MBR corruption can occur for various reasons, such as malware or virus infections, disk errors, power outages or improper shutdowns, dual-boot configurations, corruption of critical boot files, and MBR modification using third-party tools. MBR corruption can potentially lead to data loss, but it doesn't typically result in the deletion of the data. Instead, it can make the data inaccessible by preventing the operating system from booting correctly, which can be very distressing. Microsoft provides the "bootrec" command-line tool to repair MBR corruption. This research takes a technical dive into how "bootrec" performs at different levels of MBR corruption.
Knowing what MBR is
MBR stands for Master Boot Record, a critical data structure used in computer storage to manage the operating system's boot process. The MBR is located in the first sector of a storage device, such as a hard drive or solid-state drive, and it contains essential information and code necessary for the system to start up.
Importance of MBR
- Boot Process Initiation: The MBR contains the master boot code, a small program that starts the boot process. When we turn on the computer, the BIOS (or UEFI) firmware locates the MBR on the storage device and executes the code stored within it. This code, in turn, loads the bootloader of the operating system. Without a properly functioning Master Boot Record (MBR), the computer could not boot up.
- Operating System Selection: If multiple operating systems are installed on the computer (e.g., Windows and Linux), the MBR can be configured to choose which operating system to boot. This is done through the bootloader, which the MBR loads.
- Partition Management: The MBR contains the partition table, which provides information about the layout and structure of the partitions on the storage device. It specifies the location, size, and type of each partition. This information is essential for the operating system to access and manage the data stored in different partitions.
Structure of MBR
The initial sector of a hard disk, Sector 0, is called the MBR (Master Boot Record). When we start the computer, the first instructions executed come from the BIOS (Basic Input Output System). The BIOS then loads the MBR sector into memory and transfers control to it. The code within the MBR is responsible for parsing and verifying the partitions before transferring control to the Bootloader code.
The Master Boot Record (MBR) has a simple structure consisting of three main components:
- Master Boot Code (Bootstrap Code)
- Partition Table
- Boot Signature
1. Master Boot Code (Bootstrap Code):
The master boot code is the first 446 bytes of the MBR and contains machine code instructions written in assembly language. It is responsible for the initial bootstrapping process and finding the active partition. The master boot code locates and loads the bootloader from the active partition. The specific code in the master boot code may vary depending on the operating system or boot manager being used.
2. Partition Table:
The partition table is located in the next 64 bytes of the MBR, following the master boot code. It is divided into four entries, each of which is 16 bytes in size. These entries describe the characteristics of individual partitions on the storage device. Each entry contains information such as the starting and ending CHS (Cylinder-Head-Sector) values, the partition type, and the partition’s starting sector in LBA (Logical Block Addressing) format. The partition table can support up to four primary partitions, or three primary partitions and one extended partition. An extended partition can contain multiple logical partitions.
3. Boot Signature:
The last 2 bytes of the MBR (bytes 510 and 511) contain a special value known as the boot signature or the magic number. This value is set to 0x55AA (hexadecimal) and serves as a marker indicating that the MBR is valid and bootable. When the BIOS or UEFI firmware reads the MBR, it checks for this magic number to confirm the bootability of the storage device. If the magic number is not found, the BIOS or UEFI will not consider the device bootable.
MBR layout by byte offset:
0x000-0x1B7 -> MBR code area (440 bytes)
0x1B8-0x1BB -> 32-bit disk signature (optional, 4 bytes)
0x1BC-0x1BD -> 0x0000 or 0x5A5A (2 bytes)
0x1BE-0x1FD -> Partition entries (64 bytes)
0x1FE-0x1FF -> MBR signature 0x55AA (2 bytes)
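A parser for the layout above, as an added example that is not part of the original article. The function names and the sample sector are constructed for illustration; the 16-byte entry is read as status, CHS start, type, CHS end, starting LBA and sector count.

```python
import struct

PART_TABLE_OFF = 0x1BE  # four 16-byte entries, 0x1BE-0x1FD
SIG_OFF = 0x1FE         # bytes 510 and 511

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into disk signature, entries and boot signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for slot in range(4):
        raw = sector[PART_TABLE_OFF + 16 * slot:PART_TABLE_OFF + 16 * (slot + 1)]
        if raw == bytes(16):
            continue  # unused slot
        # status, CHS start, type, CHS end, starting LBA, sector count
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", raw)
        parts.append({"slot": slot, "status": status, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
            "boot_signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
            "partitions": parts}

def table_problems(mbr: dict) -> list:
    """Sanity checks that flag a damaged signature or partition table."""
    problems = []
    if not mbr["boot_signature_ok"]:
        problems.append("boot signature is not 55 AA")
    if not mbr["partitions"]:
        problems.append("no partition entries")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):  # 0x80 marks the active partition
            problems.append(f"slot {p['slot']}: invalid status 0x{p['status']:02X}")
        if p["type"] == 0 or p["sectors"] == 0:
            problems.append(f"slot {p['slot']}: empty type or zero length")
    ordered = sorted(mbr["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"slots {a['slot']} and {b['slot']} overlap")
    return problems

def build_sample() -> bytes:
    """Constructed sample: one active partition, type 0x07, starting at LBA 2048."""
    s = bytearray(512)
    struct.pack_into("<I", s, 0x1B8, 0x12345678)
    struct.pack_into("<B3sB3sII", s, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    s[SIG_OFF:SIG_OFF + 2] = b"\x55\xAA"
    return bytes(s)
```

Calling `table_problems(parse_mbr(build_sample()))` returns an empty list for the constructed sample; a sector read from a disk image can be passed to `parse_mbr` in the same way.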
Different types of MBR:
Typically, there are three types of MBR:
- Standard MBR: The traditional MBR format used on most legacy systems. It is limited to supporting up to four primary partitions, or three primary partitions and one extended partition.
- Extended MBR: Some systems, particularly older ones, use an extended MBR format that can be used to define more than four partitions. It allows for an extended partition, which can contain multiple logical partitions. This is a workaround to the four-partition limit of the standard MBR.
- Protective MBR: GPT (GUID Partition Table) disks, a more modern partitioning scheme, use a protective MBR to maintain compatibility with older systems that may not support GPT. The MBR contains a single protective partition covering the entire disk and preventing older systems from misinterpreting the GPT partition table.
Performance of the "bootrec" command line tool on different corruptions:
1. Corrupting Master Boot Code of MBR:
Of the 512 bytes of the MBR, the first 446 bytes are the Master Boot Code, which contains machine code instructions written in assembly language. Let’s corrupt it partially and see how the "bootrec" command-line tool performs.
Starting from the healthy MBR of the hard drive, we corrupted 0x80 bytes in the Master Boot Code, from offset 0x00 to offset 0x80.
When the Master Boot Code is corrupted, on boot, the system will show the message, “Reboot and Select proper Boot device or Insert Boot Media in selected Boot device and press a key”.
Now let’s run the "bootrec" command. To do so, we need to start the PC from a Windows installation CD/DVD or a recovery USB flash drive, choose "Repair your computer", and select the Command Prompt option under Troubleshoot.
Type the command "bootrec /fixmbr" in the Command Prompt window and press Enter. Once the repair process is complete, the message "The operation completed successfully" is displayed, and on reboot the operating system loaded without any issue. The "bootrec /fixmbr" command successfully fixed the partial corruption of the Master Boot Code.
2. Corrupting Boot Signature of MBR:
The last 2 bytes of the MBR (bytes 510 and 511) contain the Boot Signature. Now let’s corrupt the Boot Signature and run "bootrec /fixmbr".
We corrupted the Boot Signature by changing bytes 510 and 511 to 00.
On boot the PC will show the message, “Reboot and Select proper Boot device or Insert Boot Media in selected Boot device and press a key” when Boot Signature is corrupted.
We ran the command "bootrec /fixmbr" in the Command Prompt window opened from the Windows installation CD/DVD, and the message "The operation completed successfully" was displayed. After restarting the machine, the operating system loaded without any issue.
3. Corrupting Partition Table of MBR:
Now let’s corrupt the Partition Table, which is 64 bytes long and runs from offset 0x1BE to 0x1FD.
On boot, the PC displays the message “Reboot and Select proper Boot device or Insert Boot Media in selected Boot device and press a key” after corrupting the Partition Table.
We started fixing the PC using the Windows installation CD/DVD. After choosing "Repair your computer" and then "Command Prompt" under Troubleshoot, we ran the command "bootrec /fixmbr". The command seemed successful, showing "The operation completed successfully." However, when we tried to reboot the PC, it displayed an error message: "Reboot and Select proper Boot device or Insert Boot Media in selected Boot device and press a key." The "bootrec /fixmbr" command did not resolve the corruption in this instance.
We then tried the command "bootrec /fixboot", but it failed with an "Element not found" message. The subsequent commands "bootrec /scanos" and "bootrec /rebuildbcd" proved equally futile, reporting "Total identified Windows installations: 0." The threat of complete data loss intensified.
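The three tests above each damage a different byte range of sector 0. The following added example (not part of the original article) compares a saved copy of the sector against its current contents, names the region that changed, and attaches the outcome this article observed for it. The function names and the baseline sector are constructed for illustration.

```python
# Byte ranges of the MBR regions listed earlier on this page (end exclusive).
REGIONS = [
    ("boot code", 0x000, 0x1B8),
    ("disk signature", 0x1B8, 0x1BC),
    ("reserved", 0x1BC, 0x1BE),
    ("partition table", 0x1BE, 0x1FE),
    ("boot signature", 0x1FE, 0x200),
]

# What this article observed after running bootrec /fixmbr for each damaged region.
OBSERVED = {
    "boot code": "bootrec /fixmbr restored booting",
    "boot signature": "bootrec /fixmbr restored booting",
    "partition table": "bootrec did not help; partitions must be located by scanning",
}

def changed_regions(baseline: bytes, current: bytes) -> dict:
    """Map each modified region to (first differing offset, differing byte count)."""
    if len(baseline) != 512 or len(current) != 512:
        raise ValueError("both sectors must be exactly 512 bytes")
    changes = {}
    for name, start, end in REGIONS:
        diffs = [off for off in range(start, end) if baseline[off] != current[off]]
        if diffs:
            changes[name] = (diffs[0], len(diffs))
    return changes

def triage(baseline: bytes, current: bytes) -> list:
    """One report line per modified region, with the outcome seen in the tests above."""
    return [f"{name}: {count} byte(s) changed from 0x{first:03X}; "
            f"{OBSERVED.get(name, 'not tested in this article')}"
            for name, (first, count) in changed_regions(baseline, current).items()]

def overwrite(sector: bytes, start: int, end: int) -> bytes:
    """Copy of `sector` with [start, end) zeroed, to build the constructed test inputs."""
    return sector[:start] + bytes(end - start) + sector[end:]

# Constructed baseline (not a real disk): filler boot code, filler table, 55 AA.
BASELINE = b"\x90" * 0x1BE + b"\x11" * 64 + b"\x55\xAA"

if __name__ == "__main__":
    for line in triage(BASELINE, overwrite(BASELINE, 0x1BE, 0x1FE)):
        print(line)
```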
Based on my experience, conventional command-line methods often fall short in such scenarios. Recognizing the severity of a corrupted partition table, I decided to put Remo Recover to the test to recover data from a case where a partition table is corrupted.
We have designed Remo Recover to discover lost data with two key stages: Data Collection and Hierarchy Creation. It begins the recovery process by scanning the corrupted drive and employing low-level disk scanning techniques to locate existing partitions. The application identifies the precise sector numbers where each partition begins and ends on the drive. This information is crucial for accurately defining the boundaries of each partition. It determines the type of file system used on each partition, which can vary from FAT16, FAT32, exFAT, to NTFS.
Recognizing the correct file system type is vital for successful data recovery. Remo Recover organizes the collected partition data, which includes files and folders, into a structured hierarchy. This hierarchy mirrors the familiar organization in Windows Explorer, making it easy for users to navigate and identify their recovered data.
When Remo Recover started scanning the drive with partition table corruption, this is what we noticed:
The application displayed the lost partitions with the filesystem, and it dynamically added the files and folders as and when the file entries were recovered; we were able to preview the recovered files while the scan was in progress, and the recovered files were healthy. Remo Recover successfully recovered the data from the drive with the same file and folder hierarchy.
To summarize, the "bootrec" command-line tool is a good option in cases of minor MBR corruption. When it comes to major corruption in the partition table of the MBR or complete MBR corruption, the "bootrec" command-line tool fails. Remo Recover is developed to handle complex corruption in the Master Boot Record and recover complete data in the original file and folder hierarchy without affecting the drive.