DOCUMENT:Q121517 12-JUN-2002 [winnt] TITLE :How to Recover From a Corrupt NTFS Boot Sector PRODUCT :Microsoft Windows NT PROD/VER::3.1,3.5,3.51,4.0 OPER/SYS: KEYWORDS:kbnetworkkbfaq ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server versions 3.1, 3.5, 3.51, 4.0 - Microsoft Windows NT Workstation versions 3.1, 3.5, 3.51, 4.0 - Microsoft Windows NT Advanced Server ------------------------------------------------------------------------------- SUMMARY ======= When a Windows NT system with a Windows NT File System (NTFS) partition has a corrupt boot sector, you may never get the Windows NT boot menu selections, or the following error message may appear at the boot loader screen: Windows NT could not start because the following file is missing or corrupt <%SYSTEMROOT%>\SYSTEM32\NTOSKRNL.EXE If you start the emergency repair process, the following message appears before the emergency repair disk restores any data: Setup has determined that your file system is corrupt Booting with an MS-DOS system disk and using the command fdisk /MBR does not resolve the problem. The purpose of this article is to describe a method of recovering from a corrupt NTFS boot sector. Before proceeding with this method, make sure that you have the hard disk information backed up. Additionally, if any NTFS partition is showing as UNKNOWN in Disk Administrator and the volume is NOT part of any FT Fault Tolerant sets, this, too, can be caused by a corrupted NTFS boot sector. Following the procedure described below should allow you to run a CHKDSK against the volume and recover the data. MORE INFORMATION ================ The Windows NT version 3.xx file system keeps a duplicate copy of the NTFS boot sector at the logical center of the volume, whereas Windows NT version 4.0 keeps a duplicate copy at the end of the partition. The Norton Utilities DiskEdit program can help find the duplicate boot sector and restore it over the original boot sector. You may be able to recover one NTFS partition for each hard disk or multiple NTFS and FAT-combination partitions for each hard disk. If the partitions on the disk were created with Windows NT 4.0 and you can successfully boot into Windows NT V4.0 but have UNKNOWN partitions, please see the following Microsoft Knowledge Base article: Q153973 Recovering NTFS Boot Sector on NTFS Partitions NOTE: This article assumes you have knowledge of Primary and Extended partitions. The following procedure describes the process of recovering one NTFS partition on a 1 gigabyte (GB) hard disk: 1. From an MS-DOS boot disk, run Norton Utilities (Diskedit.exe). 2. On the Tools menu, select Configuration. 3. Clear the read-only check box, and then click OK. 4. From the Object menu, select Drive, select the Physical disk option, select the Hard disk in question, and then click OK. Norton Utilities DiskEdit should read the hard disk you selected and display Data from Cyl 0, Side 0, Sector 1. 5. On the View menu, select As Partition Table, and note the starting and ending cylinder, sector, and side information for the corrupt partition. If the corrupt NTFS partition is contained on a logical drive in an Extended partition, you will need to walk the partition table to get to the logical drive in question. 6. On the Object menu, select Physical sector. 7. Input the starting cylinder, side, and sector, select the maximum amount of sectors, and then click OK. You will be at the beginning of the corrupt partition. 8. The Primary NTFS boot sector will be found one side up. For example, if you are looking at Cyl 0, Side 0, Sector 1, go to Cyl 0, Side 1, Sector 1. You should see something similar to the following on a good NTFS partition: 00000000: EB 5B 00 4E 54 46 53 20 - 20 20 20 00 02 01 00 00 .[.NTFS......... 00000010: 00 00 00 00 00 F8 00 00 - 3E 00 0E 00 3E 00 00 00 ........>...>... 00000020: 00 00 00 00 80 00 80 00 - D6 57 0A 00 00 00 00 00 .........W...... 00000030: 1D 10 00 00 00 00 00 00 - EC 2B 05 00 00 00 00 00 .........+...... 00000040: 02 00 00 00 04 00 00 00 - FD 1E 6F 0C 65 6F 0C 76 ..........o.eo.v 00000050: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 FA 33 C0 ..............3. 00000060: 8E D0 BC 00 7C FB B8 C0 - 07 8E D8 C7 06 54 00 00 ....|........T.. 00000070: 00 C7 06 56 00 00 00 C7 - 06 5B 00 10 00 B8 00 0D ...V.....[...... 00000080: 8E C0 2B DB E8 07 00 68 - 00 0D 68 56 02 CB 50 53 ..+....h..hV..PS 00000090: 51 52 06 66 A1 54 00 66 - 03 06 1C 00 66 33 D2 66 QR.f.T.f....f3.f 000000A0: 0F B7 0E 18 00 66 F7 F1 - FE C2 88 16 5A 00 66 8B .....f......Z.f. 000000B0: D0 66 C1 EA 10 F7 36 1A - 00 88 16 25 00 A3 58 00 .f....6....%..X. 000000C0: A1 18 00 2A 06 5A 00 40 - 3B 06 5B 00 76 03 A1 5B ...*.Z.@;.[.v..[ 000000D0: 00 50 B4 02 8B 16 58 00 - B1 06 D2 E6 0A 36 5A 00 .P....X......6Z. 000000E0: 8B CA 86 E9 8A 36 25 00 - B2 80 CD 13 58 72 25 01 .....6%.....Xr%. 000000F0: 06 54 00 83 16 56 00 00 - 29 06 5B 00 76 0B C1 E0 .T...V..).[.v... 00000100: 05 8C C2 03 D0 8E C2 EB - 8A 07 5A 59 5B 58 C3 BE ..........ZY[X.. 00000110: 54 01 EB 03 BE 34 01 E8 - 09 00 BE A8 01 E8 03 00 T....4.......... 00000120: FB EB FE AC 3C 00 74 09 - B4 0E BB 07 00 CD 10 EB ....<.t......... 00000130: F2 C3 1D 00 41 20 64 69 - 73 6B 20 72 65 61 64 20 ....A disk read 00000140: 65 72 72 6F 72 20 6F 63 - 63 75 72 72 65 64 2E 0D error occurred.. 00000150: 0A 00 29 00 41 20 6B 65 - 72 6E 65 6C 20 66 69 6C ..).A kernel fil 00000160: 65 20 69 73 20 6D 69 73 - 73 69 6E 67 20 66 72 6F e is missing fro 00000170: 6D 20 74 68 65 20 64 69 - 73 6B 2E 0D 0A 00 25 00 m the disk....%. 00000180: 41 20 6B 65 72 6E 65 6C - 20 66 69 6C 65 20 69 73 A kernel file is 00000190: 20 74 6F 6F 20 64 69 73 - 63 6F 6E 74 69 67 75 6F too discontiguo 000001A0: 75 73 2E 0D 0A 00 33 00 - 49 6E 73 65 72 74 20 61 us....3.Insert a 000001B0: 20 73 79 73 74 65 6D 20 - 64 69 73 6B 65 74 74 65 system diskette 000001C0: 20 61 6E 64 20 72 65 73 - 74 61 72 74 0D 0A 74 68 and restart..th 000001D0: 65 20 73 79 73 74 65 6D - 2E 0D 0A 00 00 00 00 00 e system....... 000001E0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000001F0: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 55 AA ..............U. This is a valid NTFS boot sector. The offset (the first column on the left) is 00000000. When you have found the original NTFS boot sector, note the location (Cyl ___, Side___, Sect___). Then, you must look for the backup NTFS boot sector. NOTE: Below are two separate sections on locating the backup copy of the NTFS boot sector. Follow Section 1 if the partition was created under Windows NT version 3.xx or Section 2 if the partition was created under Windows NT version 4.0. Section 1: To Locate the Backup Copy for a Partition Created by Windows NT version 3.xx: a. Divide the total number of cylinders for the partition by two. In the example above, the total number of cylinders is 1014. Therefore, the target would be cylinder 507. It is recommended that you subtract five cylinders from that number because NTFS puts it at the logical center. b. On the Object menu, select Physical sector. c. Input your cylinder number (502 for this example), side 0, sector 1, maximum number of sectors, and then click OK. You will be at that location. d. On the Tools menu, select Find. e. Input the hex string 4E 54 46 53 20, and then start a search for that string. When you find one, note the Cyl, Side, and Sector numbers. Make sure it is at the beginning of that sector. If it is not, continue the search until you find the string that is at the beginning. After you find the string at the beginning of the sector (and it looks similar to the original boot sector), you are ready to copy the sector. NOTE: It may be necessary to select As Hex from the View menu after selecting the search string if the data displayed does not appear to be in the same format. f. On the Object menu, select Physical sector. g. Input the Cyl, Side, and Sector information for the backup boot sector. This time, select ONLY ONE sector (this is very important), and then click OK. You will be back at the backup boot sector. If you page down, you should only see that sector. If you are able to see more sectors after that, stop and reselect the Physical sector as one sector. Go to Step 9 below and continue to the end. Section 2: To Locate the Backup Copy for a Partition Created by Windows NT version 4.0: a. Using the partition table information found is step 2 above, note the ending cylinder, sector, and side information for the corrupt partition. b. Select Physical sector from the Object menu. Input the ending cylinder, side, and sector, and select only one sector to read (this is very important). When you click OK, you will be at the backup NTFS boot sector. If you page down, you should only see that sector. If you are able to see more sectors after that, stop and reselect the Physical sector as one sector. Go to Step 9 and continue to the end. 9. Select Mark from the Edit menu and use the arrow keys to select the whole sector. 10. Select Write To from the Tools menu and input the location of the original boot sector (as noted in Step 4 above). When you click OK, it will ask if you are sure. Click OK again and it will write the backup sector to the original boot sector. 11. Quit the Norton Utilities DiskEdit program, and then restart the computer. If your original boot sector was indeed corrupt, your computer should start now, or if it was showing as UNKNOWN in disk administrator, you should be able to run chkdsk /F against the partition to make it accessible once again. Additional query words: ====================================================================== Keywords : kbnetwork kbfaq Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT351search kbWinNT350search kbWinNT400search kbWinNTW350 kbWinNTW350search kbWinNTW351search kbWinNTW351 kbWinNTW310 kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS350 kbWinNTS310 kbWinNTAdvSerSearch kbWinNTS351search kbWinNTS350search kbWinNTS310search kbWinNT310Search kbWinNTW310Search Version : :3.1,3.5,3.51,4.0 Issue type : kbinfo ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2002.