5

So on my C: drive, there was a file called BOOTSECT.BAK. Not knowing what it is, I opened it up in HxD and the first 14 bytes were B \0 O \0 O \0 T \0 M \0 G \0 R \0 corresponding to the UTF-16LE string BOOTMGR. After some research, I found out this is the VBR for Windows. This is installed onto sector 63 (or 2048 on Vista+).

After more research, it turns out to be a copy of the VBR, not the actual thing. That confused me as I am pretty sure I heard somewhere that Windows gives it its own file somewhere in C:\Windows\System32 or C:\Windows\boot. I also heard that Windows assigns the MBR a file in one of those directories.

TL;DR: Can NTFS (or any other file system for that matter) assign a file outside of the partition? Most likely with negative integers or LBA of the start sector (i.e. -2048 for sector offset or 2048 for LBA).

3 Answers

4
Does NTFS (or any file system) support files outside of the partition?

Not that much on Windows but on Unix variants, and depending on how you define what a file is, you'll find file systems supporting files outside the partition.

  • tmpfs supports files stored partially or totally in RAM.
  • procfs contains files in /proc/pid/fd/ that definitely belong to other file systems.
  • in /dev (or /devices) you have "files" whose content is outside the partition. You can access the VBRs and MBRs through them (e.g. /dev/sda1, /dev/dsk/c0d0t0p1, ...).
  • All file systems supporting symbolic links can also sort of store files from foreign locations.

It looks like installing Cygwin will provide a /dev directory from which you would be able to access full disk and partition raw data including the VBRs and MBRs.

2
  • Even so, those directories are just mount-points under another filesystem as I mentioned previously. Accessing files and sub-directories under those mount-points completely bypasses the filesystem one level up (i.e. I mount my main EXT4 FS at /, and mount my RAMDISK at /tmp, the files in /tmp have nothing to do with the EXT4 FS, just the RAMDISK one). This is the same thing as mount-points under Windows. Commented Dec 23, 2012 at 16:08
  • @Breakthrough tmpfs, procfs and symbolic links were just examples. The real answer is /dev. Its entries are not at all mount-points. They are files of a special kind (character and block devices) containing data outside the current file system, and one of these starts with a UTF-16LE encoded BOOTMGR in Cole's case.
    – jlliagre
    Commented Dec 23, 2012 at 20:47
6

Can NTFS (or any other file system for that matter) assign a file outside of the partition?

No, wouldn't that completely void the purpose of a filesystem to begin with? If you just want to manipulate the raw 0's and 1's stored on the disk outside your partition, there's plenty of low-level disk operation tools you can use. You can also mount another partition within a mounted NTFS partition (i.e. you can mount another partition at C:\MyNewVol\), if the files are stored within another filesystem.

Those particular files you outlined above are called metafiles, and are well defined per the NTFS specification. See that previous link for a description of various metafiles (e.g. the VBR you mentioned is stored in the $Boot metafile), and where they are located on-disk with respect to the NTFS partition boundaries.

Also, with respect to the whole MBR vs. VBR, from the Wikipedia page on VBR:

[The VBR] is the first sector of an individual partition on the device, with the first sector of the entire device being a master boot record (MBR) containing the partition table.

Thus, you can access the VBR through the NTFS filesystem (assuming you have the proper permissions to do so), but you can't directly access the MBR; for that, you do need low-level disk tools.
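The VBR/MBR distinction drawn in the answer above, as an added Python example that is not code from any poster: it classifies a 512-byte boot sector, reads the partition's start LBA from the NTFS "hidden sectors" field, and shows that cluster numbers count from the volume's first sector. The function names are hypothetical, and the sample sectors (including the offset of the BOOTMGR string) are constructed, not real disk data.

```python
import struct

BOOTMGR_UTF16 = "BOOTMGR".encode("utf-16-le")  # the 14 bytes quoted in the question

def classify_sector(sector: bytes) -> dict:
    """Heuristically classify one 512-byte boot sector: NTFS VBR, MBR or unknown."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return {"kind": "unknown"}  # no boot signature
    if sector[3:11] == b"NTFS    ":  # OEM ID field of an NTFS boot sector
        bps, spc = struct.unpack_from("<HB", sector, 0x0B)
        (hidden,) = struct.unpack_from("<I", sector, 0x1C)  # sectors before the volume
        (total,) = struct.unpack_from("<Q", sector, 0x28)
        return {"kind": "ntfs_vbr", "bytes_per_sector": bps,
                "sectors_per_cluster": spc, "start_lba": hidden, "total_sectors": total}
    parts = []
    for i in range(4):  # four 16-byte partition entries start at 0x1BE
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i)
        if status not in (0x00, 0x80):
            return {"kind": "unknown"}
        if ptype:
            parts.append({"type": ptype, "start_lba": lba, "sectors": count})
    return {"kind": "mbr", "partitions": parts} if parts else {"kind": "unknown"}

def lcn_to_lba(vbr: dict, lcn: int) -> int:
    """Map a volume-relative cluster number to an absolute disk sector (LBA)."""
    offset = lcn * vbr["sectors_per_cluster"]
    if not 0 <= offset < vbr["total_sectors"]:
        raise ValueError("cluster lies outside the volume")
    return vbr["start_lba"] + offset

def build_samples():
    """Constructed sample sectors: an MBR with one partition, and an NTFS VBR."""
    mbr = bytearray(512)
    struct.pack_into("<B3xB3xII", mbr, 0x1BE, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(512)
    vbr[0:11] = b"\xeb\x52\x90NTFS    "  # jump instruction + OEM ID
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)
    struct.pack_into("<I", vbr, 0x1C, 2048)
    struct.pack_into("<Q", vbr, 0x28, 204799)
    vbr[0x100:0x100 + 14] = BOOTMGR_UTF16  # arbitrary offset chosen for the sample
    vbr[510:512] = b"\x55\xaa"
    return bytes(mbr), bytes(vbr)

if __name__ == "__main__":
    mbr, vbr = build_samples()
    info = classify_sector(vbr)
    print(classify_sector(mbr))
    print(info, "BOOTMGR string at offset", vbr.find(BOOTMGR_UTF16))
    print("LCN 0 is disk sector", lcn_to_lba(info, 0))
```

Cluster 0 of the sample volume maps to sector 2048, so sector 0 of the disk (the MBR) has no cluster number in this mapping; the same classifier can be pointed at a saved boot-sector copy to check which kind of sector it holds.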

1

Filesystems only address data inside their own allocated space.

However, an operating system has no such limitations and it can store information read from anywhere on the disk in a file.

The distinction between the OS and the FS might be small, but it is vital.
