Cronk
join:2005-07-16


Cronk

Member

Re-write MBR on external Hdd

I have a hard drive in my external enclosure that I would like to format and re-write the MBR (to ensure there is no malware in there). Is there a way to re-write the MBR on it from a command prompt?

Thanks

Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium Member
join:2001-04-19
1970 442 W30

Doctor Olds

Premium Member

»support.microsoft.com/kb/69013
Cronk
join:2005-07-16

Cronk

Member

Thanks for the info, but that page says:

NOTE: The fdisk /mbr command only re-writes the MBR on the system drive (DISK-0) using BIOS calls. You cannot specify any other drive for the fdisk /mbr command to operate on other than DISK-0.

I need to write the mbr on an external disk.

Thanks

salzan
Experienced Optimist
Premium Member
join:2004-01-08
WA State

salzan to Cronk

Premium Member

to Cronk
You could run D-Ban on it. That will remove everything.

jeno
@bellsouth.net

jeno to Cronk

Anon

to Cronk
FIXMBR
fixmbr device name
Use this command to repair the MBR of the boot partition. In the command syntax, device name is an optional device name that specifies the device that requires a new MBR. Use this command if a virus has damaged the MBR and Windows cannot start.

Warning This command can damage your partition tables if a virus is present or if a hardware problem exists. If you use this command, you may create inaccessible partitions. We recommend that you run antivirus software before you use this command.

You can obtain the device name from the output of the map command. If you do not specify a device name, the MBR of the boot device is repaired, for example:
fixmbr \device\harddisk2
If the fixmbr command detects an invalid or non-standard partition table signature, fixmbr command prompts you for permission before it rewrites the MBR. The fixmbr command is supported only on x86-based computers.
»support.microsoft.com/kb/314058
Cronk
join:2005-07-16

Cronk

Member

Thanks,
but that page refers to using the Recovery Console in XP. I am running Vista, don't have the boot disk (I know I can download it from NeoSmart) but I am trying to find out if I can do this from the command prompt. I tried to run fixmbr from Vista's command prompt and it would not recognize the command.

redxii
Mod
join:2001-02-26
Michigan

redxii

Mod

Just scan it with an anti-virus. If you plugged it in and it was already infected with a boot sector virus then your other hard drives probably already have it too.
Cronk
join:2005-07-16

Cronk

Member

Been there and did that.

I'd still like to re-write the MBR, and now I'm curious to find out if it can be done from the command prompt; it will help me with other issues I've got.

Thanks
Cronk


Cronk

Member

If I just delete the volume using Disk Management, will that delete the MBR?

Thanks
alfee
join:2006-05-12
Toledo, OH

alfee to Cronk

Member

to Cronk
mbrwizard
»mbrwizard.com/support.shtml

and mbr utility
»www.terabyteunlimited.co ··· ware.htm

jeno
@bellsouth.net

jeno to Cronk

Anon

to Cronk
You failed to specify your OS/Version in your OP...

You can use the Bootrec.exe tool in the Windows Recovery Environment (Windows RE) to troubleshoot and repair the following items in Windows Vista:

* A master boot record (MBR)
* A boot sector
* A Boot Configuration Data (BCD) store
»support.microsoft.com/kb/927392

What happened to the Recovery Console?:
Applies to all editions of Windows Vista.
»windowshelp.microsoft.co ··· 033.mspx
Cronk
join:2005-07-16

Cronk

Member

Thanks,

I've never played with bootrec, but from what I read on your linked page, it seems to imply it only works on the system drive, not an external drive.

The /FixMbr option writes a Windows Vista-compatible MBR to the system partition.

GILXA1226
MVM
join:2000-12-29
Dayton, OH

GILXA1226 to Cronk

MVM

to Cronk
I think we're missing the bigger point... since, it seems to me at least, the external drive was never used for a boot drive, there should be no MBR on it, correct?

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

said by GILXA1226:

I think we're missing the bigger point... since, it seems to me at least, the external drive was never used for a boot drive, there should be no MBR on it, correct?

The MBR is also the partition table. It is tradition to use a partition table (except on floppies), even if only one partition is intended.
nwrickert

nwrickert to Cronk

Mod

to Cronk
For what it's worth, here is how I would do it -- mainly because I trust linux tools more than I trust Windows tools.

I would boot linux, perhaps with a live CD.

The first step would be to find the names of the hard drives. The output of "fdisk -l" should help with that.

Then I would copy the MBR from a known good disk to the disk where you want it. To describe this, I will assume that the known good disk is "/dev/sda", and the disk where you desire to do this is "/dev/sdb".

I would first make a copy of the good MBR, with

cd /tmp ## where to write the copy
dd if=/dev/sda of=mbr.sda count=1

That should create a 512 byte file "mbr.sda" containing the good MBR. The name indicates where it came from, as a reminder in case I want to keep it for a long time.

I would then copy that to the desired disk, with

dd bs=446 if=mbr.sda of=/dev/sdb count=1

That should copy the desired data - the first 446 bytes of the MBR. The last 66 bytes is a 64 byte partition table, and a two byte validity flag that you probably don't want to copy.

If you decide to do it this way, carefully check the commands before hitting enter. If you copy too much (more than 446 bytes) you can wipe out some of the data already on the disk. It might be safer to also use the "bs=446" on the first command, making it harder to accidentally copy too much on the second.

For reference:
of : output file
if : input file
bs : the logical blocksize to use for the copy
count : the number of logical blocks to copy
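
Added example (not part of the post above): a rehearsal of the 446-byte boot-code copy on constructed image files, so the dd arguments can be checked before any real disk is named. The image contents, file names and the functions `fill` and `rehearse_bootcode_copy` are assumptions made for this illustration.

```shell
#!/bin/sh
# Rehearsal on constructed image files; no real disk is touched.
# Sector 0 layout: 446 bytes boot code | 64 bytes partition table | 0x55 0xAA

fill() {  # fill COUNT CHAR: write COUNT copies of CHAR to stdout
    printf "%${1}s" '' | tr ' ' "$2"
}

rehearse_bootcode_copy() {
    w=$(mktemp -d) || return 1
    # Constructed "known good" disk: boot code of G bytes, table of g bytes.
    { fill 446 G; fill 64 g; printf '\125\252'; } > "$w/good.img"
    # Constructed target: suspect boot code (B), its own table (P),
    # the signature, then one sector of data (D).
    { fill 446 B; fill 64 P; printf '\125\252'; fill 512 D; } > "$w/target.img"

    # Save only the boot code from the good disk (bs=446 on the read too).
    dd if="$w/good.img" of="$w/boot.good" bs=446 count=1 2>/dev/null || return 1
    # Keep the target's table and signature for comparison afterwards.
    dd if="$w/target.img" of="$w/tail.before" bs=1 skip=446 count=66 2>/dev/null || return 1

    # The write. conv=notrunc matters for an image file: without it dd
    # truncates the file to 446 bytes. A block device is not truncated.
    dd if="$w/boot.good" of="$w/target.img" bs=446 count=1 conv=notrunc 2>/dev/null || return 1

    # Checks: boot code replaced, table and signature untouched, size unchanged.
    dd if="$w/target.img" of="$w/boot.after" bs=446 count=1 2>/dev/null
    dd if="$w/target.img" of="$w/tail.after" bs=1 skip=446 count=66 2>/dev/null
    rc=0
    cmp -s "$w/boot.good" "$w/boot.after" || rc=1
    cmp -s "$w/tail.before" "$w/tail.after" || rc=1
    [ "$(wc -c < "$w/target.img")" -eq 1024 ] || rc=1
    rm -rf "$w"
    return $rc
}

rehearse_bootcode_copy && echo "boot code replaced; table and signature unchanged"
```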

Parted Magic
@cox.net

Parted Magic to Cronk

Anon

to Cronk
Much easier is to download the ISO, burn it and boot up with the live CD, then use TestDisk, in the system tools menu, to accomplish your goal. Recover lost partitions, too.

»partedmagic.com/

Mannus
Premium Member
join:2005-10-25
Fort Wayne, IN

Mannus to Cronk

Premium Member

to Cronk
Ultimate Boot CD is also an option.

»www.ubcd4win.com/
Cronk
join:2005-07-16

Cronk

Member

I am working through all the suggestions here, thanks.

Does anyone know if deleting & recreating the volume using Vista's Disk Management will re-write the MBR?

Thanks

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

said by Cronk:

Does anyone know if deleting & recreating the volume using Vista's Disk Management will re-write the MBR?

I doubt it.

That will rewrite the partition table, which is part of the MBR. It is unlikely to rewrite the boot code, which is presumably what you want.

If modifying partitions with Vista were to rewrite the boot code part of the MBR, you would have lots of angry linux users, since the GRUB or LILO boot code is often placed in the MBR.
Cronk
join:2005-07-16


Cronk

Member

I'm not just talking about modifying a partition, I mean to remove every volume on the disk so the whole disk shows as "Raw", and therefore no active partitions.

Thanks

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

If you have linux available, such as a linux live CD, then use:

dd if=/dev/zero of=/dev/sdX count=1

where you replace the "/dev/sdX" by the device name for the particular disk. That overwrites the MBR with binary zeros. It will then look like a fresh disk, never before used. The first time you try to write to the disk, the standard software will write a new MBR.

The output from "fdisk -l" might help you identify the device for the disk.
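
Added example (not part of the post above): a read-only check of sector 0 before and after the one-sector zero fill, run on a constructed image file. The function names `mbr_state` and `wipe_demo` and the state labels they print are assumptions made for this illustration; `conv=notrunc` is only needed because the target here is a file rather than a block device.

```shell
#!/bin/sh
# Classify sector 0 of a disk image or device. Reads only.
mbr_state() {
    src=$1
    # Bytes left after deleting NULs: 0 means the region is all zeros.
    boot_nz=$(dd if="$src" bs=446 count=1 2>/dev/null | tr -d '\000' | wc -c)
    table_nz=$(dd if="$src" bs=1 skip=446 count=64 2>/dev/null | tr -d '\000' | wc -c)
    sig=$(dd if="$src" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$boot_nz" -eq 0 ] && [ "$table_nz" -eq 0 ] && [ "$sig" = "0000" ]; then
        echo zeroed              # looks like a never-used disk
    elif [ "$sig" = "55aa" ] && [ "$boot_nz" -eq 0 ]; then
        echo table-only          # partition table present, no boot code
    elif [ "$sig" = "55aa" ]; then
        echo bootcode-present    # something occupies the first 446 bytes
    else
        echo unrecognized
    fi
}

# Constructed image: boot code (B), table (P), signature, one data sector (D).
wipe_demo() {
    img=$(mktemp) || return 1
    {
        printf '%446s' '' | tr ' ' B
        printf '%64s' '' | tr ' ' P
        printf '\125\252'
        printf '%512s' '' | tr ' ' D
    } > "$img"
    before=$(mbr_state "$img")
    # Same zero fill as in the post, limited to one 512-byte sector.
    dd if=/dev/zero of="$img" bs=512 count=1 conv=notrunc 2>/dev/null
    after=$(mbr_state "$img")
    # Count the D bytes still present in the second sector.
    data_left=$(( $(dd if="$img" bs=512 skip=1 count=1 2>/dev/null | tr -cd D | wc -c) ))
    rm -f "$img"
    echo "$before $after $data_left"
}

wipe_demo
```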
Cronk
join:2005-07-16


Cronk

Member

I don't know anything about Linux. I'd hate to have to learn it just for this one task.

This drive was the boot drive on a severely infected computer. Now it is in an external enclosure, and it's been re-formatted. I'm concerned about the newer rootkits that hide in the MBR. I've read that you cannot depend upon antivirus software to be able to detect them because they are hidden. So I thought that re-writing the MBR would not be that big of a deal.

Thanks

nwrickert
Mod
join:2004-09-04
Geneva, IL

nwrickert

Mod

Malware that hides in the MBR is going to be in the boot code part of the MBR, and is activated when you boot from that disk. If you never boot from the disk, then I doubt that it can ever do any harm. I do understand that knowing it might be there is a source of discomfort.

Possibly some root kits hide in the remainder of the track that contains the MBR, since that track is often left unused. Again, that would be harmless unless there is other malware on your computer that knows to access it.

If you know somebody who is familiar with linux, you could probably ask them to wipe the MBR for you.

What you are probably looking for is a disk wipe utility. Do a search on google, and you will find many. They probably wipe your disk more thoroughly than you need, but that should give you the confidence to use that disk again.

VikingBob
Go Jets Go!
Premium Member
join:2004-06-05
MB Canada

VikingBob to Cronk

Premium Member

to Cronk
If that machine was dinged with Mebroot, you may need to scrub that clean - see also »community.norton.com/nor ··· 4#M15179

mmainprize
join:2001-12-06
Houghton Lake, MI


mmainprize to Cronk

Member

to Cronk
said by Cronk:

I'm not just talking about modifying a partition, I mean to remove every volume on the disk so the whole disk shows as "Raw", and therefore no active partitions.

Thanks
Here is what you do.

Boot to DOS
Format the external disk
xfer the DOS boot files to it with the SYS command

Boot to the external disk, and fdisk /mbr

then delete all partitions

That is what you want to do, right?

rcdailey
Dragoonfly
Premium Member
join:2005-03-29
Rialto, CA

rcdailey

Premium Member

The other thread, re "Secure Erase," may suggest an alternative way to clean a drive.
Cronk
join:2005-07-16

Cronk

Member

Looks like D-ban as suggested by salzan will work. Got an email back from their tech support: it does wipe the MBR and partition table.