Using FDISK /MBR for Troubleshooting Windows NT Boot Problems

In Microsoft Windows NT, using the MS-DOS FDISK /MBR command is not always appropriate when you cannot boot a computer. The problem is that the command rewrites the master boot record (MBR) only, and not the entire boot record. The FDISK /MBR command rewrites only the first 446 bytes of the master boot record, not the partition table. Windows NT disk signatures used for fault tolerance are also overwritten, and if the drive contained an FT member, it may not be recognized by Windows NT as an FT member afterward.

If a drive is infected with a Stealth virus, the partition table and pointers have been offset. The offset pointer is contained in the MBR. Using the FDISK /MBR command on the computer refreshes the MBR; the pointer to the partition table is lost, as is the ability to boot. The only possible solution is to reinfect the drive and then try to remove the virus again using Fdisk or anti-virus software.

The only time that the FDISK /MBR command is effective against a virus is if it is a boot-sector-only virus (such as the Stoned virus).

If the sector is infected, recovery cannot be guaranteed. If the FDISK /MBR command is used and a Stealth virus is present, the computer most likely cannot be recovered because the offsets are not constant.

Examples of Stealth viruses include:
  • NY Bomber or NYB
  • Stealth.B
  • Hare
  • Monkey.B

If you receive any of the following messages on a blue screen when you are booting Windows NT, you need to check for a virus:
  • 0x0000007B INACCESSIBLE_BOOT_DEVICE
  • 0x0000008F MBR_CHECKSUM_MISMATCH (0x4,0,0,0)

When these symptoms occur, the first step is to run a virus scan. F-Prot, Norton, McAfee, and Dr. Solomon are programs that are commonly used and all have shareware downloads on the Internet. If one of these does not indicate a virus, try one of the others.

Other symptoms can include the following:
  • The error message "Windows NT could not start because the following file is missing or corrupt: \<WINNT ROOT>\SYSTEM32\NTOSKRNL.EXE."
  • A black screen with a cursor blinking in the upper left corner.

To protect yourself before using the FDISK /MBR command or cleaning the virus from the disk using an anti-virus inoculation program, you can use the Windows NT 4.0 Resource Kit tool named Disksave.exe. This is an MS-DOS-based tool that you can use to back up the MBR and save it to a floppy disk. In the event that the inoculation of the virus also deletes the partition table, you can restore the MBR using Disksave.exe, and then try a different method of removing the virus.

Another option for protecting yourself is to boot from an MS-DOS disk and run Norton DiskEdit to view the partition table entries. Because the virus is active, the entries displayed are those read from the location the virus indexes to. Record the values that are displayed. If, after inoculation, the partition table entries are destroyed, you can manually type the recorded values and restore the partition table values to valid entries (but without the virus).
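As an added example (not from this article, and not Resource Kit code), the following Python script models the two points above: FDISK /MBR replaces only the first 446 bytes of the sector, which contain the boot code and the Windows NT disk signature at offset 0x1B8 but not the 64-byte partition table, and a Disksave-style backup of the sector lets you confirm afterward whether the partition table survived an inoculation. The sample MBR is constructed in the script; the offsets are the standard MBR layout.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # FDISK /MBR rewrites exactly this many bytes
NT_SIG_OFFSET = 0x1B8    # 4-byte Windows NT disk signature, inside the first 446 bytes
PT_OFFSET = 446          # four 16-byte partition table entries follow the boot code
BOOT_SIG = b"\x55\xAA"   # end-of-sector signature at bytes 510-511

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into the NT disk signature and the in-use partition entries."""
    if len(mbr) != SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:                      # empty slot
            continue
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        parts.append({"index": i, "active": entry[0] == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"nt_disk_signature": struct.unpack_from("<I", mbr, NT_SIG_OFFSET)[0],
            "partitions": parts}

def simulate_fdisk_mbr(mbr: bytes, generic_boot_code: bytes) -> bytes:
    """Model FDISK /MBR: replace the first 446 bytes, leave bytes 446-511 untouched."""
    new_code = generic_boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    return new_code + mbr[BOOT_CODE_LEN:]

def partition_table_intact(saved_mbr: bytes, current_mbr: bytes) -> bool:
    """Disksave-style check: compare the partition table of a backup with the current sector."""
    return saved_mbr[PT_OFFSET:SECTOR] == current_mbr[PT_OFFSET:SECTOR]

def make_sample_mbr() -> bytes:
    """Constructed sample (not a real disk image): one active NTFS partition plus an NT signature."""
    sector = bytearray(SECTOR)
    sector[0:3] = b"\xEB\x3C\x90"               # stand-in for real boot code
    struct.pack_into("<I", sector, NT_SIG_OFFSET, 0x1234ABCD)
    # boot flag, CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    sector[PT_OFFSET:PT_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 2097088)
    sector[510:512] = BOOT_SIG
    return bytes(sector)

if __name__ == "__main__":
    before = make_sample_mbr()
    after = simulate_fdisk_mbr(before, b"\xFA\x33\xC0")   # stand-in "clean" boot code
    print("before:", parse_mbr(before))
    print("after: ", parse_mbr(after), "table intact:", partition_table_intact(before, after))
```

Running it shows the disk signature zeroed after the simulated FDISK /MBR while the partition entries are unchanged, which is the FT-member symptom the article describes.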

