code). Lastly, between offsets 48f98h and 49597h you'll find yet another copy of both the FAT32 Boot Records.
As noted above, I'm still trying to figure out what the second (and different) sets of FAT12 and FAT32 boot sectors are for! If you know what the strange (compared to the others) boot sectors are for, please send me an email about it.
Between offsets 49d60h and 49f5fh, is the code for some kind of boot sector that has the label “IPL1” in its header: The IPL1 Boot Record.
autochk.exe
(Windows™ XP SP2)
From a Windows™
XP Professional, Service Pack 2, Installation:
File Properties for autochk.exe
in this version of Windows™ XP are:
Wednesday, August 04, 2004, 4:00:00 AM 588,800
bytes
“File
Version: 5.1.2600.2180”
“Description: Auto Check
Utility”
“Copyright: © Microsoft Corporation. All rights reserved.”
The correct code (agrees with bcupdate2.exe) for an NTFS Volume Boot
Record is found in this program as follows: The first
sector is between offsets 5cc40h
and 5ce3fh. Immediately
following is the full NTLDR Section code (all 15 sectors; including
those with only zero bytes); from offset
5cc40h through 5ce3fh.
Note: There appears to be a second instance of the NTFS boot code between offsets 5ce40h and 60c3fh. But this "unknown" code is very different from that above, and we still have no idea why!
For those who are interested, the FAT12 and FAT32 boot records are found at these offsets:
5bc40 - 5be3f: FAT12
Boot Record; correct code, same code as found in bcupdate2.exe.
5be40 - 5c43f: FAT32 VBR
(3 sectors); correct code.
5c440 - 5c63f: FAT12 Boot Record;
unknown code.
5c640 - 5cc3f: FAT32 VBR (3 sectors);
unknown code.
autochk.exe
(original code)
From both
our original and SP3 versions of Windows™ 2000:
Tuesday, December
07, 1999, 5:00:00 AM 558,864 bytes
Monday, July 22, 2002, 12:05:04 PM 559,888
bytes
The SP3 version details
are:
“File
Version: 5.0.2195.3649”
“Description: Auto Check Utility”
“Copyright: Copyright (C)
Microsoft Corp. 1981-1999”
The code for the Boot Record's first sector is found between
offsets 4d628h
and 4d827h (for
the original version, they are between offsets 4d220h
and 4d41fh).
Immediately following this you will find the full NTLDR Section of code
(for all 15 sectors; including those with only zero bytes).
The code is exactly the same for both versions.
For the autochk.exe
in our original version of Windows™ XP:
Thursday, August 23, 2001, 5:00:00 AM 565,760
bytes
“File
Version: 5.1.2600.0”
“Description: Auto Check
Utility”
“Copyright: ©
Microsoft Corporation. All rights reserved.”
The code for the Boot Record's first sector is found between
offsets 57220h
and 5741fh. Immediately
following this you will find the full NTLDR Section code (for all 15
sectors; including those with only zero bytes). The code for
this version of Windows™ XP is exactly the same as that for both
versions of Windows™ 2000 above!
For those who are interested, the FAT12 and FAT32 boot records are found at these offsets:
56220h - 5641fh: FAT12
Boot Record; normal code.
56420h - 56a1fh: FAT32
VBR (3 sectors); normal code.
And here's where the UNKNOWN sets of code are located within this program:
56a20h - 56c1fh: FAT12 Boot
Record; unknown code.
56c20h - 5721fh: FAT32 VBR (3
sectors); unknown code.
59220h - 5b21fh: NTFS
VBR (16 sectors); unknown code.
This page is still under construction!
Updated:
1 September 2003. (2003.9.1)
Last Update: 25 January 2009. (2009.1.25)
You can write to me using this: online
reply form. (It opens in a new window.)
The Starman's FREE TOOLS
Page
MBR
and Boot Records Index
The Starman's Realm Index Page