A Disk Editor View   of   the
MSWIN4.1 OS Boot Record

Web Presentation and Text are Copyright © 2004 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !



Like all previous MS Boot Records (all the way back to MS-DOS V.2 and Floppy Disk Boot Sectors too), the first three bytes are still called the Jump Instruction. Only the first two bytes have ever been used* to form the actual JMP instruction itself to the rest of the executable code; the third byte (90h) is just a NOP instruction ('No Op' do nothing). The next 8 bytes are the System Name (MSWIN4.1; sometimes called the "OEM ID") which is followed by the BIOS Parameter Block (or BPB). The MSWIN 4.1 BPB (shown as: _ BPB _ in the display below) has a number of additional fields compared to a FAT16 partition (used by the original Windows 95, MSWIN4.0 Boot Record). But the Volume Label (example: "MY_C_DRIVE") and File System ID ("FAT32   ") are still found in the last two fields even though this BPB is longer than that of a FAT16 partition.

                                                    BPB  
 Absolute Sector 63 (Cylinder 0, Head 1, Sector 1)   |     System Name
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E |F         |
 0000:  EB 58 90 4D 53 57 49 4E 34 2E 31 00 02 08 20 00  .X.MSWIN4.1... .
 0010:  02 00 00 00 00 F8 00 00 3F 00 80 00 3F 00 00 00  ........?...?...
 0020:  C1 40 5E 00 88 17 00 00 00 00 00 00 02 00 00 00  .@^.............
 0030:  01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0040:  80 00 29 20 20 10 00 4D 59 5F 43 5F 44 52 49 56  ..)  ..MY_C_DRIV
 0050:  45 20 46 41 54 33 32 20 20 20 FA 33 C9 8E D1 BC  E FAT32   .3....
 0060:  F8 7B 8E C1 BD 78 00 C5 76 00 1E 56 16 55 BF 22  .{...x..v..V.U."
 0070:  05 89 7E 00 89 4E 02 B1 0B FC F3 A4 8E D9 BD 00  ..~..N..........
 0080:  7C C6 45 FE 0F 8B 46 18 88 45 F9 38 4E 40 7D 25  |.E...F..E.8N@}%
 0090:  8B C1 99 BB 00 07 E8 97 00 72 1A 83 EB 3A 66 A1  .........r...:f.
 00A0:  1C 7C 66 3B 07 8A 57 FC 75 06 80 CA 02 88 56 02  .|f;..W.u.....V.
 00B0:  80 C3 10 73 ED BF 02 00 83 7E 16 00 75 45 8B 46  ...s.....~..uE.F
 00C0:  1C 8B 56 1E B9 03 00 49 40 75 01 42 BB 00 7E E8  ..V....I@u.B..~.
 00D0:  5F 00 73 26 B0 F8 4F 74 1D 8B 46 32 33 D2 B9 03  _.s&..Ot..F23...
 00E0:  00 3B C8 77 1E 8B 76 0E 3B CE 73 17 2B F1 03 46  .;.w..v.;.s.+..F
 00F0:  1C 13 56 1E EB D1 73 0B EB 27 83 7E 2A 00 77 03  ..V...s..'.~*.w.
 0100:  E9 FD 02 BE 7E 7D AC 98 03 F0 AC 84 C0 74 17 3C  ....~}.......t.<
 0110:  FF 74 09 B4 0E BB 07 00 CD 10 EB EE BE 81 7D EB  .t............}.
 0120:  E5 BE 7F 7D EB E0 98 CD 16 5E 1F 66 8F 04 CD 19  ...}.....^.f....
 0130:  41 56 66 6A 00 52 50 06 53 6A 01 6A 10 8B F4 60  AVfj.RP.Sj.j...`
 0140:  80 7E 02 0E 75 04 B4 42 EB 1D 91 92 33 D2 F7 76  .~..u..B....3..v
 0150:  18 91 F7 76 18 42 87 CA F7 76 1A 8A F2 8A E8 C0  ...v.B...v......
 0160:  CC 02 0A CC B8 01 02 8A 56 40 CD 13 61 8D 64 10  ........V@..a.d.
 0170:  5E 72 0A 40 75 01 42 03 5E 0B 49 75 B4 C3 03 18  ^r.@u.B.^.Iu....
 0180:  01 27 0D 0A 49 6E 76 61 6C 69 64 20 73 79 73 74  .'..Invalid syst
 0190:  65 6D 20 64 69 73 6B FF 0D 0A 44 69 73 6B 20 49  em disk...Disk I
 01A0:  2F 4F 20 65 72 72 6F 72 FF 0D 0A 52 65 70 6C 61  /O error...Repla
 01B0:  63 65 20 74 68 65 20 64 69 73 6B 2C 20 61 6E 64  ce the disk, and
 01C0:  20 74 68 65 6E 20 70 72 65 73 73 20 61 6E 79 20   then press any 
 01D0:  6B 65 79 0D 0A 00 00 00 49 4F 20 20 20 20 20 20  key.....IO      
 01E0:  53 59 53 4D 53 44 4F 53 20 20 20 53 59 53 7E 01  SYSMSDOS   SYS~.
 01F0:  00 57 49 4E 42 4F 4F 54 20 53 59 53 00 00 55 AA  .WINBOOT SYS..U.
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

The last 130 bytes of the Boot Record's first sector contain a few data locations (03 18 01 27), error messages, three system filenames (beginning with IO.SYS ) and finally the Word-sized signature ID (or Magic number) of AA55h; remember hex Words (any non-text data requiring more than a single byte) for Intel x86 CPUs are always stored in memory with the Lowest-byte first and the Highest-byte last!

The RRaA at the beginning of the second sector marks it as the beginning of an MSWIN4.1 Extended Boot Record. A similar ID (rrAa; the same letters as above, but with the case of the letters inverted) marks the start of this Record's "Total Free Clusters" and "Next Available Cluster" data within the sector. There are only 8 bytes of data in the whole sector! 

 Absolute Sector 64 (Cylinder 0, Head 1, Sector 2)
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 0000:  52 52 61 41 00 00 00 00 00 00 00 00 00 00 00 00  RRaA............
 0010:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0020:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0030:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0050:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0060:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0070:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0080:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0090:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 00F0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0100:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0110:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0120:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0130:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0140:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0150:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0160:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0170:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0180:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 0190:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01E0:  00 00 00 00 72 72 41 61 EF 87 04 00 05 1C 09 00  ....rrAa....T...
 01F0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

The third and last sector of this Boot Record contains the remainder of the executable code and the same Word-sized signature ID (AA55 h) which appears at the end of each sector in the Boot Record:

 Absolute Sector 65 (Cylinder 0, Head 1, Sector 3)
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
 0000:  FA 66 0F B6 46 10 66 8B 4E 24 66 F7 E1 66 03 46  .f..F.f.N$f..f.F
 0010:  1C 66 0F B7 56 0E 66 03 C2 33 C9 66 89 46 FC 66  .f..V.f..3.f.F.f
 0020:  C7 46 F8 FF FF FF FF FA 66 8B 46 2C 66 83 F8 02  .F......f.F,f...
 0030:  0F 82 CF FC 66 3D F8 FF FF 0F 0F 83 C5 FC 66 0F  ....f=........f.
 0040:  A4 C2 10 FB 52 50 FA 66 C1 E0 10 66 0F AC D0 10  ....RP.f...f....
 0050:  66 83 E8 02 66 0F B6 5E 0D 8B F3 66 F7 E3 66 03  f...f..^...f..f.
 0060:  46 FC 66 0F A4 C2 10 FB BB 00 07 8B FB B9 01 00  F.f.............
 0070:  E8 BE FC 0F 82 AA FC 38 2D 74 1E B1 0B 56 BE D8  .......8-t...V..
 0080:  7D F3 A6 5E 74 19 03 F9 83 C7 15 3B FB 72 E8 4E  }..^t......;.r.N
 0090:  75 D6 58 5A E8 66 00 72 AB 83 C4 04 E9 64 FC 83  u.XZ.f.r.....d..
 00A0:  C4 04 8B 75 09 8B 7D 0F 8B C6 FA 66 C1 E0 10 8B  ...u..}....f....
 00B0:  C7 66 83 F8 02 72 3B 66 3D F8 FF FF 0F 73 33 66  .f...r;f=....s3f
 00C0:  48 66 48 66 0F B6 4E 0D 66 F7 E1 66 03 46 FC 66  HfHf..N.f..f.F.f
 00D0:  0F A4 C2 10 FB BB 00 07 53 B9 04 00 E8 52 FC 5B  ........S....R.[
 00E0:  0F 82 3D FC 81 3F 4D 5A 75 08 81 BF 00 02 42 4A  ..=..?MZu.....BJ
 00F0:  74 06 BE 80 7D E9 0E FC EA 00 02 70 00 03 C0 13  t...}......p....
 0100:  D2 03 C0 13 D2 E8 18 00 FA 26 66 8B 01 66 25 FF  .........&f..f%.
 0110:  FF FF 0F 66 0F A4 C2 10 66 3D F8 FF FF 0F FB C3  ...f....f=......
 0120:  BF 00 7E FA 66 C1 E0 10 66 0F AC D0 10 66 0F B7  ..~.f...f....f..
 0130:  4E 0B 66 33 D2 66 F7 F1 66 3B 46 F8 74 44 66 89  N.f3.f..f;F.tDf.
 0140:  46 F8 66 03 46 1C 66 0F B7 4E 0E 66 03 C1 66 0F  F.f.F.f..N.f..f.
 0150:  B7 5E 28 83 E3 0F 74 16 3A 5E 10 0F 83 A4 FB 52  .^(...t.:^.....R
 0160:  66 8B C8 66 8B 46 24 66 F7 E3 66 03 C1 5A 52 66  f..f.F$f..f..ZRf
 0170:  0F A4 C2 10 FB 8B DF B9 01 00 E8 B4 FB 5A 0F 82  .............Z..
 0180:  9F FB FB 8B DA C3 00 00 00 00 00 00 00 00 00 00  ................
 0190:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01A0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01B0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01C0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01D0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01E0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
 01F0:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 AA  ..............U.
         0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F

Reminder: Don't forget that each FAT32 Boot Record has a Backup Copy just a few sectors beyond the original. In the case of a single FAT32 partition (or the first partition of many) on a drive, the Backup is found in Absolute Sectors 69 through 71. These correspond to Relative (or Logical) Sectors 0 through 2 and then 6 through 8 (for the Backup copy) of any FAT32 partition on your drive.



*Note on JMP Instruction: Although Microsoft has always used two-byte SHORT (Relative) Jumps (which begin with the byte EB) in their Boot Records, one could also use a NEAR (but still Relative) form which begins with the byte E9 and requires two more bytes for the relative displacement. For example, the EB 58 90 (a two-byte SHORT jump and the 'Do Nothing' byte 90h) in our present MSWIN4.1 Boot Record could just as easily have been replaced by the three bytes: E9 57 00 (which are all part of that Near JMP Instruction). For more info on Relative Jumps, see: Two-byte Jumps.
[Back to Top]


Last Update: July 2, 2005.  [02.07.2005]

You can write to me using this: online reply form. (It opens in a new window.)

BACK TO: The MSWIN 4.1 Boot Record Revealed

MBR and Boot Records Index Page

The Starman's Realm Index Page

 

 

Hosted by uCoz