A simple note on how to repair bootstructures.
Date : 07/05/2014
By: Albert van der Sel
Remarks: It's a simple note on how you might repair primary bootstructures.
How can you repair bootstructures, possibly corrupted by "malware"?
If indeed caused by malware, like a bootkit, Microsoft and/or your AV vendor *should* be the first to "respond".
Therefore, an important remark, or "warning" actually, is in place:
In case you suspect, or know, you got a nasty bootkit: first check with Microsoft, or your AV vendor. They might have the right solution.
If so, you don't need notes like this one.
However, they might instruct you to use some utility like "bcdboot" or something, then notes like this one might be of interest again.
In some situations IT is not "nice". Because:
Take notice of the fact that if you use a non Windows bootmanager, then using commands like you will find below,
- I'am afraid you should never (!) take "one source" for a definitive answer. If you have found something that looks like a good hint,
you must always cross reference it with answers on the Internet, good articles, or experts you can ask questions.
- If you use non-standard "bootmanagers" (e.g. multiboot configuration with a non-Windows OS), then the info in this note does not apply.
- Any info in this note only repairs objects in the very early stages of the primary boot sequence. So malware that gets activated
at later stages, is not affected. However, many bootkits alter primary bootstructures, in order to gain control at the early boot.
- Always be very carefull and be VERY critical on what a Monkey like "Albert", tries to sell you...
might actually harm your bootenvironment.
(1): Always first collect relevant information. For example, what does your AV software tells you with respect to the found boot/root kit,
or what does it say about malware names or other identifiers? Write that down.
Also, is there anything noticable in the "event viewer"? Do you know where your AV software keeps it scan logs?
(2): Try to document your steps. It does not have to be "beautifull" or something. You only need a sort of simple trace of your actions.
So, after those warnings and remarks, let's see what this short note is about.
1. How to check if your system uses BIOS/MBR/VBR, or EFI/GPT
First, It's important to know what type of Windows boot environment is used by your system(s).
Remember that in general, we have two major types of physical boot environments for the Windows OS.
- True computer: the legacy BIOS/MBR/VBR sequence, and
- True computer: the newer EFI/GPT boot sequence (in practice actually EFI extensions on BIOS for Windows/Intel).
- Virtual Machine: often a virtualized "Manufacturer modified" BIOS/MBR/VBR sequence
The question if a machine supports EFI, is not only an Operating System issue. For example, the type of CPU and mainboard, is
is more of a decisive factor.
However, here we concentrate on Operating Systems. The figure below illustrates the most common Win boots.
Fig. 1. Very schematic representation of the Windows early boot
- Note that for older systems, like Win2K3 Server, usually the BIOS/MBR is implemented.
- Newer systems like Win7, Win8, Win2K8 Server, might use one of both sequences, but usually it's an EFI implementation
It's certainly (!) not completely a "black and white" situation, since for example Win2K3 (IA64) on Itanium uses an EFI implementation.
So, how do you know what type of boot your machine uses?
Here are several methods.
From a (elevated) command prompt, run:
C:\> bcdedit /enum
If you get back records like:
Then your system uses EFI/GPT.
Furthermore, in that case, you would also see a reference to the bootloader "\Windows\system32\winload.efi".
This time, using graphical stuff only, goto "Administrative Tools", then "Computer Management", then "Disk Management".
An EFI partition is typically 100MB, or 300MB (or something in that order), and it should be the first partition
listed on "Disk 0". However, it is possible that the Computer Manufacturer has placed a "Recovery Partition" as well,
which might show as the "first" partition.
The Disk Manager should display "EFI Partition" for that first partition. However, it not always does that.
Then, revert to "Method 1" above.
You can also use the low-level utility "diskpart". This powerful tool can do a lot of stuff. However, it can also inform
you if the "disk" uses GPT or just the legacy MBR.
From an elevated command prompt, enter "diskpart", followed by the diskpart command "list disks".
DISKPART> list disk
If the GPT column is "blank", then you use the traditional MBR scheme.
The following tools will be discussed:
What will be discussed in this note? The following table shows a summary of tools:
||Use it for:
|Non standard tools
Especially the newer Windows boot utilities (bootrec/bcdboot/bcdedit) are, in my opinion, by no means trivial to use.
2. LEGACY MBR/VBR boot - How to remove/repair a bootkit modification from a MBR/VBR System.
- Section 2.1 does only apply for "NTLDR" systems, in effect, XP/Win2K3.
Furthermore, the commands listed in section 2.1, are usable for x86 machines only.
- Section 2.2 does apply for older and newer MBR/VBR systems, both x86 and x64.
- For GPT "BOOTMGR" systems, see Chapter 3.
2.1. The Recovery Console Microsoft.
Win2K3 and similar, have the "Recovery Console" option, which you can choose if you boot from the DVD.
If you do that, among various choiches, you are also able to use a number of commands to repair the MBR or VBR.
However, it must be noted that the Recovery Console also gives the option "to replace critical systemfiles",
in which case the current installion is inspected, and if neccessary, systemfiles are replaced by those on DVD.
This is a most valuable option. More strongly stated: it could even be your best option !
But, here we only touches on some commands to repair the MBR or VBR on a x86 machine.
- Repair the MBR: The "fixmbr" command (repair the Master Boot record) on a x86 machine:
It should repair/replace the MBR bootstrap code of the MBR, and leave the Partition Table as it is.
Most often it works fine, but in some cases, it does not. Like for exampe if you had a non-MS bootmanager.
example: fixmbr \Device\HardDisk0
Note: In several "layers" of the OS, "drive/partions" are often referred to in different ways. For example, "NTLDR" was formely supposed
to work not only with Intel, but with "DEC Alpha" systems too (like in NT 3.51). So, it understood a RISC Arc path like "scsi(X)disk(Y)rdisk(Z)partition(W)\ "
which is no more than a full path from Controller Card, all the way to some disk, and finally Partition on that disk.
Other layers think in more understandable qualifiers, like "\Device\HardDisk0" which obviously seems to be the "first" harddisk on the system.
Still other layers, may just present you Drive/Partitions like C:, D:, etc.. which we all know so well.
- Repair the VBR: The "fixboot" command (repair the Volume Boot Record- or Partition Bootsector) on a x86 machine:
If your MBR seems OK, but you suspect a corrupt VBR (or Partition Bootsector), you might consider "fixboot".
example: fixboot c:
In this example, the command writes a new VBR (or Partition Bootsector) on C:.
2.2. MBRfix from Systemintegrasjon
The latest editions works for MBR/VBR systems on both x86 and x64.
This command has many options or "switches" to save, or repair, or do other manipulations, on the MBR.
Generally, it is considered to be an advanced utility, meant for SysAdmins, but not for regular users.
Be very carefull in using it, and study the accompanying "readme" or consult websites.
The latest version could even be used on Vista and Win7 as well.
You might take a look at their site: www.sysint.no
example for XP: mbrfix /drive 0 fixmbr /yes
example for Vista: mbrfix /drive 0 fixmbr /vista
example for Win7: mbrfix /drive 0 fixmbr /win7
2.3. The "dd" command.
In Unix/Linux, "dd" is considered to be a "backup" command, mainly based on "blindly" copying sectors from an "if=inputfile" to an "of=outputfile".
You can "dd" a whole disk, to another disk, or just copy one or more sectors, or "dd" even "raw" volumes.
It's actually possible too, to "dd" the first sector of the bootable drive (the MBR), to another location.
And that not only works for one sector, but you can "dd" a bunch of startsectors to some other location.
As a rather extreme example, just suppose a number of PC's/VM's really were configured "exactly" the same on disklevel,
then it's possible to "dd" the MBR of a good machine to a file, and "dd" that file to sector 0 of a compromised machine.
And, also take into consideration that you also could boot from a "live" Linux DVD, or even USB. So, the dd command is close by.
Ofcourse, this might be a bit advanced for just the "average" Windows user.
You cannot use the exact commands below. They are for illustration only. How it exactly works on your system, is something
you need to find out. Although those commands are "good", I don't want to take risks.
So, whats listed in section "2.1" is the preferred method. But, this method works too!
Suppose you have booted from a Linux live DVD. Here is an example of how you could save your MBR to another location:
# dd if=/dev/sdX of=/tmp/mbr.bak bs=512 count=1
Where "sdX" is supposed to be the "bootable" harddisk on your physical system, and "/tmp" is model for any writable location
to store files on (so it could be another location). However, the C: devicefile could be "named" totally different.
To restore the MBR, use a command similar to:
# dd if=mbr.bak of=/dev/sdX count=1
2.4. Other Bootable DVD with MBR repair options.
Too bad that from Win2K3 like systems itself, it's not easy to create a Bootable DVD.
- However, there are many articles dealing on the issue on "how to create a Bootable XP/Win2K3 DVD".
- Secondly, from quite a few Linux distro's, a live bootable DVD's exist, or is easy to create one. Often, it's possible to recreate a MBR again.
- Some "special" boot DVD's exists, like "Hirens boot DVD", which contain many repair options, and for the MBR too.
Hirens should have the "MbrFix" tool on it.
I recommend that you do a Websearch on "Hirens" and other bootable DVD's. It's possible that some downloadable .iso's are
not fully legal. You need to evaluate that, if you download stuff like that. However, in order to repair a critical system,
I believe that nothing should stop you.
Now, before using any information of this chapter (!!!), please "cross check" the info with other sources.
For example, among many others, you might be interested in the following url's:
Win2K3 Recovery Console (microsoft.com)
Win2K3 Recovery Console (wikipedia)
Or check any other source (is what you always should do...)
3. NEWER EFI/GPT boot - How to repair a modification from a EFI/GPT System.