http://www.geocities.com/thestarman3/asm/mbr/MSWin41BRinHexEd.htm
A Disk Editor View of the
MSWIN4.1 OS Boot Record
Web Presentation and Text are Copyright © 2004 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !
Like all previous MS Boot Records (all the way back to MS-DOS V.2 and Floppy Disk Boot Sectors too), the first three bytes are still called the Jump Instruction. Only the first two bytes have ever been used* to form the actual JMP instruction itself to the rest of the executable code; the third byte (90h) is just a NOP instruction ('No Op' do nothing). The next 8 bytes are the System Name (MSWIN4.1; sometimes called the "OEM ID") which is followed by the BIOS Parameter Block (or BPB). The MSWIN 4.1 BPB (shown as: _ BPB _ in the display below) has a number of additional fields compared to a FAT16 partition (used by the original Windows 95, MSWIN4.0 Boot Record). But the Volume Label (example: "MY_C_DRIVE") and File System ID ("FAT32 ") are still found in the last two fields even though this BPB is longer than that of a FAT16 partition.
The last 130 bytes of the Boot Record's first sector contain a few data locations (03 18 01 27), error messages, three system filenames (beginning with IO.SYS) and finally the Word-sized signature ID (or Magic number) of AA55h. Remember: hex Words (any non-text data requiring more than a single byte) for Intel x86 CPUs are always stored in memory with the Lowest-byte first and the Highest-byte last!
The RRaA at the beginning of the second sector marks it as the beginning of an MSWIN4.1 Extended Boot Record. A similar ID (rrAa; the same letters as above, but with the case of the letters inverted) marks the start of this Record's "Total Free Clusters" and "Next Available Cluster" data within the sector. There are only 8 bytes of data in the whole sector!
Reminder: Don't forget that each FAT32 Boot Record has a Backup Copy just a few sectors beyond the original. In the case of a single FAT32 partition (or the first partition of many) on a drive, the Backup is found in Absolute Sectors 69 through 71. These correspond to Relative (or Logical) Sectors 0 through 2 and then 6 through 8 (for the Backup copy) of any FAT32 partition on your drive.
The third and last sector of this Boot Record contains the remainder of the executable code and the same Word-sized signature ID (AA55h) which appears at the end of each sector in the Boot Record:
*Note on JMP Instruction: Although Microsoft has always used two-byte SHORT (Relative) Jumps (which begin with the byte EB) in their Boot Records, one could also use a NEAR (but still Relative) form which begins with the byte E9 and requires two more bytes for the relative displacement. For example, the EB 58 90 (a two-byte SHORT jump and the 'Do Nothing' byte 90h) in our present MSWIN4.1 Boot Record could just as easily have been replaced by the three bytes: E9 57 00 (which are all part of that Near JMP Instruction). For more info on Relative Jumps, see: Two-byte Jumps.
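The checks described above, as an added example that is not part of the original page: it parses the three-sector record, computes where the opening JMP lands (so EB 58 90 and E9 57 00 can be compared), and reports fields where the Backup copy at Relative Sectors 6 through 8 differs from the original. The field offsets follow the standard FAT32 layout and 512-byte sectors are assumed; neither is stated on the page, and the sample image and its cluster counts are constructed.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors

def jump_target(sec):
    """Offset the opening JMP lands on, or None if it is not EB/E9."""
    if sec[0] == 0xEB:                       # SHORT: 1-byte signed displacement
        return 2 + struct.unpack_from("<b", sec, 1)[0]
    if sec[0] == 0xE9:                       # NEAR: 2-byte signed displacement
        return 3 + struct.unpack_from("<h", sec, 1)[0]
    return None

def parse_boot_record(img, base=0):
    """Parse the three-sector record starting at relative sector `base`."""
    s0, s1, s2 = (img[(base + i) * SECTOR:(base + i + 1) * SECTOR] for i in range(3))
    free, nxt = struct.unpack_from("<II", s1, 0x1E8)   # the 8 data bytes after rrAa
    return {
        "jump_target": jump_target(s0),
        "system_name": s0[3:11].decode("ascii", "replace"),
        "volume_label": s0[0x47:0x52].decode("ascii", "replace"),
        "fs_id": s0[0x52:0x5A].decode("ascii", "replace"),
        # AA55h is stored low byte first, so the on-disk bytes are 55 AA
        "signatures_ok": all(s[510:512] == b"\x55\xAA" for s in (s0, s1, s2)),
        "ext_ids_ok": s1[0:4] == b"RRaA" and s1[0x1E4:0x1E8] == b"rrAa",
        "free_clusters": free,
        "next_cluster": nxt,
    }

def backup_differences(img):
    """Fields where the backup (sectors 6-8) differs from the original (0-2)."""
    a, b = parse_boot_record(img, 0), parse_boot_record(img, 6)
    return sorted(k for k in a if a[k] != b[k])

def build_sample(jmp=b"\xEB\x58\x90"):
    """Constructed 9-sector image using the values quoted on this page."""
    s0, s1, s2 = bytearray(SECTOR), bytearray(SECTOR), bytearray(SECTOR)
    s0[0:3] = jmp
    s0[3:11] = b"MSWIN4.1"
    s0[0x47:0x52] = b"MY_C_DRIVE "
    s0[0x52:0x5A] = b"FAT32   "
    s1[0:4] = b"RRaA"
    s1[0x1E4:0x1E8] = b"rrAa"
    struct.pack_into("<II", s1, 0x1E8, 1000, 5)       # constructed counts
    for s in (s0, s1, s2):
        s[510:512] = b"\x55\xAA"
    rec = bytes(s0 + s1 + s2)
    return rec + bytes(3 * SECTOR) + rec              # original, gap, backup
```

A non-empty result from `backup_differences` on a real volume image is a prompt to inspect both copies in the disk editor before trusting either one.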
Last Update: July 2, 2005. [02.07.2005]
Understanding x86 (Intel) Machine Code
Using SHORT (Two-byte) Relative Jump Instructions
BootRecord (last modified 2008-11-04 07:00:06)