Dual boot XP

[Fra]

I was looking at a new XP machine with 160GB HD.

I was thinking that l could split the drive into say 4, 40GB partitions. C: for Win98se, D: for XP, E: for programs and F: for data.

I was going to use the C: partition for internet use, if this drive became infected with a virus or adware would it infect or harm the other partitions if they were hidden partitions?

With XP and it's system restore facility is it still necessary to ghost an image to another partition?

TIA
Cheers
Fran

[Paul Komski]

Most such infections screw with the operating system and are not commonly destructive to the actual data files or to "structures" (partitions, partition tables and the mbr) on the drive itself. Hiding partitions by setting their formats as hidden or by simply formatting D,E and F as NTFS (not seen by Windows 98) adds an additional layer of protection.

There are destructive viruses that can delete partitions and, worse still, start zeroing a drive so if you are unlucky no data anywhere on the drive is safe. Viruses tend to infect executables because it takes an executable for them to regenerate themselves.

Installing a linux partition rather than Win98 for surfing would be an even better move since there are far fewer exploits that are going to gain entry with such a setup.

I would never rely on WinXP's system restore and would always suggest that important data be regularly backed-up off the computer and that an image of your system partition(s) be made to allow you to easily set your disk up anew. System restore is no good to you if you cant even gain entry to the OS whereas an image file should always be capable of being restored to the same drive (or a brand new on in the event of true HDD failure).

PS Keeping a copy of your mbr (or the whole of the first HDD track) somewhere is another good move - particuarly in a multiboot environment.

[Fra]

Paul, thanks for the information,

l had thought about installing one of the linux flavours a number years ago just to play and experiment with, unfortunately l don't think l would have the time or skills to install linux. My impression is that is it is a very command prompt driven thing and requires a lot of searching for drivers etc to get a system setup Ok.
Have things moved on? and if so do you have a favourite suitable for a linux beginner?
Do you have any links that l could find out a little more about installing linux?

Thanks again Paul

[jlreich]

PS Keeping a copy of your mbr (or the whole of the first HDD track) somewhere is another good move - particuarly in a multiboot environment.

Paul, I have never thought of that. How exactly would that be done? I am very interested.

[Paul Komski]

From within windows one can create such a backup file using disk hex editors such as TinyHexer but one needs to be able to access any such file once one is locked out by a corrupt MBR.

My most usual personal method is to enter the bios or use a floppy disk boot manager such as "smart boot manager" to boot up another hard drive which has an accessible "troubleshooting windows or dos partition on it" and then to restore the MBR on the problem drive from the OS on the second HDD.

One can also use utilities on a prepared EBCD (emergency boot bootable CD) or, probably most common of all, to have a DOS application on a bootable floppy diskette.

Two DOS-based utilities that I have played around with are:-
MBRtool from http://www.diydatarecovery.nl/mbrtool.htm
MBRwork from http://www.terabyteunlimited.com/utilities.html
At the moment I prefer the latter but both will do this sort of work.

AVG's rescue floppies can do this as well I believe though the utilities above have more flexibility and can save more than just the first sector if wanted and which is invaluable and necessary if you have any drive overlay for managing large hard drives or for a boot manager etc etc.

A completely different method is to note down, on paper, the partition table values read with a utility such as ptedit ( ftp://ftp.symantec.com/public/englis...ies/ptedit.zip ) and then to manually edit them back in at a later stage using the same utility.

He He - there are always so many ways to skin a cat!! Post back if you run into difficulties or have any other queries about this.

[jlreich]

Thanks Paul. I will definitely check it out. And I am sure I will have questions.

[Paul Komski]

unfortunately l don't think l would have the time or skills to install linux. My impression is that is it is a very command prompt driven thing and requires a lot of searching for drivers etc to get a system setup Ok

I have installed knoppix on a CD and SuSE 9 onto a hard drive. I found the latter much easier than installing windows and the only difficulty I really had was in finding a compatible modem. I don't remember having a single command prompt to enter details at. I have fairly standard hardware (on board sound, a radeon video card and HP laser printr - but it found all those type drivers itself). I haven't yet tried configurin a LAN but once I got myself an intel pci modem I could go on line and use eMail etc etc.

[Fra]

Thanks again Paul.

I found Knoppix on a covermount CD. I will give that a try to start with.

Cheers
Fran

[Steve]

Paul,

In regards to the saving of a copy of the mbr, doesn't Windows do this anyway?

In W9x we have the fdisk /mbr command which will rewrite a corrupted master boot record.

In W2k and XP we have the recovery console command fixmbr which will restore a new boot record.

Are these tools different from what you are suggesting?

[Paul Komski]

In a word - no.

fdisk /mbr and fixmbr can rewrite much of the mbr but neither of them can reinstate the original partition tables if these become deleted or corrupted. Both commands specifically rewrite only the first 442 bytes of the 512 that comprise the mbr. fdisk /mbr also writes a new disk signature (the four bytes 443 through 446) though fixmbr does not rewrite a new disk signature because this value is used in the WinXP registry for "soft encoding" of any partitions on the drive and changing it (particularly in a multiboot/multipartition environment) can prevent WinXP from booting at all.

The partition tables occupy bytes 447 through 510 and it is these values/records that it is imperative to backup (as well as the disk signature in the case of the NT-based OSes).

The last two bytes of the mbr (with the hex values 0x55 and 0xAA) identify the sector as a boot sector signature (as opposed to a drive signature or a partition serial number). If for any reason these have any other value then running fdisk /mbr or fixmbr will zero the partition tables "effectively" delete the partitions on the drive since all utilities will now think they are dealing with a pristine new drive.

Normally just the first sector needs backing up but if you are using any drive overlay, boot managers etc then one should back up the whole of the first track; the first 63 sectors from LBA sector 0 through 62.

I have numbered the bytes as if they were from 1 to 512 - so be aware that these can also be represented as offsets 0 to 511.

[Paleo Pete]

AVG's rescue floppies can do this as well I believe though the utilities above have more flexibility

Yep, it will and they do.

Have things moved on? and if so do you have a favourite suitable for a linux beginner?

Yes, things have moved on quite a lot actually. I'm running Mandrake 9.2 on this machine, have installed and run Mandrake 10 on a machine for a customer to use for an Internet Cafe, both work well. Installing is no problem as long as you read up a bit on it, not more difficult than installing Windows but if you use the "Individual Package selection" option it takes a while to go through the list and choose what you want. Google around for "Installing Linux" and you'll get plenty info. You can also go to Google for Linux and get all Linux specific results.

Not much command line use is required, although it is handy sometimes, I had no trouble with hardware or drivers, but I didn't try to use a winmodem. The only things mine didn't automatically pick up and configure were my web cam and scanner, both older models and both not well supported because the manufacturers haven't provided sufficient technical data so drivers can be designed for Linux. If Knoppix handles all your hardware chances are any full distribution will too. The more popular ones are Mandrake, Red Hat and SUSE, my pick is Mandrake while others prefer SUSE or Red Hat, Debian....

Installing a linux partition rather than Win98 for surfing would be an even better move since there are far fewer exploits that are going to gain entry with such a setup.

I agree with that completely, I almost never use my Windows machine online any more, anything I need to do Linux can do and it has the advantage because all the Windows spyware and viruses don't run under Linux. The above mentioned Internet Cafe machine is still in perfect condition after almost 3 months while the XP machine he put in 3-4 weeks ago has been cleaned out twice already, loads of spyware both times, plus what I removed before it was hooked into the system.

[Paul Komski]

In W2k and XP we have the recovery console command fixmbr which will restore a new boot record.

I just spotted this and even though I outlined what fixmbr does it is perhaps worth outlining what is meant by a new "boot record". The mbr is the master boot record for the whole hard drive. The partition boot sector (another boot record that can contain executable code and information about the partition) can be fixed by using the command fixboot from the NT-based recovery console.

Partition boot sectors are also indicated by having a hex boot signature of 55 AA but are different for different OSes and for different formats. They can also spill onto the following sector(s) and they provide specific information about where they themselves are on the drive and where the partition's other structures can be found. This sector is automatically backed-up if using FAT32 (usually on the 6th sector of the partition) and there is information about where to find the FAT tables or, with NTFS, where to find the MFT. Under the NT-based OSes this is the origin of the "notorious" ntldr is missing or corrupt message.

[Steve]

Thank you Paul. Good info, as usual. A little over my head but not to bad...

[Fra]

Thanks Pete for the additional info. I think l will look into using a linux distro for my internet machine.

Cheers
Fran

[Paul Komski]

Darnit - now I found an error which I'd better correct.
"fdisk /mbr also writes a new disk signature" (the four bytes 443 through 446) should actually read (the four bytes 441 through 444); I regularly make this error when writing it down but know which bytes to edit when I'm looking at an mbr. There are two bytes with zero values between the disk signature and the partition tables, which I forget about.

[jlreich]

Ok Paul. I have a couple questions(ok, maybe 5 or 6 ) just to clear things up in my mind, and make sure I am getting it right.

Backing up the entire track means backing up the whole 512 bytes. MBR, backup sectors(2-10), and partition tables. Correct?

If sectors 2-10 are used, but are not backups, they are most likely occupied by remnants of a partition manager, and/or boot manager. Correct?

Is it safe to clear sectors 2-10 no matter what is in them? Providing you are not actively using a boot manager?

Are sectors 2-10 a likely place for viruses to write to, to insure that if fixmbr or fdisk/mbr is used, it will just rewrite the same infected MBR? This being all the more reason to backup to a separate file, and not just to sector.

What exactly does it mean to refresh the MBR?

Thanks for your time Paul.

EDIT - PS - I am using MBRtool.

[Paul Komski]

Normally there are 512 bytes per sector and 63 sectors per track. A track represents the combination of a cylinder and a head (a head being represented by just one side of a spinning platter).

Just to really make life complicated the C and H values in a CHS reference always start with Cylinder 0 and Head 0 but the sectors are counted from 1 to 63. Thus the first track (track 0) is Cylinder 0/Head 0 and contains 63 sectors. The first sector is the mbr - the next 62 sectors form an EMBR (or extended master boot record) and is where most drive overlay flows onto. If you are using LBA to address these sectors (instead of CHS references) then the first track goes from LBA 0 through 62.

Don't blame me that the maths has been made so complicated and inconsistent.

There is also a convention that all HDD partitions start at the beginning of a track. Thus the second track (track 1 or cylinder 0/head 1) is the obvious place to start the first partition. It is not mandatory to start here but this is where it nearly always does start. In other words the first sector of the first partition will probably start at CHS = 0/1/1 or if you prefer at LBA 63.

Backing up the entire track means backing up the whole 512 bytes. MBR, backup sectors(2-10), and partition tables. Correct? No - backing up the whole track means backing up 63 sectors or 32256 bytes or the mbr plus the embr.

If sectors 2-10 are used, but are not backups, they are most likely occupied by remnants of a partition manager, and/or boot manager. Correct? Its 63 sectors but this is the area that such drive overlay utilises.

Is it safe to clear sectors 2-10 no matter what is in them? Providing you are not actively using a boot manager? It is safe to clear secors 2 to 63 (CHS) or 1 to 62 (LBA).

Are sectors 2-10 a likely place for viruses to write to, to insure that if fixmbr or fdisk/mbr is used, it will just rewrite the same infected MBR? This being all the more reason to backup to a separate file, and not just to sector. Boot sector viruses start on the mbr itself (or on a partition boot sector for that matter). They may move the resident mbr code in part or in large part onto the embr before usually returning control to the normal boot processes. In this respect they behave just like a boot manager - but with malicious intent. Using fdisk /mbr or fixmbr will eliminate such a virus (or such a boot manager) BUT (a big but) if the virus has moved or changed the boot sector bytes (55 AA) at the end of the sector, these utilities will now zero the partition tables and make the drive (at least temporarily) unbootable.

What exactly does it mean to refresh the MBR? Rewrite might be a better word. fdisk /mbr and fixmbr rewrite all the executable code present on the mbr (and thus would overwrite any drive overlay or virus or boot-manager code). In the absence of 55 AA they zero the partition tables and fdisk /mbr also rewrites a new 4-byte disk signature.

[jlreich]

Thanks for the info Paul. I guess I was way off in my thinking. That does clear some things up though. Poses more questions as well, but I guess I will just have to do some more research. Which is great, since I have been fascinated with hardware lately. I have probably been personally responsible for heavy bandwidth usage on ixl's Certiguide.com site. Hmm..... or will this be covered when I get to the OS part.....

Thanks again Paul.