Windows

Step-By-Step: How to manually rebuild a Windows XP partition table with Acronis DiskEditor

Learn to manually reconstruct a partition table with Acronis DiskEditor to recover data from a damaged drive

When a user's hard disk crashes, it's a good bet that the damaged hard disk contains files that haven't been backed up. In such cases, it's important to try to recover the data rather than simply replacing the dead drive and reinstalling Windows from scratch. While there are a lot of good data recovery programs out there, the fact is that sometimes an automated data recovery just doesn't get the job done. If you have tried to recover a partition using such a program and haven't had any luck, you can manually reconstruct the partition table.

Before you begin
Manually reconstructing a partition table is a technique that should be used only as a last resort. Making a mistake using this technique can cause you to permanently lose your data on the damaged partition and on any other partitions on the drive. You should back up as much of the damaged drive as possible before proceeding. This technique is complex and isn't for the faint of heart. I recommend reading the entire article to make sure that you are comfortable with the technique.

The tools
Before you can manually rebuild a partition table, you must have a disk editor capable of making the necessary modifications. Windows XP and 2000 come with their own disk editor called Disk Probe. You can install Disk Probe by running the Setup program found in the \SUPPORT\TOOLS folder of the Windows installation CD. Once the Support Tools are installed, there won't be an icon or a Start menu option for Disk Probe. Instead, you can access Disk Probe by running the file DSKPROBE.EXE in the \Program Files\Support Tools folder.

Although you can use Disk Probe to get the job done, I have always found Disk Probe to be difficult to use. As an alternative, I prefer a program called Acronis DiskEditor. You can download an evaluation version of DiskEditor or purchase the full version ($44.99). The demo version is fully functional, except that you aren't allowed to apply any modifications that you may make to the disk. In a way though, this is a good thing. Since you are unable to save your changes, using the demo version allows you to learn about partition table modification without the danger of trashing your hard disk in the process.

Assuming that you were rebuilding a real partition table, though, you would want to avoid installing your disk editor (whichever disk editor you use) onto a malfunctioning system. Instead, I suggest installing the disk editor onto a functional system so you can daisy chain the damaged hard disk to it. This will allow you to run a known good copy of Windows and a known good copy of your disk editor on a known good PC while you repair the damaged drive.

Locating the partition table
Depending on which disk editor you use, locating the partition table can be a little tricky. The partition table is located within absolute sector 0. Absolute sector 0 is sometimes expressed as cylinder 0, head 0, sector 1. Depending on your operating system, you will be interested in either the last 64 bytes or the last 66 bytes of the sector. The reason for the discrepancy in byte length is that most operating systems use a 64-byte partition table. Windows XP, on the other hand, uses a 66-byte partition table. In Windows XP, the last two bytes are used as a disk signature. The data range that we are interested in is shown in Figure A.

Figure A
The selected data range makes up the partition table.


If you're going to manually rebuild the partition table, the first two things you must do are to find the partition table and determine whether your system uses the two-byte disk signature.

As I mentioned before, finding the partition table can be a bit tricky. Every disk editor uses a different method of providing you access to this area of the disk. Some disk editors even shield this portion of the hard disk or display the data in text form rather than as hexadecimal data.

If you're using Acronis DiskEditor, you can access the proper area of the hard disk by choosing the Open Command from the Disk menu. When you do, you'll see a screen similar to the one shown in Figure B. This screen allows you to select any partition on the hard disk, or the hard disk itself.

Figure B
Choose the hard disk icon to access the entire hard disk rather than a specific partition.


If you click on the icon of the hard disk, the editor will open the disk as a whole, rather than opening an individual partition. When this occurs, you'll see a screen similar to the one shown in Figure C.

Figure C
This is the disk summary screen.


Figure C shows the disk's summary screen. Earlier I mentioned that some disk editors tend to display the partition table in text view rather than in hexadecimal form. If you look at the bottom of Figure C, you can see what the partition table looks like in text form. If my partition table were damaged and I knew what values to use, I could correct the problem by modifying the values shown in the partition table. However, in the case of serious corruption, it's often more effective to rebuild the partition table by manipulating hexadecimal code. If you pay attention to the techniques that I am about to show you, though, you'll notice that I'm editing codes that directly correspond to data shown on this screen.

To make the switch to hexadecimal data, select the As Hex command from Acronis's View menu. When you do, you'll see the data displayed as shown in Figure A. You must now verify that you're looking at Absolute Sector 0. This is a critically important step and should not be skipped. You will notice that the sector number is displayed just above each block of data.

Once you've verified that you're working with the correct sector, you must find the data that makes up the partition table. You will notice in Figure A that the hexadecimal numbers are all two digits in length. Counting each two-digit number as a single number, start from the last number and count backward toward the beginning of the sector until you have counted 64 numbers. By doing so, you will have determined the start and end points for the last 64 bytes of the sector.

The real question now is whether your sector uses 64 bytes or 66. One easy way to figure this out is to look at the last dozen or so bytes. Notice in Figure A that the bottom line of sector 1 is filled with nothing but zeros until it ends with 55 and AA. Although this is not always accurate, if your last line ends in all zeros, but then has two bytes of data, the chances are really good that the last two bytes are a disk signature.

A more reliable method is to check the partition table's starting byte. This is the byte that is either 64 or 66 numbers from the end of the sector. This number should always be either 00 or 80. You will notice in Figure A that the first highlighted number is 80.

Keep in mind that it is possible that you could have a 66-byte partition table and the third byte could be 00 or 80. Therefore, if you suspect that your partition table is only 64 bytes long, it's a good idea to go back two more bytes just to make sure that you really are looking at the beginning of the partition table. Usually, but not always, the partition table's first few numbers will be 80 01 01 00 07. If you have doubts as to whether or not you are looking at the beginning of the partition table, you could always search for this string of numbers. Just keep in mind that these numbers aren't used in every situation.

The anatomy of the partition table
I have already explained that not counting the disk signature, which may or may not exist, the partition table is 64 bytes in length. What I haven't told you is that these 64 bytes can be used to define up to four different partitions.

Here's how the partition table is structured:
  • The first 16 bytes define the first partition.
  • Bytes 17 through 32 define the second partition.
  • Bytes 33 through 48 define the third partition.
  • Bytes 49 through 64 define the fourth partition.
  • If a partition is undefined, all sixteen bytes that would normally be used to define it are set to 00.

In Figure A, you'll notice that the far left side of the screen contains a series of four-digit hexadecimal numbers. These numbers represent the offset. The offset refers to a byte's exact location within a sector. You can easily use the offset number to calculate the starting byte for any partition. For example, 01BE is the offset for the first partition. The second partition uses 01CE, the third uses 01DE, while the fourth uses 01EE. If you look at Figure A, you'll notice that the line where the partition table begins is flagged with the offset number 01B3. That means that the first number on that line uses 01B3 as the offset. The second number on that line uses 01B4. You would simply need to count (in hexadecimal numbers) until you found 01BE, the first number of the first partition. The chart below shows what the four partition tables would look like if the disk editor's offsets were positioned so that each partition definition were on its own line:

01BE: 80 01 01 00 07 FE FF FF 3F 00 00 00 DB 4D 94 03 (Partition 1)
01CE: 00 00 C1 FF 0F FE FF FF 1A 4E 94 03 1A 4E 94 03 (Partition 2)
01DE: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (Partition 3, undefined)
01EE: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (Partition 4, undefined)
01FE: 55 AA (Disk Signature)
For the remainder of this article, I will be addressing byte positions in the form of first byte, second byte, third byte, and so forth. Please realize that this implies the byte number within a partition. For example, if your second partition was damaged and I told you to alter the third byte, you would go to offset 01CE and count up three bytes.

The boot indicator
The first byte of the partition table is what's known as the boot indicator. The boot indicator consists of a single byte and is always either 00 or 80. The boot indicator tells the system whether or not this partition is bootable (Active). If the code is set to 00, then the partition is not active. If the code is set to 80, the partition is active and is therefore bootable.

Starting head
The second byte in the partition table reflects the starting head number. In almost every case, the partition table will designate the starting head for the first partition as 1. In hexadecimal format this is expressed as 01. The number tends to vary for other partitions on the drive. As you can see in my partition table above, my second partition starts with head 00.

Starting sector and starting cylinders
So far things have been simple. Each two digit hexadecimal number represents a byte of data, and the first two bytes represent two different configuration options. The third and fourth bytes are where things get a little more complex.

The partition table uses a technique known as bit sharing between the third and fourth bytes. As you probably know, eight bits make up a byte. The third character in the partition table designates the starting sector number. The catch is that the starting sector is represented by six bits of data rather than the usual eight. Normally, in such a situation, the computer would just use a full byte and ignore the last two bits. However, this is a special situation.

The fourth character in the partition table represents the starting cylinder number. The starting cylinder number requires ten bits to represent. Since there are only eight bits in a byte, the fourth byte of data must borrow two bits of data from the third byte of data. Therefore, the starting sector ends up consuming six bits of data and the starting cylinder consumes ten bits of data for a total of sixteen bits or two bytes.

The problem is that if you are going to manually reconstruct a partition table, you need to know exactly how bit sharing works. What makes this especially tricky is that it's possible for the starting sector to use a number that's greater than one byte in length, but the number must be expressed in six bits. When this occurs, the system relies on a technique called little endian. Little endian is a technical term for reverse bit ordering format.

For example, suppose that by some cruel twist of fate the starting sector number was 63. An eight bit representation of 63 in hexadecimal format would be 0x0000003F. If you translate this number to little endian format the number would become 0x3F000000.

The starting cylinder uses an entire byte, plus the upper two bits from the third byte in the sequence. These bits are assembled to form a ten bit number that when translated to decimal format must be no greater than 1023.

If all of this sounds a little complex, there is some good news. On a normal IDE hard drive containing one or more partitions, the third byte in the partition table for the first partition is usually 01 and the fourth byte is usually 00. These numbers vary greatly for subsequent partitions. If you are unable to calculate the third and fourth bytes for the first partition and the system has a generic partitioning scheme, using these two values often gets the job done.

System ID
The fifth byte in the partition table is used for the system ID. The system ID defines the volume type. The accepted volume types tend to vary among operating systems, but there is a fairly standard set of volume types used by Windows systems. The list below shows the possible system IDs on a Windows system:
  • 01—FAT-12 primary partition or logical drive (a drive or partition with fewer than 32,680 sectors in the volume)
  • 04—FAT-16 partition or logical drive (up to 33 MB in size)
  • 05—An extended partition
  • 06—A BIGDOS FAT-16 partition (a DOS partition ranging from 33 MB to 4 GB).
  • 07—Installable File System (NTFS)
  • 0B—FAT-32
  • 0C—FAT-32 with BIOS INT 13H extensions
  • 0E—BIGDOS FAT-16 with BIOS INT 13H extensions
  • 0F—Extended partition using BIOS 13H extensions
  • 12—EISA or OEM partition
  • 42—Dynamic partition
  • 84—partition used for hibernation initiated by power management
  • 86—Windows NT 4.0 style multi-disk FAT 16 partition
  • 87—Windows NT 4.0 style NTFS volume spanning multiple disks
  • A0—laptop hibernation partition
  • DE—OEM partition used by Dell Computers
  • FE—OEM partition used by IBM computers
  • EE—GPT partition
  • EF—EFI partition on an MBR disk

Ending head
The sixth byte defines the last head used by the partition. This is a one-byte hexadecimal number. In the case of my sample partition table above, my first partition ends at FE, which translated into a decimal number equals 254.

While it might be a little off of the subject, here's a handy tip. As you can see, there are a lot of cases in which you have to convert back and fourth between hexadecimal and decimal numbers. You can make the conversion much easier by using the Calculator applet that comes with Windows. If you choose the Scientific option from the Calculator's View menu, you can do the conversions. To do so, click the HEX button, enter a hexadecimal number, and then click the Dec button. The calculator will instantly convert the number.

Ending sector and ending cylinder
The next two bytes are used to designate the ending sector and ending cylinder. This works identically to the way that the starting sector and starting cylinder did. The ending sector requires six bits and the ending cylinder requires ten bits, so bit sharing is used. The end result is that sixteen bits or two bytes of data are used.

Relative sectors and total sectors
The ninth through twelfth bytes are used to define the relative sectors. The relative sectors define the total offset from the beginning of the disk to the beginning of the volume or partition, by simply counting sectors. The thirteenth through sixteenth bytes hold a 32-bit (four-byte) hexadecimal number representing the total number of sectors in the volume.

Since these are 32-bit numbers, you can define up to 2^32 sectors (4,294,967,296 sectors). Given a standard sector size of 512 bytes, this provides a theoretical limit of 2 terabytes per partition.

Making repairs
When a partition table becomes corrupted, the problem can often be traced to a couple of bytes of bad data. Now that know how to read the partition table and how to use a disk editor, you can use that knowledge to calculate what the bytes were supposed to have been, edit the table to match that information, and thus recover your corrupted partition.

For example, if you notice the first byte of your failed drive's partition contains any value other then 00 or 80, you'll know that the partition's boot indicator setting is incorrect. You'll now need to change this setting to either 00 or 80 depending on whether the partition should be bootable (Active) or not—use 80 for bootable, 00 for not bootable. Likewise, if the partition table's fifth byte, the System ID, contains the value A0 and the hard drive is being used in a desktop, you know that the volume type is set incorrectly. Again you will need to change this value to match the correct setting, such as 07 for an Installable File System (NTFS).
1 comments
rlaf2000
rlaf2000

Hi! Is to recover data from a deleted volume?