How NTFS File System Works: NTFS Physical Structure (3)
NTFS Boot Sector
The table Boot Sector Sections on an NTFS Volume describes the boot sector of a volume that is formatted with NTFS. When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code.
Boot Sector Sections on an NTFS Volume
Byte Offset | Field Length | Field Name |
---|---|---|
0x00 | 3 bytes | Jump instruction |
0x03 | 8 bytes | OEM ID |
0x0B | 25 bytes | BPB |
0x24 | 48 bytes | Extended BPB |
0x54 | 426 bytes | Bootstrap code |
0x01FE | 2 bytes | End of sector marker |
On NTFS volumes, the data fields that follow the BPB form an extended BPB. The data in these fields enables Ntldr to find the MFT during startup. On NTFS volumes, the MFT is not located in a predefined sector. For this reason, NTFS can move the MFT if there is a bad sector in the current location of the MFT. However, if the data is corrupted, the MFT cannot be located, and Windows Server 2003 assumes that the volume has not been formatted.
The following example illustrates the boot sector of an NTFS volume that is formatted by using Windows Server 2003. The printout is formatted in three sections:
- Bytes 0x00– 0x0A are the jump instruction and the OEM ID (shown in bold print).
- Bytes 0x0B–0x53 are the BPB and the extended BPB.
- The remaining code is the bootstrap code and the end of sector marker (shown in bold print).
The table BPB and Extended BPB Fields on NTFS Volumes describes the fields in the BPB and the extended BPB on NTFS volumes. The fields starting at 0x0B, 0x0D, 0x15, 0x18, 0x1A, and 0x1C match those on FAT16 and FAT32 volumes. The sample values correspond to the data in this example.
Byte Offset | Field Length | Sample Value | Field Name and Definition |
---|---|---|---|
0x0B | 2 bytes | 00 02 | Bytes Per Sector. The size of a hardware sector. For most disks used in the United States, the value of this field is 512. |
0x0D | 1 byte | 08 | Sectors Per Cluster.The number of sectors in a cluster. |
0x0E | 2 bytes | 00 00 | Reserved Sectors. Always 0 because NTFS places the boot sector at the beginning of the partition. If the value is not 0, NTFS fails to mount the volume. |
0x10 | 3 bytes | 00 00 00 | Value must be 0 or NTFS fails to mount the volume. |
0x13 | 2 bytes | 00 00 | Value must be 0 or NTFS fails to mount the volume. |
0x15 | 1 byte | F8 | Media Descriptor. Provides information about the media being used. A value of F8 indicates a hard disk and F0 indicates a high-density 3.5-inch floppy disk. Media descriptor entries are a legacy of MS-DOS FAT16 disks and are not used in Windows Server 2003. |
0x16 | 2 bytes | 00 00 | Value must be 0 or NTFS fails to mount the volume. |
0x18 | 2 bytes | 3F 00 | Not used or checked by NTFS. |
0x1A | 2 bytes | FF 00 | Not used or checked by NTFS. |
0x1C | 4 bytes | 3F 00 00 00 | Not used or checked by NTFS. |
0x20 | 4 bytes | 00 00 00 00 | The value must be 0 or NTFS fails to mount the volume. |
0x24 | 4 bytes | 80 00 80 00 | Not used or checked by NTFS. |
0x28 | 8 bytes | 1C 91 11 01 00 00 00 00 | Total Sectors. The total number of sectors on the hard disk. |
0x30 | 8 bytes | 00 00 04 00 00 00 00 00 | Logical Cluster Number for the File $MFT. Identifies the location of the MFT by using its logical cluster number. |
0x38 | 8 bytes | 11 19 11 00 00 00 00 00 | Logical Cluster Number for the File $MFTMirr. Identifies the location of the mirrored copy of the MFT by using its logical cluster number. |
0x40 | 1 byte | F6 | Clusters Per MFT Record. The size of each record. NTFS creates a file record for each file and a folder record for each folder that is created on an NTFS volume. Files and folders smaller than this size are contained within the MFT. If this number is positive (up to 7F), then it represents clusters per MFT record. If the number is negative (80 to FF), then the size of the file record is 2 raised to the absolute value of this number. |
0x41 | 3 bytes | 00 00 00 | Not used by NTFS. |
0x44 | 1 byte | 01 | Clusters Per Index Buffer. The size of each index buffer, which is used to allocate space for directories. If this number is positive (up to 7F), then it represents clusters per MFT record. If the number is negative (80 to FF), then the size of the file record is 2 raised to the absolute value of this number. |
0x45 | 3 bytes | 00 00 00 | Not used by NTFS. |
0x48 | 8 bytes | 3A B2 7B 82 CD 7B 82 14 | Volume Serial Number. The volume’s serial number. |
0x50 | 4 bytes | 00 00 00 00 | Not used by NTFS. |