I have had 3 different computers to fix recently that blue screen with INACCESSIBLE_BOOT_DEVICE.
Usually this means a faulty HDD but in these cases a surface scan came back OK. Hooking the HDD up as an external,
disk management shows it as RAW. Now here's the weird thing, in all 3 cases the partition type in the MBR had changed
from 7 (NTFS) to 6 (FAT16). Surely Windows doesn't muck around with the MBR beyond reading it at boot?
Changing it to 7 with a hex editor restores it to life. Just wondering if this has happened to someone or if anyone knows what Windows does.
you may have a root-kit virus in there
i use MbrWizard to make backup copies of the MBR's...
i see he is now charging $7 for the newer GUI version
http://mbrwizard.com/
but, i prefer the old command-line version (v 2)
the site is strangely constructed
1) start out at mbrwizard.com
2) click the Downloads catagory at the top of the page
3) click the Legacy catagory at the top of that page
don't bother trying to bookmark or link to the legacy page, directly - lol
Hi,
In my experience, only a boot manager, partitioning programs,
low level disk editors, weird experiments, and malware will muck
about with partition tables. And three times in a row tends to
rule out a random event. I guess I have to add in backup
programs as Dave mentioned, though I haven't personally seen
them modify the MBR.
Regards,
Steve N.
Maybe some old floppie infected forgotten in drive and unfortunately bios setup to boot this device, fat 16 is a characteristic of this, maybe a pen drive used to boot itself(USB)?. Some old programs try to do a jmp to some of the last sector, generaly in non formated space to .... you know, so I'm supposing they have failed, because they don't understand ntfs.
Check bios firmware too, in principle if it is a flash bios or another type of writeable bios.
Think in memory too, if some program is loaded before O.S., they eat some memory space to brief(cheat?) the law, so future reports will say less memory than avaliable. A cmp betwen before and after show you this.
Another suposition, first sector being bad block, but in exactly 3 machines, hmm, I have discarted this hypothesis... .
And hardware problems and drivers problems i discarted too, only because this happened to 3 machines instantly.
No viruses, no rootkits, that was my first thought. Standard MBR code, just corrupt by 1 bit in the partition table.
I fix around 15 computers a week, so 3 in a couple of months isn't that much but it is an unusual problem.
Who made the hard drives?
desktop, XP, Western Digital IDE
laptop, Vista, Hitachi SATA
laptop, Vista, Toshiba SATA
This happened last year but I just backed up data and formatted, this latest batch made me dig in a bit further.
I do love me a hex editor...
perhaps it is the app you are using to backup or format :bg
?
I backed up then formatted because of the problem, now I can hex edit and fix it.
my point is this....
you are having a problem on different machines that is somewhat uncommon
there is likely a common reason this is happening to you
that fact may help you find the culprit
somehow, the same thing is happening - it sounds to me like
1) you have a virus and are spreading it as you move apps to computers to work on
or
2) one of your apps has a bug - same deal - you are moving that code to the computer to work on it
(or perhaps it is happening if you temporarily stick the hard drive into your own machine)
that brings to mind a bug in MbrWizard :bg
when you enter a type ID byte value on the command line, it always wants the "h" specifier for hex
From type 7 NTFS to type 6 FAT is a single bit error.
It could be a 'consistent' random error on the drive itself... maybe the drive is a bit old
There are not any influential magnetic sources nearby ?
What happens if you reset it to 7 ?
:8)
Any random error getting past the drive's error detection/correction mechanism is unlikely, and a single-bit error is the least likely to do so.
I've seen the phenomenon of NTFS randomly changing into "RAW" after mounting them in non-MS NTFS drivers (i.e. Linux dual-boots, live-CD's etc).
random does not fly, here
he is talking about 3 different machines with totally different drives
The common factor is likely to be human interference. Did they come directly to you with the very same problem, or did someone else work on them before you and then pass it on to you?
Otherwise, it would have to be some obscure software they have all used that modifies the MBR for whatever reason. If it was any of the standard windows tools, this would be a more common occurrence.
Here's a new one. MBR is all 00, except for the AA55 signature. Once again, no virus/malware/rootkit.
Can't really think how it happened, maybe a rootkit install interrupted?
Got the partitions back with a nice program - TestDisk (http://www.cgsecurity.org/wiki/TestDisk).
Hello Sr sinsi
I have seen some virtual machines changing mbr on real machines. These computers have some VM installed?
This happened to me while using vmware (forgot the version now), my real mbr changed.
Alias, to backup partition, search for bad blocks, unerase files, ..., a good disk heditor program can be "winhex"
somewhere out in the middle of an NTFS partition, is supposed to be a copy of the MBR
i haven't figured out how to find it, yet - lol
but - i do keep a copy of all MBR's for each drive i have :U
i use MbrWizard
Quote from: dedndave on April 12, 2012, 02:02:09 PM
somewhere out in the middle of an NTFS partition, is supposed to be a copy of the MBR
i haven't figured out how to find it, yet - lol
but - i do keep a copy of all MBR's for each drive i have :U
i use MbrWizard
QuoteThe Win 2000/XP OSs make a "backup" of each NTFS volume's Boot Record which they store in the very last sector of its partition!
Regards, P1 :8)
does that mean that vista and win7 do not ?
or is that some really old text :P
Quote from: dedndave on April 12, 2012, 04:06:40 PM
does that mean that vista and win7 do not ?
or is that some really old text :P
Do they run a NTFS format on the hard drive ???
Regards, P1 :8)
hey - it was your quote, not mine :bg
QuoteThe Win 2000/XP OSs make a "backup" of each NTFS volume's Boot Record which they store in the very last sector of its partition!
Quote from: dedndave on April 12, 2012, 07:33:21 PM
hey - it was your quote, not mine :bg
QuoteThe Win 2000/XP OSs make a "backup" of each NTFS volume's Boot Record which they store in the very last sector of its partition!
Base utilities for dealing with hard drive issues of NTFS, like the MBR are the same, even through W7.
Regards, P1 :8)