[ Embedded in untfs.dll, winsetup.dll or various other System files; see Introduction ]
Web Presentation and Text are Copyright©2009 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !
Caution: This is a rough draft of a new page and may contain errors.
This data is for those who really want to see the Vista VBR (even without any code or comments).
This page examines Windows Vista's Volume Boot Record (VBR), which we consider to be only the first sector of the system area at the beginning of a Vista OS volume. The BOOTMGR Loader code that immediately follows the VBR occupies the next eight sectors: seven full 512-byte sectors plus the first 40 bytes of the eighth (3,624 bytes in all). This is quite similar in structure to the layout of the Windows XP VBR and its NTLDR Loader code.
Just as we urged readers of our Vista MBR page to make a copy of their MBR sector, you might wish to also create copies of your Vista VBR. It is more difficult to work with, considering all the details stored in this sector, but there may come a time when you need or want to edit or replace this and other system sectors manually. Some advice: save all the data from the BIOS Parameter Block (BPB) area of the sector somewhere apart from your main hard disk, or write it down on paper(!); it does no good to have the data you need to access your OS stored only on the hard disk you can no longer access! There are many ways you can do this; see our MBR Tools Page. Any good disk editor will allow you to manually enter data you have written down, or you can use one of a number of utility programs to save the binary data to a file on, say, a thumb drive, and later restore the VBR and other sectors from that saved file.
This page examines the Windows™ Vista OS Volume Boot Record code: the code that tests critical aspects of, and begins to load, a Windows™ Vista operating system from within the OS volume.
For our Windows Vista install, all the code bytes of Vista's Volume Boot Record sector were also found inside the following files (listed by location, alphabetically; with offset to first byte of the code).
In each case the copy is the full 512 bytes of the VBR sector, ending with the 55h AAh signature; only the locations that hold volume-specific data (the Volume Serial Number and other vital BPB fields) are zero-filled:
1. C:\Windows\System32\autochk.exe [Offset: 616B0h]; immediately followed by all 3,624 bytes of the BOOTMGR Loader code beginning at offset 618B0h.
("Auto Check Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 640,000 bytes; Modification Date: "11/02/2006 2:44 AM").
There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe
2. C:\Windows\System32\autoconv.exe [Offset: 64AC8h]; immediately followed by the BOOTMGR Loader code beginning at offset 64CC8h.
("Auto File System Conversion Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 653,312 bytes; Modification Date: "11/02/2006 2:44 AM").
There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-convert_31bf3856ad364e35_6.0.6000.16386_none_9a9e88bfab67232b\autoconv.exe
3. C:\Windows\System32\autofmt.exe [Offset: 5F890h]; immediately followed by the BOOTMGR Loader code beginning at offset 5FA90h.
("Auto File System Format Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 632,320 bytes; Modification Date: "11/02/2006 2:44 AM").
There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-autofmt_31bf3856ad364e35_6.0.6000.16386_none_e3bd7ae1c2430704\autofmt.exe
4. C:\Windows\System32\untfs.dll [Offset: 49E00h]; immediately followed by the BOOTMGR Loader code beginning at offset 4A000h.
("NTFS Utility DLL"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 321,536 bytes; Modification Date: "11/02/2006 2:46 AM").
There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-f..mutilityntfslibrary_31bf3856ad364e35_6.0.6000.16386_none_fc8cf5d0f7021a0d\untfs.dll
5. C:\Windows\System32\oobe\winsetup.dll [Twice. Offsets: 12DAB8h and 130CE0h]; which are both immediately followed by the BOOTMGR Loader code (at offsets 12DCB8h and 130EE0h).
("Windows System Setup"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 1,374,208 bytes; Modification Date: "11/02/2006 2:46 AM").
There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-setup-component_31bf3856ad364e35_6.0.6000.16386_none_2ff5bc52b05737c3\winsetup.dll.
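The offsets listed above were found by hand with a hex editor. The Python script below is an added example, not part of this page's original content and not a Microsoft tool, that does the same search automatically: it scans any file for 512-byte spans that begin with the Vista NTFS jump/OEM-ID bytes (EB 52 90 "NTFS    ") and end with 55 AA, reports each hit with the offset of the BOOTMGR Loader code that follows it (hit + 200h), notes whether the Volume Serial Number field at 48h-4Fh is zero-filled as it is in the embedded copies, and fingerprints the non-BPB bytes so two copies (or an embedded copy and the live sector read from a disk) can be compared. The sample image is constructed inline; the function names and the choice of SHA-256 over everything but the BPB are my own.

```python
"""Find NTFS boot-sector images embedded inside a file, as done by hand for the list above."""
import hashlib
import sys

# First 11 bytes of a Vista NTFS VBR: JMP 52h, NOP, then the OEM ID "NTFS" and four spaces.
VBR_HEAD = b"\xEB\x52\x90NTFS    "
SECTOR = 512


def find_embedded_vbrs(data: bytes):
    """Yield the offset of every 512-byte span that starts like an NTFS VBR and ends in 55 AA."""
    pos = data.find(VBR_HEAD)
    while pos >= 0 and pos + SECTOR <= len(data):
        if data[pos + SECTOR - 2:pos + SECTOR] == b"\x55\xAA":
            yield pos
        pos = data.find(VBR_HEAD, pos + 1)


def code_digest(sector: bytes) -> str:
    """SHA-256 over everything except the BPB (0Bh-53h): the bytes that should be identical
    between an embedded copy and a formatted volume's live VBR (my own choice of fingerprint)."""
    return hashlib.sha256(sector[:0x0B] + sector[0x54:]).hexdigest()


def describe(data: bytes) -> list:
    """One record per hit: VBR offset, offset of the loader code that follows it,
    whether the Volume Serial Number (48h-4Fh) is zero-filled, and the code fingerprint."""
    hits = []
    for off in find_embedded_vbrs(data):
        sec = data[off:off + SECTOR]
        hits.append({
            "vbr_offset": off,
            "loader_offset": off + SECTOR,
            "serial_zeroed": sec[0x48:0x50] == bytes(8),
            "digest": code_digest(sec),
        })
    return hits


def _fake_vbr(serial: bytes = bytes(8)) -> bytes:
    """Constructed stand-in for a VBR: only the landmarks the scanner checks are filled in."""
    s = bytearray(SECTOR)
    s[:len(VBR_HEAD)] = VBR_HEAD
    s[0x48:0x50] = serial
    s[SECTOR - 2:] = b"\x55\xAA"
    return bytes(s)


# Constructed test image: two copies (one zero-filled serial, one not) plus a decoy header
# that has no 55 AA 510 bytes behind it and so must not be reported.
SAMPLE = (b"\x90" * 0x1F0 + _fake_vbr()
          + b"\xCC" * 0x300 + VBR_HEAD + bytes(600)
          + _fake_vbr(bytes.fromhex("6BE5F9781AFA78EA")))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for h in describe(data):
        print(f"VBR at {h['vbr_offset']:X}h, loader at {h['loader_offset']:X}h, "
              f"serial zero-filled: {h['serial_zeroed']}, code sha256: {h['digest'][:16]}...")
```

Run it with a path (for example the autochk.exe listed above) to reproduce the offsets in the list; with no argument it runs on the constructed image. Because the digest skips the BPB, the zero-filled embedded copies and a real volume's VBR hash the same when the code has not been tampered with, which makes this a cheap check for boot-sector modification.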
Like all previous Microsoft boot records, the first three bytes are often called the Jump Instruction, but only the first two bytes (EB 52 in this case) actually form the JMP to the rest of the executable x86 assembly code; the third byte (90h) is just a NOP ('No Operation', or do-nothing) instruction. EB is a short relative jump, so its target is the displacement 52h added to the offset of the byte following the instruction (02h): the code proper begins at offset 54h (7C54h once the sector has been loaded at 7C00h), where the bytes FA 33 C0 8E D0 BC 00 7C disable interrupts and set up the stack before anything else is done. The next 8 bytes are the "OEM ID" or System Name ("NTFS" and four blank spaces) for an NTFS volume; they are followed by the BPB (BIOS Parameter Block).
Just like the earlier NTFS boot records, all the elements of a Vista VBR's BPB area (offsets 0Bh through 53h) are the same as those for earlier NTFS boot records (for details on the NTFS BPB, see our NTFS Boot Record page). About the only thing a technician might want to brush up on is the "Hidden Sectors" field at offsets 1Ch-1Fh (shown between brackets below), which holds the number of sectors that precede the volume on the disk: a fresh Vista OS install places its first partition 2,048 sectors from the beginning of the disk ("00 08 00 00", i.e. 0x800 = 2048), whereas earlier Windows versions normally used 63.
The following is a disk editor view of how the bytes of this VBR are stored on a hard disk in the first sector of a Windows Vista OS volume:
Relative Sector 0 (within the Volume)
(Offsets 00h-02h: Jump Instruction; 03h-0Ah: "OEM ID"; 0Bh-53h: NTFS BPB; 54h onward: code)
      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
0000: EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 .R.NTFS .....
0010: 00 00 00 00 00 F8 00 00 3F 00 FF 00[00 08 00 00] ........?.......
0020: 00 00 00 00 80 00 80 00 FF EF 3F 01 00 00 00 00 ..........?.....
0030: 04 00 00 00 00 00 00 00 FF FE 13 00 00 00 00 00 ................
0040: F6 00 00 00 01 00 00 00 6B E5 F9 78 1A FA 78 EA ........k..x..x.
0050: 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07 .....3.....|.h..
0060: 1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00 4E ..hf......f.>..N
0070: 54 46 53 75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB TFSu..A..U..r...
0080: 55 AA 75 06 F7 C1 01 00 75 03 E9 D2 00 1E 83 EC U.u.....u.......
0090: 18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13 .h...H..........
00A0: 9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3 .....X.r.;...u..
00B0: 0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8 ........Z3... +.
00C0: 66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8 f...............
00D0: 40 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D @.+.w......f#.u-
00E0: 66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16 f..TCPAu$....r..
00F0: 68 07 BB 16 68 70 0E 16 68 09 00 66 53 66 53 66 h...hp..h..fSfSf
0100: 55 16 16 16 68 B8 01 66 61 0E 07 CD 1A E9 6A 01 U...h..fa.....j.
0110: 90 90 66 60 1E 06 66 A1 11 00 66 03 06 1C 00 1E ..f`..f...f.....
0120: 66 68 00 00 00 00 66 50 06 53 68 01 00 68 10 00 fh....fP.Sh..h..
0130: B4 42 8A 16 0E 00 16 1F 8B F4 CD 13 66 59 5B 5A .B..........fY[Z
0140: 66 59 66 59 1F 0F 82 16 00 66 FF 06 11 00 03 16 fYfY.....f......
0150: 0F 00 8E C2 FF 0E 16 00 75 BC 07 1F 66 61 C3 A0 ........u...fa..
0160: F8 01 E8 08 00 A0 FB 01 E8 02 00 EB FE B4 01 8B ................
0170: F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3 ..<.t...........
0180: 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72 ..A disk read er
0190: 72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 42 ror occurred...B
01A0: 4F 4F 54 4D 47 52 20 69 73 20 6D 69 73 73 69 6E OOTMGR is missin
01B0: 67 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 63 g...BOOTMGR is c
01C0: 6F 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 ompressed...Pres
01D0: 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 s Ctrl+Alt+Del t
01E0: 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 o restart.......
01F0: 00 00 00 00 00 00 00 00 80 9D B2 CA 00 00 55 AA ..............U.
      0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
The last 128 bytes of this Boot Record (180h-1FFh) contain the Error Messages, the four Message Offset bytes and the Word-sized signature ID (or magic number) AA55h, which appears on disk as the bytes 55 AA. Remember that Words (numerical data wider than a single byte) on Intel x86 CPUs are always stored with the lowest-order byte first and the highest-order byte last ('little-endian' order), so a value written AA55h is stored as 55h followed by AAh.
Each Error Message begins with the hex bytes 0Dh and 0Ah (a Carriage Return and a Line Feed) and ends with a 00h byte, which makes these what is commonly known in various programming languages as zero-terminated or 'sz' strings (a character string followed by a single zero byte). The fourth message is slightly different in that it carries a second 0Dh 0Ah pair before its terminating 00h byte (at 1E9h-1EBh), so the cursor ends up on a fresh line after "restart". The error messages are exactly the same as those under Windows XP, except that 'NTLDR' has been replaced by "BOOTMGR".
Note that the string of letters "TCPA" at offsets E3h through E6h is not coincidental: it stands for "Trusted Computing Platform Alliance" and is actually part of the code, being the immediate operand of the instruction CMP EBX,'TCPA' (66 81 FB 54 43 50 41). This is how the code tests for the existence of a TPM chip: it first calls INT 1Ah with AX=BB00h (B8 00 BB CD 1A at offsets D6h-DAh, the TCG BIOS status-check function); a TCG-aware BIOS answers with EAX=0, EBX='TCPA' and its interface version in CX, and the code checks all three, comparing CX against 0102h (81 F9 02 01 at E9h-ECh), i.e. version 1.2. Each of these checks branches on failure to the JMP at 10Dh that simply carries on with the boot, so a missing TPM never stops the machine from booting; if they all pass, a second INT 1Ah call (AX=BB07h, set up by the pushes at F0h-106h) records a measurement of the loaded boot code with the TPM before the same JMP is taken. If the hardware supports TPM (Trusted Platform Module) version 1.2, these measurements are what provide the extra functionality for Vista's BitLocker™ Drive Encryption.
The eight physical sectors directly following a Windows™ Vista NTFS boot sector contain code which can interface both with the older NTLDR file (in order to boot up Windows NT, 2000, XP or 2003 OS partitions) and with the new BOOTMGR (boot manager) program introduced with the Vista OS. This code is still necessary when booting up a Windows OS even though the bootmgr or NTLDR files may not exist in the OS partition you start booting from; as would be the case if, for example, you installed Windows™ Vista on a disk already containing a bootable Win 98 OS in the first partition, followed by Vista's partition.
The four bytes at offsets 1F8h through 1FBh ("80 9D B2 CA") are used by the Microsoft Windows Vista VBR code for a very specific purpose: each one is the low byte of the offset, within the sector, at which one of the four error messages begins. The code loads a table byte into AL (for example, A0 F8 01 = MOV AL,[01F8h] at offset 15Fh) and calls the routine at 16Dh, which sets AH to 01h, moves the resulting word (0180h, 019Dh, 01B2h or 01CAh) into SI and prints the zero-terminated string at DS:SI one character at a time with INT 10h teletype output (DS having been set to 07C0h, so 0180h is the message at 7D80h in memory). For English versions of Windows Vista you will always see these same hex values ("80 9D B2 CA") in your VBR sectors; for those using Windows Vista in a different language, the second, third and fourth bytes may differ depending upon how many characters are in each of the four messages. When we disassemble the code, we'll point out where these values show up. In any case, since the code portion above the messages is always the same and the first message always starts at offset 180h, the first table byte (80h) never changes no matter what language (and string lengths) are used.
Now that you know what the bytes at offsets 1F8h through 1FBh are used for, you could change these error messages to display whatever you wish by using a disk editor on the VBR sector, provided you keep to the same layout: every message must start with 0Dh 0Ah and end with a 00h byte, all four must fit between offsets 180h and 1F7h (120 bytes, terminators included), and each table byte must be changed to the low byte of the offset of its message's leading 0Dh. Leave the bytes at 1FCh-1FFh alone. One caution: if BitLocker is in use, the boot sector is part of what the TPM measures during start-up, so altering any byte of it changes that measurement and BitLocker will demand its recovery key at the next boot.
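The two things a practitioner most often needs from this sector are the BPB values (to write down, as advised above, or to check against a suspect sector) and the message table just described. The Python script below is an added example, not code from this page or from Microsoft: it embeds the 512 bytes of the dump above as constructed input, decodes the BPB fields at 0Bh-53h (including the JMP target and the signed "clusters per file record" byte at 40h), follows the four table bytes at 1F8h-1FBh to their strings exactly as the boot code does (AH fixed at 01h, AL from the table), and then performs the edit described in the previous paragraph: it rebuilds the message area for a new set of four messages, recomputes the table bytes, and refuses when the messages will not fit in 180h-1F7h. The function names and dictionary keys are my own.

```python
"""Decode the Vista NTFS VBR shown above and rebuild its error-message table."""
import struct

# The 512 bytes of the sector, transcribed from the disk-editor dump on this page
# (two 16-byte dump rows per line, row 0000h first).
VBR = bytes.fromhex(
    "EB52904E544653202020200002080000" "0000000000F800003F00FF0000080000"
    "0000000080008000FFEF3F0100000000" "0400000000000000FFFE130000000000"
    "F6000000010000006BE5F9781AFA78EA" "00000000FA33C08ED0BC007CFB68C007"
    "1F1E686600CB88160E0066813E03004E" "5446537515B441BBAA55CD13720C81FB"
    "55AA7506F7C101007503E9D2001E83EC" "18681A00B4488A160E008BF4161FCD13"
    "9F83C4189E581F72E13B060B0075DBA3" "0F00C12E0F00041E5A33DBB900202BC8"
    "66FF06110003160F008EC2FF061600E8" "40002BC877EFB800BBCD1A6623C0752D"
    "6681FB54435041752481F90201721E16" "6807BB1668700E166809006653665366"
    "5516161668B80166610E07CD1AE96A01" "909066601E0666A111006603061C001E"
    "66680000000066500653680100681000" "B4428A160E00161F8BF4CD1366595B5A"
    "665966591F0F82160066FF0611000316" "0F008EC2FF0E160075BC071F6661C3A0"
    "F801E80800A0FB01E80200EBFEB4018B" "F0AC3C007409B40EBB0700CD10EBF2C3"
    "0D0A41206469736B2072656164206572" "726F72206F63637572726564000D0A42"
    "4F4F544D4752206973206D697373696E" "67000D0A424F4F544D47522069732063"
    "6F6D70726573736564000D0A50726573" "73204374726C2B416C742B44656C2074"
    "6F20726573746172740D0A0000000000" "0000000000000000809DB2CA000055AA"
)
assert len(VBR) == 512

MSG_START, MSG_TABLE = 0x180, 0x1F8   # messages occupy 180h-1F7h; their offset bytes sit at 1F8h-1FBh


def parse_vbr(sector: bytes) -> dict:
    """Check the fixed landmarks and decode the BPB (every multi-byte field is little-endian)."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte sector ending in 55 AA")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS' plus four spaces")
    bps, spc, reserved = struct.unpack_from("<HBH", sector, 0x0B)
    media, spt, heads, hidden = struct.unpack_from("<BxxHHI", sector, 0x15)
    total, mft, mftmirr = struct.unpack_from("<QQQ", sector, 0x28)
    frs, idx = struct.unpack_from("<bxxxb", sector, 0x40)      # signed bytes
    serial, checksum = struct.unpack_from("<QI", sector, 0x48)
    # A negative value means 2**|n| bytes; a positive one counts clusters.
    size = lambda n: (1 << -n) if n < 0 else n * spc * bps
    return {
        "jmp_target": 2 + sector[1],        # EB rel8: displacement is relative to offset 02h
        "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved_sectors": reserved,
        "media": media, "sectors_per_track": spt, "heads": heads, "hidden_sectors": hidden,
        "total_sectors": total, "mft_cluster": mft, "mftmirr_cluster": mftmirr,
        "file_record_size": size(frs), "index_block_size": size(idx),
        "serial": serial, "checksum": checksum,
    }


def error_messages(sector: bytes) -> list:
    """Follow the table bytes the way the code does: AH is fixed at 01h and AL is the table
    byte, so each message starts at offset 01xxh and runs up to its 00h terminator."""
    out = []
    for low in sector[MSG_TABLE:MSG_TABLE + 4]:
        start = 0x100 | low
        out.append(sector[start:sector.index(b"\x00", start)].decode("ascii"))
    return out


def build_message_area(messages) -> tuple:
    """Pack four new messages into 180h-1F7h and return (area bytes, new table bytes)."""
    if len(messages) != 4:
        raise ValueError("the boot code addresses exactly four messages")
    area, table = bytearray(), bytearray()
    for i, text in enumerate(messages):
        table.append((MSG_START + len(area)) & 0xFF)     # low byte of this message's offset
        body = b"\r\n" + text.encode("ascii")
        if i == 3:
            body += b"\r\n"      # the last message carries CR LF before its zero byte
        area += body + b"\x00"
    room = MSG_TABLE - MSG_START                          # 120 bytes in all
    if len(area) > room:
        raise ValueError(f"messages need {len(area)} bytes but only {room} fit")
    return bytes(area.ljust(room, b"\x00")), bytes(table)


def patch_messages(sector: bytes, messages) -> bytes:
    """Copy of the sector with new messages and a table that still points at each one."""
    area, table = build_message_area(messages)
    out = bytearray(sector)
    out[MSG_START:MSG_TABLE] = area
    out[MSG_TABLE:MSG_TABLE + 4] = table
    return bytes(out)


if __name__ == "__main__":
    info = parse_vbr(VBR)
    print(f"code at {info['jmp_target']:02X}h, hidden sectors {info['hidden_sectors']}, "
          f"{info['total_sectors'] * info['bytes_per_sector'] / 2**30:.1f} GiB, "
          f"serial {info['serial']:016X}")
    for low, msg in zip(VBR[MSG_TABLE:MSG_TABLE + 4], error_messages(VBR)):
        print(f"  table byte {low:02X} -> offset 01{low:02X}h: {msg.strip()!r}")
    new = patch_messages(VBR, ["Disk read failed", "No BOOTMGR", "BOOTMGR compressed", "Reboot"])
    print("new table bytes:", new[MSG_TABLE:MSG_TABLE + 4].hex(" ").upper())
```

Feeding the original four messages back through patch_messages reproduces the sector byte for byte, which confirms that the layout rules above (leading 0Dh 0Ah, trailing 00h, extra CR LF on the last message, table byte = low byte of each start offset) are complete. To apply a change to a real disk, write only the 120 bytes at 180h-1F7h and the 4 bytes at 1F8h-1FBh back with a disk editor; the function never touches the BPB or the signature.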
After the code in your hard disk's MBR sector transfers control to this Volume Boot Record code, it will test critical aspects of the Vista operating system, then load and run the BOOTMGR "bootstrap" code which will eventually run the actual "bootmgr.exe" program that finally attempts to load an operating system!
You can learn a great deal about the instructions used here by obtaining the x86 Opcode Windows Help file and Ralf Brown's Interrupt List from our Intro to Assembly page.
Here's a listing of the disassembled code (with comments), after it has first been loaded into memory at 0000:7C00 by the Windows Vista MBR code (all memory locations listed below are in segment 0000:). If you see an asterisk (*) next to an instruction, it means that MS-DEBUG cannot disassemble that code.
First Draft:
August 16, 2009. (16.08.09)