Detailed Explanation of FAT Boot Sector

This article was previously published under Q140418
This article has been archived. It is offered "as is" and will no longer be updated.
Understanding the content and function of a file system "boot sector" canbe helpful when troubleshooting boot failures or disk corruption.

From time to time, usually due to hardware failure or virus infection, aboot sector may become corrupted. If the partition is the active primarypartition, or a partition containing operating system files, this canprevent the system from starting. Otherwise, it may simply prevent accessto data on the drive.

Usually, if you suspect disk corruption, it is best to use commercial anti-virus or disk recovery software. In some cases, however, detailedknowledge of the boot sector can come in handy.

This article explains the various fields of a FAT boot sector. Using thefollowing information, it may be possible to manually repair a damaged FATboot sector. In order to attempt such a repair, disk editing tools capableof editing raw disk sectors are required. This article does notdiscuss specific tools which can be used to perform such a repairoperations.

While every effort has been made to ensure the accuracy of the followinginformation, different operating systems, including future versions ofMicrosoft operating systems, may use different data structures. Thereforeyou should make use of the following information at your own risk.

Background and Terminology

In this document, a "file system boot sector" is the first physical sectoron a logical volume. A logical volume might be a primary partition, alogical drive in an extended partition, or a composite of two or morepartitions, as is the case with mirrors, stripe sets, and volume sets.

On floppy disks, the boot sector is the first sector on the disk. In thecase of hard drives, the first sector is referred to as the "Master BootRecord" or "MBR." This MBR is different from a file system boot sector andcontains a partition table, which describes the layout of logicalpartitions on that hard drive. The file system boot sector would be thefirst sector in one of those partitions.

The Boot Process

The boot process of 80x86-based personal computers (as opposed to RISC-based systems) makes direct use of a file system boot sector for executinginstructions. The initial boot process can be summarized as follows:

  1. Power On Self Test (or POST) initiated by system BIOS and CPU.
  2. BIOS determines which device to use as the "boot device."
  3. BIOS loads the first physical sector from the boot device into memory and transfers CPU execution to the start of that memory address.If the boot device is a hard drive, the sector loaded in step 3 is the MBR,and the boot process proceeds as follows:

  4. MBR code loads the boot sector referenced by the partition table for the "active primary partition" into memory and transfers CPU execution to the start of that memory address.
Up to this point, the boot process is entirely independent of how the diskis formatted and what operating system is being loaded. From this pointon, both the operating and file systems in use play a part.

In the case of FAT volumes which have Windows NT installed, the FAT bootsector is responsible for identifying the location of the file "NTLDR" onthe volume, loading it into memory, and transferring control to it.

Inside the FAT Boot Sector

Because the MBR transfers CPU execution to the boot sector, the first fewbytes of the FAT boot sector must be valid executable instructions for an80x86 CPU. In practice these first instructions constitute a "jump"instruction and occupy the first 3 bytes of the boot sector. This jumpserves to skip over the next several bytes which are not "executable."

Following the jump instruction is an 8 byte "OEM ID". This is typically astring of characters that identifies the operating system that formattedthe volume.

Following the OEM ID is a structure known as the BIOS Parameter Block, or"BPB." Taken as a whole, the BPB provides enough information for theexecutable portion of the boot sector to be able to locate the NTLDR file.Because the BPB always starts at the same offset, standard parameters arealways in a known location. Because the first instruction in the bootsector is a jump, the BPB can be extended in the future, provided newinformation is appended to the end. In such a case, the jump instructionwould only need a minor adjustment. Also, the actual executable code canbe fairly generic. All the variability associated with running on disks ofdifferent sizes and geometries is encapsulated in the BPB.

The BPB is stored in a packed (that is, unaligned) format. The followingtable lists the byte offset of each field in the BPB. A description of eachfield follows the table.
Field               Offset     Length-----               ------     ------Bytes Per Sector      11         2Sectors Per Cluster   13         1Reserved Sectors      14         2FATs                  16         1Root Entries          17         2Small Sectors         19         2Media Descriptor      21         1Sectors Per FAT       22         2Sectors Per Track     24         2Heads                 26         2Hidden Sectors        28         4Large Sectors         32         4				
Bytes Per Sector: This is the size of a hardware sector and for most disksin use in the United States, the value of this field will be 512.

Sectors Per Cluster: Because FAT is limited in the number of clusters (or"allocation units") that it can track, large volumes are supported byincreasing the number of sectors per cluster. The cluster factor for a FATvolume is entirely dependent on the size of the volume. Valid values forthis field are 1, 2, 4, 8, 16, 32, 64, and 128. Query in the MicrosoftKnowledge Base for the term "Default Cluster Size" for more information onthis subject.

Reserved Sectors: This represents the number of sectors preceding the startof the first FAT, including the boot sector itself. It should always havea value of at least 1.

FATs: This is the number of copies of the FAT table stored on the disk.Typically, the value of this field is 2.

Root Entries: This is the total number of file name entries that can bestored in the root directory of the volume. On a typical hard drive, thevalue of this field is 512. Note, however, that one entry is always usedas a Volume Label, and that files with long file names will use up multipleentries per file. This means the largest number of files in the rootdirectory is typically 511, but that you will run out of entries beforethat if long file names are used.

Small Sectors: This field is used to store the number of sectors on thedisk if the size of the volume is small enough. For larger volumes, thisfield has a value of 0, and we refer instead to the "Large Sectors" valuewhich comes later.

Media Descriptor: This byte provides information about the media beingused. The following table lists some of the recognized media descriptorvalues and their associated media. Note that the media descriptor byte maybe associated with more than one disk capacity.
Byte   Capacity   Media Size and TypeF0     2.88 MB    3.5-inch, 2-sided, 36-sectorF0     1.44 MB    3.5-inch, 2-sided, 18-sectorF9     720 KB     3.5-inch, 2-sided, 9-sectorF9     1.2 MB     5.25-inch, 2-sided, 15-sectorFD     360 KB     5.25-inch, 2-sided, 9-sectorFF     320 KB     5.25-inch, 2-sided, 8-sectorFC     180 KB     5.25-inch, 1-sided, 9-sectorFE     160 KB     5.25-inch, 1-sided, 8-sectorF8     -----      Fixed disk				
Sectors Per FAT: This is the number of sectors occupied by each of the FATson the volume. Given this information, together with the number of FATsand reserved sectors listed above, we can compute where the root directorybegins. Given the number of entries in the root directory, we can alsocompute where the user data area of the disk begins.

Sectors Per Track and Heads: These values are a part of the apparent diskgeometry in use when the disk was formatted.

Hidden Sectors: This is the number of sectors on the physical diskpreceding the start of the volume. (that is, before the boot sector itself)It is used during the boot sequence in order to calculate the absoluteoffset to the root directory and data areas.

Large Sectors: If the Small Sectors field is zero, this field contains thetotal number of sectors used by the FAT volume.

Some additional fields follow the standard BIOS Parameter Block andconstitute an "extended BIOS Parameter Block." The next fields are:
Field                  Offset   Length-----                  ------   ------Physical Drive Number    36        1Current Head             37        1Signature                38        1ID                       39        4Volume Label             43       11System ID                54        8				
Physical Drive Number: This is related to the BIOS physical drive number.Floppy drives are numbered starting with 0x00 for the A: drive, whilephysical hard disks are numbered starting with 0x80. Typically, you wouldset this value prior to issuing an INT 13 BIOS call in order to specify thedevice to access. The on-disk value stored in this field is typically0x00 for floppies and 0x80 for hard disks, regardless of how many physicaldisk drives exist, because the value is only relevant if the device is aboot device.

Current Head: This is another field typically used when doing INT13 BIOScalls. The value would originally have been used to store the track onwhich the boot record was located, but the value stored on disk is notcurrently used as such. Therefore, Windows NT uses this field to store twoflags:

  • The low order bit is a "dirty" flag, used to indicate that autochk should run chkdsk against the volume at boot time.
  • The second lowest bit is a flag indicating that a surface scan should also be run.
Signature: The extended boot record signature must be either 0x28 or 0x29in order to be recognized by Windows NT.

ID: The ID is a random serial number assigned at format time in order toaid in distinguishing one disk from another.

Volume Label: This field was used to store the volume label, but the volumelabel is now stored as a special file in the root directory.

System ID: This field is either "FAT12" or "FAT16," depending on the formatof the disk.

On a bootable volume, the area following the Extended BIOS Parameter Blockis typically executable boot code. This code is responsible forperforming whatever actions are necessary to continue the boot-strapprocess. On Windows NT systems, this boot code will identify the locationof the NTLDR file, load it into memory, and transfer execution to thatfile. Even on a non-bootable floppy disk, there is executable code in thisarea. The code necessary to print the familiar message, "Non-system diskor disk error" is found on most standard, MS-DOS formatted floppy disksthat were not formatted with the "system" option.

Finally, the last two bytes in any boot sector always have the hexidecimalvalues: 0x55 0xAA.


If you suspect that a FAT boot sector is corrupt, you can check several ofthe fields listed above to see whether the values listed there make sense.For example, BytesPerSector will be 512 in the vast majority of cases. Youwould also expect to see text strings in the executable code section of theboot sector that are appropriate for the operating system that formattedthe disk.

Typical text strings on FAT volumes formatted by MS-DOS include: "Invalidsystem disk."; "Disk I/O error."; "Replace the disk, and then press anykey"; "Non-System disk or disk error"; "Replace and press any key whenready."; and "Disk Boot failure." Text strings on FAT volumes formatted byWindows NT include: "BOOT: Couldn't find NTLDR."; "I/O error readingdisk."; and "Please insert another disk." You should not regard this listas being all-inclusive. If you find other messages in the boot sector, thisdoes not necessarily indicate that there is a problem with the boot sector.Different versions of MS-DOS and Windows NT will sometimes have slightlydifferent message strings in their boot sectors. On the other hand, if youfind no text whatsoever, or if the text is clearly not related to MS-DOS orWindows NT, you should consider the possibility that your boot sector mayhave been infected by a virus or that some other form of data corruptionmay have taken place.

To recover from a boot sector that has been infected by a virus, it isusually best to use a commercial anti-virus program. Many viruses will domuch more than just write data to the boot sector, so manual repair of theboot sector is not recommended, as it may not completely eliminate thevirus and in some cases, may do more harm than good.

If you suspect that the boot sector was damaged for some other reason, itis usually best to use commercial disk recovery tools. While it may bepossible to recover from boot sector damage without resorting toreformatting the drive by manually modifying the fields described above,manual editing of boot sectors should only be attempted as a last resortand cannot be guaranteed to work in situations where other disk structuresmay also have been damaged.
3.10 prodnt

Article ID: 140418 - Last Review: 12/04/2015 12:30:17 - Revision: 3.0

Microsoft Windows NT Advanced Server 3.1, Microsoft Windows NT Workstation 3.1, Microsoft Windows NT Advanced Server 3.1, Microsoft Windows NT Workstation 3.5, Microsoft Windows NT Workstation 3.51, Microsoft Windows NT Server 3.5, Microsoft Windows NT Server 3.51

  • kbnosurvey kbarchive KB140418