[CharlotteTheHarlot]

herbalist, on Sep 30 2008, 01:38 AM, said:

Does anyone know of a utility that can save and restore a copy of the MBR, preferably one that works in DOS or Windows?

Fortunately in Win9x critical maintenance is easy to do. I usually run a compiled INNO exe that performs a complete data collection: CMOS dump, MBR/MBS/VBR and more, Registry export, Registry DATs, complete Filelist, and critical OS and log files. Winrar is nicely suited for most of this, CMOSSAVE, REGEDIT, and FINDPART are other useful tools.

There are many ways to save/restore the Master Boot Sector (the first 512 bytes of disk 0 which contains the MBR). In my experience it is better to grab more than the first sector's 512 bytes, and since it takes no more time or effort why not just grab the first 95 sectors (absolute sectors 0 to 94). This is everything up to but NOT including the first FAT. The output is a mere 48,640 bytes and contains lots of important information needed to reconstruct a HDD. Sometimes I do grab at least one of the two FATs also.

FINDPART is one of those great uber-hacker utilities and it is free. Last seen on this page (I highly recommend that technically skilled users download everything on those webpages). The FINDPART utility combines in one EXE many other tools, I quote the author:

The Findpart Windows version includes the functionality of the utilities FindNTFS, GB32, Chsdir, Editpart, EditGUID, Findfat, Getsect, Putsect, Cyldir, Finddir, Findext2, Findbad, Pqrp, FindJPG, FindDoc, Readext2 and Readfat.

Using the GetSect component of FindPart returns this information:

 
Getsect, version FP 4.91.
Copyright Svend Olaf Mikkelsen, 2007.

Usage: Findpart Getsect <disknumber> <cylinder> <head> <sector>
               <no of sectors> [+]<filename> [noheader] [backwards]
               [bad00 | badf6]

Writes the sectors to <filename>. Use +<filename> for append.

Returns 0 if the sectors are read without errors.

Option 'bad00' or 'badf6' writes ascii 0 or hex F6 for sectors 
that cannot be read.

The output file can be viewed with the Windows 95/98
'edit /64 <filename>' command. Disks are numbered from 1. 

For my example, this command saves the aforementioned 48,640 bytes:

 
FindPart.exe GetSect 1 0 0 1 95 MBRPLUS.BIN noheader
                     | | | |  |
                     | | | |  +-----> total of 95 sectors
                     | | | +------> sector 1
                     | | +------> head 0
                     | +------> cylinder 0
                     +------> 1st disk (disk 0 aka C:) 

All the bytes contained in the first 95 sectors are saved into into a file called MBRPLUS.BIN. Note that there is a corresponding PutSect component to add such saved data back into the HDD. The NOHEADER means that only data is written to the file lending itself to be restored back to a HDD. Of course the following will give you just the 512 byte MBS that you originally asked for:

FindPart.exe GetSect 1 0 0 1 1 MBR.BIN noheader

EDIT: please see post#24 for an update. In short, FindPart PutSect apparently can only restore a single sector to a HDD. To restore multiple saved sectors something else must be used.

This post has been edited by CharlotteTheHarlot: 01 October 2008 - 04:32 PM

[cannie]

CharlotteTheHarlot, on Oct 1 2008, 12:18 AM, said:

FindPart.exe GetSect 1 0 0 1 95 MBRPLUS.BIN noheader

I have created this way MBRPLUS.BIN from Windows 98. I use double boot XP/Win98.

Are the double boot main partition bootsector and mbr totally included in that size, to avoid using the fixboot and fixmbr commands?

To avoid doing things wrong and destroying anything: I think the command line to restore bootsector and mbr using MBRPLUS.BIN must be: FindPart.exe PutSect 1 0 0 1 95 MBRPLUS.BIN noheader. Is this correct?

Thank you very much.

This post has been edited by cannie: 01 October 2008 - 06:06 AM

[herbalist]

Thanks
Both of those sites will be helpful. I'm not as familiar with MBRs, boot sectors, file tables, etc as I need to be. Never needed to do much with any of it. Learning as I go. I'm gradually assembling all the pieces to build a DOS/Windows replacement for the Acronis CD that doesn't use proprietary formats. I've got a DOS CD that works well with my external drive. Working on LFN support for it. Still need to test command line versions of the archiving tools.

I can't complain about the performance of the Acronis CD. It's always worked for me, but there's a couple of limitations I've wanted to get away from. I don't know of anything else that can open one of their .tib archives. I'd much rather use a format that can be accessed and edited with standard archiving tools from within Windows or DOS. I've gotten into a bad habit, downloading and saving files to my desktop and cleaning it up later. On the desktop of my primary unit, it just makes a big mess (there's an image under all those icons somewhere), but on my test units, it's files I can't get to without installing that image on a test drive. Shut down Windows, reboot with the CD, back up the existing drive, pick an archive, choose a hard drive, wait for the process to finish, remove CD, reboot, it's not on this image, repeat process, As much as I get sidetracked when doing something, anything could end up being anywhere.

I'm also disappointed in its compression after seeing what 7Zip and WinRar can do. Free space is becoming scarce on my external drive and a bigger one is just not in the budget right now. If 7Zip or WinRar does as well with the other images as they did the first one, converting the backup images would gain me about 12GB of disk space and buy me some time. It's either that or cleaning out the download folder, which is a scary looking job.
Rick

[CharlotteTheHarlot]

cannie, on Oct 1 2008, 05:47 AM, said:

I have created this way MBRPLUS.BIN from Windows 98. I use double boot XP/Win98.

Are the double boot main partition bootsector and mbr totally included in that size, to avoid using the fixboot and fixmbr commands?

To avoid doing things wrong and destroying anything: I think the command line to restore bootsector and mbr using MBRPLUS.BIN must be: FindPart.exe PutSect 1 0 0 1 95 MBRPLUS.BIN noheader. Is this correct?

Firstly, I just noticed that FindPart PutSect fails to return the commandline options that FindPart GetSect does. You need to first do this: set findpart=edit. The presence of that environment string 'unlocks' the more dangerous features of FindPart. Having done that, here is the commandline usage for the PutSect component of FindPart:

 
Putsect, version FP 4.91.
Copyright Svend Olaf Mikkelsen, 2007.

Usage: Findpart Putsect <disknumber> <cylinder> <head> <sector> <filename>
               <cylinders> <hash> [checkfile <checkfilename>] [force]

Writes the content of the file <filename> to the sector.
Returns 0 if the sector is written. The file must be 512 bytes
long. <cylinders> is the number of cylinders on the disk.

If the ascii value of byte no. n is called a(n), the hash value used
is 1 * a(1) + 2 * a(2) + ... + 512 * a(512). The result is written
as an 8 digit hexadecimal number. The hash value of a 512 bytes file
can be printed with the command: Findpart Putsect gethash <filename>

If checkfile is used, hash can be entered as 00000000
and the current sector content must match <checkfilename>.
If force is used, hash can be entered as 00000000.

Special <filename> values: !zero for ascii 0 characters, !f6 for ascii
246, !ff for ascii 255. Other keywords: 'loop' puts infinite loop code
in the first 2 bytes. 'signature' puts hex 55, AA in the last 2 bytes. 

IMPORTANT CORRECTION!: this command appears to only support single sector insertion. My bad! That MBRPLUS.BIN containing 95 sectors (48,640 bytes) cannot, I repeat CANNOT be restored by this command. I will research this further but in order to place data onto your HDD, you must first save a single sector, in your case the Master Boot Sector (absolute sector 0 aka CHS 0,0,1) as previously noted:

FindPart.exe GetSect 1 0 0 1 1 MBR.BIN noheader

That gives you a 512 byte file called MBR.BIN that contains the Master Boot Sector (within that is the actual MBR and MPT Partition Tables). Once you have that file, and you set findpart=edit, the corresponding command to restore the same saved file back to the HDD is:

FindPart.exe PutSect 1 0 0 1 MBR.BIN ??? 00000000 force

That ??? will need to be filled in. It will be the number of cylinders on the HDD you are writing to. To find out how to determine this see Post #31 from TheStarman. Alternatively, see: Post #28 for another possibility for writing this data to the Hard Disk (by using SrcMbr from SRCTOOLS).

NB: I believe it is possible for BIOS or Windows based AntiVirus Boot Sector protection to interfere with this operation. But lets not cross this bridge unless we have to.

Cannie, remember to stash away that MBRPLUS.BIN for reference only. The new file MBR.BIN is what you will be using now. Sorry about any mixup! I need to wash my brain and then try to remember what utility I used to insert multiple saved sectors onto a HDD. It could have been another of Svend's tools, or maybe one from Terabyte. Possibly even Norton DiskEdit. Once I have this squared away I will start a thread specific to this subject.

EDIT: i'll be back soon to answer the 2nd part of that question.
EDIT: fixed the FindPart PutSect commandline per Daniel in Post #31.

This post has been edited by CharlotteTheHarlot: 05 October 2008 - 07:25 PM

[CharlotteTheHarlot]

cannie, on Oct 1 2008, 05:47 AM, said:

Are the double boot main partition bootsector and mbr totally included in that size, to avoid using the fixboot and fixmbr commands?

First, to give credit where credit is due. Everyone should take the time to see the magnificent effort at explaining MBR's by Daniel B. Sedory aka TheStarman. I am perfectly safe in saying that his is the most extensive examination of this subject anywhere. Microsoft and Wikipedia will likely use him for reference, I am not kidding at all. Daniel, we're not worthy! The table of contents is here: MBR and OS Boot Records (INDEX PAGE). In that list is the MBR we are presently concerned with: An Examination of the MBR (WIN9X).

I just took a snapshot of a Seagate 120GB C: boot drive. Then I dropped the bytes into a formatted spreadsheet. Its too bad the forum software does not allow CSS-style background colors. Using foreground colors is limiting. Here are the main descriptions but do visit the linked website for expert level information. This is all 512 bytes of the Master Boot Sector (Absolute Sector 0) formatted into lines of 16 bytes ...

 
[font="Courier New"][size=3][color="#008800"]33 C0 8E D0 BC 00 7C FB 50 07 50 1F FC BE 1B 7C
BF 1B 06 50 57 B9 E5 01 F3 A4 CB BE BE 07 B1 04
38 2C 7C 09 75 15 83 C6 10 E2 F5 CD 18 8B 14 8B
EE 83 C6 10 49 74 16 38 2C 74 F6 BE 10 07 4E AC  ; this entire green area
3C 00 74 FA BB 07 00 B4 0E CD 10 EB F2 89 46 25  ; is executable code
96 8A 46 04 B4 06 3C 0E 74 11 B4 0B 3C 0C 74 05  ; except the 6 bytes in black
3A C4 75 2B 40 C6 46 25 06 75 24 BB AA 55 50 B4
41 CD 13 58 72 16 81 FB 55 AA 75 10 F6 C1 01 74
0B 8A E0 88 56 24 C7 06 A1 06 EB 1E 88 66 04 BF
0A 00 B8 01 02 8B DC 33 C9 83 FF 05 7F 03 8B 4E
25 03 4E 02 CD 13 72 29 BE 46 07 81 3E FE 7D 55
AA 74 5A 83 EF 05 7F DA 85 F6 75 83 BE 27 07 EB
8A 98 91 52 99 03 46 08 13 56 0A E8 12 00 5A EB
D5 4F 74 E4 33 C0 CD 13 EB B8 [b][color="#000000"]00 00 80 11 11 11  ; Drive/Timestamp Mystery Bytes[/color][/b]
56 33 F6 56 56 52 50 06 53 51 BE 10 00 56 8B F4  [b][color="#000000"]; Important! see link![/color][/b]
50 52 B8 00 42 8A 56 24 CD 13 5A 58 8D 64 10 72  ; [size=2][url="http://thestarman.pcministry.com/asm/mbr/mystery.htm#COPY"]Don't make exact copies of Win9x HDDs![/url][/size]
0A 40 75 01 42 80 C7 02 E2 F7 F8 5E C3 EB 74[/color] [color="#FF00FF"]49
6E 76 61 6C 69 64 20 70 61 72 74 69 74 69 6F 6E
20 74 61 62 6C 65 00 45 72 72 6F 72 20 6C 6F 61  ; this section contains error
64 69 6E 67 20 6F 70 65 72 61 74 69 6E 67 20 73  ; message strings such as: 
79 73 74 65 6D 00 4D 69 73 73 69 6E 67 20 6F 70  ; 'Missing operating system'
65 72 61 74 69 6E 67 20 73 79 73 74 65 6D 00[/color] 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 [color="#880088"][b]8B FC 1E 57 8B F5 CB[/b][/color] 00 00 00 00 00 00  [color="#880088"][b]; MSWIN4.1 FDISK mark[/b][/color]
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 [color="#000088"][b]00 78 01 78[/b][/color] 01 00 [color="#FF0000"][b]80 01[/b][/color]  [color="#000088"][b]; NT Drive Serial Number[/b][/color]
[color="#FF0000"][b]01 00 0C FE 7F 00 3F 00 00 00 82 37 F9 0D 00 00[/b][/color]
[color="#FF0000"][b]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ; Partition Table[/b][/color]
[color="#FF0000"][b]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[/b][/color]
[color="#FF0000"][b]00 00 00 00 00 00 00 00 00 00 00 00 00 00[/b][/color] [b][color="#880000"]55 AA  ; signature ID Magic Number[/color][/b][/size][/font] 

Now if you focus on the Partition Table, it is actually 4x16 byte arrays ...

 
[font="Courier New"][size=3][color="#FF0000"][b]                                          80 01
01 00 0C FE 7F 00 3F 00 00 00 82 37 F9 0D [color="#880088"]00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00[/color] 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 [color="#880088"]00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00[/color][/b][/color][/size][/font]

Same data spread out linearly ...

[font="Courier New"][size=3][color="#FF0000"][b]80 01 01 00 0C FE 7F 00 3F 00 00 00 82 37 F9 0D  ; Entry-1
[color="#880088"]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ; Entry-2[/color]
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ; Entry-3
[color="#880088"]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ; Entry-4[/color][/b][/color][/size][/font] 

This HDD has one partition, the other three entries are blank. Deciphering Entry-1 gives this information ...

 
80 ............ Bootable? 80h = yes
01 ............ Start Head: 1     ; these three establish CHS:0,1,1
01 ............ Start Sector: 1   ; (absolute sector 63) as the 1st
00 ............ Start Cylinder: 0 ; partition VBR beginning
0C ............ Type 0Ch = WIN95 OSR2 FAT32, LBA-mapped
FE ............ End Head: 254 dec
7F ............ End Sector: 63 dec
00 ............ End Cylinder: 256 dec
3F 00 00 00 ... Relative Sectors (offset to partition): 0000003F = 63 dec
82 37 F9 0D ... Total Sectors (in partition): 0DF93782 = 234,436,482 dec 

Now to try to answer that question. What is the dual-boot software mechanism (System Commander etc)? More importantly what is the structure of the HDD? How many partitions? Extended partitions? Is either Windows version on another disk? The example I showed above is a simple single partition and all of the critical structural data lies in front of the first FAT within the 95 sectors I mentioned previously. Saving everything is simple.

However I think it is possible that certain multi-boot arrangements can leave some of the Partition Table or Volume Boot Record information scattered about. You will need to do some homework to understand the bootstrap steps for each OS you have. Don't worry though, you'll learn a lot.

Now for saving the critical structural information, do both. Save the single MBR/MBS 512 first sector. And also save a copy of the 95 sector MBRPLUS for reference. I do this for all attached hard drives anyway (one reason explained in that link above is that the drive/timestamp/mystery bytes for all attached Win9x HDD's should be different from each other and may need to be hand edited). Definitely save that structural information BEFORE you ever run a fixboot, fixmbr, or any version of FDISK, System/Partition/Boot Magic/Commander/Manager, LILO/Grub, Ranish or any other low level application.

EDIT: changed Starman to TheStarman. Corrected the links. See Post #31 for more links and information from Daniel.

This post has been edited by CharlotteTheHarlot: 05 October 2008 - 07:07 PM

[Dude111]

An interesting thread!

[cannie]

CharlotteTheHarlot, on Oct 1 2008, 10:16 PM, said:

I will start a thread specific to this subject.

It is a very useful program. I didn't even know its existence and I would never have reached to use it properly without your help.

When you clone Windows 98 to any unit on the extended partition you don't have any problem at all because it keeps booting from C drive or from a floppy. You may restore the drive C boot sector by simply running fdisk/mbr and sys a: c:

But if you doubleboot you can't fix a failure this way. You need a backup of the MBR and FAT to restore the bootsector and the files allocation table. And in this point I think this program is an excellent solution.

In this moment the remaining users of Windows 98 are not simpleminded newbies lured by anything new only because it is in, but in many cases prepared people who know what they do and had to fight against commercial interests to keep finding compatible hardware and drivers. As a doubleboot install means to have all possibilities in your hand most of them try it.

I think it is very interesting your idea of starting a thread specific to this subject.

Thank you very much!

[CharlotteTheHarlot]

Took a peek into my virtual toolbox and found some more freeware that are very useful for the purposes of this subject. There is a package of three utilities called SRCTOOLS, the author is someone called [The W0rm] and was originally found at this url: http://dos.li5.org (now gone). Google located an exisiting webpage called TechW0rm located here where you can download a 1.1 MB file called TECHW0RM.ZIP that contains a file called Techw0rm.img which holds an impressive collection of DOS utilities ...

 
The following list quickly describes each program on the disk. If you don't understand it,
don't use it.  Quite a few weren't necessary but were put on to be ready for any situation.
Use /? to learn command line options for most

50.COM       - Sets the screen to 50-line mode (convenient).
AEFDISK.EXE  - FDisk replacement.
ATTRIB.EXE   - Change file attributes.
AUTOEXEC.BAT - Automatically executed batch file for boot-up.
BCOPY.COM    - Copy a file in the background.
BOOTSECT.BAK - The backed up boot sector - compared to original.
CHKMEM.COM   - Checks for suspicious memory usage; stealth virii.
CLEAR.COM    - Clears the screen (good for messed up modes/colors).
CLOAKING.EXE - Stores drivers in EMS/XMS to lower low memory usage.
CMOSPWD.EXE  - Can reset the bios/get cmos password
COMMAND.COM  - Command interpreter.
CONFIG.SYS   - Startup device driver loader.
CTMOUSE.COM  - Universal mouse driver.
D.EXE        - You still use "dir"?
DEBUG.EXE    - Microsoft's DEBUG.EXE.
DELTREE.EXE  - Delete a directory and all sub-directories.
DEVICE.COM   - Load a specified device driver on command line.
DZ.COM       - Divide overflow error corrector.
EDIT.EXE     - MS-Dos file editor.
EMM386.EXE   - EMS memory manager by Microsoft.
ESCAPE.EXE   - Abort from crashes/programs with F12.
FCSH.COM     - Doskey replacement.
FIX27.COM    - Quite often saves memory for tsrs loaded.
FORMAT.COM   - Formats a disk for DOS use.
FP.SYS       - Scans for lost partitions/assigns drive letters.
HIMEM.SYS    - Himem XMS device driver.
IO.SYS       - The heart of ms-dos7; the kernel.
KEYBUF.COM   - Expands keyboard buffer size.
KEYRATE.COM  - Sets the key-speeds.
KILLER.EXE   - Abort to dos on invalid opcodes. (less freezing)
LCOPY.EXE    - XCOPY replacement with LFN support in DOS.
MD5SUM.EXE   - Calculates the MD5 hashes.
MD5_FIC1.BAK - Stored MD5 hashes for all required boot-up files.
MD5_FIC2.BAK - MD5 hashes for checking on ramdisk.
MEM.EXE      - MS-DOS's mem reporting tool.
MSCDEX.EXE   - Mscdex.exe replacement, saves mem.
MSDOS.SYS    - Dos "registry".
NO.COM       - Exclude files for a particular command.
NTFSDOS.EXE  - Driver to "see" NTFS drives.
PART.EXE     - Partition Manager
PERUSE.COM   - Lets you scroll back with the scroll lock key.
PRESIZER.EXE - Resize/Move partitions.
PROTECT.COM  - Write/Read Warn/Protect any drive.
PROVIEW.EXE  - Edit your physical disks and memory.
QEMM386.SYS  - A memory manager.
QVIEW.EXE    - A good hex editor.
REALDEAL.COM - Secure deletion TSR.
RECOVER.EXE  - Recovers physical sectors.
SCANDISK.EXE - Microsoft drive "repair" utility.
SCOUR.COM    - Security; overwrites past file eof's and free space.
SEARCH.COM   - Search for a text string in file(s)/subdir(s).
SETVER.EXE   - Make older/newer programs compatible.
SHSUCDX.EXE  - Mscdex.exe replacement, saves mem.
SMARTDRV.EXE - Smartdrive; caching utility.
SRCBOOT.COM  - Save/Restore/Check the boot record.
SRCFAT.COM   - Save/Restore/Check the Fat Table(s).
SRCMBR.COM   - Save/Restore/Check the MBR.
SWEEP.COM    - Runs a specified command in all subdirectories.
SYS.COM      - Copy system files/boot record for booting.
TOUCH.COM    - Sets file date/time.
UMBPCI.SYS   - Hardware UMB provider.
UNDELETE.COM - UnErases files from FAT partitions.
UNIVBE.EXE   - Universal display driver.
VIDE-CDD.SYS - Universal cd-rom driver.
VIDRAM.COM   - Increase conventional memory. (but lose VGA)
VPAGE.COM    - Saves/Restores video ram into file/page.
WIPE.COM     - Overwrites a drive.
XMSDSK.EXE   - Loads an XMS ramdisk.
XTLINK.COM   - Access drives over a serial/parallel cable.
ZENO.EXE     - Speeds up text display. 

The SRCTOOLS, which work under the DOS commandline within Windows are these ...

SrcMbr.com .... save/restore/compare the 512 byte Master Boot Sector
SrcBoot.com ... save/restore/compare the 512 byte Volume Boot Record
SrcFat.com .... save/restore/compare the FAT

Here are the returned commandline options ...

 
[color="#9932CC"] ==> Srcmbr.com /?[/color]

SRCMBR V1.8©2001 - The W0rm -
Usage: SRCMBR {drive} {filename} {switch}

Switches:
   /S - Save MBR to file
   /R - Restore MBR from file
   /C - Compare MBR to file

[color="#9932CC"] ==> Srcboot.com /?[/color]

SRCBoot V1.7©2001 - The W0rm -
Usage: SRCBoot {drive:} {filename} {switch}

Switches:
   /S - Save boot sector to file
   /R - Restore boot sector from file
   /C - Compare boot sector to file

[color="#9932CC"] ==> Srcfat.com /?[/color]

SRCFat V1.3©2001 - The W0rm -
Usage: SRCFat {drive:} {filename} {switch}

Switches:
   /S - Save fat table to file
   /R - Restore fat table from file
   /C - Compare fat table to file
   /2 - Use the second fat copy 

Since these three utilities are useable from batch files they lend themselves nicely to the purpose of automated data collection or critical backup (e.g., in a compiled INNO script). I tested the save function for all three utilities on Win9x on the C: boot drive which is a Seagate 120 GB single partition. These are the exact commands executed within a DOS window with their results ...

SrcMbr.com 0 SRCMBR.BIN /s

... outputs a file called SRCMBR.BIN. It is 512 bytes and is the exact contents of the Master Boot Sector (MBS aka MBR). I verified that it is the data found at offset 0000h. This is called Absolute Sector 0 or CHS:0,0,1. See the above post #25 for details of what is stored in this sector.

SrcBoot.com C: SRCBOOT.BIN /s

... outputs a file called SRCBOOT.BIN. It is 512 bytes and is the exact contents of the Volume Boot Record (VBR) beginning. I verified that it is the data found at offset 7e00h. This is called Absolute Sector 63 or CHS:0,1,1. Note that this single sector is the first of three consecutive sectors that make up the VBR (FAT32 VBR is 3 sectors: Absolute #63-65). There is a Second Copy at Absolute #69-71.

SrcFat.com C: SRCFAT.BIN /s /2

... outputs a file called SRCFAT.BIN. For this 120 GB FAT32 drive the saved FAT is a whopping 14,650,880 bytes. This particular HDD contains 498,433 files and 33,230 folders using up 84.5 GB of the available 111 GB. Note that I used the second FAT copy which is an arbitrary decision since both FAT copies should be identical.

IMHO, these FAT details illustrate the potential for problems under Win9x. This particular system presently has 3 of these Seagate 120 GB drives attached so one could surmise that nearly 45 MB of FAT entries are mapped into RAM by VFAT.VXD (i'm no expert here so go easy!). The numbers could easily greatly increase with modern gigantic drives. I am unclear as to how USB and SATA drives are mapped but I suspect they also increase the RAM burden. I would really love to hear from experts on these matters though.

EDIT: corrected FAT size issue (its size is related to the size of the drive, not the contents of the drive) thanks Ed999.

EDIT: 2009-10-05. Hat tip to Jaclaz way down this thread in Post #148 for a working link at web.archive.org that contains stuff from the old dos.li5.org. On this page here you can directly download SrcTools (and other stuff) from the archive.

This post has been edited by CharlotteTheHarlot: 05 October 2009 - 01:17 AM

[cannie]

I'll try it.
CharlotteTheHarlot, thank you very much for your detailed post.

[cannie]

cannie, on Oct 3 2008, 09:09 AM, said:

I'll try it.

It works perfect.
Not recommended for newbies!
Thank you again.

This post has been edited by cannie: 04 October 2008 - 01:29 AM

[TheStarman]

First, I'm glad to see some users are still benefiting from my work on the MSWIN4.1 Boot Record, etc., which BTW, you can find at these mirror sites:

http://thestarman.narod.ru/asm/mbr/
http://vertcomp.com/starman/asm/mbr/
http://mirror.href.com/asm/mbr/
http://thestarman.pc...ry.com/asm/mbr/ [may soon go offline permanently]

I dumped my own personal site at dan123.com long ago. My original site at GEOCITIES is still there, but is often blocked due to overuse (its highest in many Google searches); not to mention all the ads there as well.

(NOTE: I reserve the right to use any of this post in my own copyrighted works, and only give MSFN.COM the right to display my words on this web site; Daniel B. Sedory, 6 OCT 2008.)

Someone asked me to stop by here, and I've decided to say a few words about this topic.

I'll discuss the use of FINDPART's Getsect and Putsect programs in this post. Charlotte was quite correct in stating that Putsect, unfortunately, can only write 1 (one) sector to a disk at a time; I'll have more to say about that later on.

Although the following is an important step in using Svend Mikkelsen's FINDPART program to write a sector to disk:

CharlotteTheHarlot, on Oct 1 2008, 01:16 PM, said:

Firstly, I just noticed that FindPart PutSect fails to return the commandline options that FindPart GetSect does. You need to first do this: set findpart=edit. The presence of that environment string 'unlocks' the more dangerous features of FindPart.

You still need to provide all of the information between the "<" and ">" markers shown below, or else Putsect will not write anything to your hard disk(s)! The only optional switches are those between the brackets ("[" and "]"):

Usage: Findpart Putsect <disknumber> <cylinder> <head> <sector> <filename>
<cylinders> <hash> [checkfile <checkfilename>] [force]

This means that even the easiest way to use Putsect; i.e., using the "force" switch, you must still include the total number of cylinders in your disk and even a dummy hash value! Here's an example of the only way you can save a copy of your Master Boot Record (MBR) sector, and then restore it using Putsect:

1. Save the MBR contents using:

findpart getsect 1 0 0 1 1 mbr.bin noheader

2. Use any other utility, or Svend's FINDPART itself, to determine the number of cylinders in your disk. For example, I used Svend's FPART495.BIN file (from inside his "fp495dos.zip" download) as a floppy boot diskette (it uses FREEDOS and HXLdr32 V1.9.1) on a 299 MiB disk running DOS 5.0 (under BOCHS; http://bochs.sourceforge.net/ ) and this command:

findpart tables

Returned the following:

 
A:\>findpart tables

Findpart, version 4.95 - for Windows 95/98/ME/NT/2000/XP.
Copyright Svend Olaf Mikkelsen, 1999-2008.

OS:  Windows 92.2337203685478.0.2222        Partition tables:

Disk: 1   Cylinders: 609   Heads: 16   Sectors: 63   MB: 299

-PCyl N ID -----Rel -----Num ---MB -Start CHS- --End CHS-- BS  CHS
    0 1*06       63   306369   149    0   1  1  303  15 63 OK   OK
    0 2 05   306432   306432   149  304   0  1  607  15 63      OK

  304 1 06       63   306369   149  304   1  1  607  15 63 OK   OK  

The only piece of data you need to focus on above is the "Cylinders: 609" which tells you the total number of cylinders for this particular disk.

2. b. Don't forget to enter: "set findpart=edit"

3. Now in order to write the file "mbr.bin" (which must also be exactly 512 bytes) to the first sector of your first hard disk (which, in this case, has 609 cylinders), you must enter:

findpart putsect 1 0 0 1 mbr.bin 609 00000000 force

Note: The 'dummy hash' value is eight (8) zeros in length; it must be 8 digits.

From all of the above, you can see that Svend takes writing to a disk as something VERY serious; only for experts! One of the reasons he did this is to ensure that when he sent a repaired sector to a client, he could know absolutely for sure that the data would only be written to the correct disk exactly as he intended; thus the reason for the hashing of the file and a predetermined cylinder value. So, putsect is far from being user friendly.

This is all very unfortunate, since it would have been a great complement to what many have found a very useful program; that is Getsect. By giving someone a Getsect command, or even putting it inside a Batch file for them and telling them to just run it, I can get any reasonable number of sectors from anywhere on a hard disk sent back to me in an email, knowing I'll usually be able to see their raw disk sectors as if I were there with a disk editor myself.

One other item Charlotte mentioned may be very important to some users:

CharlotteTheHarlot, on Oct 1 2008, 01:16 PM, said:

NB: I believe it is possible for BIOS or Windows based AntiVirus Boot Sector protection to interfere with this operation. But lets not cross this bridge unless we have to.

If you do have an AV program or enabled control over your hard disks' MBR sector via the BIOS, you need to remember that after you allow findpart to write to the MBR sector, those AV programs must be updated with a copy of the newly written MBR -- if you purposely changed its contents! Anytime you add or delete partitions to or from a hard disk, you need to update that data. Countless users of Norton AV have messed up their brand new install of a second OS by forgetting this, and when they reboot their computer, NAV complained about a possible virus in the MBR sector and without thinking, they allowed NAV to overwrite their new MBR with an old copy, then found out they could no longer boot into the new OS next time!!!

PS: If you ever accidentally delete one of your disk's partitions, you can easily get it back by using TESTDISK ( http://www.cgsecurit...g/wiki/TestDisk )


La8r, Daniel (TheStarman).

[CharlotteTheHarlot]

Daniel, thanks for stopping by and welcome to MSFN. I really appreciate those MBR details on your site! That is some collection of information. Must be a labor of love.

TheStarman, on Oct 5 2008, 01:09 PM, said:

3. Now in order to write the file "mbr.bin" (which must also be exactly 512 bytes) to the first sector of your first hard disk (which, in this case, has 609 cylinders), you must enter:

findpart putsect 1 0 0 1 mbr.bin 609 00000000 force

Note: The 'dummy hash' value is eight (8) zeros in length; it must be 8 digits.

Thanks for this. My bad on the original incorrect commandline. I will edit that earlier post from myself ASAP. Alzheimers must be setting in! I cannot for the life of me remember what I used to write multiple saved sectors back to a FAT32 HDD. Maybe it was DISKEDIT, does that have a facility to import a block of sectors and write them out to disk?

P.S. please feel free to correct anything else. For example, back in Post #25 where I diagrammed the MBS for my Seagate 120 it looks like the 'NT Drive Serial Number' may be misaligned by one byte. The listed bytes are correct from the actual Absolute Sector 0. Just wondering if it looks strange.

[cannie]

After your excellent explanation, if you allow me it, I suggest it would be very good to summarize in a few lines the sequence of the command lines, first to save the mbr and afterwards to restore it.

I think it would help a lot.

Thank you very much.

[Ed999]

Although the PUTSECT command can only write a 512 byte file -

(a) the program MBRutilD.exe can save and restore the entire TRACK 0 (CHS 0-0-1 to 0-0-63), but ONLY for Disk 1, and

(b) the program SRCFAT.COM can (as pointed out) save and restore an entire FAT.

More details are given in my posts at Routine to BACKUP and RESTORE key sectors of a FAT32 Hard Disk

That post outlines a strategy (a BATCH file strategy) for making effective use of PUTSECT to create the necessary backups of the key sectors in a FAT32 partition, bearing in mind that usually only a handful of sectors are involved (as most of the 63 sectors in Track 0 are blank in a standard FDISK partition structure).

As for the FAT, for a given size of partition the size of the FAT and of the backup FAT will always be constant. The FAT is allocated a fixed size on the creation of the partition, and does not vary in size as files or directories are added or deleted.

Backing up the first FAT or second FAT for a particular partition will therefore always give a file of the same size, regardless of whether the files on that partition occupy 80 KB or 80 GB, making it straightforward to identify which sectors are used by the FAT.

In practice this is fairly unimportant, as SRCFAT.COM determines the sector values for itself and does not need any user input to save the FAT (and/or the backup FAT) successfully.

This post has been edited by Ed999: 07 October 2008 - 09:51 AM

[cannie]

Ed999, on Oct 7 2008, 05:47 PM, said:

More details are given in my posts at Routine to BACKUP and RESTORE key sectors of a FAT32 Hard Disk

Very good link.

Thank you very much

This post has been edited by cannie: 07 October 2008 - 03:56 PM

[cannie]

From all the programs which I have known thanks to mentions made in the precedent posts, many of which are excellent, I would do an special mention of MBRUTILD.EXE.

I have downloaded it from here:

http://mirror.href.c...otToolsRefs.htm

It is an authentic jewel!

Simple and fast, makes MBR backup and restore extremely easy, even for newbies! I don't know why those excellent works are so much ignored.

HTH

[CharlotteTheHarlot]

Ed999, on Oct 7 2008, 11:47 AM, said:

That post outlines a strategy (a BATCH file strategy) for making effective use of PUTSECT to create the necessary backups of the key sectors in a FAT32 partition, bearing in mind that usually only a handful of sectors are involved (as most of the 63 sectors in Track 0 are blank in a standard FDISK partition structure).

That is a great link with lots of useful information in one place. Excellent implementation as well.

I use a slightly different strategy for a slightly different purpose. Rather than picking only the commonly written areas containing structural information, instead I grab the big continuous chunk from Absolute Sector 0 to the first FAT, 95 sectors in all, the sum total is a tiny file of only 48,640 bytes. This is done in data collection snapshots, which also include registry and system files and log information. Snapshots are compared often, especially after running suspect apps and installers.

Previously I grabbed only those key sectors described in the link. That lasted until I figured out that some programs were writing information outside of the proper file system, into those supposedly empty areas. PowerQuest was one. The infamous C_Dilla protection schemes another. Some burn-in programs and computer makers tattoo information in here. I find it real interesting to track these changes, hence I make these snapshots often and diff the files and then crosscheck logs to nail down the culprit when a change is detected.

I formerly used a batch file myself but switched over to InnoSetup to be able to compile a single portable EXE that includes within itself all necessary files. The EXE executes programs like FindPart and RegEdit, collects the output of these programs and then uses RAR or WinRar to roll them up into a nice dated snapshot package.

Ed999, on Oct 7 2008, 11:47 AM, said:

As for the FAT, for a given size of partition the size of the FAT and of the backup FAT will always be constant. The FAT is allocated a fixed size on the creation of the partition, and does not vary in size as files or directories are added or deleted.

Right you are, I stand corrected! I just verified by comparing the FATs of three Seagate 120 GB drives as dumped by SrcFat. Each were in fact 14,650,880 in size, but were filled to different levels reflecting the different amount of files per disk. So the FAT size is clearly related to the size of the drive, not the contents of the drive. Thanks.

[Ed999]

I would have been happy to save the first 95 sectors as a single backup file, if there was a utility which could restore it. But both FINDPART.EXE and its earlier incarnation PUTSECT.EXE can only write a single sector to disk.

Even MBRutilD.exe will only restore the first track, i.e. the first 63 sectors; and that only for the Primary Master disk. Although it is theoretically possible to swap disks around on the IDE cables in order to use the program to restore the first 63 sectors of any disk (by making each in turn the Primary Master), it is not a convenient solution. And opening the computer's case is not something to be recommended to inexperienced users!

What's needed is a software solution: hence my Batch file, which saves and restores the six key sectors individually (more if the disk has more than a single partition).

You seem to recollect using another program in the past, one that could write a single 95 sector backup file back to disk. However, I've not come across such a program for FAT32. There used to be utilities for old-style FAT12 disks which could save and restore all the first 63 sectors (which was where the FAT was stored) - just as MBRutilD.exe now does for FAT32 disks.

The function of saving the FAT as a single backup file has now become SRCFAT.EXE, which saves and restores millions of sectors at once, but which only starts at sector 96.

Someone who knows what they are doing (i.e. not me!) could probably re-engineer SRCFAT.EXE to save sectors 1 to 95 instead of sectors 96 to 14 million. But even Svend thinks that such a tool is too dangerous, judging by the precautions he has woven around PUTSECT and FINDPART - which limit the PUTSECT function to a single sector - which is presumably why no one has so far created one.

This post has been edited by Ed999: 11 October 2008 - 11:51 PM

[cannie]

Ed999, on Oct 12 2008, 07:46 AM, said:

and that only for the Primary Master disk.

Have you tried switching the active main partition consecutively from one disk to the other using PARTITION MANAGER?

This post has been edited by cannie: 12 October 2008 - 01:42 AM

[Ed999]

You can switch the disks around physically, changing them over on the IDE cables and resetting the jumpers appropriately, but there is no way to fool the program into working on any disk other than the Primary Master.

The program can't be made to believe a disk is the Primary Master by reassigning the active partition to the Primary Slave or Secondary Master.