Jump to content

Bootsect.exe: Various Versions Compared


jaclaz

Recommended Posts

My interest in the matter was started by the need to restore a corrupted disk (originally running Windows 7) and I initially thought that I could quickly use JFX's nice GetWaikTools program to get the bootsect.exe, but wasn't successful to get the actual one I *wanted*, no actual problem as anyway the filesystem had other issues, so that even if would have managed to get the thingy it would have not solved the actual issue at hand.

However, once fixed the problem (using other tools) and having restored the bootsector using a bootsect.exe from a "full" copy of the Windows 7 AIK I had at home, I posted this:

http://www.msfn.org/board/topic/156869-get-waik-tools-wo-downloading-the-huge-isos/?p=1076121

And dencorso pointed out:

http://www.msfn.org/board/topic/156869-get-waik-tools-wo-downloading-the-huge-isos/?p=1076145

how there are even two versions of the WAIK (actualy ADK along the new naming) "5.x" i.e. correspondent to the Windows 8.1 release.

Though irrational, the official numbering of PE's is given here:

http://technet.microsoft.com/en-us/library/dn293271.aspx

and thus I will use that numbering:

  • XP/2003 -> PE 1.x
  • Vista /2008 -> PE 2.x
  • 7/2008R2 -> PE 3.x
  • 8-> PE 4.x
  • 8.1->PE 5.x (though it should have been logically called 4.1)

Anyway, since I am picky I wanted to make sure what the various versions do.

 

 

I have tested a few versions of the MS bootsect.exe program.

Versions tested:

A.1 Vista/Waik2/PE2.x->6.0.6000.16386->02/11/2006->87,552 bytes

A.2 VistaSP1/Waik2.1/PE2.1->6.0.6001.18000->19/01/2008->102,400 bytes

B.1 7/Waik3/PE3.x->6.1.7600.16385->14/07/2009->103,312 bytes

B.2 7SP1/Waik3/PE3.1->6.1.7601.17514->20/11/2010->97,280 bytes

C.1 8/Waik4/PE4.x->6.2.9200.16384->25/07/2012->117,688 bytes

D.1 8.1/Waik5/PE5.0->6.3.9431.0->15/06/2013->119.912 bytes

D.2 8.1/Waik5/PE5.1->6.3.9600.16384->21/08/2013->100.968 bytes

The A.1 version has NOT the /mbr switch, thus it can only change the bootsector of a volume (and NOT the MBR of the disk).

Version A.1:

The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the Vista one (type NT60).

The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16/32 volumes is the Vista one (type NT60).

Starting with the A.2 release, the tool has the /mbr switch, thus it can change BOTH the bootsector of the volume AND the MBR of the disk that hosts it.

Version A.2:

The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the Vista one BUT with 2 bytes different from the A.1 version (type NT60x).

The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16/32 volumes is the Vista one (type NT60).

The boot code written with the /NT60 /mbr options to the MBR is the Vista one (type NT60).

Versions B:

The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the 7 one (type NT61).

The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16/32 volumes is the Vista one (type NT60).

The boot code written with the /NT60 /mbr options to the MBR is the 7 one (type NT61).

Versions C:

The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the 8 one (type NT62).

The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16 volumes is the Vista one (type NT60).

The boot code written with the /NT60 option to the bootsector/VBR of FAT32 volumes is the 8 one (type NT62).

The boot code written with the /NT60 /mbr options to the MBR is the 7 one (type NT61).

Versions D:

The boot code written with the /NT60 option to the bootsector/VBR for NTFS volumes ($Boot) is the 8 one (type NT62).

The boot code written with the /NT60 option to the bootsector/VBR of FAT12/16 volumes is the Vista one (type NT60).

The boot code written with the /NT60 option to the bootsector/VBR of FAT32 volumes is the 8 one (type NT62).

The boot code written with the /NT60 /mbr options to the MBR is the 7 one (type NT61).

The boot code written with the /NT52 option is the SAME for ALL the above versions, and it is actually the 2K/XP one (type NT52).

Each version of the bootcode *should* be fully compatible with previous OS versions (i.e., as an example, you can use bootsect.exe 6.3.9431.0 to fix the MBR or bootsector of a Vista install, BUT you won't have recreated the original bootsector or MBR code).

The known tool MBRFIX:

http://www.sysint.no/nedlasting/mbrfix.htm

can supplement the version A.1 providing a way to write the original Vista (or 7) MBR code.

The tool contains the NT52/NT60/NT61 versions of the MBR code and the DOS6 and DOS7/8 VBR code.

Attached is the usual half-@§§ed batch, the idea is that you have in the same "root" directory the batch and the needed files, i.e. dsfo (part of the DSFOK toolkit):

http://members.ozemail.com.au/~nulifetv/freezip/freeware/

and gsar:

http://home.online.no/~tjaberg/

and a number of subdirectories, each with a separate version of bootsector.exe or mbrfix.exe, then you run the batch and it will extract the MBR's and VBR's and will attempt to "classify" them.

Also in the attachment is the result of running the batch in my setup.

Sources/References:

A.1 https://www.microsoft.com/en-us/download/details.aspx?id=10333 vista_6000.16386.061101-2205-LRMAIK_EN.img

A.2 http://www.microsoft.com/en-us/download/details.aspx?id=9085 6001.18000.080118-1840-kb3aikl_en.iso

B.1 http://www.microsoft.com/en-us/download/details.aspx?id=5753 KB3AIK_EN.iso

B.2 http://www.microsoft.com/en-us/download/details.aspx?id=5188 waik_supplement_en-us.iso

C.1 Not available as .iso, use the "current" version of GetWAIKtools

D.1 Not available as .iso, use the "old" version of GetWAIKtools 150 in dencorso's post

D.2 Not available as .iso, use the "current" version of GetWAIKtools

bootsect_test.zip

Link to comment
Share on other sites


Thank you for this very interesting thread, jaclaz!

Just for the sake of completeness, I'll add some other versions of bootsect.exe I know, and have a sample of:

A.1 Vista/Waik2/PE2.x->6.0.6000.16386->02/11/2006->87,552 bytes
A.2 VistaSP1/Waik2.1/PE2.1->6.0.6001.18000->19/01/2008->102,400 bytes
B.0 7RC/Waik3RC/PE3.x->6.1.7100.0->103,312 bytes (Released April 30, 2009)
B.1 7/Waik3/PE3.x->6.1.7600.16385->14/07/2009->103,312 bytes
B.2 7SP1/Waik3/PE3.1->6.1.7601.17514->20/11/2010->97,280 bytes

C.§ 8DP/ADK4DP/PE4.x->6.2.8102.0->110,408 bytes (Released September 13, 2011)

C.0 8RP/ADK4RP/PE4.x->6.2.8400.0->117,672 bytes (Released May 31, 2012)

C.1 8/Waik4/PE4.x->6.2.9200.16384->25/07/2012->117,688 bytes
D.1 8.1/Waik5/PE5.0->6.3.9431.0->15/06/2013->119.912 bytes
D.2 8.1/Waik5/PE5.1->6.3.9600.16384->21/08/2013->100.968 bytes
 

I didn't check it again today, yet I seem to remember those pre-release WAIK/ADKs were withdrawn, and are not available anymore at MS, but I'm not really sure about it. In any case I cannot see what those three additional bootsect.exe versions would add to your careful analysis, if tested. However, they do permit the inference that all pre-release version WAIK/ADKs seem to have build number zero.

Link to comment
Share on other sites

I didn't check it again today, yet I seem to remember those pre-release WAIK/ADKs were withdrawn, and are not available anymore at MS, but I'm not really sure about it. In any case I cannot see what those three additional bootsect.exe versions would add to your careful analysis, if tested. However, they do permit the inference that all pre-release version WAIK/ADKs seem to have build number zero.

Well, if you could run the batch on those "other" ones (even if not available anymore) and post the "log", we could see if they contain "different" MBR's or PBR's code, though I believe that they would fall in the categorization you made of them. :)

Anyway, everyone can run the batch and find him/herself if there is any difference.

 

jaclaz

Link to comment
Share on other sites

...what about "None_FAT32_75096.VBR" and "None_NTFS__66904.VBR", in 6.2.8102.0?  :D

Open each of them in a hex editor, comparing with the ones "recognized".

They may be "very similar" to the other versions found (like one or two bytes difference).

Edit:

I quickly checked, and they seem very similar to the 6.2.9200.16384 (and to the 6.2.8400.0) version, only with the (presumably an error message) text:

An operating system wasn't found. Try disconnecting any drives that don't contain an operating system.

 

missing.

 

All in all a very good thing that they are not anymore available, IMHO.

 

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

Yes, I mean... no: "None_FAT32_75096.VBR" is different from "type NT60" bootcode in just 14 bytes. I'd say it's yet another variation of "type NT60", rather than a variation of the "type NT62".  :)

Link to comment
Share on other sites

Best one is 6.1.7600.16385 (win7_rtm.090713-1255). I have never had problem with it. And it is not same size you wrote

 

B.1 7/Waik3/PE3.x->6.1.7600.16385->14/07/2009->103,312 bytes

 

mine is

 

6.1.7600.16385->14/07/2009->95,0 KB (97.280 bayt)

 

There should be a mistake between two

 

B.1 7/Waik3/PE3.x->6.1.7600.16385->14/07/2009->103,312 bytes
B.2 7SP1/Waik3/PE3.1->6.1.7601.17514->20/11/2010->97,280 bytes

Edited by Kullenen_Ask
Link to comment
Share on other sites

I don't know. :unsure:

 

Mine is 6.1.7600.16385 (win7_rtm.090713-1255) is dated 14/07/2009 and it is 103,312 bytes in size (and it comes as explained in the footnote from the KB3AIK_EN.iso).

 

To be more exact, it is the file inside:

D:\Windows7\KB3AIK_EN.iso\wAIKX86.msi\x86AIK.cab\

F1_BOOTSECT.EXE

extracted with 7-zip and renamed to BOOTSECT.EXE.

I am attaching a screenshot.

 

Could it be that 7-zip somehow miscomputes the size of the file? :w00t:

And then it extract it with this "false" size? :ph34r:

I would find this improbable, but it is of course possible.

 

In any case the point was not about a particular version being "better" or "worse" it was about the fact that different versions, using the SAME command write different code.

 

Yes, I mean... no: "None_FAT32_75096.VBR" is different from "type NT60" bootcode in just 14 bytes. I'd say it's yet another variation of "type NT60", rather than a variation of the "type NT62".  :)

Well, here it is NOT similar to "type NT60" \031_Windows7.SP1_AIK_3.1\NT60_FAT32_55808.VBR but it is similar to \040_Windows8.0_ADK4\NT62_FAT32_72024.VBR

 

jaclaz

post-25215-0-98935700-1399502978_thumb.j

Edited by jaclaz
Link to comment
Share on other sites

:huh:   In the attached image, only lines having at least one different byte were included, the rest being equal.   dubbio.gif

 

While NT62_FAT32_72024.VBR differs from None_FAT32_75096.VBR in 182 bytes, which can be reduced to 54, if one disconsiders the 128 corresponding to the text that's only present in NT62. Now, in a glance the 14 differences in the picture below can be counted....

 

Left file is NT60_FAT32_55808.VBR MD5=13b15145f2639a094ba85953c3832981 1536 bytes...

post-134642-0-63769200-1399504978_thumb.

Link to comment
Share on other sites

Well, not really, or "yes and no" but it's OK.

When you compare a file like this, you need to go "beyond" the mere differences.
A large part of the code in the bootsector code are jump instructions, or however references - as offsets - to a "later part" of the code.
Thus, if you "move" a "block" of code, a number of references to it will change (by the amount of bytes you move the code).
These latter changes are not "actual differences, IMNSHO.
 
Not entirely unlike DENCORSO and dencorso being 8 different bytes.
 
 
jaclaz
 
A better example is this snippet (from NT62_FAT32_72024.VBR)

seg000:0100 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
seg000:0100
seg000:0100
seg000:0100 sub_100 proc near ; CODE XREF: seg000:00D1p
seg000:0100 ; sub_100+6Aj ...
seg000:0100
seg000:0100 ; FUNCTION CHUNK AT seg000:00D7 SIZE 0000001F BYTES
seg000:0100 ; FUNCTION CHUNK AT seg000:00FB SIZE 00000005 BYTES
seg000:0100
seg000:0100 pushad
seg000:0102 cmp byte ptr [bp+2], 0
seg000:0106 jz loc_12A
seg000:010A push large 0
seg000:010D push eax
seg000:010F push es
seg000:0110 push bx
seg000:0111 push large 10010h
seg000:0117 mov ah, 42h ; 'B'
seg000:0119 mov dl, [bp+40h]
seg000:011C mov si, sp
seg000:011E int 13h ; DISK -
seg000:0120 pop eax
seg000:0122 pop eax
seg000:0124 pop eax
seg000:0126 pop eax
seg000:0128 jmp short loc_15D
seg000:012A ; ---------------------------------------------------------------------------


 compared with this one (from None_FAT32_75096.VBR)
 

seg000:00FF ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
seg000:00FF
seg000:00FF
seg000:00FF sub_FF proc near ; CODE XREF: seg000:00D1p
seg000:00FF ; sub_FF+6Aj ...
seg000:00FF
seg000:00FF ; FUNCTION CHUNK AT seg000:00D7 SIZE 0000001E BYTES
seg000:00FF ; FUNCTION CHUNK AT seg000:00FA SIZE 00000005 BYTES
seg000:00FF
seg000:00FF pushad
seg000:0101 cmp byte ptr [bp+2], 0
seg000:0105 jz loc_129
seg000:0109 push large 0
seg000:010C push eax
seg000:010E push es
seg000:010F push bx
seg000:0110 push large 10010h
seg000:0116 mov ah, 42h ; 'B'
seg000:0118 mov dl, [bp+40h]
seg000:011B mov si, sp
seg000:011D int 13h ; DISK -
seg000:011F pop eax
seg000:0121 pop eax
seg000:0123 pop eax
seg000:0125 pop eax
seg000:0127 jmp short loc_15C
seg000:0129 ; ---------------------------------------------------------------------------

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...