Recovery Concepts: MBR problems

Master Boot Record (MBR) is Damaged

The Master Boot Record (MBR) is created automatically when the disk has been initialized or the first partition on the hard disk is created. It is an important data structure on the disk.

The Master Boot Record contains a small amount of executable code for the boot start and the Partition Table for the disk. The location is always the first sector on the disk.

The first 446 (0x1BE) bytes belong to the MBR itself, the next 64 bytes are the Partition Table, the last two bytes in the sector are a signature word for the sector and are always 0x55AA.

The disk layout for the MBR is displayed below:

	Physical Sector: Sector #1
	000000000   33 C0 8E D0 BC 00 7C FB  50 07 50 1F FC BE 1B 7C   3AZ??.|uP.P.u?.|
	000000010   BF 1B 06 50 57 B9 E5 01  F3 A4 CB BE BE 07 B1 04   ?..PW?a.o¤E??.±.
	000000020   38 2C 7C 09 75 15 83 C6  10 E2 F5 CD 18 8B 14 8B   8,|.u.??.aoI.<.<
	000000030   EE 83 C6 10 49 74 16 38  2C 74 F6 BE 10 07 4E AC   i??.It.8,to?..N¬
	000000040   3C 00 74 FA BB 07 00 B4  0E CD 10 EB F2 89 46 25   <.tu»..?.I.eo?F%
	000000050   96 8A 46 04 B4 06 3C 0E  74 11 B4 0B 3C 0C 74 05   -SF.?.<.t.?.<.t.
	000000060   3A C4 75 2B 40 C6 46 25  06 75 24 BB AA 55 50 B4   :Au+@?F%.u$»?UP?
	000000070   41 CD 13 58 72 16 81 FB  55 AA 75 10 F6 C1 01 74   AI.Xr.?uU?u.oA.t
	000000080   0B 8A E0 88 56 24 C7 06  A1 06 EB 1E 88 66 04 BF   .Sa?V$C.?.e.?f.?
	000000090   0A 00 B8 01 02 8B DC 33  C9 83 FF 05 7F 03 8B 4E   ..?..?}U
	0000000B0   AA 74 5A 83 EF 05 7F DA  85 F6 75 83 BE 27 07 EB   ?tZ?i.U.ou??'.e
	0000000C0   8A 98 91 52 99 03 46 08  13 56 0A E8 12 00 5A EB   S?'RT.F..V.e..Ze
	0000000D0   D5 4F 74 E4 33 C0 CD 13  EB B8 00 00 00 00 00 00   OOta3AI.e?......
	0000000E0   56 33 F6 56 56 52 50 06  53 51 BE 10 00 56 8B F4   V3oVVRP.SQ?..V.o
	0000000F0   50 52 B8 00 42 8A 56 24  CD 13 5A 58 8D 64 10 72   PR?.BSV$I.ZX?d.r
	000000100   0A 40 75 01 42 80 C7 02  E2 F7 F8 5E C3 EB 74 49   .@u.B?C.a?o^AetI
	000000110   6E 76 61 6C 69 64 20 70  61 72 74 69 74 69 6F 6E   nvalid partition
	000000120   20 74 61 62 6C 65 00 45  72 72 6F 72 20 6C 6F 61    table.Error loa
	000000130   64 69 6E 67 20 6F 70 65  72 61 74 69 6E 67 20 73   ding operating s
	000000140   79 73 74 65 6D 00 4D 69  73 73 69 6E 67 20 6F 70   ystem.Missing op
	000000150   65 72 61 74 69 6E 67 20  73 79 73 74 65 6D 00 00   erating system..
	000000160   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
	000000170   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
	000000180   00 00 00 8B FC 1E 57 8B  F5 CB 00 00 00 00 00 00   ...?...@2N...
	0000001D0   41 3F 06 FE 7F 64 7F 32  4E 00 A6 50 09 00 00 00   A?.?d2N.¦P....
	0000001E0   41 65 0F FE BF 4A 25 83  57 00 66 61 38 00 00 00   Ae.??J%?W.fa8...
	0000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 AA   ..............U?
    
	Offset       0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

What will happen if the first sector has been damaged (physically or by a virus)? In our demonstration example, to simulate a damaged MBR, we will overwrite precisely the first 16 bytes with zeros.


	000000000   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................
	000000010   BF 1B 06 50 57 B9 E5 01  F3 A4 CB BE BE 07 B1 04   ?..PW?a.o¤E??.±.
 

When we try to boot after making this change, we encounter a blank screen without any messages. This indicates the piece of code at the beginning of the MBR could not be executed properly. Error messages (usually located inside MBR) cannot be displayed because the MBR has not been recognized.

If we boot this machine from a floppy, USB or CD/DVD-ROM drive in DOS or Windows mode, we can see a FAT partition with files on it and we are able to perform standard operations like copying files and executing programs. This is possible because in our precise over-writing laboratory environment, it is only the MBR that has been damaged. This damage does not allow the system to boot properly on its own. If we find another way to boot the system, we can see that the partition table is safe and we can access our drives and files.

What will happen if first sector signature (last bytes 0x55AA) has been removed or damaged? Back at the laboratory, we write zeros to the precise location of the sector signature, as below:

	Physical Sector: Sector #1

	0000001E0   41 65 0F FE BF 4A 25 83  57 00 66 61 38 00 00 00   Ae.??J%?W.fa8...
	0000001F0   00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ................

This time, when we perform the boot sequence, we see an error message like "Operating System not found".

This tells us that if the computer does not boot successfully, the first thing we need to do is to boot from a boot disk and run Disk Viewer and check the first physical sector on the drive to see whether or not it looks like valid Master Boot Record. Here are the things to check:

See whether the first sector is filled up with zeros or any other single character See if conditions for error messages are present or not (like Operating System not found, Invalid partition table...) See whether the disk signature (0x55AA) is present or not

The simplest way to repair or re-create MBR is to run Microsoft's standard DOS utility called FDISK with a parameter /MBR, as in the syntax below:

	A:\> FDISK.EXE  /MBR

FDISK is a standard utility included in MS-DOS, Windows 95, 98, ME.

If you have Windows NT / 2000 / XP / 2003 / Vista / 7 / 8 / 10 / 11, you can boot from startup floppy disks, USB or CD-ROM, choose the Repair option during setup, and run Recovery Console. When you are logged on, you can run the FIXMBR command to fix the MBR, for example:

 C:\> FIXMBR \Device\HardDisk0

Also you can use third party MBR recovery software. If you have created an MBR backup, just restore it (using a utility such as Active@ Partition Recovery ).

What will happen if the first sector is "bad" (unreadable)?

If the first sector is unreadable, you will likely get the blank screen environment as described when we overwrote the first 16 bytes with zeros. If you try to read the first sector using Disk Viewer/Editor you will probably get an error message saying that sector is unreadable.

In this case recovery software is unable to help you to bring drive back to working condition. Physical recovery of the partition back to the operational state is not possible.

The data might be recoverable with a utility that can scan and search to perform virtual partition recovery. If something is found, the data can be displayed and the user has an opportunity to save important data to another location. Data recovery software, like Active@ File Recovery , will help you in this case.