With the proliferation of large, relatively inexpensive hard drives and the increasing popularity of alternative OSs such as Linux, it is likely that you will become more experienced at partitioning drives whether you want to or not. Ultimately, you will experience a corrupt partition table caused by the faulty manipulation of the Master Boot Record (MBR). A corrupt partition table will often result in loss of data and the inability to boot from a drive or the loss of access to a certain partition. Trying to rebuild the MBR with a command like FDISK /MBR will not help since this command normally has no effect on the partition table itself and, in fact, can cause more harm than good in many instances.
Often, the most convenient method of recovering from a corrupt partition table is to restore the MBR from a backup that was made before any problems occurred. In this Daily Drill Down, I will explain the hard drive boot process, the structures that allow a hard drive to be partitioned, and when to save and restore your MBR. I will also examine a free, but very powerful, utility that can back up and restore your MBR.
This article does not apply to hard drives that use disk overlay programs such as EZ-Drive (MaxBlast) and OnTrack Disk Manager. To back up the MBR of such drives, use the utilities that came with the specific disk overlay program. For example, MaxBlast allows you to back up track 0 in its advanced section. It is easy to tell if a hard drive has an overlay program installed because there will be a message displayed at startup indicating its presence. The Microsoft Knowledge Base details a more comprehensive check in article Q186057.
Boot structures and the disk boot process
When you start up a PC, BIOS code that checks and initializes your system runs. The BIOS then looks for a sector on the boot device (usually a hard drive) that is capable of booting an operating system. This sector, the MBR, is the first physical sector on a hard drive. The MBR contains three main components: the boot loader, the partition table, and the signature bytes. The MBR’s signature bytes are the two final bytes of the first sector, and they are used as a simple validation of the MBR’s contents.
The partition table contains entries (descriptors) that act as pointers to each of the drive’s partitions (volumes) and contain critical information such as the type of partition, whether or not the partition is active (bootable), where the partition starts and ends, and the size of the partition. The partition table can point to a maximum of four partitions. One of these partitions can be extended and further divided into logical volumes. Therefore, even with a limitation of four partitions in the partition table, a drive may be divided into more than four partitions.
The MBR’s boot loader consists of code that the BIOS loads to boot an operating system. The boot loader works by looking for the active partition in the partition table and loading the first sector in that partition. That sector is known as the Partition Boot Record and usually (but not always) is an OS’s boot record. The Partition Boot Record will then start the process of loading the operating system’s kernel.
All primary partitions contain a Partition Boot Record. While the MBR is generally operating system independent, the contents of a Partition Boot Record will depend heavily on the OS installed within that partition. Sometimes the Partition Boot Record contains the code of a boot manager program such as Linux’s LILO or Windows NT/2000’s NTLDR. These programs allow you to choose which partition to boot from—in effect, which boot record to load. There are also many boot manager programs that replace the standard boot loader code within the MBR with their own code. PowerQuest’s BootMagic is an example of such a program.
An extended partition uses an Extended Partition Boot Record (EPBR) instead of a Partition Boot Record. This structure is very similar to the partition table found within the MBR except that it should have a maximum of two descriptors listed. One of the descriptors can point to a boot record in a logical volume within the extended partition, and the other can point to another EPBR. This linking scheme can be continued to provide you with more logical drives than you will likely ever need. Since the EPBR acts as a partition table itself, changes made to logical partitions within an extended partition do not affect the MBR’s partition table. However, on occasions, an EPBR within an extended partition can become corrupt and will need to be fixed. Figure A shows a partition scheme with two primary partitions and one extended partition with two logical volumes. Figure B shows how the partitions in such a scheme would be linked.
Here, you can see how the partition table and EPBRs point to partitions.
You can learn more about partition tables and disk boot structures at Hale Landis’ site.
Saving and restoring the MBR
It is quite obvious that the MBR is the most important boot structure on a hard drive, and considering that there are many potential causes of MBR sector damage, it is a good idea to do a backup of it. You should perform a backup whenever you are installing a new OS on its own partition, after you initially set up a drive, after any partition is changed, or before adding or removing boot managers. There are many utilities available that will allow you to back up and restore your MBR. Some of these are commercial programs that offer backup and restoring of the MBR as a subset of a much larger group of utilities. Norton Disk Edit is a fine example of one. Microsoft’s Knowledge Base article Q166997 describes how to use Disk Edit to back up and restore an MBR. Other utilities or commands that back up the MBR are included with OSs.
Also available are free third-party utilities that offer greater convenience and many more features than OS-based utilities. A particularly useful, powerful, and free utility, designed specifically for the task of working with the MBR, is MBRtool. It is available from DIY Data Recovery. MBRtool is a small (less than 100 KB) command-line tool that can be run from a DOS or Windows startup floppy disk. Actually, you can run it from within all versions of Windows, but the most important operations will not be allowed within Windows NT/2000 since these OSs do not allow low-level access (INT 13) to hardware by external programs. This is not a problem, however, as running from a floppy is often preferable for this type of utility. MBRtool is a powerful utility that does not query for confirmation of an operation, so you should use it with extreme care. It can support the first four hard drives (0-3) on a system and includes the ability to save, restore, edit, and view an MBR. It supports saving the MBR to a sector or a file and the ability to make automatic backups. To create a backup copy of the MBR in the first hard drive, enter the following command at a prompt:
mbrtool /x:b /d:0 /f:<filename>
To restore it, enter:
mbrtool /x:r /d:0 /f:<filename>
Other features and command-line arguments are just as easy to use. They are described in the included user manual.
When to restore the MBR
How can you determine if a problem is related to a corrupted partition table? As I stated, when a partition table is corrupt, it is quite likely that your PC will not be able to load an OS even though it may try to boot from disk. This situation can also be a result of other problems like a corrupted boot loader within the MBR. The following are indicators that there may be a problem with the MBR or a portion of it:
- Symptoms—The BIOS detects the hard drive and tries to boot from it, but a DISK BOOT FAILURE error or similar is displayed. FDISK shows no partitions or displays erroneous partition information.
  Problem—If the hard drive had previously been able to boot to an OS, the problem may be a corrupt or wiped partition table. It may also be that the entire MBR is corrupted.
- Symptoms—After displaying the PCI device listing, the system hangs at a Verifying DMI Pool Data message. FDISK displays the partition information correctly.
  Problem—This is most likely a corrupted or wiped boot loader section within the MBR.
Generally, you should not be wary about restoring your MBR, as doing so is unlikely to cause data loss unless you restore a backup after you have moved or resized a portion of a primary partition that contains system files. However, you should be very careful about restoring only the boot loader section in an MBR with a utility such as FDISK. If a virus moves or encodes the partition table, you could lose access to it by using FDISK /MBR. It is a good idea to boot from floppy and check for viruses if you suspect that the MBR has been infected.
Examining the MBR
If you would like to be certain that your MBR is the root of your problem, you can visually inspect it using either a hexadecimal editor or a utility like MBRtool. If you have a backup MBR and you have not changed the partitions since you saved it, you can compare its contents with the contents of the MBR you are inspecting. There might be obvious changes within the partition table that would indicate that it is corrupt. You might also be able to determine the presence of a virus if the boot loader code has changed without installing a boot manager. To visually inspect the MBR, you should become familiar with its contents. This is also a great way to learn more about how hard drives are set up logically. Figure C shows the contents of an MBR with PowerQuest’s BootMagic code in its boot loader section.
The areas that are highlighted are the actual MBR contents.
The MBR is 512 bytes long and is represented here as hexadecimal numbers. To the left of the MBR code, there are decimal offset numbers that programs like MBRtool use to help you keep track of what bytes you are looking at. In this example, the offset numbers are decimal, but in most cases, they are written as hexadecimal numbers. There are 16 bytes in each line shown. Every two hexadecimal digits represent a byte. (In this article, I label hexadecimal numbers with an h.) Each offset indicates the number of the first byte on that line. The first line contains bytes 0 through 15. Therefore, the second line’s offset is 16.
On the right side of the MBR code is the text representation of each byte. While most of this is garbage, occasionally you will be able to tell what the boot loader code represents at a certain point. In this example, you can see the BootMagic error messages. Therefore, you know that BootMagic is installed in the boot loader section of the MBR. While the boot loader area (yellow) is always 446 bytes, the number of bytes that are actually used for the boot loader code varies with the program that is installed in this area. An MBR created with DOS’s FDISK uses a smaller program in the boot loader area so you will see more 00h bytes. If you notice a difference in the number of bytes that are used for actual code between the MBR you are inspecting and your backup MBR, you should become suspicious.
The green highlighted area is the partition table. It starts with a value of 80h that represents the active (bootable) partition. It contains four descriptors that are 16 bytes long each. The descriptors represent the logical information needed to access a partition on the drive, as I described. If you would like a detailed explanation of the descriptor content, see DataRescue’s site or Andries Brouwer’s site. The signature bytes (highlighted in cyan) should always be 55AAh in a valid MBR. It is unlikely that the signature bytes alone will change without other parts of the MBR changing as well. If the signature bytes are not 55AAh, your hard drive will not boot until they are changed to this hexadecimal number.
Fortunately, MBRtool will interpret the values of the partition table for you, so you don’t have to worry about most descriptor values and hexadecimal numbers. It does this whenever you use it to view an MBR, as shown in Figure D. You will still need to look up the partition type values. The partition types in Figure D are 0Bh (FAT 32), 0Fh (LBA Extended Partition), 17h (Hidden NTFS), and 83h (Linux). To avoid possible data loss that may occur when Windows 98 detects more than one primary partition, the third descriptor points to a hidden partition. Using MBRtool’s interpretations makes analyzing a partition table for errors much easier. To view the MBR using MBRtool, enter the following command at a prompt:
mbrtool /x:d /d:0
Of course, you should change the drive number used with the /d argument if you want to view the MBR on another drive.
MBRtool interprets the partition table data to simplify analysis.
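As an added example (not from the original article and not MBRtool's code), the following Python decodes the 446-byte boot loader area, the four 16-byte descriptors and the 55AAh signature described above, then compares a saved MBR with the one under inspection. The function names, sample sectors, offsets and sizes are constructed for illustration; only the partition type values come from the article.

```python
import hashlib
import struct

TABLE_OFFSET = 446       # boot loader area is bytes 0-445
SIGNATURE = b"\x55\xaa"  # final two bytes of a valid MBR
# Names for the type values the article lists; others are shown as hex.
TYPES = {0x00: "empty", 0x0B: "FAT32", 0x0F: "LBA extended",
         0x17: "hidden NTFS", 0x83: "Linux"}
ENTRY = struct.Struct("<B3sB3sII")  # flag, CHS start, type, CHS end, LBA start, sectors

def parse_mbr(sector):
    """Split a 512-byte MBR into loader facts, four descriptors and signature check."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    loader, entries = sector[:TABLE_OFFSET], []
    for i in range(4):
        flag, _, ptype, _, lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + 16 * i)
        entries.append({"active": flag == 0x80, "type": TYPES.get(ptype, f"{ptype:02X}h"),
                        "lba_start": lba, "sectors": count})
    return {"loader_sha256": hashlib.sha256(loader).hexdigest(),
            "loader_used": len(loader.rstrip(b"\x00")),  # bytes up to last non-zero
            "entries": entries, "signature_ok": sector[510:] == SIGNATURE}

def compare(backup, current):
    """Report the differences the article says to look for against a saved MBR."""
    old, new = parse_mbr(backup), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("signature bytes are not 55AAh")
    if old["loader_sha256"] != new["loader_sha256"]:
        findings.append(f"boot loader changed: {old['loader_used']} -> {new['loader_used']} bytes used")
    for i, (a, b) in enumerate(zip(old["entries"], new["entries"]), 1):
        if a != b:
            findings.append(f"descriptor {i} changed: {a['type']} -> {b['type']}")
    return findings

def build_sample(loader, parts, signature=SIGNATURE):
    """Constructed sector for the demo: loader bytes plus (flag, type, lba, sectors)."""
    table = b"".join(ENTRY.pack(f, b"\0" * 3, t, b"\0" * 3, lba, n) for f, t, lba, n in parts)
    return loader.ljust(TABLE_OFFSET, b"\0") + table.ljust(64, b"\0") + signature

# Constructed data: partition types as in Figure D, made-up offsets and sizes;
# the loader is filler bytes, not real boot code.
PARTS = [(0x80, 0x0B, 63, 4192902), (0x00, 0x0F, 4192965, 8385930),
         (0x00, 0x17, 12578895, 2097152), (0x00, 0x83, 14676047, 2097152)]
BACKUP = build_sample(b"\x90" * 203, PARTS)
WIPED = build_sample(b"\x90" * 203, [])                # partition table zeroed
PATCHED = build_sample(b"\x90" * 302, PARTS, b"\0\0")  # loader and signature differ

if __name__ == "__main__":
    print(compare(BACKUP, WIPED), compare(BACKUP, PATCHED), sep="\n")
```

To use it on real data, pass the 512 bytes of a saved MBR file and of the current first sector to `compare` in place of the constructed samples.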
Backing up your MBR in anticipation of a corrupt partition table is a very simple process when using a good utility like MBRtool. To know when to save and restore your MBR, you need to understand the fundamentals of boot disk structures and the disk boot process. You can also build upon this knowledge to learn more advanced data recovery techniques. A good place to start is at the DIY DataRecovery Web site.