Introduction
The Norton Disk Editor and ...
MD5 Checksums -- links for obtaining some free MD5 programs (required).
How to make a Windows Startup Disk
Make more than one copy!
Can DISKEDIT run under Windows 2000/XP or Windows 9x/ME ?
Running DISKEDIT under DOS
DIRECTORY View of the Windows 98 Startup Disk
"Layout" of a 1440 kb diskette (Boot Record, FATs, Directory and Data)
Windows 98 SE Startup Disk Directory
Windows ME Startup Disk Directory
The Windows XP Startup Disk (only an edited version of the Win ME disk!)
MD5 Sums for checking every file on all the Windows Startup Disks!
This page makes use of DISKEDIT.EXE (one
of the utility programs in the Norton Utilities package)
to examine the contents of the Windows 98, 98 SE, ME and
XP Startup Disks.
[Note: Although Microsoft's
DEBUG.EXE program is quite limited compared to DISKEDIT, there
are a number of things you can learn here using only DEBUG.]
The version of DISKEDIT we'll be using is from the Norton
System Works 2002 CD by Symantec (Spammers have
been hawking this one at reduced prices for a long time... NOTE:
Most of the software on this CD is what I consider overbloated
and will stuff the Windows REGISTRY full of junk, a practice which always
disgusts me! Obviously, I'm not encouraging you to install everything
on this CD nor to purchase it just for this page! I have, however, found a
few of their programs helpful; though some are also dangerous!
Caution: I do not recommend ever
using NDD on a system with many logical
drives; especially if you have both a Win NT/2000/XP OS and
Windows 98 (perhaps as a dual boot system) which will share any FAT/FAT32
drives. If you do happen to run NDD, never use 'fix'
on any drive; unless you SAVE all the changes to an Undo
file first!).
ALTERNATE METHOD for Obtaining a Rescue Version of DISKEDIT.EXE:
Search Symantec's Public FTP site (ftp://ftp.symantec.com/public/english_us_canada/tools/win95nt/)
for files related to NAV, and you just might find a download which contains
the DISKEDIT utility! When we looked in 2007, the file ned_2001.exe (NED="Norton
Emergency Disks"), included DISKEDIT.EXE inside the file, Disk2.img
(a floppy diskette image file). Either use the executable (ned_2001) to create
only diskette 2 (it gives you a choice for each disk), or find an imaging program
to extract the files (the .exe and its
DOS help, DISKEDIT.HLP).
What you will Learn
These pages are intended to show you how to use a Disk Editor to both view (at first) and make changes to a floppy diskette, or even your hard drives (later on). We are examining The Windows 98 (and the Win ME or Win XP) Startup (boot) Disks and using the Norton Disk Editor, simply because these are readily available (there are other commercial disk editors; such as WinHex, which can be used while running a Win NT/2000/XP OS). At the same time, you will also be learning about the FAT file systems (how their Boot Records, FATs and Directory structures function); also some facts about the OSs which use these file systems and possibly a bit about NTFS and others as well.
The Details of Norton's DISKEDIT.EXE
DISKEDIT.EXE can be found in the \NU
directory of this CD along with its "Help file" DISKEDIT.HLP
and some other helpful utilities. It is not necessary
to go through an install process in order to use DISKEDIT (or UNERASE.EXE;
which I'll be commenting on later); as a matter of fact, I'd
avoid using the Windows install programs on this CD if you can. The DOS
utilities can be run 'as is' from the CD itself in an emergency.
To be as specific as possible, this version of
DISKEDIT.EXE has an MD5 checksum*
of:
98fa8bf2ac5b64726515369db2e72a1f DISKEDIT.EXE
and a size of: 677,872 bytes. It may have a date/time of:
08-10-2001 6:00 am associated with it (but I've seen copies of the same
CD with other dates and times for the same exact DISKEDIT program; for example,
a date/time of 08-09-2001 10:00 pm is also common).
If you extracted DISKEDIT.EXE and DISKEDIT.HLP
from the second Norton Emergency Disk, its stats should be:
753b0bd4a940215f3e348151bfd96aee DISKEDIT.EXE
(size: 677,808 bytes; may be time/dated: 05:00.00 2000-08-27)
0a449fd009ef17fd0435e387817e375b DISKEDIT.HLP
(size: 96,117 bytes; and possible time/date: 05:00.00 2000-08-27)
However, there are a few other versions of DISKEDIT
which could still be used; even with a FAT32 file system and this web page.
The ones listed above are the latest versions I could find. Other versions include
the very first DISKEDIT (actually an UPGRADE version for FAT32
partitions) that came with the Norton Utilities for Windows 95 (©1996)
and a rather slow version (under Win 9x) that came with Norton Utilities
2000 (©1999). For example:
8bd37c30a62348da1b122c3e9c09908b DISKEDIT.EXE
(662,144 bytes 09-24-1996 10:00 am) or:
1a5c3b2f527fb5b385d708940a1a3a13 DISKEDIT.EXE
(677,280 bytes 08-09-1999 12:00 am)
[To the best of my knowledge, no version of DISKEDIT will run under Win 2000/XP and/or understand NTFS 5.0 (NTFS 4.x was the file system for Win NT4). The only disk editors I know of that run under Win 2000/XP are: WinHex (which I recommend; it has MANY features in a single program!) or Runtime Software's disk explorer for NTFS (a 'spinoff' of their recovery software); you must purchase separate programs for either FAT32 or NTFS from them! If you know of a similar disk editor (not one that is just someone's dream or still in alpha tests), please tell me about it.]
DISKEDIT.EXE can be installed anywhere on your
computer (in a FAT32 or FAT16 file system) or even on a floppy
diskette (FAT12). If you run Win 2k/XP, place it on a floppy and consider
creating a FAT32 partition on your hard disk for such programs. If you run Win9x,
you should place a copy in your C:\WINDOWS directory (along with its help file),
so you have it available at any DOS/Win9x Command prompt.
____________
* MD5 checksums are essentially a unique way of identifying files
or streams of bytes. They are created by use of an open source mathematical
algorithm which has been built into many security applications. You can
read more about MD5 checksums and find links to some free MD5 programs here:
Free MD5 Programs. MD5 programs
will be required to complete the exercises.
How to make a Windows Startup (Boot) Disk
Note: Making a Windows ME Startup Disk is very similar to
what you'll see below. However, for Windows XP you insert a diskette
in the floppy drive and open the FORMAT Dialog (such as right-clicking on the
drive letter under Explorer), but before starting the actual format
process, you select the checkbox to make a "Startup Disk"
instead.
This section will explain how to make a Windows 98 Startup Disk from a Win 98 installation (so we can all have the same copy of a diskette to examine and work on; well, almost the same, since the OEM field in your Startup Disk's Boot Record will likely have a different "IHC" string and also have a different serial number depending upon when the diskette was created. There are also a couple other files that will be dated at the time of its creation).
You may already have one!
Since this is also the same disk that Windows asks you to create during the installation process, you may already have one! In that case, the OEM field in its Boot Record will contain the phrase "MSWIN4.1" rather than an "IHC" string.
NOTE: If you do not have a bootable Windows 98 or 98 SE OS on your computer, you should still be able to download a copy of the Windows 98 Startup Disk from the Internet (you could start looking for one at: www.bootdisk.com), or possibly borrow one from a friend to remedy the situation.
The Procedure for Creating a Win 98 Startup Disk
If your hard disk does not contain a folder titled "win98" which contains all of the ".CAB" install files for your OS, then at some point during this process you will be asked to insert the Windows 98 CD in your CD-ROM drive:
1) Click on the "Start" button, select "Settings" and then "Control Panel" (or bring up the Control Panel some other way).
2) Double-click on the "Add/Remove Programs" item.
3) Click on the tab at the top labeled "Startup Disk" and then on the "Create Disk" button like this:
4) At this point, a progress bar will appear in the dialog box which counts up to 20% while displaying: "Preparing startup disk files..." like this:
5) You should then see the following dialog box; follow the directions (although you should label the diskette as suggested, remember that this is what most techs simply refer to as a boot disk), then click on the "OK" button:
and follow the progress of your Boot Disk's creation in the same box as before while it writes the files to your diskette:
6) Once the progress bar reaches 100% it will disappear and the floppy disk drive activity light should turn off. If you're going to keep the diskette as one of your trusted Boot Disks, then remove it from the drive and set the write-protect tab to read-only and test to make sure that it will boot up your computer; running a check on the MD5 sums for your diskette (see below) will make sure that all the files on your disk are OK. If you use the disk at a later date and something doesn't work, you could check the MD5 sums again (perhaps on another machine) to make sure it hasn't become corrupted. Make two or more boot disks (preferably with even more utility programs than just the Microsoft versions; I'll comment on that later) and store them in clean and safe locations so you'll always have one when necessary.
For the diskette we'll be using here, you can just leave it in the drive as is (since we'll actually be making changes to it later on).
NOTE: Do NOT use the only Windows Startup Disk you have here! [ We'll be altering its contents; and you may need it! ] Make another copy if you wish to have a known good Startup Disk!
Although I do not recommend doing so,
it is actually possible to run the Norton Disk Editor under Windows 2000/XP
if and only if you:
1) Force it to do so,
2) Understand that this will only be possible for a diskette
in your floppy drive (never for a hard disk!) and
3) Accept the consequences of whatever side-effects may arise
from doing so; such as DISKEDIT running at a slower speed than
normal.
First, make sure you have placed a floppy diskette in your A: drive (with the write-protect tab set to read-only). After executing DISKEDIT, it may take quite some time before you see anything happen! When you finally see this warning message, click on the "Ignore" button:
After waiting again for some time, you will finally be able to select your floppy drive as a Logical drive from the menu (use the ALT+ENTER keys to switch between a DOS-Window and full-screen). I wouldn't try doing much more than simply viewing the diskette's Boot Record, FATs or Directory under these conditions; trying to write to the disk may cause other problems. This is, however, one way you could study the HELP file without having to boot into real DOS. Each time you execute DISKEDIT under Win 2000, a note will be placed in Win2000's System Event Log stating: "Application popup: 16 bit MS-DOS Subsystem : DISKEDIT.EXE An application has attempted to directly access the hard disk, which cannot be supported. This may cause the application to function incorrectly. Choose 'Close' to terminate the application."
If you run Norton's DISKEDIT program under these Windows OSs, you'll see the following warning messages:
The ominous warnings you saw above from the Windows 2000 OS and in DISKEDIT itself are mainly directed at someone trying to use DISKEDIT to edit a hard disk under Windows; you probably could use DISKEDIT to make changes to a floppy diskette under any Windows OS (I've done it), but you must assume any and all risks if you do so!
I do not recommend that you make changes with DISKEDIT under any Windows OS! Therefore, we'll be switching to Real (16-bit) DOS in order to complete any exercise that uses DISKEDIT.
NOTE: Although it's not absolutely necessary, DISKEDIT may be a lot easier to use if you install a DOS mouse driver before executing the program. Try searching for "mouse" on your system; if that fails, look in an older OS or search the Net for one. Place the mouse program on the same floppy disk or in the same folder as DISKEDIT (if it's not in the PATH) and run it prior to using the Disk Editor (note: special mice such as 'trackballs' or 'pads' often come with their own DOS driver; try those first).
If you're running Win 2000 or Win XP, you can boot up your computer with a Windows 98 Startup Disk, place the target diskette in the drive and run DISKEDIT from a FAT32 partition. If you use Win 98, you can select the "Restart in MS-DOS mode" before shutting down or use the same Win 98 Startup Disk to boot into DOS.
After booting into DOS and placing your Win 98 Startup Disk into the A: drive, start DISKEDIT from whatever directory you placed it into (or any other prompt if it's in the PATH) with this command:
Drive:\somefolder>DISKEDIT A:
This starts DISKEDIT with its standard Logical Drive / Root Directory View of whatever media happens to be in the A: drive at the time.
DISKEDIT will briefly (blink and you'll miss it!) display this dialog box while it quickly checks the Boot Record for any errors and "scans" the file data in its Root Directory:
This procedure could take a few minutes or longer for many hard drives; the amount of time depends upon how many directories there are. Under DOS 7.1 or above, you'll see a small dialog box that declares the drive has been "locked" by the OS after its directories have been scanned:
This means that only DISKEDIT should normally be allowed to change the contents of the A: drive (instead of the OS) until it is "unlocked" by DOS. Here's what the Windows 98 Startup Disk Directory should look like in DISKEDIT (we'll be looking at the Win 98 SE diskette next):
This picture is actually a composite of two different screenshots so you can see all the files on the diskette at once. NOTE: The date and time for the two underlined files, MSDOS.SYS and EBD.SYS, are always the same as when the Disk was copied by the Windows OS to your floppy drive; so this diskette was made at 8:02 pm on March 31, 2003. All of the other files on an original Windows 98 Startup Disk; except for the two files mentioned above and EXTRACT.EXE (which is dated 11-24-98 8:02 am) are dated: 5-11-98 7:01 pm. For some odd reason, the file EXTRACT.EXE (which is part of the .CAB file archiving and extraction system from Microsoft) has the same date/time as all the files on the Win 98 install CD (11-24-98 8:02 am) rather than this diskette.
For the Windows 98 SE OS, all the files on its Startup Disk (except for MSDOS.SYS and EBD.SYS) are dated: 4-23-99 10:22 pm. More info will be provided later about the Win 98 SE and other Startup Disks.
Selecting the "Object" menu in DISKEDIT:
And then choosing the "Sector..." item from the list, results in:
This dialog box gives you a simple map of a 1440 kb diskette's layout after having been formatted with the FAT12 file system: It shows where the Boot Record, both copies of the FAT, the Root Directory and the beginning of the Data Area are located:
The Layout of all 1440 kb Diskettes Formatted with the FAT12 File System*

Sectors | Contents
---|---
0 | Boot Record
1 - 9 | FAT 1
10 - 18 | FAT 2
19 - 32 | Root Directory
33 - 2879 | Data Area

*They have: 18 Sectors Per Track, 80 Tracks, 2 Sides, 512 bytes per Sector and use 1 Sector per Cluster.
The "Data Area" isn't just restricted to files though, you can also create sub-directories in the Data Area with files that appear to be contained inside them (note: Subdirectories are really nothing more than special files which list all of the files they 'contain' and all the relevant data about each file; such as, the location of each file's Starting Cluster, date, time and file size).
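The sector map above can be derived from the fields a FAT12 Boot Record stores. The following is an added example, not part of the original page: it builds a constructed Boot Record using the standard 1440 kb values (224 root directory entries, 9 sectors per FAT; all function names are the example's own) and computes each region, plus the cluster-to-sector mapping that the directory listings rely on.

```python
import struct

SECTOR = 512
BPB_FORMAT = "<HBHBHHBHHH"   # BIOS Parameter Block fields starting at offset 11

def build_sample_boot_sector():
    """Constructed Boot Record for a 1440 kb FAT12 diskette (sample data)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x3C\x90"            # jump over the parameter block
    bs[3:11] = b"MSWIN4.1"               # OEM field
    struct.pack_into(BPB_FORMAT, bs, 11,
                     512,    # bytes per sector
                     1,      # sectors per cluster
                     1,      # reserved sectors (the Boot Record itself)
                     2,      # number of FATs
                     224,    # root directory entries, 32 bytes each
                     2880,   # total sectors
                     0xF0,   # media descriptor
                     9,      # sectors per FAT
                     18,     # sectors per track
                     2)      # heads (sides)
    bs[510:512] = b"\x55\xAA"            # boot signature
    return bytes(bs)

def fat12_layout(boot):
    """Derive the sector map of a FAT12 diskette from its Boot Record."""
    if len(boot) < SECTOR or boot[510:512] != b"\x55\xAA":
        raise ValueError("missing 55 AA boot signature")
    (bps, spc, reserved, nfats, root_entries, total,
     _media, spf, spt, heads) = struct.unpack_from(BPB_FORMAT, boot, 11)
    if 0 in (bps, spc, reserved, nfats, spf, spt, heads, total):
        raise ValueError("implausible parameter block (zero field)")
    root_sectors = (root_entries * 32 + bps - 1) // bps
    regions = [("Boot Record", 0, reserved - 1)]
    nxt = reserved
    for n in range(1, nfats + 1):
        regions.append((f"FAT {n}", nxt, nxt + spf - 1))
        nxt += spf
    regions.append(("Root Directory", nxt, nxt + root_sectors - 1))
    nxt += root_sectors
    if nxt >= total:
        raise ValueError("metadata regions exceed the volume size")
    regions.append(("Data Area", nxt, total - 1))
    return {
        "oem": boot[3:11].decode("ascii", "replace"),
        "regions": regions,
        "tracks": total // (spt * heads),
        "bytes_per_cluster": bps * spc,
        "sectors_per_cluster": spc,
        "data_start": nxt,
    }

def cluster_to_sector(layout, cluster):
    """Clusters are numbered from 2; cluster 2 is the first Data Area sector."""
    if cluster < 2:
        raise ValueError("clusters 0 and 1 are reserved")
    return layout["data_start"] + (cluster - 2) * layout["sectors_per_cluster"]

def clusters_needed(layout, size):
    """Whole clusters occupied by a file of `size` bytes."""
    return -(-size // layout["bytes_per_cluster"])

if __name__ == "__main__":
    lay = fat12_layout(build_sample_boot_sector())
    for name, first, last in lay["regions"]:
        print(f"{first:>4} - {last:<4}  {name}")
    # IO.SYS on the Win 98 SE disk: 222390 bytes starting at cluster 2
    print("IO.SYS clusters:", clusters_needed(lay, 222390))
    print("cluster 437 starts at sector", cluster_to_sector(lay, 437))
```

IO.SYS (222,390 bytes) fills 435 one-sector clusters starting at cluster 2, which is why the next file in the Win 98 SE directory, AUTOEXEC.BAT, begins at cluster 437.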
The Windows 98 SE Startup Disk is quite similar to its predecessor. If you select "Tools" and then "Print Object As..." from the DISKEDIT Menu while observing the Win 98 SE Startup Disk's Root Directory, like this (if you are using a Win 98, ME, XP or any other kind of Startup Disk, you should also carry out this procedure so you'll know how to save data from within DISKEDIT):
Then insert a file name such as the one shown below (W98SEDIR.TXT) and
click "OK" to save it as a file:
That text file will appear similar to this:
Windows 98 SE
Disk Editor   Symantec Core Component   April 1, 2003 2:58pm
************** Root Directory **************
Sector 19
Name     .Ext ID       Size      Date      Time  Cluster  76 A R S H D V
--------------------------------------------------------------------------
IO       SYS  File   222390   4-23-99  10:22 PM        2     A R S H - -
AUTOEXEC BAT  File     1103   4-23-99  10:22 PM      437     A - - - - -
CONFIG   SYS  File      629   4-23-99  10:22 PM      440     A - - - - -
SETRAMD  BAT  File     1416   4-23-99  10:22 PM      442     A - - - - -
README   TXT  File    14764   4-23-99  10:22 PM      445     A - - - - -
FINDRAMD EXE  File     6855   4-23-99  10:22 PM      474     A - - - - -
RAMDRIVE SYS  File    12663   4-23-99  10:22 PM      488     A - - - - -
ASPI4DOS SYS  File    14386   4-23-99  10:22 PM      513     A - - - - -
BTCDROM  SYS  File    21971   4-23-99  10:22 PM      542     A - - - - -
ASPICD   SYS  File    29620   4-23-99  10:22 PM      585     A - - - - -
BTDOSM   SYS  File    30955   4-23-99  10:22 PM      643     A - - - - -
ASPI2DOS SYS  File    35330   4-23-99  10:22 PM      704     A - - - - -
ASPI8DOS SYS  File    37564   4-23-99  10:22 PM      774     A - - - - -
ASPI8U2  SYS  File    40792   4-23-99  10:22 PM      848     A - - - - -
FLASHPT  SYS  File    64425   4-23-99  10:22 PM      927     A - - - - -
EXTRACT  EXE  File    93242   4-23-99  10:22 PM     1054     A - - - - -
Sector 20
FDISK    EXE  File    63916   4-23-99  10:22 PM     1238     A - - - - -
DRVSPACE BIN  File    68871   4-23-99  10:22 PM     1363     A - - - - -
COMMAND  COM  File    93890   4-23-99  10:22 PM     1498     A - - - - -
HIMEM    SYS  File    33191   4-23-99  10:22 PM     1682     A - - - - -
OAKCDROM SYS  File    41302   4-23-99  10:22 PM     1747     A - - - - -
EBD      CAB  File   272206   4-23-99  10:22 PM     1828     A - - - - -
MSDOS    SYS  File        9   4-01-03   9:53 am     2360     A R S H - -
EBD      SYS  File        0   4-01-03   9:53 am              A R S H - -
Once again, you'll see that the two files, MSDOS.SYS and EBD.SYS (the only zero-length file) were added at the time the Disk was created; so this diskette was made at 9:53 am on April 1st, 2003.
Before examining them, you can imagine it would make sense for the Windows 98 SE Startup Disk's README.TXT file to be different than that of the original Startup Disk; and it is: The first thing they did was to remove some erroneous remarks about an "uninstal.exe" file that was never included on the Win 98 diskette, so references to it shouldn't have been in the final README.TXT file either; yet they were! The other differences are less interesting. However, the IO.SYS, FDISK.EXE and COMMAND.COM files are not the same either. Although the IO.SYS files are both exactly 222,390 bytes, there are many differences in the actual machine code; just as there are in the COMMAND.COM file (which has hundreds of differences). But for sheer numbers, the FDISK.EXE file appears to differ the most! Anyone who wants to do some serious file comparisons between these FDISK files really needs to unpack them first! Much of each file is packed the way .ZIP files are (with an executable file packer); you can read more about FDISK here: Detailed Notes on Microsoft's FDISK.EXE program.
Although the Windows ME Startup Disk is still similar to that of the Windows 98 and 98 SE diskettes, it is also quite different because it includes some files (such as EBDUNDO.EXE and HIBINV.EXE) that interact with files from the Windows Operating System.
Windows ME
Disk Editor   Symantec Core Component   April 25, 2003 4:45pm
************** Root Directory **************
Sector 19
Name     .Ext ID       Size      Date      Time  Cluster  76 A R S H D V
-------------------------------------------------------------------------
IO       SYS  File   116736   6-08-00   5:00 PM        2     A R S H - -
AUTOEXEC BAT  File     1253   6-08-00   5:00 PM      230     A - - - - -
CONFIG   SYS  File      847   6-08-00   5:00 PM      233     A - - - - -
SETRAMD  BAT  File     1443   6-08-00   5:00 PM      235     A - - - - -
README   TXT  File    12661   6-08-00   5:00 PM      238     A - - - - -
FINDRAMD EXE  File     6855   6-08-00   5:00 PM      263     A - - - - -
FIXIT    BAT  File     1247   6-08-00   5:00 PM      277     A - - - - -
RAMDRIVE SYS  File    12663   6-08-00   5:00 PM      280     A - - - - -
ASPI4DOS SYS  File    14386   6-08-00   5:00 PM      305     A - - - - -
BTCDROM  SYS  File    21971   6-08-00   5:00 PM      334     A - - - - -
ASPICD   SYS  File    29606   6-08-00   5:00 PM      377     A - - - - -
BTDOSM   SYS  File    30955   6-08-00   5:00 PM      435     A - - - - -
ASPI2DOS SYS  File    35330   6-08-00   5:00 PM      496     A - - - - -
ASPI8DOS SYS  File    37564   6-08-00   5:00 PM      566     A - - - - -
ASPI8U2  SYS  File    44828   6-08-00   5:00 PM      640     A - - - - -
FLASHPT  SYS  File    64425   6-08-00   5:00 PM      728     A - - - - -
Sector 20
EXTRACT  EXE  File    53767   6-08-00   5:00 PM      854     A - - - - -
FDISK    EXE  File    66060   6-08-00   5:00 PM      960     A - - - - -
COMMAND  COM  File    93040   6-08-00   5:00 PM     1090     A - - - - -
HIMEM    SYS  File    33191   6-08-00   5:00 PM     1272     A - - - - -
OAKCDROM SYS  File    41302   6-08-00   5:00 PM     1337     A - - - - -
EBDUNDO  EXE  File    29843   6-08-00   5:00 PM     1418     A - - - - -
CHECKSR  BAT  File      922   6-08-00   5:00 PM     1477     A - - - - -
HIBINV   EXE  File     3501   6-08-00   5:00 PM     1479     A - - - - -
EBD      CAB  File   264631   6-08-00   5:00 PM     1486     A - - - - -
MSDOS    SYS  File        9   4-25-03  11:44 am     2003     A R S H - -
EBD      SYS  File        0   4-25-03  11:44 am              A R S H - -
Once again though, the files MSDOS.SYS and EBD.SYS are dated at the time when the diskette is copied by the OS, so we can see that this Windows ME Startup Disk was made on April 25th, 2003 at 11:44 am. (I may add a link to more information about the Windows ME Startup Disk later, but this page is for learning the basics of how to use a disk editor; not the Win ME OS.)
"The Windows XP Startup Disk can almost be thought of as a hacked version of the Win ME Startup Disk!" Why? Well for one thing, you can still see all of the deleted Windows ME filenames in its Directory! Microsoft took a Win ME Disk and simply erased most of the files, edited the IO.SYS file then added some new ones to it. It boots up to the same DOS 8.0 Command prompt as Windows ME. You can find all the evidence on my WinXPSD page which includes a forensic analysis of all the MAC Times from its Directory (MAC Times will be explained on the next page of this course; along with a link to the WinXPSD page!)
If you place a copy of the Windows XP Startup Disk in the drive and open the A:\ folder in the NORTON UNERASE.EXE program, you'll be able to recover all the deleted Win ME files that were not overwritten by Microsoft. (If you use Windows XP, this will be one of your exercises.)
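The directory listings above, and the deleted names that remain visible on the XP disk, both come from the same 32-byte root directory entries (16 per sector, hence the "Sector 19" / "Sector 20" breaks). As an added example, not part of the original page, this decoder reads those entries, flags deleted ones (first name byte 0xE5) and recovers the disk's creation time from MSDOS.SYS; the sample bytes are constructed, and the deleted entry "OLDFILE.BAT" and all function names are hypothetical.

```python
import struct
from datetime import datetime

ENTRY = "<8s3sB10xHHHI"   # name, ext, attributes, 10 skipped bytes, time, date, cluster, size
FLAGS = [(0x20, "A"), (0x01, "R"), (0x04, "S"), (0x02, "H"), (0x10, "D"), (0x08, "V")]

def make_entry(name, ext, attr, when, cluster, size, deleted=False):
    """Pack one 32-byte entry; used here only to construct sample data."""
    raw = name.ljust(8).encode("ascii")
    if deleted:
        raw = b"\xE5" + raw[1:]          # deletion overwrites the first name byte
    t = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    d = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    return struct.pack(ENTRY, raw, ext.ljust(3).encode("ascii"), attr, t, d, cluster, size)

def parse_directory(data):
    """Decode the 32-byte entries in a run of root directory sectors."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[0] == 0x00:               # never-used slot: end of directory
            break
        name, ext, attr, t, d, cluster, size = struct.unpack(ENTRY, raw)
        if (attr & 0x3F) == 0x0F:        # long-file-name slot, not a file
            continue
        deleted = raw[0] == 0xE5
        if deleted:
            name = b"?" + name[1:]       # the first character is not recoverable
        base = name.decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        try:
            when = datetime(1980 + (d >> 9), (d >> 5) & 0x0F, d & 0x1F,
                            t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)
        except ValueError:               # zeroed or corrupt date/time field
            when = None
        entries.append({
            "name": f"{base}.{suffix}" if suffix else base,
            "deleted": deleted,
            "flags": "".join(ch for bit, ch in FLAGS if attr & bit),
            "modified": when,
            "cluster": cluster,
            "size": size,
        })
    return entries

def disk_made_at(entries):
    """MSDOS.SYS is stamped at the moment the Startup Disk is written."""
    for e in entries:
        if e["name"] == "MSDOS.SYS" and not e["deleted"]:
            return e["modified"]
    return None

# Constructed sample: two rows copied from the Win 98 SE listing (seconds
# assumed to be 0) and one made-up deleted entry; not bytes from a real disk.
SAMPLE = (
    make_entry("IO", "SYS", 0x27, datetime(1999, 4, 23, 22, 22), 2, 222390)
    + make_entry("OLDFILE", "BAT", 0x20, datetime(2000, 6, 8, 17, 0), 300, 1000, deleted=True)
    + make_entry("MSDOS", "SYS", 0x27, datetime(2003, 4, 1, 9, 53), 2360, 9)
).ljust(512, b"\x00")

if __name__ == "__main__":
    for e in parse_directory(SAMPLE):
        print(e)
    print("disk made at:", disk_made_at(parse_directory(SAMPLE)))
```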
This section provides known good
MD5 sums for every file that is supposed to be on any of the Windows Startup
Disks.
Once you have installed the free hkSFV Windows program, all you need to do is place your Startup Disk in the A: drive and click on the appropriate *.md5 file for your Win OS version! The hkSFV program will immediately begin checking each file to see if the MD5 sums match.
Operating System | See MD5 Checksums | MD5 Download File
---|---|---
Windows 98 | |
Windows 98 SE | |
Windows ME | |
Windows XP | |
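The check that hkSFV performs can also be scripted. This is an added example, not part of the original page or of hkSFV: it assumes the *.md5 list uses md5sum-style lines ("<hash> *<filename>") and, besides matching sums, reports files that are missing from the disk and files on the disk that the list does not mention; the sample files and list are constructed.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdefABCDEF")

def md5_of(path, chunk=65536):
    """MD5 of a file, read in chunks. MD5 catches corruption; it is no longer
    collision-resistant, so it is not proof against deliberate tampering."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse md5sum-style lines: '<32 hex digits> *<name>' (assumed format)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 32 or not set(digest) <= HEX or not name:
            raise ValueError(f"bad manifest line: {line!r}")
        expected[name.upper()] = digest.lower()  # FAT 8.3 names ignore case
    return expected

def verify_disk(root, manifest_text):
    """Return {NAME: 'OK' | 'MISMATCH' | 'MISSING' | 'EXTRA'} for a directory."""
    expected = parse_manifest(manifest_text)
    present = {n.upper(): os.path.join(root, n) for n in os.listdir(root)
               if os.path.isfile(os.path.join(root, n))}
    report = {}
    for name, digest in expected.items():
        if name not in present:
            report[name] = "MISSING"
        elif md5_of(present[name]) != digest:
            report[name] = "MISMATCH"
        else:
            report[name] = "OK"
    for name in present.keys() - expected.keys():
        report[name] = "EXTRA"                   # on the disk, not in the list
    return report

def demo():
    """Check a constructed 'diskette' directory against a constructed list."""
    good = {"CONFIG.SYS": b"DEVICE=HIMEM.SYS\r\n",
            "AUTOEXEC.BAT": b"@ECHO OFF\r\n",
            "README.TXT": b"sample readme\r\n"}
    manifest = "; constructed sample list\n" + "".join(
        f"{hashlib.md5(data).hexdigest()} *{name}\n" for name, data in good.items())
    with tempfile.TemporaryDirectory() as root:
        files = {"config.sys": good["CONFIG.SYS"],             # intact file
                 "AUTOEXEC.BAT": b"@ECHO OFF\r\nREM altered\r\n",  # changed
                 "NOTES.TXT": b"not in the list\r\n"}          # unexpected
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return verify_disk(root, manifest)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:<9}{name}")
```

To check a real diskette, pass the mounted drive's root (for example A:\) and the text of the matching list to verify_disk().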
The Starman.
Last Update: June 1, 2003.