How do MFT and MBR influence disk imaging

Discussion in 'backup, imaging & disk mgmt' started by WYC999, Jun 20, 2013.

Thread Status:
Not open for further replies.
  1. WYC999

    WYC999 Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    74
    Hello everyone,

    I have been using imaging software for quite a while - but since I lately had some trouble on my machine concerning the hard disk, I came to the conclusion that I need to get my feet wet a little bit more about disks and NTFS to better understand what I'm doing. With Google I didn't get too far on this, besides some theoretical articles about NTFS.

    All my questions here concern a machine with a traditional hard disk (not SSD), Win7 and the NTFS file system.

    Two questions I have tried to understand for a long time with Google and reading, but never got:

    1. The role of the MFT. Is there one Master File Table for all partitions, or a separate one for every partition? As far as I understand, it's a table saying which blocks belong to a file, plus some attributes of the file itself. What I don't really understand: let's say I have a disk with 4 partitions C, D, F, G. On C is the system installation, on D lies the user profile, and F and G just carry some data. Now I make a restore of C: the imaging program needs to change the MFT, since the files stored on C are obviously changing. But the imaging program does not want to change the MFT for the files stored on D, F, G (I'm assuming now that there is one MFT for the whole disk), so how can the imaging program tell which entries not to change (regarding files on D, F, G)? Imaging programs do not have a tracking file; they just take the disk sector by sector, and so the MFT too.
    2. Almost every program has an option "restore MBR". I'm struggling to capture the whole picture of this choice. As far as I have read, the MBR consists of 1) a mini starting program, 2) the partition table, 3) a crazy number. My theory now is that you never want to restore the MBR. Why would you do this? The only case I can think of is when you restore the whole disk. Because if I change partition sizes, restore an old image of C and restore the MBR, then the partition table would have a wrong picture of the size of the partitions. Besides these potential problems I can see no advantage in this option. But in contradiction to my theory, in reality most programs use it as a default option.

    Greetings to everyone
     
    Last edited: Jun 20, 2013
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Well, the MBR can be corrupted or infected like any other part of the hard drive.
     
  3. WYC999

    WYC999 Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    74
    Yes, besides that and the scenario where I restore an entire disk, it has no use, or does it?
     
  4. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,279
    Not in my experience. Paragon programs don't back up the MBR by default, except when you image the whole disk. If you back up only the system partition, no option to restore the MBR is available at restore time. You can always "update" the MBR, but that's different.

    ShadowProtect always backs up the MBR and the track0, and at restore time it offers several options: to restore the MBR backed up with the image, to create a new one (update), or to do nothing with the MBR (I haven't used the latest versions of SP, I don't know if this has changed).

    I have restored the MBR in the past to solve malware problems (infected MBR). I suppose that the same result can be obtained by "updating" the MBR, but I haven't done this and I'm not sure.

    I don't think there can be a difference between the partition table and the physical partitions that exist on the disk. I think the partition table adjusts itself automatically to the physical partitions layout. The partition table is not really part of the MBR.
     
  5. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    Each partition has its own MFT. Restoring a partition doesn't directly affect the MFT on another partition.

    The partition table sectors reside in sector 0 -- same as the MBR code. The partition table is not automatically updated per partition changes. It must be updated by the partitioning program to match the partitions on the drive. If they get out of sync for some reason (crash, error during changes, etc.) it can cause a real problem -- backups definitely recommended.
     
  6. WYC999

    WYC999 Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    74
    Do you have a link or some reference for this? I never saw this - and it would make a big difference.

    Hm that would mean why bother about the partition table since it'll adjust automatically, so you would never have a problem with it?!

    Do you mean now that partition table = MBR since they both are in sector 0? I'm kinda confused now..

    Because in this link here:
    http://www.ntfs.com/ntfs-partition-boot-sector.htm

    it says that:

    What is right? And what exactly does an imaging program usually do when I choose restore MBR? Does it restore the partition table and MFT as well, or only the bootstrap?
     
  7. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    This has some MFT info: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx

    It's part of the NTFS file system so it's part of the formatting put on the partition. It's contained on the partition.

    The partition table and the MBR are not the same thing. The partition table and the MBR code (boot code) are both in sector 0. When you restore the MBR using most tools it only updates the code and leaves the partition table alone since the table may have changed. If you use a hex editor or similar tool and save the entire sector 0 and then later rewrite that sector back the partitions that were in the partition will show as on the drive. However, if they don't match EXACTLY you won't have access to the partitions or they'll be corrupted.

    The MBR and an NTFS Boot Sector are not the same thing. The MBR code just tells the computer where to look for the partition to boot (usually the Active partition). The Boot Sector code tells the partition what to run (ntldr or bootmgr, for example). Each partition has its own boot sector (two actually).

    The MFT is not located in the MBR. Restoring the MBR or not restoring the MBR has no effect on the MFT on any partition. Restoring a partition will restore the MFT with the partition (it's part of the data of the partition).
     
  8. routerguy99

    routerguy99 Registered Member

    Joined:
    Sep 25, 2008
    Posts:
    108
    [QUOTE]Do you mean now that partition table = MBR since they both are in sector 0? I'm kinda confused now..

    Because in this link here:
    http://www.ntfs.com/ntfs-partition-boot-sector.htm

    it says that:

    What is right? And what exactly does an imaging program usually do when I choose restore MBR? Does it restore the partition table and MFT as well, or only the bootstrap?[/QUOTE]

    http://www.ntfs.com/ntfs-mft.htm
    NTFS reserves the first 16 records of the table for MFT

    If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT. The locations of the data segments for both the MFT and MFT mirror file are recorded in the boot sector
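
An added example (not from any poster in this thread) of the point made above: each NTFS partition's boot sector records where that partition's own $MFT and $MFTMirr start, so every partition carries its own MFT inside its own sector range. The two boot sectors, the partition start LBAs and the cluster numbers are constructed sample values; cluster sizes above 64 KiB, which encode the sectors-per-cluster byte differently, are assumed not to occur.

```python
import struct

def mft_location(vbr, partition_start_lba):
    """Absolute byte offsets on the disk of $MFT and $MFTMirr for one NTFS partition."""
    if vbr[3:11] != b"NTFS    " or vbr[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", vbr, 0x30)  # cluster numbers
    raw = struct.unpack_from("<b", vbr, 0x40)[0]              # signed size field
    cluster = bytes_per_sector * sectors_per_cluster
    # Positive: size in clusters. Negative: size is 2**abs(raw) bytes.
    record_size = raw * cluster if raw > 0 else 1 << -raw
    base = partition_start_lba * bytes_per_sector             # start of this partition
    return {"mft_offset": base + mft_lcn * cluster,
            "mftmirr_offset": base + mirr_lcn * cluster,
            "record_size": record_size}

def build_vbr(mft_lcn, mirr_lcn):
    """Constructed NTFS boot sector: 512-byte sectors, 8 sectors per cluster."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xeb\x52\x90"
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)
    struct.pack_into("<QQ", vbr, 0x30, mft_lcn, mirr_lcn)
    struct.pack_into("<b", vbr, 0x40, -10)                    # 2**10 = 1024-byte records
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)

# Constructed layout: C: starts at LBA 2048, D: starts at LBA 206848.
C_MFT = mft_location(build_vbr(1024, 2), 2048)
D_MFT = mft_location(build_vbr(1024, 2), 206848)

if __name__ == "__main__":
    # Same cluster numbers, different absolute positions: two separate MFTs.
    print("C:", C_MFT)
    print("D:", D_MFT)
```

Restoring the sectors of C: therefore rewrites only the MFT that lies inside C:'s range; the MFT of D: sits at a different disk offset and is not touched.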
     
  9. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,279
    If you restore the MBR, you restore only the bootstrap code. If you restore the first track (track0), you restore both the MBR and the partition table (and any other data that is in the first track backup). As stated above, if the restored partition table doesn't correspond to the existing physical partitions, it may be impossible to access the partitions.
     
    Last edited: Jun 20, 2013
  10. Brian K

    Brian K Imaging Specialist

    Joined:
    Jan 28, 2005
    Posts:
    8,634
    Location:
    NSW, Australia
    routerguy99,

    You are using the TeraByte apps. Restoring the First Track does not restore the Disk Signature or the Partition table. There is a separate option to restore the Disk Signature, if you think it's needed.

     
    Last edited: Jun 20, 2013
  11. WYC999

    WYC999 Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    74
    Hi folks,


    Thanks for your enlightening answers. You can really count on the people here!! By the way, thank you MudCrab and Robin A. for helping me.

    So my reading of your posts and some more Wikipedia/Google stuff brought me to the following conclusions (please correct me if wrong):


    1. The checkmark in "Restore MBR" is pointless most of the time. Unless you have a virus in the MBR or the MBR was destroyed, the result will ALWAYS be the same with or without the option.
    2. It doesn't matter if I change partition sizes and restore an old image with different partition sizes. Since the partition table stays the same there is no risk - right?

    @ Robin A.: How did you find out that your MBR was infected? Did your virus scanner tell you?
     
  12. TheRollbackFrog

    TheRollbackFrog Registered Member

    Joined:
    Mar 1, 2011
    Posts:
    3,045
    Location:
    The Pond - USA
    WYC, that's mostly correct. The problem is with the word DESTROY that you used. You see, the MBR (as well as the rest of Track 0) is like No-Man's Land and like water rights... the first one there gets to use it for its own purposes, others should not tread. There are NO "rules" when it comes to using the MBR for your own purposes. The problem is... others do tread without regard to the first guy that was there. There are many apps on the market that modify the MBR, and most of them without regard as to who might already be there. Some try and protect themselves, many don't. That's why the user/installer needs to be extremely aware of whether the app he's installing monkeys with that MBR... especially if the user already has an app installed that's tweaked the MBR for its use.
     
  13. WYC999

    WYC999 Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    74
    Hi RollbackFrog,

    That's an interesting point you mention.
    How can I check if an installed program is messing with the MBR? Before and after comparisons?

    Following my understanding now: the programs will probably not alter the partition table, will they? So what they can alter is the boot code. So that would mean the only thing that could really happen is: Windows will not start anymore.

    Is the logic right? Did I forget something?
     
  14. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    Correct. You'd have to already know the program is modifying the MBR (sector 0) or check it yourself. Most good programs handle changes well and there's no need for concern.

    The partition table is usually only updated when a partitioning change requires it to be updated (partition deleted, resized, moved, etc.). Again, well behaved programs don't generally cause any problems in this area. Think about it... if you ran a program and it altered the partition table arbitrarily the system would be broken (at best) or completely corrupted (at worst) -- either way, you will know (an exception being if it adds a partition to unallocated space).

    Changing the MBR boot code is pretty much the same as changing the Boot Sector boot code. You can update the boot sector on a Vista+ NTFS partition to boot XP (ntldr) and it won't boot Vista+; change it back to Vista+ (bootmgr) and it will boot again -- no damage done and no changes to the partition's data, size, settings, etc.
     
  15. WYC999

    WYC999 Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    74
    Hi Mudcrab,

    How can I check whether programs alter the boot code or the partition table?

    How does this work in practice, with maybe 2 examples:
    For a long time I had Acronis TIH 2013 installed, where you had the option to create an Acronis Secure Zone. From my understanding now, the program changed the partition table (creating a new partition) and changed something in the boot code, so that the menu pops up at startup and you can boot Acronis. But how does this work? I thought the boot code looks up the active partition and starts the first sector there. But I could see that C: was still the active partition.

    Or Rollback Rx (I never used it): here in the forum people wrote that it hides the snapshots from Windows. So what exactly does this program do, and why are so many having trouble with it?
     
  16. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    You would either have to read the manual (check support, forums, etc.) and see if it says it changes the MBR code and/or partition table or check manually yourself by comparing before/after sector data.

    Acronis will update the MBR code to access its own loader (doesn't change the Active partition). Usually it will still boot Windows if the Acronis SRM breaks, but you'll get an "MBR Error 3" message (or something like that).

    I haven't used Rollback Rx, but as far as I know, it also changes the MBR code (along with breaking some other things).

    Just think of the MBR code as a little program that the computer runs when the drive boots.
     
  17. WYC999

    WYC999 Registered Member

    Joined:
    Jul 6, 2011
    Posts:
    74
    Know a good program for this?
     
  18. MudCrab

    MudCrab Imaging Specialist

    Joined:
    Nov 3, 2006
    Posts:
    6,483
    Location:
    California
    Not anything that does it automatically. I usually use TBOSDT or a disk editor to copy out or compare.
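
An added example (not from any poster in this thread) of the manual before/after comparison of sector 0 described in the posts above. It splits the sector into the regions discussed in the thread (boot code, disk signature, partition table) and reports which of them changed between two saved copies. The three sector images are constructed sample data, and `build_sector0` is a hypothetical helper that exists only to produce them.

```python
import struct

SECTOR_SIZE = 512
# Byte ranges (end exclusive) of the classic MBR layout in sector 0.
REGIONS = {
    "boot_code": (0, 440),
    "disk_signature": (440, 444),
    "reserved": (444, 446),
    "partition_table": (446, 510),
    "boot_signature": (510, 512),
}
ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), start LBA, count

def parse_partition_table(sector0):
    """Return the non-empty primary partition entries of a 512-byte sector 0."""
    if len(sector0) != SECTOR_SIZE or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY, sector0, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"slot": i, "active": status == 0x80,
                            "type": ptype, "start_lba": start, "sectors": count})
    return entries

def changed_regions(before, after):
    """Name the sector 0 regions that differ between two saved copies."""
    return [name for name, (a, b) in REGIONS.items() if before[a:b] != after[a:b]]

def build_sector0(boot_code, disk_sig, parts):
    """Build a constructed sector 0 for the demonstration (not read from a disk)."""
    buf = bytearray(SECTOR_SIZE)
    buf[0:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, 440, disk_sig)
    for i, (active, ptype, start, count) in enumerate(parts):
        struct.pack_into(ENTRY, buf, 446 + 16 * i, 0x80 if active else 0, ptype, start, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)

# Constructed samples: the same disk before and after two different kinds of change.
PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 409600)]
BEFORE = build_sector0(b"\xfa\x33\xc0" + b"\x90" * 64, 0x1234ABCD, PARTS)
AFTER_LOADER = build_sector0(b"\xeb\x3c\x90" + b"\xcc" * 64, 0x1234ABCD, PARTS)
AFTER_RESIZE = build_sector0(b"\xfa\x33\xc0" + b"\x90" * 64, 0x1234ABCD,
                             [PARTS[0], (False, 0x07, 206848, 819200)])

if __name__ == "__main__":
    print(changed_regions(BEFORE, AFTER_LOADER))  # a replaced loader: boot code only
    print(changed_regions(BEFORE, AFTER_RESIZE))  # a resize: partition table only
    print(parse_partition_table(AFTER_RESIZE))
```

On a real machine the two inputs would be the first 512 bytes of the disk, saved with a disk editor before and after installing the program in question.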
     