Upgrading and Repairing PCs Free Open Book

Disk and File System Structures

To manage files on a disk and enable all applications to see a consistent interface to the file system no matter what type of storage hardware is being used, the operating system creates several structures on the disk. These structures are the same for any OS that supports the FAT file system, including Windows 9x, Windows Me, Windows NT, Windows 2000, and Windows XP. The following list shows all the structures and areas FAT uses to manage a disk, in roughly the same order in which they appear on the media:

  • Master and extended partition boot records (sectors)

  • Volume boot record

  • Root directory

  • File allocation tables

  • Clusters (allocation units in the data area)

  • Diagnostic read-and-write cylinder (not on all drives)

All these structures are detailed later in this section. A hard disk has all these disk-management structures, and a floppy disk has all but the master and extended partition boot records and diagnostic cylinder. The volume boot record through data area structures are repeated for each partition or volume on a drive. These structures are created on hard disk drives or other high-capacity media by the disk partitioning program included with all operating systems. You can't use a disk partitioning program such as FDISK (MS-DOS/Windows 9x/Me) or DISKPART or Disk Management (Windows NT/2000/XP) on a floppy disk because floppy disks can't be partitioned. Figure 24.1 is a simple diagram showing the relative locations of these FAT disk-management structures on an 8.4GB hard disk.

Figure 24.1. FAT16 file-management structures on a typical 8.4GB drive.

Note

Some removable cartridge drives, such as the SuperDisk (LS-120 and LS-240) and Iomega Zip drive, function like high-capacity floppy disk drives. They lack a master boot record (MBR) and diagnostic cylinder and can't be partitioned like hard disk drives. Other higher-capacity removable drives, such as the legacy Iomega Jaz or Castlewood Orb, can be partitioned like a hard disk drive.

All PC hard drives using the FAT16 file system are similar.

Each disk area has a purpose and function. If one of these special areas is damaged, serious consequences can result. Damage to one of these sensitive structures usually causes a domino effect, limiting access to other areas of the disk or causing further problems in using the disk. For example, the OS normally can't access a drive at all if the MBR is corrupted. Therefore, you should understand these data structures well enough to be able to repair them when necessary. Rebuilding these special tables and areas of the disk is essential to the art of data recovery.

Master Boot Record

The first PC OS to support hard disks, DOS 2.0 (released on March 8, 1983), was also the first to introduce the capability to partition a drive. Partitioning is basically dividing the drive into multiple volumes. One concept easily misunderstood is that all drives that can be partitioned must be partitioned; that is, you have to partition the drive even if you are going to set it up with only one partition. Another name for a partition is a logical volume because the partition shows up as an additional drive letter or volume to the OS.

Although the primary use for partitioning today is to divide a single drive into multiple volumes for use by the same OS, originally it was intended to allow multiple different OSes, each with different file systems, to coexist on a single drive. This multi-OS capability still exists today; however, additional aftermarket utilities often are required to manage and boot from multiple OSes on a single machine.

Tip

If you want to dual-boot Windows 9x/Me with Windows 2000/XP without purchasing aftermarket boot managers, install Windows 9x or Me first and then install Windows 2000 or XP either on the unused space on the first hard disk or in a primary partition on an additional hard disk. Windows 2000 or XP will set up a boot manager for you.

To use a hard disk with different operating systems, you can create partitions to logically divide the disk. You can, for example, create one or more FAT or NTFS partitions for use with Windows and leave the rest of the disk storage area for use by another OS's file system, such as Linux. Each of the FAT or NTFS partitions appears to an OS that supports it as a separate drive letter. For example, Windows 9x/Me ignores the unused or non-FAT partitions, whereas Windows 2000/XP sees both FAT and NTFS partitions but ignores others such as Linux and OS/2 HPFS.

Even though Windows NT, 2000, and XP have a command-line disk partitioning program called DISKPART, disk partitions are usually prepared with the GUI-based Disk Management tool (2000/XP) or Disk Administrator (NT).

For more information about creating and formatting partitions with any of these operating systems, see Chapter 14, "Physical Drive Installation and Configuration," p. 797.


Information about each of the partitions on the disk is stored in a partition (or volume) boot record at the beginning of each partition. Additionally, a main table lists the partitions embedded in the master boot record.

The MBR, which is also sometimes called the master boot sector, is always located in the first physical sector of a disk (cylinder 0, head 0, sector 1) and consists of the following structures:

  • Bootstrap code. The instructions used to locate and load the VBR from the active (bootable) partition.

  • Master partition table. A table consisting of four 16-byte entries for up to four primary partitions, or three primary partitions and one extended partition. Each primary partition defines a logical drive, and an extended partition can be further partitioned into multiple logical drives. A given partition entry indicates which type of partition it is, whether it is bootable, where it is located physically on the disk, and how many sectors it occupies.

  • Signature bytes. A 2-byte signature (55AAh) used by the motherboard ROM and other code to validate the sector.

Primary and Extended FAT Partitions

Most OSes are designed to support up to 24 volumes on a single hard disk drive (represented by the drive letters C:–Z:), but the partition table in the master boot record (MBR) can have a maximum of only four entries. This is handled by using a single primary partition, which is seen as the first logical drive (C:), and an extended partition, which is then further partitioned into additional logical drives (D:, E:, F:, and so on).

Note

Although Windows NT uses Disk Administrator and Windows 2000 and XP use Disk Management to create disk partitions instead of FDISK, the following discussion refers to FDISK for simplicity's sake. A FAT partition up to 2GiB is the same with any of these operating systems.

An extended partition is listed in the master partition table the same as a primary partition, but it differs in that you can use its disk space to create multiple logical partitions, or volumes. You can create only one extended partition on a single drive, meaning that typically there will never be more than two entries in the master partition table, one primary and one extended.

The logical volumes you create in the extended partition appear as separate drive letters to the operating system, but they are not listed in the master partition table. Volumes in the extended partition are not bootable. You can create up to 23 volumes out of a single extended partition (assuming that you have already created a primary partition, which brings the total number of volumes to 24).

Each of the subpartitions in an extended partition includes an extended partition table located in the first sector of the subpartition. The first sector of the extended partition contains an extended partition table that points to the first subpartition and, optionally, another extended partition. The first sector of that extended partition has another extended partition table that can reference another volume as well as an additional extended partition. This chain of references continues, linking all the volumes in the extended partition to the master partition table. It is important to note that, if the entry for the extended partition in the MBR is lost or damaged, the chain will be broken at the start and all volumes contained within will be inaccessible—essentially meaning that they will disappear.

Few people have any reason to create 24 partitions on a single disk drive, but the extended partition can create a chain of linked partitions on the disk that makes it possible to exceed the four-entry limitation of the master partition table.

Because the master boot record contains the first program loaded from disk that the system executes when you boot a PC, it is frequently a target for creators of computer viruses. A virus that infects or destroys the MBR can make it impossible for the BIOS to find the active partition, thus preventing the operating system from loading. Because the MBR contains the first program executed by the system, a virus stored there loads before any antivirus code can be loaded to detect it. To remove an MBR virus, you must first boot the system from a clean, uninfected disk, such as a floppy, bootable CD/DVD, or USB drive, and then run an antivirus program to test and possibly repair or restore the MBR.

Each partition on a disk contains a volume boot record starting in the first sector. With the FDISK or DISKPART utilities, you can designate a primary partition as active (or bootable). The master boot record bootstrap code causes the VBR from the active primary partition to receive control whenever the system is started.

Although FAT12, FAT16, FAT32, or NTFS partitions are mainly used when running Windows, you can also create additional disk partitions for Linux, Novell NetWare, OS/2's HPFS, AIX (Unix), XENIX, or other file systems or operating systems, using disk utilities provided with the alternative OS or in some cases a third-party disk partitioning tool such as PowerQuest's Partition Magic. A partition that is not recognized by a particular operating system is simply ignored. If you install multiple operating systems on a single drive, a boot manager program (which might be included with the operating systems or installed separately) can be used to allow you to select which partition to make active each time you boot the system. As another alternative, you could install different operating systems in different primary partitions and then use FDISK, DISKPART, or some other partitioning program to change the one you want to boot as active.

Table 24.9 shows the format of the master boot record and its partition tables. The table lists the fields in each of the master partition table's four entries, the location on the disk where each field begins (the offset), and its length.

Table 24.9. Master Boot Record Format

| Offset (Hex) | Offset (Dec) | Name | Length | Description |
|---|---|---|---|---|
| 000h | 0 | Boot Code | 446 | Bootstrap code; loads the VBR from the active partition. |

Partition Table Entry #1

| Offset (Hex) | Offset (Dec) | Name | Length | Description |
|---|---|---|---|---|
| 1BEh | 446 | Boot Indicator | 1 byte | Boot status; 80h = active (bootable). Otherwise, it's 00h. |
| 1BFh | 447 | Starting Head | 1 byte | Starting head (or side) of partition in CHS mode. |
| 1C0h | 448 | Starting Cylinder/Sector | 16 bits | Starting cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1C2h | 450 | System Indicator | 1 byte | Partition type/file system. |
| 1C3h | 451 | Ending Head | 1 byte | Ending head (or side) of partition in CHS mode. |
| 1C4h | 452 | Ending Cylinder/Sector | 16 bits | Ending cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1C6h | 454 | Relative Sector | 4 bytes | Count of sectors before partition, which is the starting sector of partition in LBA mode. |
| 1CAh | 458 | Total Sectors | 4 bytes | Total number of sectors in partition in LBA mode. |

Partition Table Entry #2

| Offset (Hex) | Offset (Dec) | Name | Length | Description |
|---|---|---|---|---|
| 1CEh | 462 | Boot Indicator | 1 byte | Boot status; 80h = active (bootable). Otherwise, it's 00h. |
| 1CFh | 463 | Starting Head | 1 byte | Starting head (or side) of partition in CHS mode. |
| 1D0h | 464 | Starting Cylinder/Sector | 16 bits | Starting cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1D2h | 466 | System Indicator | 1 byte | Partition type/file system. |
| 1D3h | 467 | Ending Head | 1 byte | Ending head (or side) of partition in CHS mode. |
| 1D4h | 468 | Ending Cylinder/Sector | 16 bits | Ending cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1D6h | 470 | Relative Sector | 4 bytes | Count of sectors before partition, which is the starting sector of the partition in LBA mode. |
| 1DAh | 474 | Total Sectors | 4 bytes | Total number of sectors in the partition in LBA mode. |

Partition Table Entry #3

| Offset (Hex) | Offset (Dec) | Name | Length | Description |
|---|---|---|---|---|
| 1DEh | 478 | Boot Indicator | 1 byte | Boot status; 80h = active (bootable). Otherwise, it's 00h. |
| 1DFh | 479 | Starting Head | 1 byte | Starting head (or side) of partition in CHS mode. |
| 1E0h | 480 | Starting Cylinder/Sector | 16 bits | Starting cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1E2h | 482 | System Indicator | 1 byte | Partition type/file system. |
| 1E3h | 483 | Ending Head | 1 byte | Ending head (or side) of partition in CHS mode. |
| 1E4h | 484 | Ending Cylinder/Sector | 16 bits | Ending cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1E6h | 486 | Relative Sector | 4 bytes | Count of sectors before partition, which is the starting sector of partition in LBA mode. |
| 1EAh | 490 | Total Sectors | 4 bytes | Total number of sectors in partition in LBA mode. |

Partition Table Entry #4

| Offset (Hex) | Offset (Dec) | Name | Length | Description |
|---|---|---|---|---|
| 1EEh | 494 | Boot Indicator | 1 byte | Boot status; 80h = active (bootable). Otherwise, it's 00h. |
| 1EFh | 495 | Starting Head | 1 byte | Starting head (or side) of partition in CHS mode. |
| 1F0h | 496 | Starting Cylinder/Sector | 16 bits | Starting cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1F2h | 498 | System Indicator | 1 byte | Partition type/file system. |
| 1F3h | 499 | Ending Head | 1 byte | Ending head (or side) of partition in CHS mode. |
| 1F4h | 500 | Ending Cylinder/Sector | 16 bits | Ending cylinder (10 bits) and sector (6 bits) in CHS mode. |
| 1F6h | 502 | Relative Sector | 4 bytes | Count of sectors before partition, which is the starting sector of partition in LBA mode. |
| 1FAh | 506 | Total Sectors | 4 bytes | Total number of sectors in partition in LBA mode. |

Signature Bytes

| Offset (Hex) | Offset (Dec) | Name | Length | Description |
|---|---|---|---|---|
| 1FEh | 510 | Signature | 2 bytes | Boot sector signature; it should be 55AAh. |

CHS = Cylinder head sector

LBA = Logical block address

The data in the partition table entries tells the system where each partition starts and ends on the drive, how big it is, whether it is bootable, and which type of file system is contained in the partition. The starting cylinder, head, and sector values are used only by systems running in CHS mode, which is standard for all drives of 8.4GB or less. CHS values do not work past 8.4GB and therefore cannot represent partitions on drives larger than that. Drives larger than 8.4GB can be fully addressed only in LBA mode. In that case, the starting cylinder, head, and sector values in the table are ignored, and only the Relative Sector and Total Sectors fields are used. The Relative Sector field indicates the precise LBA where the partition begins, and the Total Sectors field indicates the length, which is always contiguous. Thus, from those two values the system can know exactly where a partition is physically located on a disk.

Note

The processors on which the PC is based have a design characteristic that is important to know for anybody editing or interpreting boot sectors. Numbers larger than 1 byte are actually read backward! This is called little endian format (as in reading the number from the little end first) or reverse-byte ordering. People typically read numbers in big endian format, which means from left to right, from the big end first. However, because PC processors read in little endian format, most numeric values larger than 1 byte are stored so that the least significant byte appears first and the most significant byte appears last. For example, the value for the Relative Sector field in the MBR for the first partition is usually 63, which is 3Fh in hex, or 0000003Fh (4 bytes long) in standard big endian hexadecimal format. However, the same number stored in little endian format would appear as 3F000000h. As another example, if a partition had 23,567,292 total sectors (about 12GB), which is 01679BBCh in hexadecimal, the number would be stored in the MBR partition table Total Sectors field in reverse-byte/little endian format as BC9B6701h.

As an aside, the use of reverse-byte order numbers stems from the way processors evolved from 8-bit (1 byte) designs to 16-bit (2 byte), 32-bit (4 byte) designs and beyond. The way the internal registers are organized and implemented dictates how a processor deals with numbers. Many processors, such as the Motorola PowerPC chips used in Macintosh systems, read numbers in big endian format. PC processors, on the other hand, are all based on Intel designs dating back to the original Intel 8088 processor used in the first IBM PC. Of course, how a particular processor reads numbers doesn't make any difference to those using a system. In the PC, the only people who have to deal with reverse-byte order or little endian numbers directly are machine or assembly language programmers—and those who want to edit or interpret raw boot sectors!
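
The following Python sketch is an added example, not code from the book. It applies the Table 24.9 layout and the little endian rule from the note above to decode and sanity-check a partition table, then follows the extended partition chain described earlier with a loop guard. The function names, the constructed disk image, the CHS bit packing, and the rule that a link entry is relative to the start of the extended partition are assumptions taken from standard MBR practice, not from this page.

```python
import struct
from collections import namedtuple

SECTOR = 512
TABLE_OFFSET = 0x1BE            # Partition Table Entry #1 (Table 24.9)
EXTENDED_TYPES = {0x05, 0x0F}   # Extended, CHS and LBA (Table 24.10)

Entry = namedtuple("Entry", "boot start_chs ptype end_chs start total")

def decode_chs(head, sec_byte, cyl_byte):
    """Unpack (cylinder, head, sector). Standard packing, not spelled out in
    the table: the top 2 bits of the sector byte are cylinder bits 8-9."""
    return ((sec_byte & 0xC0) << 2) | cyl_byte, head, sec_byte & 0x3F

def parse_table(sector):
    """Decode the four 16-byte entries of an MBR or extended partition table."""
    if len(sector) != SECTOR:
        raise ValueError("expected one 512-byte sector")
    if sector[0x1FE:0x200] != b"\x55\xAA":      # 55AAh as stored on disk
        raise ValueError("signature bytes at 1FEh are not 55AAh")
    entries = []
    for i in range(4):
        # '<' selects little endian, so the 4-byte fields decode correctly.
        boot, sh, ss, sc, ptype, eh, es, ec, start, total = struct.unpack_from(
            "<8B2I", sector, TABLE_OFFSET + 16 * i)
        entries.append(Entry(boot, decode_chs(sh, ss, sc), ptype,
                             decode_chs(eh, es, ec), start, total))
    return entries

def audit(entries):
    """Return a list of findings for a master partition table."""
    findings = []
    for n, e in enumerate(entries, 1):
        if e.boot not in (0x00, 0x80):
            findings.append(f"entry {n}: boot indicator {e.boot:02X}h is neither 00h nor 80h")
    if sum(e.boot == 0x80 for e in entries) > 1:
        findings.append("more than one entry is marked active")
    if sum(e.ptype in EXTENDED_TYPES for e in entries) > 1:
        findings.append("more than one extended partition entry")
    spans = sorted((e.start, e.start + e.total) for e in entries if e.ptype != 0x00)
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append(f"partitions overlap at LBA {start_b}")
    return findings

def walk_extended(read_sector, mbr_entries):
    """Follow the extended partition table chain and return
    (absolute start LBA, total sectors, type) for each logical volume."""
    ext = next((e for e in mbr_entries if e.ptype in EXTENDED_TYPES), None)
    if ext is None:
        return []
    volumes, seen, table_lba = [], set(), ext.start
    while True:
        if table_lba in seen:
            raise ValueError(f"extended partition chain loops back to LBA {table_lba}")
        seen.add(table_lba)
        vol, link = parse_table(read_sector(table_lba))[:2]
        if vol.ptype != 0x00:
            # The volume's start is relative to the table that describes it.
            volumes.append((table_lba + vol.start, vol.total, vol.ptype))
        if link.ptype not in EXTENDED_TYPES:
            return volumes
        if link.start >= ext.total:
            raise ValueError("link points outside the extended partition")
        # The link's start is relative to the start of the extended partition.
        table_lba = ext.start + link.start

def build_sector(*entries):
    """Constructed sample data: zeroed boot code and CHS fields, the given
    (boot, type, start, total) entries, and the 55AAh signature."""
    s = bytearray(SECTOR)
    for i, fields in enumerate(entries):
        struct.pack_into("<B3xB3xII", s, TABLE_OFFSET + 16 * i, *fields)
    s[0x1FE:0x200] = b"\x55\xAA"
    return bytes(s)

# Constructed disk image, keyed by LBA: one active FAT16 primary partition
# and an extended partition holding two logical volumes.
DISK = {
    0:    build_sector((0x80, 0x06, 63, 1000), (0x00, 0x05, 2000, 3000)),
    2000: build_sector((0x00, 0x06, 63, 900), (0x00, 0x05, 1000, 1500)),
    3000: build_sector((0x00, 0x06, 63, 900)),
}

if __name__ == "__main__":
    mbr = parse_table(DISK[0])
    print("findings:", audit(mbr))
    for start, total, ptype in walk_extended(DISK.__getitem__, mbr):
        print(f"logical volume type {ptype:02X}h at LBA {start}, {total} sectors")
```

A damaged link in the chain surfaces here as a raised error rather than an endless read loop, which is the failure a recovery tool has to guard against when the tables are corrupt.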

Each partition table entry contains a system indicator byte that identifies the type of partition and file system used in the partition referenced by that entry. Table 24.10 shows the standard values and meanings of the system indicator bytes, and Table 24.11 lists the nonstandard values.

Table 24.10. Standard System Indicator Byte Values

| Value | Partition Type | Address Mode | Partition Size |
|---|---|---|---|
| 00h | None | | |
| 01h | Primary FAT12 | CHS | 0–16MiB |
| 04h | Primary FAT16 | CHS | 16MiB–32MiB |
| 05h | Extended | CHS | 0–2GiB |
| 06h | Primary FAT16 | CHS | 32MiB–2GiB |
| 07h | NTFS/HPFS | All | All |
| 0Bh | Primary FAT32 | CHS | 512MiB–2TiB |
| 0Ch | Primary FAT32 | LBA | 512MiB–2TiB |
| 0Eh | Primary FAT16 | LBA | 32MiB–2GiB |
| 0Fh | Extended | LBA | 2GiB–2TiB |

CHS = Cylinder head sector

LBA = Logical block address

Table 24.11. Nonstandard System Indicator Byte Values

| Value | Partition Type |
|---|---|
| 02h | MS-XENIX Root |
| 03h | MS-XENIX usr |
| 08h | AIX File System Boot |
| 09h | AIX Data |
| 0Ah | OS/2 Bootmanager |
| 12h | Compaq diagnostics |
| 40h | VENIX 80286 |
| 50h | Ontrack Disk Manager read-only DOS |
| 51h | Ontrack Disk Manager read/write DOS |
| 52h | CP/M or Microport System V/386 |
| 54h | Ontrack Disk Manager non-DOS |
| 55h | Micro House EZ-Drive non-DOS |
| 56h | Golden Bow Vfeature Deluxe |
| 61h | Storage Dimensions SpeedStor |
| 63h | IBM 386/ix or Unix System V/386 |
| 64h | Novell NetWare 286 |
| 65h | Novell NetWare 386 |
| 75h | IBM PC/IX |
| 80h | Minix v1.1–v1.4a |
| 81h | Minix v1.4b-up or Linux |
| 82h | Linux swap file |
| 83h | Linux native file system |
| 93h | Amoeba file system |
| 94h | Amoeba bad block table |
| B7h | BSDI file system (secondary swap) |
| B8h | BSDI file system (secondary file system) |
| DBh | DR Concurrent DOS/CPM-86/CTOS |
| E1h | SpeedStor 12-bit FAT extended |
| E4h | SpeedStor 16-bit FAT extended |
| F2h | DOS 3.3+ secondary |
| F4h | SpeedStor primary |
| FEh | LANstep |
| FFh | Unix/Xenix Bad Block Table Partition |

These values can be useful for somebody trying to manually repair a partition table using a disk editor such as the Disk Edit program included with Norton Utilities (now part of Norton SystemWorks).

Undocumented FDISK

FDISK is a very powerful program. In DOS 5 and later versions, including Windows 9x/Me, it gained some additional capabilities (Windows NT uses Disk Administrator, whereas Windows 2000/XP use Disk Management or the DISKPART program to perform the functions of FDISK). Unfortunately, these capabilities were never documented in any of the Microsoft documentation for Windows or DOS. The most important undocumented parameter in FDISK is the /MBR (master boot record) parameter, which causes FDISK to rewrite the master boot record code area, leaving the partition table area intact.

The /MBR parameter is tailor-made for eliminating boot sector virus programs that infect the master boot record (located at cylinder 0, head 0, sector 1) of a hard disk. To use this feature, enter the following:

FDISK /MBR

FDISK then rewrites the boot record code, leaving the partition tables intact. This should not cause any problems on a normally functioning system, but just in case, I recommend backing up the partition table information to floppy disk before trying it. You can do this by using a third-party product such as Norton Utilities.

Be aware that using FDISK with the /MBR switch overwrites the partition tables if the two signature bytes at the end of the sector (55AAh) are damaged. This situation is highly unlikely, however. In fact, if these signature bytes were damaged, you would know—the system would not boot and would act as though there were no partitions at all. If you are unable to access your hard disk after booting from a clean floppy or removable-media drive, your system might be infected with a boot sector virus. You should scan for viruses with an up-to-date antivirus program and use it to guide repair.

Caution

Also note that FDISK /MBR should be used only on systems using the normal master boot record structure. If a disk-management program such as Disk Manager, Disc Wizard, EZ-Drive, MaxBlast, Data Lifeguard Tools, or similar is being used to allow your system to access the drive's full capacity, do not use FDISK /MBR because these programs use a modified MBR for disk access. Using FDISK /MBR will wipe out the changes they made to your drive and could make your data inaccessible.

The equivalent Windows NT/2000/XP Recovery Console feature to DOS/Windows 9x/Me's FDISK /MBR is called FIXMBR. The Recovery Console equivalent to FDISK is DISKPART. For details on the use of these commands, type HELP after loading the Recovery Console.

Volume Boot Records

The volume boot record is the first sector on any area of a drive addressed as a volume, including primary partitions or logical volumes inside an extended partition. On a floppy disk or removable cartridge (such as a Zip disk), for example, the volume boot record starts at the physical beginning of the disk because the disk is recognized as a volume without the need for partitioning. On a hard disk, the volume boot record occupies the first sectors of any disk area allocated as a primary partition or as a logical drive (volume) inside an extended partition. Refer to Figure 24.1 for an idea of the physical relationship between this volume boot record and the other data structures on a disk. The volume boot record resembles the master boot record in that it contains the following elements:

  • Jump Instruction to Boot Code. A 3-byte Intel x86 unconditional branch (or jump) instruction that jumps to the start of the operating system bootstrap code within the sector.

  • BIOS Parameter Block. Contains specific information about the volume, such as its size, the number of disk sectors it uses, the size of its clusters, and the volume label name. Used by the file system driver to determine the type and status of the media. Varies according to the type of file system on the media.

  • Boot Code. The instructions used to locate and load the initial operating system kernel or startup file, usually either IO.SYS or NTLDR.

  • Signature Bytes. A two-byte signature (55AAh) used by the motherboard ROM and other code to validate the boot sector.

Either the motherboard ROM or the master boot record on a hard disk loads the volume boot record of the active partition on a disk. The program code in the volume boot record is given control of the system; it performs some tests and then attempts to load the first operating system file (in DOS/Windows 9x/Me the file is IO.SYS and in Windows NT/2000/XP the file is NTLDR). The volume boot record, similar to the master boot record, is transparent to the running system; it is outside the data area of the disk on which files are stored.

Note

Many of today's systems are capable of booting from drives other than standard floppy disk and hard disk drives. In these cases, the system BIOS must specifically support the boot drive. For example, some BIOS products enable you to select an ATAPI CD-ROM (or DVD) as a boot device, in addition to the floppy and hard disk drives. Many can also boot from drives connected to USB ports, adding even more flexibility to the system.

Other types of removable media, such as Zip cartridges and LS-120 disks, can also be made bootable. When the BIOS properly supports it, an LS-120 drive can replace the existing floppy disk drive as drive A:. Check the setup screens in your system BIOS to determine which types of drives can be used to start your system.

The VBR is typically created on a volume when the volume is high-level formatted. This can be done with the FORMAT command included with DOS and Windows, or you can also use Windows NT's Disk Administrator and Windows 2000/XP's Disk Management programs to perform this task after partitioning the disk. All volumes have a VBR starting in the first sector of the volume.

The VBR contains both program code and data. The single data table in this sector is called the media parameter block or disk parameter block. The operating system needs the information this table contains to verify the capacity of the disk volume as well as the location of important structures, such as the FATs on FAT volumes or the Master File Table on NTFS volumes. The format of this data is very specific.

Although all VBRs contain boot code in addition to the BIOS parameter block (BPB) and other structures, only the boot code from the VBR in the bootable volume is executed. The others are read by the operating system during startup to determine the volume parameters.

The VBR on FAT12 and FAT16 volumes is 1 sector long and contains the jump instruction, the main BPB, bootstrap code, and signature bytes. Table 24.12 shows the format and layout of the FAT12/16 VBR.

Table 24.12. FAT12/16 Volume Boot Record Format

| Offset (Hex) | Offset (Dec) | Name | Length (Bytes) | Description |
|---|---|---|---|---|
| 000h | 0 | BS_jmpBoot | 3 | Jump instruction to boot code, usually EB3C90h. |
| 003h | 3 | BS_OEMName | 8 | OEM ID. Indicates which system formatted the volume. Typically, it's MSWIN4.1. Not used by the OS after formatting. |
| 00Bh | 11 | BPB_BytsPerSec | 2 | Bytes per sector; normally 512. |
| 00Dh | 13 | BPB_SecPerClus | 1 | Sectors per cluster. It must be a power of 2 greater than 0; typically 1, 2, 4, 8, 16, 32, or 64. |
| 00Eh | 14 | BPB_RsvdSecCnt | 2 | Number of sectors reserved for the boot record(s); it should be 1 on FAT12/16 volumes. |
| 010h | 16 | BPB_NumFATs | 1 | Count of FAT structures on the volume; usually 2. |
| 011h | 17 | BPB_RootEntCnt | 2 | Count of 32-byte directory entries in the root directory of FAT12 and FAT16 volumes; it should be 512 on FAT12/16 volumes. |
| 013h | 19 | BPB_TotSec16 | 2 | 16-bit total count of sectors on volumes with less than 65,536 sectors. If 0, then BPB_TotSec32 contains the count. |
| 015h | 21 | BPB_Media | 1 | Media descriptor byte; normally F8h on all nonremovable media, and F0h on most removable media. |
| 016h | 22 | BPB_FATSz16 | 2 | FAT12/16 16-bit count of sectors occupied by one FAT. |
| 018h | 24 | BPB_SecPerTrk | 2 | Sectors per track geometry value for interrupt 13h; it's usually 63 on hard disks. |
| 01Ah | 26 | BPB_NumHeads | 2 | Number of heads for interrupt 13h; it's usually 255 on hard disks. |
| 01Ch | 28 | BPB_HiddSec | 4 | Count of hidden sectors preceding the partition that contains this volume; it's usually 63 for the first volume. |
| 020h | 32 | BPB_TotSec32 | 4 | 32-bit total count of sectors on volumes with 65,536 or more sectors. If 0, then BPB_TotSec16 contains the count. |
| 024h | 36 | BS_DrvNum | 1 | Int 13h drive number; it's usually 00h for floppy disks or 80h for hard disks. |
| 025h | 37 | BS_Reserved1 | 1 | Reserved (used by Windows NT); it should be 0. |
| 026h | 38 | BS_BootSig | 1 | Extended boot signature; it should be 29h if the following three fields are present. Otherwise, it's 00h. |
| 027h | 39 | BS_VolID | 4 | Volume serial number; used with BS_VolLab to support volume tracking on removable media. Normally generated using the date and time as a seed when the volume is formatted. |
| 02Bh | 43 | BS_VolLab | 11 | Volume label. Matches the 11-byte volume label recorded in the root directory; it should be set to NO NAME if there is no volume label. |
| 036h | 54 | BS_FilSysType | 8 | Should be FAT12, FAT16, or FAT. Not used by the OS after formatting. |
| 03Eh | 62 | BS_BootCode | 448 | Bootstrap program code. |
| 1FEh | 510 | BS_Signature | 2 | Signature bytes; should be 55AAh. |

The VBR on a FAT32 volume is 3 sectors long, although 32 sectors are reserved at the beginning of the volume for the default and backup VBRs. The default VBR is in sectors 0, 1, and 2, and the backup VBR is in sectors 6, 7, and 8. These are all created at the time the volume is formatted and do not change during normal use. The first sector contains a jump instruction, the BPB, initial bootstrap code, and signature bytes. The second sector is called the FSInfo (file system information) sector and contains signature bytes and information used to assist the file system software; the third sector contains only additional bootstrap code and signature bytes. Table 24.13 shows the format and layout of the first sector of the 3-sector long FAT32 VBR.

Table 24.13. FAT32 VBR Format, BPB Sector 0

Offset (Hex)

Offset (Dec)

Name

Length (Bytes)

Description

000h

0

BS_jmpBoot

3

Jump instruction to boot code; it's usually EB5890h.

003h

3

BS_OEMName

8

OEM ID; indicates which system formatted the volume. It's typically MSWIN4.1. Not used by the OS after formatting.

00Bh

11

BPB_BytsPerSec

2

Bytes per sector; normally 512.

00Dh

13

BPB_SecPerClus

1

Sectors per cluster; it must be a power of 2 greater than 0. It's normally 1, 2, 4, 8, 16, 32, or 64.

00Eh

14

BPB_RsvdSecCnt

2

Number of sectors reserved for the boot record(s); it should be 32 on FAT32 volumes.

010h

16

BPB_NumFATs

1

Count of FAT structures on the volume; usually 2.

011h

17

BPB_RootEntCnt

2

Count of 32-byte directory entries in the root directory of FAT12 and FAT16 volumes; should be 0 on FAT32 volumes.

013h

19

BPB_TotSec16

2

16-bit total count of sectors on volumes with less than 65,536 sectors. If 0, then BPB_TotSec32 contains the count. Must be 0 for FAT32 volumes.

015h

21

BPB_Media

1

Media descriptor byte, normally F8h on all non-removable media, F0h on most removable media.

016h

22

BPB_FATSz16

2

FAT12/16 16-bit count of sectors occupied by one FAT; it should be 0 on FAT32 volumes, and BPB_FATSz32 contains the FAT size count.

018h

24

BPB_SecPerTrk

2

Sectors per track geometry value for interrupt 13h; usually 63 on hard disks.

01Ah

26

BPB_NumHeads

2

Number of heads for interrupt 13h; usually 255 on hard disks.

01Ch

28

BPB_HiddSec

4

Count of hidden sectors preceding the partition that contains this volume; usually 63 for the first volume.

020h

32

BPB_TotSec32

4

32-bit total count of sectors on volumes with 65,536 or more sectors. If 0, then BPB_TotSec16 contains the count. Must be non-zero on FAT32 volumes.

024h

36

BPB_FATSz32

4

FAT32 32-bit count of sectors occupied by one FAT. BPB_FATSz16 must be 0.

028h

40

BPB_ExtFlags

2

FAT32 only:

Bits 0–3. Zero-based number of active FAT. Valid only if mirroring is disabled (bit 7 = 1).

Bits 4–6. Reserved.

Bit 7. 0 indicates FAT is mirrored; 1 indicates only the FAT referenced in bits 0–3 is active.

Bits 8–15. Reserved.

02Ah

42

BPB_FSVer

2

Version number of the FAT32 volume. A high byte is a major revision number; a low byte is a minor revision number. It should be 00h:00h.

02Ch

44

BPB_RootClus

4

Cluster number of the first cluster of the root directory; usually 2.

030h

48

BPB_FSInfo

2

Sector number of extended FSInfo boot sector structure in the reserved area of the FAT32 volume; usually 1.

032h

50

BPB_BkBootSec

2

Sector number of the backup copy of the boot record; it's usually 6.

034h

52

BPB_Reserved

12

Reserved; should be 0.

040h

64

BS_DrvNum

1

Int 13h drive number; it's usually 00h for floppy disks or 80h for hard disks.

041h

65

BS_Reserved1

1

Reserved (used by Windows NT); it should be 0.

042h

66

BS_BootSig

1

Extended boot signature; it should be 29h if the following three fields are present. Otherwise, it's 00h.

043h

67

BS_VolID

4

Volume serial number; used with BS_VolLab to support volume tracking on removable media. Normally generated using the date and time as a seed when the volume is formatted.

047h

71

BS_VolLab

11

Volume label. Matches the 11-byte volume label recorded in the root directory, should be NO NAME if there is no volume label.

052h

82

BS_FilSysType

8

Should be FAT32. Not used by the OS after formatting.

05Ah

90

BS_BootCode

420

Bootstrap program code.

1FEh

510

BS_Signature

2

Signature bytes; it should be 55AAh.

Table 24.14 shows the format and layout of the FAT32 FSInfo sector, which is the second sector of the 3-sector-long FAT32 volume boot record.

Table 24.14. FAT32 VBR Format, FSInfo Sector 1

| Offset (Hex) | Offset (Dec) | Name | Length (Bytes) | Description |
| --- | --- | --- | --- | --- |
| 000h | 0 | FSI_LeadSig | 4 | Lead signature, validates sector; it should be 52526141h. |
| 004h | 4 | FSI_Reserved1 | 480 | Reserved; it should be 0. |
| 1E4h | 484 | FSI_StrucSig | 4 | Structure signature; it validates sector and should be 72724161h. |
| 1E8h | 488 | FSI_Free_Count | 4 | Last known free cluster count on the volume. If FFFFFFFFh, the free count is unknown and must be recalculated by the OS. |
| 1ECh | 492 | FSI_Nxt_Free | 4 | Next free cluster; it indicates where the system should start looking for free clusters. Usually set to the last cluster number allocated. If the value is FFFFFFFFh, the system should start looking at cluster 2. |
| 1F0h | 496 | FSI_Reserved2 | 12 | Reserved; it should be 0. |
| 1FCh | 508 | FSI_TrailSig | 4 | Trailing signature; it should be 000055AAh. |
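The following Python sketch is an added example, not code from the book: it checks a FAT32 FSInfo sector against Table 24.14 before its free-space hints are trusted. The function names, the `total_clusters` parameter, and the sample sector are assumptions made for illustration.

```python
import struct

# Table 24.14 gives the signatures in on-disk byte order, so they are compared as raw bytes.
LEAD_SIG, STRUC_SIG, TRAIL_SIG = (bytes.fromhex(h) for h in ("52526141", "72724161", "000055AA"))
UNKNOWN = 0xFFFFFFFF

def check_fsinfo(sector, total_clusters):
    """Return (free_count or None, search_start, problems) for one FSInfo sector."""
    if len(sector) != 512:
        raise ValueError("FSInfo sector must be 512 bytes")
    problems = []
    for name, off, want in (("FSI_LeadSig", 0x000, LEAD_SIG),
                            ("FSI_StrucSig", 0x1E4, STRUC_SIG),
                            ("FSI_TrailSig", 0x1FC, TRAIL_SIG)):
        if sector[off:off + 4] != want:
            problems.append(f"{name} mismatch")
    if any(sector[0x004:0x1E4]) or any(sector[0x1F0:0x1FC]):
        problems.append("reserved area not zero")
    # The two counters are little-endian dwords at 1E8h and 1ECh.
    free, nxt = struct.unpack_from("<II", sector, 0x1E8)
    if free != UNKNOWN and free > total_clusters:
        problems.append("free count exceeds volume size")
        free = UNKNOWN                     # treat as unknown: recalculate from the FAT
    if nxt != UNKNOWN and not 2 <= nxt < total_clusters + 2:
        problems.append("next-free hint out of range")
        nxt = UNKNOWN
    # FFFFFFFFh means "unknown" for the count and "start at cluster 2" for the hint.
    return (None if free == UNKNOWN else free, 2 if nxt == UNKNOWN else nxt, problems)

def sample_fsinfo(free=1000, nxt=57):
    """Constructed FSInfo sector (not taken from a real volume)."""
    s = bytearray(512)
    s[0:4], s[0x1E4:0x1E8], s[0x1FC:0x200] = LEAD_SIG, STRUC_SIG, TRAIL_SIG
    struct.pack_into("<II", s, 0x1E8, free, nxt)
    return bytes(s)

if __name__ == "__main__":
    print(check_fsinfo(sample_fsinfo(), total_clusters=4000))
```
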

Table 24.15 shows the format and layout of the FAT32 Boot Code sector, which is the third and final sector of the 3-sector-long FAT32 volume boot record.

Table 24.15. FAT32 VBR Format, Boot Code Sector 2

| Offset (Hex) | Offset (Dec) | Name | Length (Bytes) | Description |
| --- | --- | --- | --- | --- |
| 000h | 0 | BS_BootCode | 510 | Boot program code |
| 1FEh | 510 | BS_Signature | 2 | Signature bytes; should be 55AAh |

It is interesting to note that this third sector has no system-specific information in it, which means the contents are the same from system to system. Thus, if this sector (and its backup at LBA 8) were damaged on one system, you could obtain a copy of this sector from any other FAT32 volume and use it to restore the damaged sector.

The VBR on NTFS volumes is 7 sectors long, although 16 sectors are reserved at the beginning of the disk for the VBR. A backup of the 16-sector VBR area is reserved at the end of the volume, which contains a backup VBR. The first sector of the 7 is the BPB sector, and it contains a jump instruction, the BPB, and signature bytes. Sectors 2–7 contain only additional boot code, with no signature bytes or any other structures. Because the boot code is not system specific, all but the first VBR sector should be the same on any NTFS volume. Table 24.16 shows the format and layout of the first sector of the 7-sector-long NTFS VBR.

Table 24.16. NTFS VBR Format, BPB Sector 0

| Offset (Hex) | Offset (Dec) | Name | Length (Bytes) | Description |
| --- | --- | --- | --- | --- |
| 000h | 0 | BS_jmpBoot | 3 | Jump instruction to boot code; it's usually EB5290h. |
| 003h | 3 | BS_OEMName | 8 | OEM ID; indicates which system formatted the volume. Typically, it's NTFS. Not used by the OS after formatting. |
| 00Bh | 11 | BPB_BytsPerSec | 2 | Bytes per sector; it's usually 512. |
| 00Dh | 13 | BPB_SecPerClus | 1 | Sectors per cluster; must be a power of 2 greater than 0. It's normally 1, 2, 4, or 8. |
| 00Eh | 14 | BPB_RsvdSecCnt | 2 | Reserved sectors before the VBR; the value must be 0 or NTFS fails to mount the volume. |
| 010h | 16 | BPB_Reserved | 3 | Value must be 0 or NTFS fails to mount the volume. |
| 013h | 19 | BPB_Reserved | 2 | Value must be 0 or NTFS fails to mount the volume. |
| 015h | 21 | BPB_Media | 1 | Media descriptor byte; it's normally F8h on all nonremovable media and F0h on most removable media. |
| 016h | 22 | BPB_Reserved | 2 | Value must be 0 or NTFS fails to mount the volume. |
| 018h | 24 | BPB_SecPerTrk | 2 | Sectors per track geometry value for interrupt 13h; usually 63 on hard disks. |
| 01Ah | 26 | BPB_NumHeads | 2 | Number of heads for interrupt 13h; usually 255 on hard disks. |
| 01Ch | 28 | BPB_HiddSec | 4 | Count of hidden sectors preceding the partition that contains this volume; normally 63 for the first volume. |
| 020h | 32 | BPB_Reserved | 4 | Value must be 0 or NTFS fails to mount the volume. |
| 024h | 36 | Reserved | 4 | Not used or checked by NTFS; it's normally 80008000h. |
| 028h | 40 | BPB_TotSec64 | 8 | Total count of sectors on the volume. |
| 030h | 48 | BPB_MftClus | 8 | Logical cluster number for the start of the $MFT file. |
| 038h | 56 | BPB_MirClus | 8 | Logical cluster number for the start of the $MFTMirr file. |
| 040h | 64 | BPB_ClusPerMft | 1 | Clusters per MFT file/folder record. If this number is positive (00h–7Fh), it represents clusters per MFT record. If the number is negative (80h–FFh), the size of the record is 2 raised to the absolute value of this number. |
| 041h | 65 | Reserved | 3 | Not used by NTFS. |
| 044h | 68 | BPB_ClusPerIndx | 1 | Clusters per index buffer; it's used to allocate space for directories. If this number is positive (00h–7Fh), it represents clusters per MFT record. If the number is negative (80h–FFh), the size of the record is 2 raised to the absolute value of this number. |
| 045h | 69 | Reserved | 3 | Not used by NTFS. |
| 048h | 72 | BS_VolID | 8 | Volume serial number; used to support volume tracking on removable media. Normally generated using the date and time as a seed when the volume is formatted. |
| 050h | 80 | Reserved | 4 | Not used by NTFS. |
| 054h | 84 | BS_BootCode | 426 | Bootstrap program code. |
| 1FEh | 510 | BS_Signature | 2 | Signature bytes; should be 55AAh. |
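As an added illustration (not code from the book), this Python sketch decodes the first NTFS VBR sector according to Table 24.16, including the signed encoding of BPB_ClusPerMft and BPB_ClusPerIndx and the fields that must be 0. The function names, the returned field names, and the sample sector values are assumptions.

```python
import struct

# (offset, length) of the fields Table 24.16 says must be 0 or the volume fails to mount
MUST_BE_ZERO = [(0x0E, 2), (0x10, 3), (0x13, 2), (0x16, 2), (0x20, 4)]

def unit_bytes(code, cluster_bytes):
    """Size in bytes encoded by BPB_ClusPerMft or BPB_ClusPerIndx."""
    if code < 0x80:                       # 00h-7Fh: a count of clusters
        return code * cluster_bytes
    return 1 << (256 - code)              # 80h-FFh: 2 raised to the absolute value

def parse_ntfs_bpb(sector):
    """Decode an NTFS BPB sector; return (fields, problems)."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    problems = [f"nonzero field at {off:03X}h" for off, n in MUST_BE_ZERO
                if any(sector[off:off + n])]
    if sector[0x1FE:0x200] != bytes.fromhex("55AA"):
        problems.append("bad BS_Signature")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    if spc == 0 or spc & (spc - 1):
        problems.append("BPB_SecPerClus is not a power of 2")
    total, mft, mirr = struct.unpack_from("<QQQ", sector, 0x28)
    for name, lcn in (("BPB_MftClus", mft), ("BPB_MirClus", mirr)):
        if spc and lcn >= total // spc:   # start cluster must fall inside the volume
            problems.append(f"{name} lies outside the volume")
    fields = {"oem": sector[3:11].decode("latin-1").rstrip(),
              "cluster_bytes": bps * spc, "total_sectors": total,
              "mft_lcn": mft, "mftmirr_lcn": mirr,
              "mft_record_bytes": unit_bytes(sector[0x40], bps * spc),
              "index_buffer_bytes": unit_bytes(sector[0x44], bps * spc)}
    return fields, problems

def sample_sector():
    """Constructed BPB sector: 512-byte sectors, 8 per cluster, 2,000,000 sectors."""
    s = bytearray(512)
    s[0:11] = bytes.fromhex("EB5290") + b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    s[0x15] = 0xF8
    struct.pack_into("<HHI", s, 0x18, 63, 255, 63)
    struct.pack_into("<QQQ", s, 0x28, 2_000_000, 4, 125_000)
    s[0x40], s[0x44] = 0xF6, 0x01         # F6h = -10 -> 2**10 bytes; 01h = 1 cluster
    s[0x1FE:0x200] = bytes.fromhex("55AA")
    return bytes(s)

if __name__ == "__main__":
    print(parse_ntfs_bpb(sample_sector()))
```
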

Root Directory

A directory is a simple database containing information about the files stored on a FAT partition. Each record in this database is 32 bytes long, with no delimiters or separating characters between the fields or records. A directory stores almost all the information that the operating system knows about a file, including the following:

  • Filename and extension. The eight-character name and three-character extension of the file. The dot between the name and the extension is implied but not included in the entry.

    Note

    To see how Windows 9x/Me extends filenames to allow 255 characters within the 8.3 directory structure, see the section "VFAT and Long Filenames," later in this chapter.

  • File attribute byte. The byte containing the flags representing the standard DOS file attributes, using the format shown in Table 24.18.

  • Date/Time of last change. The date and time that the file was created or last modified.

  • File size. The size of the file, in bytes.

  • Link to start cluster. The number of the cluster in the partition where the beginning of the file is stored. To learn more about clusters, see the section "Clusters (Allocation Units)," later in this chapter.

A directory does not contain everything about a file, however. It does not record where the rest of the file's clusters are located in the partition or whether the file is contiguous or fragmented. This information is contained in the FAT.

Two basic types of directories exist: the root directory (also called the root folder) and subdirectories (also called folders). Any given volume can have only one root directory. The root directory is always stored on a disk in a fixed location immediately following the two copies of the FAT. Root directories vary in size because of the different types and capacities of disks, but the size of the root directory on a given disk is fixed. Using the FORMAT command creates a root directory that has a fixed length and can't be extended to hold more entries. The root directory entry limits are shown in Table 24.17. Subdirectories are stored as files in the data area of the disk and can grow in size dynamically; therefore, they have no fixed length limits.

Table 24.17. Root Directory Entry Limits

| Drive Type | Maximum Root Directory Entries |
| --- | --- |
| Hard disk | 512 |
| 1.44MB floppy disk | 224 |
| 2.88MB floppy disk | 448 |
| Jaz and Zip | 512 |
| LS-120 and LS-240 | 512 |

Note

Two advantages of the FAT32 file system are that the root directory can be located anywhere on the disk and it can have an unlimited number of entries. FAT32 is discussed in more detail later in this chapter.

Every directory, whether it is the root directory or a subdirectory, is organized in the same way. Entries in the directory database store important information about individual files and how files are named on the disk. The directory information is linked to the FAT by the starting cluster entry. In fact, if no file on a disk were longer than one single cluster, the FAT would be unnecessary. The directory stores all the information needed by DOS to manage the file, with the exception of the list of clusters the file occupies other than the first one. The FAT stores the remaining information about the other clusters the file occupies.

To trace a file on a disk, use a disk editor, such as the Disk Edit program that comes with the Norton Utilities. Start by looking up the directory entry to get the information about the starting cluster of the file and its size. Then, using the appropriate editor commands, go to the FAT where you can follow the chain of clusters the file occupies until you reach the end of the file. By using the directory and FAT in this manner, you can visit all the clusters on the disk that are occupied by the file. This type of technique can be useful when these entries are corrupted and when you are trying to find missing parts of a file. FAT directory entries are 32 bytes long and are in the format shown in Table 24.18, which shows the location (or offset) of each field within the entry (in both hexadecimal and decimal form) and the length of each field.

Table 24.18. FAT Directory Format

| Offset (Hex) | Offset (Dec) | Field Length | Description |
| --- | --- | --- | --- |
| 00h | 0 | 8 bytes | Filename |
| 08h | 8 | 3 bytes | File extension |
| 0Bh | 11 | 1 byte | File attributes |
| 0Ch | 12 | 10 bytes | Reserved (00h) |
| 16h | 22 | 1 word | Time of creation |
| 18h | 24 | 1 word | Date of creation |
| 1Ah | 26 | 1 word | Starting cluster |
| 1Ch | 28 | 1 dword | Size in bytes |

Filenames and extensions are left justified and padded with spaces (which are represented as ASCII 32h bytes). In other words, if your filename is "AL", it is really stored as "AL------", where the hyphens are spaces. The first byte of the filename indicates the file status for that directory entry, shown in Table 24.19.

Table 24.19. Directory Entry Status Byte (First Byte)

| Hex | File Status |
| --- | --- |
| 00h | Entry never used; entries past this point not searched. |
| 05h | Indicates that the first character of the filename is actually E5h. |
| E5h | σ (lowercase sigma). Indicates that the file has been erased. |
| 2Eh | . (period). Indicates that this entry is a directory. If the second byte is also 2Eh, the cluster field contains the cluster number of the parent directory (0000h, if the parent is the root). |

A word is 2 bytes read in reverse order, and a dword is two words read in reverse order.
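The manual trace described above (directory entry first, then the FAT chain) can be scripted. This Python sketch is an added example, not code from the book: it decodes a 32-byte entry per Tables 24.18 and 24.19, follows a FAT16 chain, and flags loops, out-of-range links, and a chain length that disagrees with the recorded size. The FAT16 entry ranges (valid links up to FFEFh, end of chain FFF8h–FFFFh) are the standard values and are assumed here rather than taken from this section; the function names and sample data are constructed.

```python
import struct

# Table 24.18: name(8) ext(3) attributes(1) reserved(10) time, date, start cluster (words) size (dword)
DIRENT = struct.Struct("<8s3sB10sHHHI")
STATUS = {0x00: "never used", 0xE5: "erased", 0x2E: "dot entry"}   # Table 24.19

def parse_entry(raw):
    """Decode one 32-byte FAT directory entry into a dict."""
    name, ext, attr, _rsvd, _time, _date, cluster, size = DIRENT.unpack(raw)
    status = STATUS.get(name[0], "in use")
    if name[0] == 0x05:                      # stored 05h stands for a real first byte of E5h
        name = b"\xe5" + name[1:]
    return {"name": name.decode("latin-1").rstrip(),
            "ext": ext.decode("latin-1").rstrip(),
            "attr": attr, "status": status, "cluster": cluster, "size": size}

def cluster_chain(fat, start):
    """Follow a FAT16 chain; return (clusters, ended_cleanly)."""
    chain, seen, cur = [], set(), start
    while 2 <= cur <= 0xFFEF:                # valid data-cluster numbers (assumed FAT16 ranges)
        if cur in seen or 2 * cur + 2 > len(fat):
            return chain, False              # loop, or a link pointing outside the FAT
        seen.add(cur)
        chain.append(cur)
        (cur,) = struct.unpack_from("<H", fat, 2 * cur)
    # FFF8h-FFFFh marks end of chain; a start cluster of 0 means nothing is allocated
    return chain, cur >= 0xFFF8 or start == 0

def trace_file(raw_entry, fat, cluster_bytes):
    """Look up the entry, walk the FAT, and compare chain length with the recorded size."""
    entry = parse_entry(raw_entry)
    chain, clean = cluster_chain(fat, entry["cluster"])
    expected = -(-entry["size"] // cluster_bytes)    # ceiling division
    entry.update(chain=chain, consistent=clean and len(chain) == expected)
    return entry

def sample():
    """Constructed data: AL.TXT, 5,000 bytes, chain 2 -> 3 -> 5 on 2,048-byte clusters."""
    entry = DIRENT.pack(b"AL      ", b"TXT", 0x20, bytes(10), 0, 0, 2, 5000)
    fat = struct.pack("<8H", 0xFFF8, 0xFFFF, 3, 5, 0, 0xFFFF, 0, 0)
    return entry, fat

if __name__ == "__main__":
    print(trace_file(*sample(), cluster_bytes=2048))
```
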

Table 24.20 describes the FAT directory file attribute byte. Attributes are 1-bit flags that control specific properties of a file, such as whether it is hidden or designated as read-only. Each flag is individually activated (1) or deactivated (0) by changing the bit value. The combination of the eight bit values can be expressed as a single hexadecimal byte value; for example, 07h translates to 00000111, and the 1 bits in positions 3, 2, and 1 indicate the file is system, hidden, and read-only.

Table 24.20. FAT Directory File Attribute Byte

Bit Positions

  

7

6

5

4

3

2

1

0

Hex Value

Description

0

0

0

0

0

0

0

1

01h

Read-only file

0

0

0

0

0

0

1

0

02h

Hidden file

0

0

0

0

0

1

0

0

04h

System file

0

0

0

0

1

0

0

0

08h

Volume label

0

0

0

1

0

0

0

0

10h

Subdirectory

0

0

1

0

0

0

0

0

20h

Archive (updated since backup)

0

1

0

0

0

0

0

0

40h

Reserved

1

0

0

0

0

0

0

0

80h

Rese