A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » General XP issues or comments
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

Windows XP Boot Problem: NEW Question....?



 
 
Thread Tools Display Modes
  #1  
Old May 24th 21, 11:11 PM posted to microsoft.public.windowsxp.general
Brandon[_3_]
external usenet poster
 
Posts: 6
Default Windows XP Boot Problem: NEW Question....?

When I rolled back my Acronis image of the C: drive, it was a more
current one only weeks old. zmsybe that's why it didn't correct the
boot menu - MBR - problem.

I was wondering if I rolled my Windows image back to one saved months
ago, before this MBR problem happened, do you think the Acronis image
would have the old MBR in the saved image? Or does Acronis True Image
even save the MBR to an image?

I hate the thought of having to reinstall a whole bunch of programs,
but it might be worth it if I got my boot menu back?

Or do I even know what the hell I'm talking about?
Ads
  #2  
Old May 25th 21, 02:02 AM posted to microsoft.public.windowsxp.general
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Windows XP Boot Problem: NEW Question....?

Brandon wrote:
When I rolled back my Acronis image of the C: drive, it was a more
current one only weeks old. zmsybe that's why it didn't correct the
boot menu - MBR - problem.

I was wondering if I rolled my Windows image back to one saved months
ago, before this MBR problem happened, do you think the Acronis image
would have the old MBR in the saved image? Or does Acronis True Image
even save the MBR to an image?

I hate the thought of having to reinstall a whole bunch of programs,
but it might be worth it if I got my boot menu back?

Or do I even know what the hell I'm talking about?


I think before we get worked into a lather, we sit
back for a moment and think about what is loaded on the machine.

Some tools, like Paragon Disk Editor, they might boot into their own
little OS, when items like C: needed to be edited (change partition size)
while WinXP is not running. That's an example of a program which
"messes around". Now, it also happens to be pretty good about its messing,
and it generally does not damage the things it is dynamically modifying.
THey must have tested their stuff.

There are other programs with poorer reputations. The very first time
they perform their boot trick, they damage stuff. I've had computer
installs, where messages from that blasted software shows on the screen
while the OS boots, and I can never figure out where the message is
coming from.

The fun part, is when you load too many of these programs, one of the
program "tips over" the stuff another program is using, and there is
fallout.

Now, I bet your friend Acronis is not immune to this sort of stuff.
Backup programs like to install WinPE or WinRE boot materials.

You mentioned to Van, that your timer is set to 30 seconds, yet
you seem to be chainloading right past boot.ini, and ignoring it.
Something is doing that.

Now, you have to go back and think about what boot materials
are present.

boot_flag = 0x80, this is the Active partition
+------+--------------------------------------------------+-------------------------+
| MBR | PBR | boot.ini ntldr C: (NTFS say) | | D: Data, dont care |
+------+--------------------------------------------------+-------------------------+

When you first commission a disk drive, like as a data drive on your
technician machine, the MBR is fitted out with a minimum of stuff.
There's a four entry partition table, for defining partitions. But,
at that time, there are no boot materials.

OK, you pop in the WinXP CD and do an install.

One of the steps, is to write 440 bytes of stuff in the MBR.
At the end of the code in that 440 bytes, are some text strings.
Using "HxD.exe", I can copy these out right now, as we speak.

Invalid partition table
Error loading operating system
Missing operating system

"FixMBR" puts the proper 440 bytes back.

Notice no famous filenames are present. That's because, the
job of the MBR, is partially to identify the partition which
is "Active" and has the boot flag. All four primary partitions
could have the boot flag set, but by convention, tools try to only
write 0x80 into one of the primary partitions. The MBR code tries
to find such a partition, and such a marked partition, is next
in the boot sequence (for Windows at least).

Now, partitions have two roles:

1) A partition can be marked "SYSTEM", which means, it is the
partition where booting starts. (Hey, thank you Microsoft for
reverse terminology!)

2) The same partition, or a different partition, can be marked
as "BOOT" in Disk Management. This is the system partition aka C: .
((Hey, thank you Microsoft for reverse terminology!)

OK, where are we right now. We're in the MBR. We're sniffing
for "Active". In my fake Disk Management line above, I've marked
the very first partition as "Active" via the boot flag.

The MBR then jumps to the PBR (partition boot record) in the booting partition.
What are the strings down at the end of the PBR ? Let's copy them.
On my disk drive, this is at 0x7E00 with respect to the beginning
of the disk.

NTLDR is missing
Disk errorÿ
Press any key to restart

If I look in NTLDR, I find many many things, including

\boot.ini

So NTLDR and \boot.ini live on a partition that kicks off
the booting process.

Boot.ini, has the ARC path, which points at the "BOOT" partition
or C: system. In my case, the ARC path points to the very same partition
as had NTLDR on it.

Now, I have no idea what NTLDR does next. It's 245KB or so,
which is huge, and potentially, very very intelligent. I "assume"
that since this is the first really large file, that everything
after this is magical :-) End of lecture. Booting takes off, and
we don't care about anything after this.

Now, think of all the opportunities for mischief. Overwrite the MBR.
Overwrite the PBR. Overwrite NTLDR. Mess up boot.ini. Mess up materials
that come after NTLDR.

Now, let's say Acronis wanted to inject its boot loader into your
system. We'd then get out our copy of HxD, and start looking for
abnormal odds and ends. If we can ascertain that "something" has
happened, we're still not panicked. If the software is reputable,
the minute it is uninstalled, it puts back the original MBR and
PBR and etc. So we try to use the Add/Remove to correct the problem.

At this point, we suspect something isn't correct here, but it will
take a quick skim with HxD to get some hints.

If you happened to remember some warning dialog being put up
by one of the fine programs that is installed on the system,
that might help too.

*******

When this is run as Administrator, it gains access to the raw disk drive.
This is a very nice hex editor.

https://mh-nexus.de/en/hxd/

Under Extras, is "Open disk". The disks in Disk Management are numbered
from 0, so my second disk drive is "Disk 1". Whereas in HxD, the second
disk is "Hard Disk 2". If I go to address 0x0, that's the MBR. With
MSDOS partitioning, the first sector of the first partition is at 0x7E00.
That's what happens to be the PBR on my setup. The partition layout
can be just about anything, and yours might not be 0x7E00. If Windows 7
prepared the disk, the offset is a different value (around 0x100000 ?).

As long as we don't "save anything" while working like this, there is no
real danger to the hard drive. Just take your time. All you're doing, is
scrolling and looking at stuff. If you accidentally turn any text "red"
in the window, click the "X" in the upper right corner to exit.

There are a few brands of computer that work differently than this,
but we're not concerned about Dells right now. Are we ???

Paul
  #3  
Old May 25th 21, 02:34 AM posted to microsoft.public.windowsxp.general
Brandon[_4_]
external usenet poster
 
Posts: 5
Default Windows XP Boot Problem: NEW Question....?

On Mon, 24 May 2021 21:02:53 -0400, Paul wrote:

Brandon wrote:
When I rolled back my Acronis image of the C: drive, it was a more
current one only weeks old. zmsybe that's why it didn't correct the
boot menu - MBR - problem.

I was wondering if I rolled my Windows image back to one saved months
ago, before this MBR problem happened, do you think the Acronis image
would have the old MBR in the saved image? Or does Acronis True Image
even save the MBR to an image?

I hate the thought of having to reinstall a whole bunch of programs,
but it might be worth it if I got my boot menu back?

Or do I even know what the hell I'm talking about?


I think before we get worked into a lather, we sit
back for a moment and think about what is loaded on the machine.

Some tools, like Paragon Disk Editor, they might boot into their own
little OS, when items like C: needed to be edited (change partition size)
while WinXP is not running. That's an example of a program which
"messes around". Now, it also happens to be pretty good about its messing,
and it generally does not damage the things it is dynamically modifying.
THey must have tested their stuff.

There are other programs with poorer reputations. The very first time
they perform their boot trick, they damage stuff. I've had computer
installs, where messages from that blasted software shows on the screen
while the OS boots, and I can never figure out where the message is
coming from.

The fun part, is when you load too many of these programs, one of the
program "tips over" the stuff another program is using, and there is
fallout.

Now, I bet your friend Acronis is not immune to this sort of stuff.
Backup programs like to install WinPE or WinRE boot materials.

You mentioned to Van, that your timer is set to 30 seconds, yet
you seem to be chainloading right past boot.ini, and ignoring it.
Something is doing that.

Now, you have to go back and think about what boot materials
are present.

boot_flag = 0x80, this is the Active partition
+------+--------------------------------------------------+-------------------------+
| MBR | PBR | boot.ini ntldr C: (NTFS say) | | D: Data, dont care |
+------+--------------------------------------------------+-------------------------+

When you first commission a disk drive, like as a data drive on your
technician machine, the MBR is fitted out with a minimum of stuff.
There's a four entry partition table, for defining partitions. But,
at that time, there are no boot materials.

OK, you pop in the WinXP CD and do an install.

One of the steps, is to write 440 bytes of stuff in the MBR.
At the end of the code in that 440 bytes, are some text strings.
Using "HxD.exe", I can copy these out right now, as we speak.

Invalid partition table
Error loading operating system
Missing operating system

"FixMBR" puts the proper 440 bytes back.

Notice no famous filenames are present. That's because, the
job of the MBR, is partially to identify the partition which
is "Active" and has the boot flag. All four primary partitions
could have the boot flag set, but by convention, tools try to only
write 0x80 into one of the primary partitions. The MBR code tries
to find such a partition, and such a marked partition, is next
in the boot sequence (for Windows at least).

Now, partitions have two roles:

1) A partition can be marked "SYSTEM", which means, it is the
partition where booting starts. (Hey, thank you Microsoft for
reverse terminology!)

2) The same partition, or a different partition, can be marked
as "BOOT" in Disk Management. This is the system partition aka C: .
((Hey, thank you Microsoft for reverse terminology!)

OK, where are we right now. We're in the MBR. We're sniffing
for "Active". In my fake Disk Management line above, I've marked
the very first partition as "Active" via the boot flag.

The MBR then jumps to the PBR (partition boot record) in the booting partition.
What are the strings down at the end of the PBR ? Let's copy them.
On my disk drive, this is at 0x7E00 with respect to the beginning
of the disk.

NTLDR is missing
Disk errorÿ
Press any key to restart

If I look in NTLDR, I find many many things, including

\boot.ini

So NTLDR and \boot.ini live on a partition that kicks off
the booting process.

Boot.ini, has the ARC path, which points at the "BOOT" partition
or C: system. In my case, the ARC path points to the very same partition
as had NTLDR on it.

Now, I have no idea what NTLDR does next. It's 245KB or so,
which is huge, and potentially, very very intelligent. I "assume"
that since this is the first really large file, that everything
after this is magical :-) End of lecture. Booting takes off, and
we don't care about anything after this.

Now, think of all the opportunities for mischief. Overwrite the MBR.
Overwrite the PBR. Overwrite NTLDR. Mess up boot.ini. Mess up materials
that come after NTLDR.

Now, let's say Acronis wanted to inject its boot loader into your
system. We'd then get out our copy of HxD, and start looking for
abnormal odds and ends. If we can ascertain that "something" has
happened, we're still not panicked. If the software is reputable,
the minute it is uninstalled, it puts back the original MBR and
PBR and etc. So we try to use the Add/Remove to correct the problem.

At this point, we suspect something isn't correct here, but it will
take a quick skim with HxD to get some hints.

If you happened to remember some warning dialog being put up
by one of the fine programs that is installed on the system,
that might help too.

*******

When this is run as Administrator, it gains access to the raw disk drive.
This is a very nice hex editor.

https://mh-nexus.de/en/hxd/

Under Extras, is "Open disk". The disks in Disk Management are numbered
from 0, so my second disk drive is "Disk 1". Whereas in HxD, the second
disk is "Hard Disk 2". If I go to address 0x0, that's the MBR. With
MSDOS partitioning, the first sector of the first partition is at 0x7E00.
That's what happens to be the PBR on my setup. The partition layout
can be just about anything, and yours might not be 0x7E00. If Windows 7
prepared the disk, the offset is a different value (around 0x100000 ?).

As long as we don't "save anything" while working like this, there is no
real danger to the hard drive. Just take your time. All you're doing, is
scrolling and looking at stuff. If you accidentally turn any text "red"
in the window, click the "X" in the upper right corner to exit.

There are a few brands of computer that work differently than this,
but we're not concerned about Dells right now. Are we ???

Paul


I'm leaving the total of your post intact in my reply. You put too
much work into it to have it "edited" in my reply.

What caused all this was my fooling around with some freebie
"security" programs awhile back. I started having problems with other
'normal' software around that time. I uninstalled the "security" junk
after I realized what was happening. I guess I was too late in
realizing that things were already a bit berserk.

Anyway, Windows is still working fine, so I'm really not out much.
So, I guess I'll just settle for things as they are. Although, I do
have one bug in my mind that's bugging me: If I were to recall one of
the Acronis C: images made before this happened, would it contain the
boot file from that time? Would that straighten things out? Just
curious.
  #4  
Old May 25th 21, 04:17 AM posted to microsoft.public.windowsxp.general
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Windows XP Boot Problem: NEW Question....?

Brandon wrote:
On Mon, 24 May 2021 21:02:53 -0400, Paul wrote:

Brandon wrote:
When I rolled back my Acronis image of the C: drive, it was a more
current one only weeks old. zmsybe that's why it didn't correct the
boot menu - MBR - problem.

I was wondering if I rolled my Windows image back to one saved months
ago, before this MBR problem happened, do you think the Acronis image
would have the old MBR in the saved image? Or does Acronis True Image
even save the MBR to an image?

I hate the thought of having to reinstall a whole bunch of programs,
but it might be worth it if I got my boot menu back?

Or do I even know what the hell I'm talking about?

I think before we get worked into a lather, we sit
back for a moment and think about what is loaded on the machine.

Some tools, like Paragon Disk Editor, they might boot into their own
little OS, when items like C: needed to be edited (change partition size)
while WinXP is not running. That's an example of a program which
"messes around". Now, it also happens to be pretty good about its messing,
and it generally does not damage the things it is dynamically modifying.
THey must have tested their stuff.

There are other programs with poorer reputations. The very first time
they perform their boot trick, they damage stuff. I've had computer
installs, where messages from that blasted software shows on the screen
while the OS boots, and I can never figure out where the message is
coming from.

The fun part, is when you load too many of these programs, one of the
program "tips over" the stuff another program is using, and there is
fallout.

Now, I bet your friend Acronis is not immune to this sort of stuff.
Backup programs like to install WinPE or WinRE boot materials.

You mentioned to Van, that your timer is set to 30 seconds, yet
you seem to be chainloading right past boot.ini, and ignoring it.
Something is doing that.

Now, you have to go back and think about what boot materials
are present.

boot_flag = 0x80, this is the Active partition
+------+--------------------------------------------------+-------------------------+
| MBR | PBR | boot.ini ntldr C: (NTFS say) | | D: Data, dont care |
+------+--------------------------------------------------+-------------------------+

When you first commission a disk drive, like as a data drive on your
technician machine, the MBR is fitted out with a minimum of stuff.
There's a four entry partition table, for defining partitions. But,
at that time, there are no boot materials.

OK, you pop in the WinXP CD and do an install.

One of the steps, is to write 440 bytes of stuff in the MBR.
At the end of the code in that 440 bytes, are some text strings.
Using "HxD.exe", I can copy these out right now, as we speak.

Invalid partition table
Error loading operating system
Missing operating system

"FixMBR" puts the proper 440 bytes back.

Notice no famous filenames are present. That's because, the
job of the MBR, is partially to identify the partition which
is "Active" and has the boot flag. All four primary partitions
could have the boot flag set, but by convention, tools try to only
write 0x80 into one of the primary partitions. The MBR code tries
to find such a partition, and such a marked partition, is next
in the boot sequence (for Windows at least).

Now, partitions have two roles:

1) A partition can be marked "SYSTEM", which means, it is the
partition where booting starts. (Hey, thank you Microsoft for
reverse terminology!)

2) The same partition, or a different partition, can be marked
as "BOOT" in Disk Management. This is the system partition aka C: .
((Hey, thank you Microsoft for reverse terminology!)

OK, where are we right now. We're in the MBR. We're sniffing
for "Active". In my fake Disk Management line above, I've marked
the very first partition as "Active" via the boot flag.

The MBR then jumps to the PBR (partition boot record) in the booting partition.
What are the strings down at the end of the PBR ? Let's copy them.
On my disk drive, this is at 0x7E00 with respect to the beginning
of the disk.

NTLDR is missing
Disk errorÿ
Press any key to restart

If I look in NTLDR, I find many many things, including

\boot.ini

So NTLDR and \boot.ini live on a partition that kicks off
the booting process.

Boot.ini, has the ARC path, which points at the "BOOT" partition
or C: system. In my case, the ARC path points to the very same partition
as had NTLDR on it.

Now, I have no idea what NTLDR does next. It's 245KB or so,
which is huge, and potentially, very very intelligent. I "assume"
that since this is the first really large file, that everything
after this is magical :-) End of lecture. Booting takes off, and
we don't care about anything after this.

Now, think of all the opportunities for mischief. Overwrite the MBR.
Overwrite the PBR. Overwrite NTLDR. Mess up boot.ini. Mess up materials
that come after NTLDR.

Now, let's say Acronis wanted to inject its boot loader into your
system. We'd then get out our copy of HxD, and start looking for
abnormal odds and ends. If we can ascertain that "something" has
happened, we're still not panicked. If the software is reputable,
the minute it is uninstalled, it puts back the original MBR and
PBR and etc. So we try to use the Add/Remove to correct the problem.

At this point, we suspect something isn't correct here, but it will
take a quick skim with HxD to get some hints.

If you happened to remember some warning dialog being put up
by one of the fine programs that is installed on the system,
that might help too.

*******

When this is run as Administrator, it gains access to the raw disk drive.
This is a very nice hex editor.

https://mh-nexus.de/en/hxd/

Under Extras, is "Open disk". The disks in Disk Management are numbered
from 0, so my second disk drive is "Disk 1". Whereas in HxD, the second
disk is "Hard Disk 2". If I go to address 0x0, that's the MBR. With
MSDOS partitioning, the first sector of the first partition is at 0x7E00.
That's what happens to be the PBR on my setup. The partition layout
can be just about anything, and yours might not be 0x7E00. If Windows 7
prepared the disk, the offset is a different value (around 0x100000 ?).

As long as we don't "save anything" while working like this, there is no
real danger to the hard drive. Just take your time. All you're doing, is
scrolling and looking at stuff. If you accidentally turn any text "red"
in the window, click the "X" in the upper right corner to exit.

There are a few brands of computer that work differently than this,
but we're not concerned about Dells right now. Are we ???

Paul


I'm leaving the total of your post intact in my reply. You put too
much work into it to have it "edited" in my reply.

What caused all this was my fooling around with some freebie
"security" programs awhile back. I started having problems with other
'normal' software around that time. I uninstalled the "security" junk
after I realized what was happening. I guess I was too late in
realizing that things were already a bit berserk.

Anyway, Windows is still working fine, so I'm really not out much.
So, I guess I'll just settle for things as they are. Although, I do
have one bug in my mind that's bugging me: If I were to recall one of
the Acronis C: images made before this happened, would it contain the
boot file from that time? Would that straighten things out? Just
curious.


It would, because it would replace the MBR, the boot partition, the
system partition, and so on. On OSes that use a "boot track", such as
Linux, it backs that up too.

The people who write the backup software, sit down and draw those
diagrams I try to draw, and they know exactly what sectors need
a backup.

It's only when you "drag and drop" a single partition, that
defeats their logic. If you do "complete restores", then they
tend to everything for you. That's the only warning I would give
about backup/restore. Sometimes, it is necessary to restore
a single partition at a time, but if you do that, the backup
tool makes it your responsibility to click a button later
for "boot repair". If on the other hand, you restore everything
in the backup set, that increases the odds they will do all the
work for you.

On WinXP, examples of repair tools are "FixMBR" and "FixBoot".
These are not available in the running OS, and can only be
run from the WinXP CD. FixMBR fixes the 440 byte MBR area.
FixBoot reloads the PBR boot code. The names of these tools
changed on Vista or later.

HTH,
Paul
  #5  
Old May 25th 21, 09:55 PM posted to microsoft.public.windowsxp.general
Aoli
external usenet poster
 
Posts: 2
Default Windows XP Boot Problem: NEW Question....?



What about repair boot on the Macrium Reflect PE etc disk generated by
Macrium Reflect ?



Paul wrote:
Brandon wrote:
On Mon, 24 May 2021 21:02:53 -0400, Paul wrote:

Brandon wrote:
When I rolled back my Acronis image of the C: drive, it was a more
current one only weeks old. zmsybe that's why it didn't correct the
boot menu - MBR - problem.
I was wondering if I rolled my Windows image back to one saved months
ago, before this MBR problem happened, do you think the Acronis image
would have the old MBR in the saved image?Â* Or does Acronis True Image
even save the MBRÂ* to an image?

I hate the thought of having to reinstall a whole bunch of programs,
but it might be worth it if I got my boot menu back?

Or do I even know what the hell I'm talking about?
I think before we get worked into a lather, we sit
back for a moment and think about what is loaded on the machine.

Some tools, like Paragon Disk Editor, they might boot into their own
little OS, when items like C: needed to be edited (change partition
size)
while WinXP is not running. That's an example of a program which
"messes around". Now, it also happens to be pretty good about its
messing,
and it generally does not damage the things it is dynamically modifying.
THey must have tested their stuff.

There are other programs with poorer reputations. The very first time
they perform their boot trick, they damage stuff. I've had computer
installs, where messages from that blasted software shows on the screen
while the OS boots, and I can never figure out where the message is
coming from.

The fun part, is when you load too many of these programs, one of the
program "tips over" the stuff another program is using, and there is
fallout.

Now, I bet your friend Acronis is not immune to this sort of stuff.
Backup programs like to install WinPE or WinRE boot materials.

You mentioned to Van, that your timer is set to 30 seconds, yet
you seem to be chainloading right past boot.ini, and ignoring it.
Something is doing that.

Now, you have to go back and think about what boot materials
are present.

Â*Â*Â*Â*Â*Â*Â*Â*Â*Â* boot_flag = 0x80, this is the Active partition
+------+--------------------------------------------------+-------------------------+

|Â* MBR | PBR |Â* boot.ini ntldr C: (NTFS say)Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â*Â* |Â*Â*Â* | D:
Data, dont care |
+------+--------------------------------------------------+-------------------------+


When you first commission a disk drive, like as a data drive on your
technician machine, the MBR is fitted out with a minimum of stuff.
There's a four entry partition table, for defining partitions. But,
at that time, there are no boot materials.

OK, you pop in the WinXP CD and do an install.

One of the steps, is to write 440 bytes of stuff in the MBR.
At the end of the code in that 440 bytes, are some text strings.
Using "HxD.exe", I can copy these out right now, as we speak.

Â*Â*Â* Invalid partition table
Â*Â*Â* Error loading operating system
Â*Â*Â* Missing operating system

"FixMBR" puts the proper 440 bytes back.

Notice no famous filenames are present. That's because, the
job of the MBR, is partially to identify the partition which
is "Active" and has the boot flag. All four primary partitions
could have the boot flag set, but by convention, tools try to only
write 0x80 into one of the primary partitions. The MBR code tries
to find such a partition, and such a marked partition, is next
in the boot sequence (for Windows at least).

Now, partitions have two roles:

1) A partition can be marked "SYSTEM", which means, it is the
Â*Â*Â* partition where booting starts. (Hey, thank you Microsoft for
Â*Â*Â* reverse terminology!)

2) The same partition, or a different partition, can be marked
Â*Â*Â* as "BOOT" in Disk Management. This is the system partition aka C: .
Â*Â*Â* ((Hey, thank you Microsoft for reverse terminology!)

OK, where are we right now. We're in the MBR. We're sniffing
for "Active". In my fake Disk Management line above, I've marked
the very first partition as "Active" via the boot flag.

The MBR then jumps to the PBR (partition boot record) in the booting
partition.
What are the strings down at the end of the PBR ? Let's copy them.
On my disk drive, this is at 0x7E00 with respect to the beginning
of the disk.

Â*Â*Â* NTLDR is missing
Â*Â*Â* Disk errorÿ
Â*Â*Â* Press any key to restart

If I look in NTLDR, I find many many things, including

Â*Â*Â* \boot.ini

So NTLDR and \boot.ini live on a partition that kicks off
the booting process.

Boot.ini, has the ARC path, which points at the "BOOT" partition
or C: system. In my case, the ARC path points to the very same partition
as had NTLDR on it.

Now, I have no idea what NTLDR does next. It's 245KB or so,
which is huge, and potentially, very very intelligent. I "assume"
that since this is the first really large file, that everything
after this is magical :-) End of lecture. Booting takes off, and
we don't care about anything after this.

Now, think of all the opportunities for mischief. Overwrite the MBR.
Overwrite the PBR. Overwrite NTLDR. Mess up boot.ini. Mess up materials
that come after NTLDR.

Now, let's say Acronis wanted to inject its boot loader into your
system. We'd then get out our copy of HxD, and start looking for
abnormal odds and ends. If we can ascertain that "something" has
happened, we're still not panicked. If the software is reputable,
the minute it is uninstalled, it puts back the original MBR and
PBR and etc. So we try to use the Add/Remove to correct the problem.

At this point, we suspect something isn't correct here, but it will
take a quick skim with HxD to get some hints.

If you happened to remember some warning dialog being put up
by one of the fine programs that is installed on the system,
that might help too.

*******

When this is run as Administrator, it gains access to the raw disk
drive.
This is a very nice hex editor.

Â*Â*Â* https://mh-nexus.de/en/hxd/

Under Extras, is "Open disk". The disks in Disk Management are numbered
from 0, so my second disk drive is "Disk 1". Whereas in HxD, the second
disk is "Hard Disk 2". If I go to address 0x0, that's the MBR. With
MSDOS partitioning, the first sector of the first partition is at
0x7E00.
That's what happens to be the PBR on my setup. The partition layout
can be just about anything, and yours might not be 0x7E00. If Windows 7
prepared the disk, the offset is a different value (around 0x100000 ?).

As long as we don't "save anything" while working like this, there is no
real danger to the hard drive. Just take your time. All you're doing, is
scrolling and looking at stuff. If you accidentally turn any text "red"
in the window, click the "X" in the upper right corner to exit.

There are a few brands of computer that work differently than this,
but we're not concerned about Dells right now. Are we ???

Â*Â*Â* Paul


I'm leaving the total of your post intact in my reply.Â* You put too
much work into it to have it "edited" in my reply.

What caused all this was my fooling around with some freebie
"security" programs awhile back.Â* I started having problems with other
'normal' software around that time. I uninstalled the "security" junk
after I realized what was happening. I guess I was too late in
realizing that things were already a bit berserk.
Anyway, Windows is still working fine, so I'm really not out much.
So, I guess I'll just settle for things as they are. Although, I do
have one bug in my mind that's bugging me: If I were to recall one of
the Acronis C: images made before this happened, would it contain the
boot file from that time?Â* Would that straighten things out?Â* Just
curious.


It would, because it would replace the MBR, the boot partition, the
system partition, and so on. On OSes that use a "boot track", such as
Linux, it backs that up too.

The people who write the backup software, sit down and draw those
diagrams I try to draw, and they know exactly what sectors need
a backup.

It's only when you "drag and drop" a single partition, that
defeats their logic. If you do "complete restores", then they
tend to everything for you. That's the only warning I would give
about backup/restore. Sometimes, it is necessary to restore
a single partition at a time, but if you do that, the backup
tool makes it your responsibility to click a button later
for "boot repair". If on the other hand, you restore everything
in the backup set, that increases the odds they will do all the
work for you.

On WinXP, examples of repair tools are "FixMBR" and "FixBoot".
These are not available in the running OS, and can only be
run from the WinXP CD. FixMBR fixes the 440 byte MBR area.
FixBoot reloads the PBR boot code. The names of these tools
changed on Vista or later.

HTH,
Â*Â*Â* Paul


  #6  
Old May 25th 21, 11:47 PM posted to microsoft.public.windowsxp.general
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Windows XP Boot Problem: NEW Question....?

Aoli wrote:

What about repair boot on the Macrium Reflect PE etc disk generated by
Macrium Reflect ?


Under normal circumstances, where we understand what's going on,
the Boot Repair on the Macrium CD is excellent for this stuff.

However, in this case, we don't understand the exploit mechanism,
or, what will happen if we attempt to correct it.

Maybe it works, and works fine.

I would feel bad though, if the OP could no longer
boot and it was my fault :-)

Since the system is running, you can debug to your
hearts content with HxD, and try and figure out what
the security products have done to affect this. Sure,
paving over it is fun. Will it stay paved over ?
That depends on your "opponent".

Any time someone or something is fouling up a machine,
you really don't know what happens next.

Betting odds say you're right about this, and I'm worried
about nothing. However, if the security software loads
a Startup Item, it could pave it over as revenge.

Paul
 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 08:26 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.