Path: news.mitre.org!blanket.mitre.org!philabs!newsjunkie.ans.net!newsfeeds.ans.net!portc02.blue.aol.com!howland.erols.net!ais.net!newsm.ibm.net!ibm.net!uunet!in5.uu.net!ozemail!ozreader
From: "Geoff Chappell"
Newsgroups: comp.os.ms-windows.programmer.nt.kernel-mode
Subject: Re: Signaure/Checksum on boot record.
Date: 26 Dec 1997 13:39:52 GMT
Organization: Software Analyst
Lines: 36
Message-ID: <680c38$q6h$1@reader1.reader.news.ozemail.net>
References: <34A1369E.5B1A@ibm.net>
NNTP-Posting-Host: 203.108.233.64
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Trace: reader1.reader.news.ozemail.net 883143592 26833 (None) 203.108.233.64
X-Complaints-To: abuse@ozemail.com.au
X-Newsreader: Microsoft Internet News 4.70.1155

TomerG wrote in article <34A1369E.5B1A@ibm.net>...
> What device is responsible for the update of the Signature/Checksum
>
> when NT is shutting down?

It doesn't happen quite that way. Anyone can write an MBR signature by
sending IOCTL_DISK_SET_DRIVE_LAYOUT to a device object for the relevant
disk (e.g. \\.\physicaldrive0 from an application). Similarly, anyone
can check for the presence of an MBR signature by using
IOCTL_DISK_GET_DRIVE_LAYOUT. The typical way that all this gets done is
that users run the Disk Administrator.

In standard configurations, IOCTL codes for drive layout are handled by
the DISK.SYS driver, which in turn uses the IoReadPartitionTable and
IoWritePartitionTable functions. The default implementations for these
are in the NTOSKRNL.

When NT starts up (as opposed to shutting down), the MBR is examined for
the signature. Also, a checksum is calculated. This is done using
whatever method of disk access applies before the relevant boot drivers
are loaded - so for multi devices, this means int 13h. The results are
recorded in a registry key so that when boot drivers initialise, they
can match their devices (accessed using the methods that will apply for
the rest of the NT session) to the ones that were accessible before NT.

The NT DDK provides the source code to DISK.SYS, so you can see how this
happens in practice. DISK.SYS makes a call to IoReadPartitionTable. If
the result shows a non-zero signature, the signature is trusted. If the
result shows a zero signature, a checksum is calculated.

-- 
Geoff Chappell
Software Analyst

For email address change host to ozemail.com.au
Web site in directory ~geoffch at www.ozemail.com.au
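
The signature-or-checksum rule described in the post, shown on a raw 512-byte MBR sector. This is an added example, not part of the original post and not the DDK's DISK.SYS source. The signature offset 0x1B8 is the standard MBR layout; the checksum algorithm (two's complement of the sum of the sector's 128 DWORDs) is an assumption, since the post does not specify it, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR_SIZE   512
#define MBR_SIG_OFF   0x1B8   /* 4-byte disk signature in the MBR */

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Disk signature stored in the MBR; zero means none has been written. */
uint32_t mbr_signature(const uint8_t mbr[SECTOR_SIZE])
{
    return le32(mbr + MBR_SIG_OFF);
}

/* ASSUMPTION: checksum = two's complement of the sum of the sector's
 * 128 little-endian DWORDs. The post does not give the algorithm. */
uint32_t mbr_checksum(const uint8_t mbr[SECTOR_SIZE])
{
    uint32_t sum = 0;
    for (int i = 0; i < SECTOR_SIZE / 4; i++)
        sum += le32(mbr + 4 * i);
    return ~sum + 1u;
}

/* Rule from the post: non-zero signature is trusted, else use checksum. */
int mbr_identity(const uint8_t mbr[SECTOR_SIZE], uint32_t *id)
{
    uint32_t sig = mbr_signature(mbr);
    *id = sig ? sig : mbr_checksum(mbr);
    return sig != 0;              /* 1 = identified by signature */
}

int main(void)
{
    uint8_t mbr[SECTOR_SIZE] = {0};           /* constructed sample sector */
    uint32_t id;
    mbr[510] = 0x55; mbr[511] = 0xAA;         /* boot marker, no disk signature */
    int by_sig = mbr_identity(mbr, &id);
    printf("%s %08X\n", by_sig ? "signature" : "checksum", (unsigned)id);
    memcpy(mbr + MBR_SIG_OFF, "\x78\x56\x34\x12", 4);   /* constructed value */
    by_sig = mbr_identity(mbr, &id);
    printf("%s %08X\n", by_sig ? "signature" : "checksum", (unsigned)id);
    return 0;
}
```

Because any application that can open the disk device can rewrite the signature, a disk with a zero signature is identified only by a value that changes whenever any byte of the sector changes.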