Windows 7 MBR English analysis material (File Control)

Source: http://thestarman.pcministry.com/asm/mbr/W7MBR.htm#DC

---------------------------------------------------------------------------------------------

Introduction

Like Vista, if you install Windows 7 on a hard disk with no existing partitions, the first partition will start at Absolute Sector 2048 (counting from zero; Sector 0 is where the MBR is located). This is an offset of exactly 1 Binary Megabyte (2048 * 512 = 1,048,576 bytes) into the disk. In hexadecimal, this is an offset of 100,000 hex (100000h = 1 MiB). The main reason Microsoft gave for doing this is found in their article, KB-923332; with the number of sectors given only in hex: 0x800 = 2048 and 0x3F = 63. 
[Basically, since the starting offset for many disks, including the majority of Windows XP OS installs, was 63 (an odd number), they chose a starting offset that should give an even number of sectors for any large-sector drive manufacturers produce. It would cause performance issues on large-sector drives if there were a "misalignment" between the size of a physical sector and the partition(s). Western Digital and other drive manufacturers have been producing such hard disks for over a year now, calling them Advanced Format drives, with physical sectors 8 times the size of a 512-byte sector (8 * 512 = 4096 bytes). But even with new disks using 4 KiB sectors, the Win7 offset of 1 MiB still gives an equivalent offset of 256 such sectors (1048576/4096 or 2048/8). Wouldn't any offset that is a whole multiple of the new large sector size have solved the "misalignment" issue? So why not simply pick an offset of 32, 64 or even 128 KiB? Did Microsoft really want to be sure you could continue to use your Win7 OS on drives with even much larger sector sizes? Whatever their thoughts on the issue may have been, technicians working with Win7 OS disks (on either current or future models) now have a much larger reserved space (1,048,576 bytes vs. 32,256 bytes) they must deal with. (Note: Do not confuse this generally unused reserved space with the new Windows 7 "System Reserved" partition described below.)]

However, unlike Vista, Microsoft added a further complication for those who must deal with software designed to make image copies of Windows 7 hard disks: For each standard install of Windows 7, the install DVD defaults to creating two partitions! (NOTE: This is not true if you use an Upgrade DVD where Win 7 must be installed onto a disk with an existing Windows partition; whether you choose to keep your data or overwrite the whole partition, its files will only be installed into that partition. One should also note some computer manufacturers insist on adding their own partitions either before the main OS, after it, or both!) Note again, for a standard Windows 7 install to a disk that has no existing partitions, the first partition will always be set to a size of only 100 MiB and labeled as "System Reserved". Users may also be confused by the fact that although this partition is made the PC's Active (bootable) partition, it's usually assigned the drive letter E: (the DVD drive often being assigned the letter D:). So here's a case where, under Microsoft Windows, a simple clean OS install has the drive letter C: assigned to the second partition on the disk; not the first one.

So be aware of this when examining the MBR of a Win7 OS disk. The typical (default) Windows 7 OS partition table (with its 100 MiB boot partition as the first entry) will appear similar to this:

===========================================================================
| B | FS TYPE |      START     |        END      |           |            |
| F |  (hex)  |  C     H     S |   C     H     S |  RELATIVE |    TOTAL   |
===========================================================================
| * |   07    |  0     32   33 |  12   223    19 |      2048 |     204800 |
|   |   07    | 12    223   20 |1023   254    63 |    206848 |   nnnnnnnn |
|   |   00    |  0     0     0 |   0     0     0 |         0 |          0 |
|   |   00    |  0     0     0 |   0     0     0 |         0 |          0 |
===========================================================================
                                 Figure 1.
where "nnnnnnnn" simply represents the actual size in sectors of the main OS partition (the rest of the disk). The "RELATIVE" offset of the first partition is 2048 sectors instead of the usual 63. For technicians, it may take some time to get used to seeing both a Starting CHS triple of 0,32,33 (instead of 0,1,1) and an Ending CHS triple of 12,223,19 (for disks with 255 heads) rather than the 1023,254,63 we had become so familiar with seeing on many users' computers. The whole first entry above will appear as follows in a disk editor (the hex equivalents of the decimal partition table values shown above): "80 20 21 00 07 DF 13 0C 00 08 00 00 00 20 03 00" (see below), where the Head and Sector values are 20h and 21h for the Starting Sector, and DFh, 13h and 0Ch are the Head, Sector and Cylinder values of the Ending Sector.

Note: If you own a Laptop, your BIOS may use a different pseudo-CHS geometry translation for the head value. For example, if your Win 7 PC's BIOS decides the hard disk should have only 240 heads (instead of 255), the values you might see in your Partition Table's first entry could be: "80 20 21 00 07 A3 13 0D 00 08 00 00 00 20 03 00" for an Ending CHS triple of 13,163,19, which still results in a total of 204800 (32000h) sectors or a capacity of 100 MiB for the first partition.
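As an added worked example (this code is not part of the original page), the following C program decodes a 16-byte partition table entry exactly as Figure 1 lays it out, and checks both CHS triples against the LBA fields under a given BIOS geometry. The two sample entries are the byte strings quoted above, for 255 heads and for the 240-head laptop case; the geometry values and the function names are the example's own. It also applies the usual clamp to 1023,254,63 for partitions that extend past cylinder 1023, which is where the second entry's ending triple in Figure 1 comes from.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded 16-byte MBR partition table entry (the columns of Figure 1). */
struct pte {
    uint8_t  boot;               /* 80h = active ("B F" column), 00h = inactive */
    uint8_t  type;               /* FS TYPE, e.g. 07h for NTFS */
    uint16_t start_c, end_c;     /* cylinder, 10 bits */
    uint8_t  start_h, start_s;   /* head (8 bits), sector (6 bits, 1-based) */
    uint8_t  end_h, end_s;
    uint32_t lba;                /* RELATIVE: starting sector, little-endian dword */
    uint32_t count;              /* TOTAL: number of sectors, little-endian dword */
};

/* Packed CHS triple: byte 0 = head, byte 1 = sector in bits 0-5 with
 * cylinder bits 8-9 in bits 6-7, byte 2 = cylinder bits 0-7. */
static void unpack_chs(const uint8_t *p, uint16_t *c, uint8_t *h, uint8_t *s)
{
    *h = p[0];
    *s = p[1] & 0x3F;
    *c = (uint16_t)(((p[1] & 0xC0) << 2) | p[2]);
}

/* Little-endian dword, as x86 stores it (low byte first). */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

void parse_pte(const uint8_t e[16], struct pte *out)
{
    out->boot = e[0];
    unpack_chs(e + 1, &out->start_c, &out->start_h, &out->start_s);
    out->type = e[4];
    unpack_chs(e + 5, &out->end_c, &out->end_h, &out->end_s);
    out->lba   = le32(e + 8);
    out->count = le32(e + 12);
}

uint32_t pte_lba(const uint8_t e[16])   { return le32(e + 8); }
uint32_t pte_count(const uint8_t e[16]) { return le32(e + 12); }

/* LBA -> CHS under a BIOS translation geometry of `heads` heads and `spt`
 * sectors per track, packed as cylinder<<16 | head<<8 | sector. Cylinders
 * beyond 1023 cannot be expressed in the 10-bit field and are clamped to the
 * maximum triple (1023, heads-1, spt): that is why large partitions end in
 * 1023,254,63 on a 255-head disk. */
uint32_t lba_to_chs(uint32_t lba, unsigned heads, unsigned spt)
{
    uint32_t c = lba / (heads * spt);
    uint32_t h = (lba / spt) % heads;
    uint32_t s = lba % spt + 1;
    if (c > 1023) { c = 1023; h = heads - 1; s = spt; }
    return c << 16 | h << 8 | s;
}

/* 1 if both CHS triples agree with the LBA fields under the given geometry,
 * 0 otherwise (a mismatch usually means the table was written under another
 * BIOS translation, or has been edited by hand). */
int pte_chs_consistent(const uint8_t e[16], unsigned heads, unsigned spt)
{
    struct pte p;
    parse_pte(e, &p);
    uint32_t want_start = (uint32_t)p.start_c << 16 | (uint32_t)p.start_h << 8 | p.start_s;
    uint32_t want_end   = (uint32_t)p.end_c   << 16 | (uint32_t)p.end_h   << 8 | p.end_s;
    return lba_to_chs(p.lba, heads, spt) == want_start
        && lba_to_chs(p.lba + p.count - 1, heads, spt) == want_end;
}

/* First table entry from Figure 1 (255-head geometry) and the 240-head
 * laptop variant quoted in the note above. */
const uint8_t PTE_255_HEADS[16] = {0x80,0x20,0x21,0x00,0x07,0xDF,0x13,0x0C,
                                   0x00,0x08,0x00,0x00,0x00,0x20,0x03,0x00};
const uint8_t PTE_240_HEADS[16] = {0x80,0x20,0x21,0x00,0x07,0xA3,0x13,0x0D,
                                   0x00,0x08,0x00,0x00,0x00,0x20,0x03,0x00};

int main(void)
{
    struct pte p;
    parse_pte(PTE_255_HEADS, &p);
    printf("boot=%02X type=%02X start=%u,%u,%u end=%u,%u,%u relative=%u total=%u\n",
           p.boot, p.type, p.start_c, p.start_h, p.start_s,
           p.end_c, p.end_h, p.end_s, p.lba, p.count);
    printf("consistent with 255 heads: %d, with 240 heads: %d\n",
           pte_chs_consistent(PTE_255_HEADS, 255, 63),
           pte_chs_consistent(PTE_255_HEADS, 240, 63));
    return 0;
}
```

Run against a real sector (bytes 1BEh to 1FDh of sector 0), the consistency check is a quick way to tell which head count the BIOS that wrote the table was using, and to flag entries whose CHS and LBA fields no longer describe the same region.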

 

Windows 7 has the same useful feature related to boot records and booting which first appeared under Vista: Its Disk Management utility has the ability to both shrink and expand partitions; similar to what Partition Magic could do for previous Windows versions. We may present a detailed page about this in the future.

 

This page examines the MBR code most likely to be found in a Microsoft® Windows 7 OS installation. Win7's various editions, such as Home Premium or Ultimate, all contain exactly the same MBR code. When partitioning a disk without an MBR sector, this code will be written to Cylinder 0, Head 0, Sector 1 of the Hard Drive by various OS routines, such as Win7's Disk Management utility. But even in the case of a drive that already has a functioning Windows MBR, the Win7 install DVD will overwrite the existing MBR code of the boot disk as part of the process. [As with XP and Vista, Win7 itself will write data to an existing MBR sector (e.g., of a slave drive connected to the system) when necessary (compare the Disk Signature comments for the Windows XP MBR).]

For our Windows 7 install, all the bytes of Win7's MBR code were also contained inside the following files (listed by location, alphabetically; with the offset to the first byte of the code). In each case, there are a full 512 bytes comprising the MBR sector; the locations of the NT Disk Signature and the 64-byte Partition Table are zero-filled, and the last two bytes are 55h followed by AAh:

1. C:\Windows\System32\RelPost.exe [Offset: 12CD0h]
("Windows Diagnosis and Recovery"; File version: "6.1.7600.16385 (win7_rtm.090713-1255)"; 182,784 bytes; Modification Date: "07/14/2009 1:14 AM"). There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-reliability-postboot_31bf3856ad364e35_6.1.7600.16385_none_4d97265566a66f7e\RelPost.exe.
2. C:\Windows\System32\vdsutil.dll [Offset: 22CA8h]
("Virtual Disk Service Utility Library"; File version: "6.1.7600.16385 (win7_rtm.090713-1255)"; 151,040 bytes; Modification Date: "07/14/2009 1:16 AM"). There's also a second copy here: C:\Windows\winsxs\Backup\x86_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7600.16385_none_6ac128c35c0231aa_vdsutil.dll_f2ef43cf.
3. C:\Windows\System32\vssapi.dll [Offset: E20D0h]
("Volume Shadow Copy Requestor/Writer Services API DLL"; File version: "6.1.7600.16385 (win7_rtm.090713-1255)"; 1,123,328 bytes; Modification Date: "07/14/2009 1:16 AM").
There's also a second copy here: C:\Windows\winsxs\Backup\x86_microsoft-windows-vssapi_31bf3856ad364e35_6.1.7600.16385_none_d4bd3473e31540bf_vssapi.dll_51f72c64.
4. C:\Windows\System32\VSSVC.exe [Offset: E1BA8h]
("Volume Shadow Copy Service"; File version: "6.1.7600.16385 (win7_rtm.090713-1255)"; 1,025,536 bytes; Modification Date: "07/14/2009 1:15 AM").
There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-vssservice_31bf3856ad364e35_6.1.7600.16385_none_5aa3249a792b0938\VSSVC.exe
5. C:\Windows\System32\oobe\winsetup.dll [Offset: 184220h]
("Windows System Setup"; File version: "6.1.7600.16385 (win7_rtm.090713-1255)"; 1,794,048 bytes; Modification Date: "07/14/2009 1:16 AM").
There's also a second copy here: C:\Windows\winsxs\x86_microsoft-windows-setup-component_31bf3856ad364e35_6.1.7600.16385_none_3202d4720e95de08\winsetup.dll.

 

Using the file "C:\Windows\System32\vdsutil.dll" of "151,040 bytes" with a Modification Date of "Tuesday, July 14, 2009 01:16:17 AM" as an example, the MBR in this file was found at offsets 22CA8h through 22EA7h (of which only 80 of its 512 bytes are shown here):



Figure 2.   Showing the bytes "63 7B 9A"which are part of the Win7 MBR's code.

 
The following is a disk editor view of how the bytes of this MBR are stored on a hard disk's first sector; that's Absolute (or Physical) Sector 0, or CHS 0,0,1. (See Examination of the Code below to find out where this data ends up in Memory when it's executed.)

The first 355 bytes (000h through 162h) of this 512-byte sector are executable code and the next 80 bytes (163h through 1B2h) contain error messages. The last 66 bytes of the sector contain the 64-byte Partition Table (1BEh through 1FDh); data in the Table will depend upon the size, structure and file systems on the hard disk. [See our pages on Partition Tables, for notes on how to interpret the data in a particular disk's partition table.] The sector ends with the Word-sized signature ID of AA55h (sometimes called the MBR's Magic number). Note: On PCs using an Intel (or x86 compatible) CPU, hex Words are stored with the Low-byte first and the High-byte last.

The programmers of this MBR had to use almost every bit of space available, because all 110 bytes of the code shown between brackets in Figure 3 (offsets C6h through 126h and offsets 156h through 162h) are either related to, or directly involved in, determining if the hardware supports TPM (Trusted Platform Module) version 1.2; which can then be used to provide extra functionality for Win7's BitLocker™ Drive Encryption. The letters "TCPA" at offsets EFh through F2h are not coincidental; they stand for "Trusted Computing Platform Alliance" and are part of the code which tests for the existence of a TPM chip (see comments below).

The remaining 11 bytes (between the Error Messages and the Partition Table; 1B3h through 1BDh) begin with only two zero-bytes as padding, followed by the three bytes (63 7B 9A) at 1B5h through 1B7h for a Win7 install with English messages (see below for all the details about this). If you stop the installation before any NT-type Operating System starts to boot up, the next four bytes may remain as they were, usually zero-bytes. But once Windows has begun running, it will write a Disk Signature in the MBR. These four bytes from offsets 1B8h through 1BBh are called the Windows Disk Signature or NT Drive Serial Number. See here for details on Disk Signature use in the Windows Registry!

The three bytes at offsets 1B5h through 1B7h ("63 7B 9A") are used by Microsoft Windows for a very specific purpose; for English versions of Windows 7, you'll always see these same Hex values ("63 7B 9A") in the MBR. They're used by the MBR code to display Error Messages on your screen. But for those using Windows 7 in a different language, their MBRs may have different values in the second and third bytes, depending upon how many characters are in each of the three messages. If you look in the code section below, starting at offset 0731h (instruction: "MOV AL,[07B7]"), you'll see these three bytes are used to reference the address in Memory of the first byte of each Error Message that can be displayed on screen at boot up: 0763h, 077Bh and 079Ah. Each byte is the low byte of that address, i.e. of 0600h (where the code copies itself; see below) plus the message's offset in the sector. Since the code portion above the messages will always be the same, the first offset (0763h) will never change no matter what language (and string lengths) are used.

Now that you know what the bytes at offsets 1B5h through 1B7h are used for, you could change these error messages to display whatever you wish (as long as they all fit into the space between offsets 163h and 1B4h) by counting their character lengths and using a disk editor on the MBR sector to make the appropriate changes.
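The following C code is added here as a worked example of the message-table mechanism just described; it is not code from the original page. It lays three NUL-terminated messages out from 163h, stores the low byte of each message's post-relocation address (0600h plus its sector offset) in 1B5h through 1B7h, and refuses a set that does not fit in the space up to 1B4h. The English message strings are the ones assumed here for the Windows 7 MBR; with their lengths (24, 31 and 25 bytes including terminators) the table comes out as 63 7B 9A, matching the page. The too-long set is constructed for the example, and names such as set_mbr_messages are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MBR_RELOC  0x0600  /* the Win7 MBR copies itself to 0000:0600 before running */
#define MSG_START  0x163   /* first byte after the executable code */
#define MSG_END    0x1B4   /* last byte the messages may occupy (inclusive) */
#define MSG_TABLE  0x1B5   /* three one-byte entries, one per message */

/* English messages assumed for the Windows 7 MBR. Their lengths (with NUL
 * terminators: 24, 31, 25) place them at 0763h, 077Bh and 079Ah. */
const char *WIN7_MSGS_EN[3] = {
    "Invalid partition table",
    "Error loading operating system",
    "Missing operating system",
};

/* Constructed replacement set that is too long: 3 x 31 = 93 bytes > 82. */
const char *MSGS_TOO_LONG[3] = {
    "012345678901234567890123456789",
    "012345678901234567890123456789",
    "012345678901234567890123456789",
};

/* Write the three messages from MSG_START and record, for each, the low byte
 * of its address after relocation in the table at MSG_TABLE. Returns 1 on
 * success, 0 if the messages (with terminators) do not fit by MSG_END. */
int set_mbr_messages(uint8_t sector[512], const char *msgs[3])
{
    size_t need = 0;
    for (int i = 0; i < 3; i++) need += strlen(msgs[i]) + 1;
    if (need > (size_t)(MSG_END - MSG_START + 1)) return 0;

    memset(sector + MSG_START, 0, MSG_END - MSG_START + 1);
    size_t off = MSG_START;
    for (int i = 0; i < 3; i++) {
        size_t len = strlen(msgs[i]) + 1;
        memcpy(sector + off, msgs[i], len);
        sector[MSG_TABLE + i] = (uint8_t)((MBR_RELOC + off) & 0xFF);
        off += len;
    }
    return 1;
}

/* Address at which the relocated code finds message i. Every message lies in
 * the 0700h-07FFh page, so the table byte is the full low byte and the high
 * byte is always 07h. */
uint16_t mbr_message_addr(const uint8_t sector[512], int i)
{
    return (uint16_t)(0x0700 | sector[MSG_TABLE + i]);
}

/* Message i as the code would display it, read back through the table. */
const char *mbr_message_text(const uint8_t sector[512], int i)
{
    return (const char *)sector + (mbr_message_addr(sector, i) - MBR_RELOC);
}

/* Build the table for msgs in a scratch sector and return its three bytes
 * packed as 0xAABBCC (0x637B9A for the English set), or 0 if they do not fit. */
uint32_t mbr_message_table(const char *msgs[3])
{
    static uint8_t sector[512];
    memset(sector, 0, sizeof sector);
    if (!set_mbr_messages(sector, msgs)) return 0;
    return (uint32_t)sector[MSG_TABLE] << 16 | (uint32_t)sector[MSG_TABLE + 1] << 8
         | sector[MSG_TABLE + 2];
}

/* 1 if every message survives a write and read-back through the table. */
int mbr_messages_roundtrip(const char *msgs[3])
{
    uint8_t sector[512] = {0};
    if (!set_mbr_messages(sector, msgs)) return 0;
    for (int i = 0; i < 3; i++)
        if (strcmp(mbr_message_text(sector, i), msgs[i]) != 0) return 0;
    return 1;
}

int main(void)
{
    uint8_t sector[512] = {0};
    set_mbr_messages(sector, WIN7_MSGS_EN);
    for (int i = 0; i < 3; i++)
        printf("%04X: %s\n", mbr_message_addr(sector, i), mbr_message_text(sector, i));
    printf("table bytes: %06X, too-long set accepted: %d\n",
           mbr_message_table(WIN7_MSGS_EN), mbr_message_table(MSGS_TOO_LONG) != 0);
    return 0;
}
```

To apply this to a real MBR, read sector 0 into the buffer first so the code, Disk Signature and Partition Table are preserved; the function only touches 163h through 1B7h, and, because the first message always starts at 163h, the first table byte stays 63h whatever text is used.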

 

After executing the POST (Power-On Self Test), the BIOS loads this sector into memory at 0000:7C00 (as it does any MBR) then transfers control to this code.

But this code must first copy itself into another area of Memory. This is necessary because the code must also load the Boot Sector of the Active Partition into the same area of Memory that it occupies just after being loaded! Unlike the Windows 2000/XP MBR, this code copies all 512 of its bytes to the new location, starting at: 0000:0600. Only the first three instructions are the same as the Windows 2000/XP MBR, so keep your eyes sharp if you're comparing the two.
