The NTFS boot sector is very similar in structure to FAT partition boot sectors. It begins with a jump to the entry point of the boot loader code, followed by a data record, called the BIOS Paramter Block, which describes the geometry of the partition, followed by the IPL or initial program loader, a small program that locates, loads to memory, and then executes the partition's startup code.
HEX/ASCII dump of NTFS Boot Sector
Table - The BIOS Parameter Block
| Byte Offset | Field Length | Sample Value | Field Name |
| 0x0B | Word | 0x0002 (512) | Bytes per Sector |
| 0x0D | Byte | 0x08 | Sectors per Cluster |
| 0x0E | Word | 0x000 | Reserved Sectors |
| 0x10 | 3 Bytes | 0x000000 | reserved |
| 0x13 | Word | 0x0000 | not used |
| 0x15 | Byte | 0xF8 | Media Descriptor |
| 0x16 | Word | 0x0000 | reserved |
| 0x18 | Word | 0x3F00 (63) | Sectors per Track |
| 0x1A | Word | 0xFF00 (255) | Number of Heads |
| 0x1C | DWord | 0x3F000000 (63) | Hidden Sectors |
| 0x20 | DWord | 0x00000000 | not used |
| 0x24 | DWord | 0x00800080 | not used |
| 0x28 | QWord | 0x00000000009C25FD | Total Sectors |
| 0x30 | QWord | 0x0000000000000004 | $MFT Start Cluster |
| 0x38 | QWord | 0x000000000009C25F | $MFTmirr Start Cluster |
| 0x40 | DWord | 0x000000F6 | Clusters per FRS |
| 0x44 | DWord | 0x00000001 | Cluster per Index |
| 0x48 | QWord | 0xD83AEE5E98D83B12 | Volume Serial Number |
| 0x50 | DWord | 0x00000000 | CRC |
Note: The values Clusters per FRS (File Record Segment) and Clusters per Index will be negative in the case where the sectors per cluster is greater than size of the FRS or Index record. In the case described here the value in the Clusters per FRS field is F6h or -10. The actual size of the record is then calculated as 2 ^ (-1 * -10) or 1024 bytes.
The IPL begins by determining whether or not the active partition begins outside the 8GB boundry. If it does, the IPL must use the BIOS LBA extensions to read from the disk. It uses CHS addressing otherwise (only the first 8GB of a hard disk can be addressed via CHS).
Having the addressing mode, the IPL then reads the initial 16 sectors of $Boot, which includes a copy of the boot sector itself plus the extended part of the IPL, to memory at 0D00h:0000h, then continues execution at 0D00h:026Ah.
The code in the extended part of the IPL has the job of locating and starting NTLDR. This requires reading the Master File Table to locate the root index (ie, root directory), finding the NTLDR entry in the root index, reading NTLDR's file record segment from the Master File Table, then loading NTLDR to memory and jumping into it.
<以上資料收集自網路,以供交流學習>
