jaclaz Posted May 6, 2014 Posted May 6, 2014 My interest in the matter was started by the need to restore a corrupted disk (originally running Windows 7) and I initially thought that I could quickly use JFX's nice GetWaikTools program to get the bootsect.exe, but wasn't successful to get the actual one I *wanted*, no actual problem as anyway the filesystem had other issues, so that even if would have managed to get the thingy it would have not solved the actual issue at hand. However, once fixed the problem (using other tools) and having restored the bootsector using a bootsect.exe from a "full" copy of the Windows 7 AIK I had at home, I posted this: http://www.msfn.org/board/topic/156869-get-waik-tools-wo-downloading-the-huge-isos/?p=1076121 And dencorso pointed out: http://www.msfn.org/board/topic/156869-get-waik-tools-wo-downloading-the-huge-isos/?p=1076145 how there are even two versions of the WAIK (actualy ADK along the new naming) "5.x" i.e. correspondent to the Windows 8.1 release. Though irrational, the official numbering of PE's is given here: http://technet.microsoft.com/en-us/library/dn293271.aspx and thus I will use that numbering: XP/2003 -> PE 1.x Vista /2008 -> PE 2.x 7/2008R2 -> PE 3.x 8-> PE 4.x 8.1->PE 5.x (though it should have been logically called 4.1) Anyway, since I am picky I wanted to make sure what the various versions do. I have tested a few versions of the MS bootsect.exe program. Versions tested: A.1 Vista/Waik2/PE2.x->6.0.6000.16386->02/11/2006->87,552 bytes A.2 VistaSP1/Waik2.1/PE2.1->6.0.6001.18000->19/01/2008->102,400 bytes B.1 7/Waik3/PE3.x->6.1.7600.16385->14/07/2009->103,312 bytes B.2 7SP1/Waik3/PE3.1->6.1.7601.17514->20/11/2010->97,280 bytes C.1 8/Waik4/PE4.x->6.2.9200.16384->25/07/2012->117,688 bytes D.1 8.1/Waik5/PE5.0->6.3.9431.0->15/06/2013->119.912 bytes D.2 8.1/Waik5/PE5.1->6.3.9600.16384->21/08/2013->100.968 bytes The A.1 version has NOT the /mbr switch, thus it can only change the bootsector of a volume (and NOT the MBR of the disk). Version A.1: The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the Vista one (type NT60). The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16/32 volumes is the Vista one (type NT60). Starting with the A.2 release, the tool has the /mbr switch, thus it can change BOTH the bootsector of the volume AND the MBR of the disk that hosts it. Version A.2: The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the Vista one BUT with 2 bytes different from the A.1 version (type NT60x). The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16/32 volumes is the Vista one (type NT60). The boot code written with the /NT60 /mbr options to the MBR is the Vista one (type NT60). Versions B: The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the 7 one (type NT61). The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16/32 volumes is the Vista one (type NT60). The boot code written with the /NT60 /mbr options to the MBR is the 7 one (type NT61). Versions C: The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the 8 one (type NT62). The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16 volumes is the Vista one (type NT60). The boot code written with the /NT60 option to the bootsector/VBR of FAT32 volumes is the 8 one (type NT62). The boot code written with the /NT60 /mbr options to the MBR is the 7 one (type NT61). Versions D: The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the 8 one (type NT62). The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16 volumes is the Vista one (type NT60). The boot code written with the /NT60 option to the bootsector/VBR of FAT32 volumes is the 8 one (type NT62). The boot code written with the /NT60 /mbr options to the MBR is the 7 one (type NT61). The boot code written with the /NT52 option is the SAME for ALL the above versions, and it is actually the 2K/XP one (type NT52). Each version of the bootcode *should* be fully compatible with previous OS versions (i.e., as an example, you can use bootsect.exe 6.3.9431.0 to fix the MBR or bootsector of a Vista install, BUT you won't have recreated the original bootsector or MBR code). The known tool MBRFIX: http://www.sysint.no/nedlasting/mbrfix.htm can supplement the version A.1 providing a way to write the original Vista (or 7) MBR code. The tool contains the NT52/NT60/NT61 versions of the MBR code and the DOS6 and DOS7/8 VBR code. Attached is the usual half-@§§ed batch, the idea is that you have in the same "root" directory the batch and the needed files, i.e. dsfo (part of the DSFOK toolkit): http://members.ozemail.com.au/~nulifetv/freezip/freeware/ and gsar: http://home.online.no/~tjaberg/ and a number of subdirectories, each with a separate version of bootsector.exe or mbrfix.exe, then you run the batch and it will extract the MBR's and VBR's and will attempt to "classify" them. Also in the attachment is the result of running the batch in my setup. Sources/References: A.1 https://www.microsoft.com/en-us/download/details.aspx?id=10333 vista_6000.16386.061101-2205-LRMAIK_EN.img A.2 http://www.microsoft.com/en-us/download/details.aspx?id=9085 6001.18000.080118-1840-kb3aikl_en.iso B.1 http://www.microsoft.com/en-us/download/details.aspx?id=5753 KB3AIK_EN.iso B.2 http://www.microsoft.com/en-us/download/details.aspx?id=5188 waik_supplement_en-us.iso C.1 Not available as .iso, use the "current" version of GetWAIKtools D.1 Not available as .iso, use the "old" version of GetWAIKtools 150 in dencorso's post D.2 Not available as .iso, use the "current" version of GetWAIKtools bootsect_test.zip
dencorso Posted May 7, 2014 Posted May 7, 2014 Thank you for this very interesting thread, jaclaz!Just for the sake of completeness, I'll add some other versions of bootsect.exe I know, and have a sample of:A.1 Vista/Waik2/PE2.x->6.0.6000.16386->02/11/2006->87,552 bytesA.2 VistaSP1/Waik2.1/PE2.1->6.0.6001.18000->19/01/2008->102,400 bytesB.0 7RC/Waik3RC/PE3.x->6.1.7100.0->103,312 bytes (Released April 30, 2009)B.1 7/Waik3/PE3.x->6.1.7600.16385->14/07/2009->103,312 bytesB.2 7SP1/Waik3/PE3.1->6.1.7601.17514->20/11/2010->97,280 bytesC.§ 8DP/ADK4DP/PE4.x->6.2.8102.0->110,408 bytes (Released September 13, 2011)C.0 8RP/ADK4RP/PE4.x->6.2.8400.0->117,672 bytes (Released May 31, 2012)C.1 8/Waik4/PE4.x->6.2.9200.16384->25/07/2012->117,688 bytesD.1 8.1/Waik5/PE5.0->6.3.9431.0->15/06/2013->119.912 bytesD.2 8.1/Waik5/PE5.1->6.3.9600.16384->21/08/2013->100.968 bytes I didn't check it again today, yet I seem to remember those pre-release WAIK/ADKs were withdrawn, and are not available anymore at MS, but I'm not really sure about it. In any case I cannot see what those three additional bootsect.exe versions would add to your careful analysis, if tested. However, they do permit the inference that all pre-release version WAIK/ADKs seem to have build number zero.
jaclaz Posted May 7, 2014 Author Posted May 7, 2014 I didn't check it again today, yet I seem to remember those pre-release WAIK/ADKs were withdrawn, and are not available anymore at MS, but I'm not really sure about it. In any case I cannot see what those three additional bootsect.exe versions would add to your careful analysis, if tested. However, they do permit the inference that all pre-release version WAIK/ADKs seem to have build number zero.Well, if you could run the batch on those "other" ones (even if not available anymore) and post the "log", we could see if they contain "different" MBR's or PBR's code, though I believe that they would fall in the categorization you made of them. Anyway, everyone can run the batch and find him/herself if there is any difference. jaclaz
dencorso Posted May 7, 2014 Posted May 7, 2014 Here you go! So: "B.0" ≡ "B.1" and "C.0" ≡ "C.1", but then there is "C.§"... ...what about "None_FAT32_75096.VBR" and "None_NTFS__66904.VBR", in 6.2.8102.0? other_bootsects2.7z
jaclaz Posted May 7, 2014 Author Posted May 7, 2014 (edited) ...what about "None_FAT32_75096.VBR" and "None_NTFS__66904.VBR", in 6.2.8102.0? Open each of them in a hex editor, comparing with the ones "recognized".They may be "very similar" to the other versions found (like one or two bytes difference).Edit:I quickly checked, and they seem very similar to the 6.2.9200.16384 (and to the 6.2.8400.0) version, only with the (presumably an error message) text:An operating system wasn't found. Try disconnecting any drives that don't contain an operating system. missing. All in all a very good thing that they are not anymore available, IMHO. jaclaz Edited May 7, 2014 by jaclaz
dencorso Posted May 7, 2014 Posted May 7, 2014 Yes, I mean... no: "None_FAT32_75096.VBR" is different from "type NT60" bootcode in just 14 bytes. I'd say it's yet another variation of "type NT60", rather than a variation of the "type NT62".
Kullenen_Ask Posted May 7, 2014 Posted May 7, 2014 (edited) Best one is 6.1.7600.16385 (win7_rtm.090713-1255). I have never had problem with it. And it is not same size you wrote B.1 7/Waik3/PE3.x->6.1.7600.16385->14/07/2009->103,312 bytes mine is 6.1.7600.16385->14/07/2009->95,0 KB (97.280 bayt) There should be a mistake between two B.1 7/Waik3/PE3.x->6.1.7600.16385->14/07/2009->103,312 bytesB.2 7SP1/Waik3/PE3.1->6.1.7601.17514->20/11/2010->97,280 bytes Edited May 7, 2014 by Kullenen_Ask
jaclaz Posted May 7, 2014 Author Posted May 7, 2014 (edited) I don't know. Mine is 6.1.7600.16385 (win7_rtm.090713-1255) is dated 14/07/2009 and it is 103,312 bytes in size (and it comes as explained in the footnote from the KB3AIK_EN.iso). To be more exact, it is the file inside: D:\Windows7\KB3AIK_EN.iso\wAIKX86.msi\x86AIK.cab\ F1_BOOTSECT.EXE extracted with 7-zip and renamed to BOOTSECT.EXE. I am attaching a screenshot. Could it be that 7-zip somehow miscomputes the size of the file? And then it extract it with this "false" size? I would find this improbable, but it is of course possible. In any case the point was not about a particular version being "better" or "worse" it was about the fact that different versions, using the SAME command write different code. Yes, I mean... no: "None_FAT32_75096.VBR" is different from "type NT60" bootcode in just 14 bytes. I'd say it's yet another variation of "type NT60", rather than a variation of the "type NT62". Well, here it is NOT similar to "type NT60" \031_Windows7.SP1_AIK_3.1\NT60_FAT32_55808.VBR but it is similar to \040_Windows8.0_ADK4\NT62_FAT32_72024.VBR jaclaz Edited May 7, 2014 by jaclaz
dencorso Posted May 7, 2014 Posted May 7, 2014 In the attached image, only lines having at least one different byte were included, the rest being equal. While NT62_FAT32_72024.VBR differs from None_FAT32_75096.VBR in 182 bytes, which can be reduced to 54, if one disconsiders the 128 corresponding to the text that's only present in NT62. Now, in a glance the 14 differences in the picture below can be counted.... Left file is NT60_FAT32_55808.VBR MD5=13b15145f2639a094ba85953c3832981 1536 bytes...
bphlpt Posted May 7, 2014 Posted May 7, 2014 Hey dencorso, just curious which tool you used to find and show those file differences? Cheers and Regards
dencorso Posted May 7, 2014 Posted May 7, 2014 Beyond Compare 3 (3.3.10.17762 actually). Not free but surely worth the cost, IMO.Multibooter convinced me to try it, and I've never regreted it.. it's really great!
jaclaz Posted May 8, 2014 Author Posted May 8, 2014 Well, not really, or "yes and no" but it's OK.When you compare a file like this, you need to go "beyond" the mere differences.A large part of the code in the bootsector code are jump instructions, or however references - as offsets - to a "later part" of the code.Thus, if you "move" a "block" of code, a number of references to it will change (by the amount of bytes you move the code).These latter changes are not "actual differences, IMNSHO. Not entirely unlike DENCORSO and dencorso being 8 different bytes. jaclaz A better example is this snippet (from NT62_FAT32_72024.VBR)seg000:0100 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦seg000:0100seg000:0100seg000:0100 sub_100 proc near ; CODE XREF: seg000:00D1pseg000:0100 ; sub_100+6Aj ...seg000:0100seg000:0100 ; FUNCTION CHUNK AT seg000:00D7 SIZE 0000001F BYTESseg000:0100 ; FUNCTION CHUNK AT seg000:00FB SIZE 00000005 BYTESseg000:0100seg000:0100 pushadseg000:0102 cmp byte ptr [bp+2], 0seg000:0106 jz loc_12Aseg000:010A push large 0seg000:010D push eaxseg000:010F push esseg000:0110 push bxseg000:0111 push large 10010hseg000:0117 mov ah, 42h ; 'B'seg000:0119 mov dl, [bp+40h]seg000:011C mov si, spseg000:011E int 13h ; DISK -seg000:0120 pop eaxseg000:0122 pop eaxseg000:0124 pop eaxseg000:0126 pop eaxseg000:0128 jmp short loc_15Dseg000:012A ; --------------------------------------------------------------------------- compared with this one (from None_FAT32_75096.VBR) seg000:00FF ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦seg000:00FFseg000:00FFseg000:00FF sub_FF proc near ; CODE XREF: seg000:00D1pseg000:00FF ; sub_FF+6Aj ...seg000:00FFseg000:00FF ; FUNCTION CHUNK AT seg000:00D7 SIZE 0000001E BYTESseg000:00FF ; FUNCTION CHUNK AT seg000:00FA SIZE 00000005 BYTESseg000:00FFseg000:00FF pushadseg000:0101 cmp byte ptr [bp+2], 0seg000:0105 jz loc_129seg000:0109 push large 0seg000:010C push eaxseg000:010E push esseg000:010F push bxseg000:0110 push large 10010hseg000:0116 mov ah, 42h ; 'B'seg000:0118 mov dl, [bp+40h]seg000:011B mov si, spseg000:011D int 13h ; DISK -seg000:011F pop eaxseg000:0121 pop eaxseg000:0123 pop eaxseg000:0125 pop eaxseg000:0127 jmp short loc_15Cseg000:0129 ; ---------------------------------------------------------------------------
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now