Determine the NTFS Boot Sector backup location

Source: Internet
Author: User
Last clue about the NTFS Boot Sector backup position

Blog from the basin

Abstract: This article is excerpted from a technical Q&A in Microsoft's Chinese newsgroup (the participants are the author and another netizen). It mainly discusses the factors that determine the storage location of the NTFS boot sector backup. Knowledge Base article KB153973 suggests that the location is related to the NTFS version information, while the netizen's experiment results indicate that it seems to be related to the storage location of the MFT... Which one is correct?

Authentication record

(Floor 1) netizen: In the NTFS system, the boot sector has a backup saved in the middle or at the end of the partition, which is determined based on the NTFS version. I would like to ask:
(1) How to determine the NTFS version? I don't mean fsutil fsinfo ntfsinfo C: but how to judge it from the data on the hard disk.
(2) Why do I have an NTFS 3.1 version without a boot sector backup, and why, after chkdsk is run, is the backup written in the middle of the partition?
Here is the information I found on Microsoft:
http://support.microsoft.com/default.aspx?SCID=KB;en-US;q153973

(Floor 2) basin: First, in the NTFS metadata file $Volume, the $VOLUME_INFORMATION attribute stores the NTFS version and the dirty bit of the file system.
In NTFS there is a famous saying, "everything on the disk is a file", including the boot sector ($Boot) and the MFT itself ($MFT), which are all files; of course, they are special files (metadata files).
The second question: what did you use to determine this, and can the problem be reproduced?

(Floor 3) netizen: (2) I used the Windows command "fsutil fsinfo ntfsinfo <drive letter>" to determine it. My question is: since Windows XP has determined this partition to be NTFS 3.1, should the chkdsk fix copy the boot sector to the end of the partition instead of the middle? Or is the NTFS version determined differently by chkdsk and by fsutil fsinfo ntfsinfo?
In addition, I would like to ask: it seems that the boot sector backup is not saved in the form of a cluster but is a separate 512 bytes; moreover, the data runs of all records in $MFT cannot be linked to those 512 bytes (maybe I have something wrong)!
Is there anything that specifies where the 512 bytes are stored? It seems that this cannot be obtained from $Volume's $VOLUME_INFORMATION alone?
If the backup of the boot sector cannot be obtained from the data runs of the $MFT records, doesn't that violate the original design of NTFS, "everything on the disk is a file"?

(Floor 4) netizen: The following is my $Volume $VOLUME_INFORMATION data:
70 00 00 00 28 00 00 00 00 00 18 00 00 05 00
0C 00 00 00 18 00 00 00 00 00 00 00 00 00 00
03 01 00 00 00 00 00 00
Remove attribute header, and the rest is:
00 00 00 00 00 00 00
03 01 00 00 00 00 00 00
Major version number: 3
Minor version number: 1
That is NTFS version 3.1, but after chkdsk is run, the boot sector is backed up in the middle of the partition. It is strange. Is there anything else that indicates where the boot sector backup will be stored?

(Floor 5) basin: After testing, no chkdsk /F is required. When formatting or creating a partition, Windows adds a boot sector backup at the end of the volume.
With the Disk Probe tool, you can see the boot sector backup at the end of the volume, but no backup can be seen in the middle of the volume. What tool do you use to view the backup?
Is it contrary to the "everything on the disk is a file" principle?
I understand it as follows: it may be determined by the backup location. Since the backup is only 512 bytes, if it were a file, it could be fully accommodated in the MFT as a record (the size of each MFT record is 1 KB). However, in order to save the backup at the end of the volume, its status as a file has to be given up (otherwise, it would have to be resident in the MFT).
In this case, there is no major impact. For example, if a file is deleted, its physical structure will still be stored on the disk, but its MFT record will not; this residual physical structure is not a file.

(Floor 6) netizen: (1) I would like to ask which file can index the backup of the boot sector in the partition? It does not seem very accurate to identify the NTFS version from the version in $Volume's $VOLUME_INFORMATION.
(2) To which cluster of the partition is $MFT written when a partition is formatted as NTFS? What is the rule?

(Floor 7) basin: Here is my understanding of your two questions.
1. For this question, refer to my previous reply. Perhaps we should avoid viewing the backup of the boot sector as a file, because its storage location determines that, if it were a file, it would have to be non-resident, while its size (512 B) determines that it would have to be resident... Therefore, do not regard it as a file.
You can use tools such as DiskProbe to locate the backup of the boot sector, because it is not a file and cannot be indexed in the MFT.
2. This issue cannot be generalized. There are the following three cases:
(1) Win2K and earlier versions: put the MFT at the beginning of the volume.
(2) WinXP, Win2K3 and later:
For large volumes, put the MFT after 3 GB (when cluster factor = 4 KB, MFT's starting cluster = 786432 = 3 × 1024 × 1024 ÷ 4).
For small volumes (such as smaller than 3 GB), the placement rules are not clear.
(3) For volumes converted from FAT, it depends on the specific situation, such as whether the /cvtarea parameter is used.
Windows reads the boot sector (offset 0x30, 8 bytes) to learn the specific location of the MFT.

(Floor 8) netizen: I did a test. It seems that the position of the boot sector backup written by Windows XP is determined by the location of $MFT, rather than by the information in $Volume.
Test 1: Write $MFT at the beginning of the volume without the boot sector backup. The chkdsk of Windows XP considers the NTFS version to be the old version, and then writes the boot sector backup to the middle of the partition.
Test 2: Write $MFT somewhere in the middle of the volume (refer to the location where Ghost writes $MFT) without a boot sector backup; the chkdsk of Windows XP writes the backup of the boot sector to the end of the partition.
The only difference between Test 1 and Test 2 is the position of $MFT in the partition. KB153973 says that the backup location of the boot sector is determined by the NTFS version, but it is not very accurate to determine the NTFS version, and hence the boot sector backup location, from the version information in $Volume; for example, the location of the $MFT file may not be written according to the rules of the NTFS version. For example, $Volume may indicate NTFS version 3.1 while $MFT is written at the beginning of the volume.
Because there is no specific document, we can only guess that the position of $MFT in the partition is determined by the version in $VOLUME_INFORMATION of the NTFS volume. The backup of the boot sector is determined by the position of $MFT in the partition.
The thing to find out is the rule by which $MFT is written in NTFS.
You mentioned:
(2) WinXP, Win2K3 and later:
For large volumes, put the MFT after 3 GB (when cluster factor = 4 KB, MFT's starting cluster = 786432 = 3 × 1024 × 1024 ÷ 4).
For small volumes (such as smaller than 3 GB), the placement rules are not clear.
For volume > 3 GB, is the $MFT position 3 × 1024 × 1024 / (cluster per sector * 2)?

(Floor 9) basin: Could you provide the detailed steps of the two tests? We should carefully design the experiment for full verification.
Based on one or two experiments, it is difficult to reach the conclusion that the position of the boot sector backup depends on the $MFT position. At least the following possibilities should be considered:
(1) chkdsk may adopt another mechanism, which is different from the mechanism of Windows itself (during formatting, Windows creates a boot sector backup by default).
(2) If a third-party tool or software is involved in the experiment, the experiment results are inadequate.
Therefore, a strict and reliable hands-on lab must be designed to obtain credible results.
Microsoft's public official documentation does not mention the factors that determine the location of $MFT, but according to the following document, the format program of Windows XP places $MFT at the location after 3 GB by default:
http://www.microsoft.com/whdc/system/winpreinst/ntfs-preinstall.mspx
The original text is as follows:
In Windows 2000 and earlier versions of Windows NT, the MFT was typically placed at the start of the disk space available to the file system. In Windows XP, the NTFS format utilities place the MFT 3 GB further into the disk space.

(Floor 10) netizen: The test procedure is as follows:
(1) Find two partitions, both of which are 500 MB, and fill them with 00. This can be done using WinHex.
(2) Format partition A as NTFS (in a Windows XP environment), and copy all the data in it (excluding the backup of the boot sector); you can write a small program or use WinHex to search for each file and copy the relevant data. There are not many files.
(3) Then write all the data copied in (2) to partition B (this can only be called a copy; it has not reached the level of a write), and at the same time re-order the data positions on the partition, which is equivalent to a defragment.
Test 1: Write $MFT in the left and right locations of the partition (refer to the location of Ghost restoration and take the same location as Ghost restoration).
Test 2: Write $MFT at the beginning of the partition, for example, 0x4000.
Other files, such as $MFTMirr and $LogFile, are all written after $MFT in sequence.
Neither Test 1 nor Test 2 has a boot sector backup. Then run chkdsk to check whether the NTFS partition written back is correct. The result is:
Test 1: chkdsk found no error, but the boot sector backup was written to the end of the partition (chkdsk does not report an error when there is no boot sector backup).
Test 2: chkdsk found no error, and the boot sector backup was written to the center of the partition. (Of course, if a file occupies the cluster in the center, chkdsk reports an error, writes the boot sector backup to the middle, modifies the file occupying the cluster in the middle, and moves that file's cluster to another location.)
The only difference between Test 1 and Test 2 is that the positions of all files starting with $MFT are different; the rest is the same.
These are the simple lab steps.
Since there is no public Microsoft document, we can only guess at some conclusions, and they are not certain.
The locations where Test 1 and Test 2 write $MFT are not very standard; because there is no public documentation, one can only guess where in the partition to write it.
Therefore, I want to find some definite information or reach a definite conclusion to ensure that there will be no errors (at least no chkdsk errors) when copying NTFS partitions...

Well, I will stop here for now. In the subsequent sections of this article, I will provide the corresponding principle analysis and an appropriate experimental design to approach the real answer to the question as closely as possible. Readers are asked to watch for updates to this article; I will post them as soon as I have time. If you have your own opinions on this issue, please contact me via email (please forgive me for not replying one by one).
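Added example, not part of the original thread: a Python sketch that reads the boot sector fields discussed above (total sectors at 0x28, $MFT start cluster at 0x30) and checks whether a byte-for-byte copy of sector 0 sits at the end or in the middle of a volume image, falling back to a full scan. The candidate sector numbers, the equality comparison and all function names are assumptions of this example, and the sample image is constructed.

```python
import struct

SECTOR = 512  # the sample image uses 512-byte sectors, as in the thread

def parse_boot_sector(bs):
    """Decode the BPB fields that size the volume and locate $MFT."""
    if bs[3:11] != b"NTFS    ":
        raise ValueError("no NTFS OEM ID at offset 0x03")
    bps, spc = struct.unpack_from("<HB", bs, 0x0B)   # bytes/sector, sectors/cluster
    total_sectors, mft_lcn = struct.unpack_from("<QQ", bs, 0x28)
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total_sectors, "mft_lcn": mft_lcn,
            "mft_byte_offset": mft_lcn * spc * bps}

def locate_backup(image):
    """Return (label, sector) of the copy of sector 0, or None if absent."""
    primary = image[:SECTOR]
    n = parse_boot_sector(primary)["total_sectors"]
    # Candidate positions (assumptions of this example): the BPB total leaves
    # out one trailing sector, so "end" is sector n; "middle" is n // 2.
    for label, sector in (("end", n), ("middle", n // 2)):
        if image[sector * SECTOR:(sector + 1) * SECTOR] == primary:
            return label, sector
    # Full scan, so a copy at an unexpected position is still reported.
    for sector in range(1, len(image) // SECTOR):
        if image[sector * SECTOR:(sector + 1) * SECTOR] == primary:
            return "other", sector
    return None

def make_sample_image(total_sectors, mft_lcn, backup_sector=None):
    """Constructed volume: zero-filled except for the boot sector copies."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"                         # jump instruction
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, SECTOR, 8)      # 8 x 512 = 4 KB clusters
    struct.pack_into("<QQ", bs, 0x28, total_sectors, mft_lcn)
    bs[510:512] = b"\x55\xAA"
    image = bytearray((total_sectors + 1) * SECTOR)
    image[:SECTOR] = bs
    if backup_sector is not None:
        image[backup_sector * SECTOR:(backup_sector + 1) * SECTOR] = bs
    return bytes(image)

if __name__ == "__main__":
    # $MFT cluster 786432 is the thread's 3 GB figure; it lies outside this
    # small sample image and is only parsed, never read.
    img = make_sample_image(2048, 786432, backup_sector=2048)
    print(parse_boot_sector(img[:SECTOR]), locate_backup(img))
```

On a real image, pass the bytes of the partition (not the whole disk) so that sector 0 is the NTFS boot sector.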
