Inside the High Performance File System - Part 3

From EDM2
Jump to: navigation, search
Inside the High Performance File System
Part: 1 2 3 4 5 6

By Dan Bridges

Part 3/6: The SuperBlock and the SpareBlock

Introduction

This article originally appeared in the March 1996 issue of Significant Bits, the monthly magazine of the Brisbug PC User Group Inc.

This month we start delving more deeply into HPFS' internal structures. Two REXX programs will be presented that will greatly assist you in the search for information. We will also briefly look at some other HPFS-related programs. Finally, you will see the Big Picture when the major structures of a HPFS partition are shown.

The BootBlock

There are only three structures on High-Performance File System volumes that are always at the same location. The first structure is the BootBlock commencing at LSN (Logical Sector Number) 0 and extending up to LSN 15. (All LSNs in this article are in decimal). In current versions of OS/2 only LSN 0-5 are used. As well as the Disk Bootstrap program, the BootBlock holds important data such as the Volume Name, the volume serial number and the BIOS Parameter Block (BPB). For the purposes of this month's installment you only need to know that there is a dword stored at offset 1Ch in LSN 0 that specifies the number of "hidden" sectors on a volume. (Hidden sectors are sectors before LSN 0.) On every partition on my system, except for C:, and on all standard DOS partitions, all of the first track (track 0) is "hidden". In CHS (Cyl/Hd/Sec) notation, track 0 starts at 0/0/1 with LSN 0 starting on track 1 at 0/1/1. However on C: drive, an OS/2 bootable partition, LSN 0 does not commence until 1/0/1. On this particular hard disk this means that C: has 0800h (2,048) hidden sectors (1 MB) while all the other partitions have 0020h (32) hidden sectors. We will return to the topic of hidden sectors later.

The SuperBlock

The second structure with a standardised location is the SuperBlock. This is comprised of a single sector situated at LSN 16. Most of the data stored in this sector never changes. Important information is stored here such as the location of the Root Directory Fnode, location of the Directory Band and where to find the sector listing the partition's disk-usage bitmap sectors. Information that can change includes the last time CHKDSK /F was run on this partition, the last time an optimisation operation was performed and the number of bad sectors.

Figure 1 contains a table showing the layout of the SuperBlock. Last month it was stated that key HPFS structures were identified by dword (32-bit) signatures so that, in the event of a catastrophe, blind scanning could be used to find them again. But, in the case of the SuperBlock and the SpareBlock, quad-word signatures are provided. I don't know why the extra dword is supplied. The Function Version is the earliest version of HPFS that is needed to read this partition. User ID sectors appear to have something to do with ACL (Access Control Lists) which are used by LAN SERVER v4 and will normally be empty with standard OS/2.

Offset          Data                Size           Comment
hex (dec)                           bytes

00h (1)     Signature                8       F995E849h FA53E9C5h
08h (9)     HPFS version             1
09h (10)    Functional ver           1       2 (<=4GB), 3 (>4GB)
0Ah (11)    Dummy                    2       Reestablish 32-bit alignment.
0Ch (13)    Root Dir Fnode           4       LSN pointer
10h (17)    Secs in Partition        4
14h (21)    Bad Sector Count         4
18h (25)    List of Bitmap Secs      4       LSN pointer
1Ch (29)    Bitmap SecList (spare)   4       0000h on my partitions
20h (33)    List of Bad Sectors      4       LSN pointer
24h (37)    Bad Sec List  (spare)    4       0000h on my partitions
28h (41)    CHKDSK /F Last Run       4       Seconds since 0:00 1-1-1970
2Ch (45)    Last Optimised           4       Seconds since 0:00 1-1-1970
30h (49)    Dir Band Sectors         4       LSN pointer
34h (53)    Dir Band Start Sec       4       LSN pointer
38h (57)    Dir Band End Sec         4       LSN pointer
3Ch (61)    Dir Band Bitmap          4       LSN pointer
40h (65)    Unused                  32
60h (97)    First UserID Sec         4       LSN pointer to beginning of
                                              8 sec blk of ACLs.
                                              Only used with HPFS386.

Fig. 1 The layout of the SuperBlock (LSN 16)

The SpareBlock

The final HPFS structure with a known location is the SpareBlock sector at LSN 17. Some of the data stored here will change depending on the status of the partition. Figure 2 shows its layout. The Partition Status byte is a bitmap that indicates various cautionary and fault-recovery conditions. On listed HPFS partitions, bit 0 of this byte is checked by the file system at start-up time. The check list is specified in the IFS line e.g. IFS=C:\OS2\HPFS.IFS /AUTOCHECK:CDFGH. If bit 0 is set then that particular partition was in a "dirty" state when the system was shutdown i.e. there was information in memory that had not been committed to the partition and/or all open files were not closed. A CHKDSK /F will automatically be performed to rebuild inconsistent HPFS structures.

Offset        Data              Size             Comment
hex (dec)                      bytes

00h (1)   Signature               8       F9911849h FA5229C5h
08h (9)   Partition Status        1       Bit 7: Written by old IFS
                                          Bit 5: FastFormatted Flag
                                          Bit 4: Bad bitmap
                                          Bit 3: Bad sector
                                          Bit 2: Hotfix secs used
                                          Bit 1: Spare DirBlks used
                                          Bit 0: Dirty flag
09h (10)  Dummy                   3       Reestablish 32-bit alignment.
0Ch (13)  HotFix List Start       4
10h (17)  HotFix Entries Used     4
14h (21)  Total HotFix Entries    4
18h (25)  # Spare DirBlks 4
1Ch (29)  Free Spare DirBlks      4
20h (33)  Code Page Dir Sec       4
24h (37)  # Code Pages    4
28h (41)  SuperBlock CRC32        4       These Checksums are unused
2Ch (45)  SpareBlock CRC32        4         except for HPFS386.
30h (49)                         60       Space for 15 "Extra" dwords.
6Ch (109) First Spare DirBlk      4       First dword in a list in the
                                            SpareBlock of all spare DirBlk
                                            locations (each 4 secs).

Fig. 2 The layout of the SpareBlock (LSN 17)

Hotfixes

Hotfixes are on-the-fly sector redirections that were made by the file system when a write fault is detected while committing data to a sector. The redirection is recorded in a dword pair in the Hotfix List's mapping table. The dword pair links the unreliable sector to the replacement sector. On a normal 100 MB partition there is a Hotfix List Block (4 sectors) mapping 100 Hotfix sectors (none of which is typically in use). I've never seen a hotfix occur (modern HDs are very reliable) but apparently a message appears on the screen indicating that a error occurred during a write operation and a hotfix has been performed to overcome the problem. Now you could have one or more hotfixes in the list for quite some time. The next time a CHKDSK /F is performed, one of the operations performed is to clear the Hotfix list with the unreliable sector marked in the BadSector list and the hotfix sector freed up again after the data in it is copied to a free sector in the main sector pool. Note: the sector will be located as close as possible to the original Fnode and the rest of the file's sectors.

HPFS386 automates the clearing of the Hotfix List. At start time it checks the stored 32-bit CRCs of the SuperBlock and of the SpareBlock and compares them with their current computed value. If these figures differ e.g. a hotfix was performed in the last session, then CHKDSK /F is run.

Spare DirBlks

Another important item is the SpareBlock is the location and number of spare DirBlks. When a file is created, deleted or renamed, much extra activity can occur in the DirBlks as blocks are rearranged in the tree structure to maintain branch balance. There is a very small chance of running out of diskspace due to this activity. This is prevented by the availability of a number of spare DirBlks. On a 100 MB partition, 20 spare DirBlks (80 sectors) are located just after the end of the Dir Band. Their location is indicated by 20 dword pointers stored starting from offset 6Dh.

The ShowSuperSpare Program

To assist you in investigating the operation and layout of HPFS we will now examine ShowSuperShare.cmd. First off, look at its screen output in Figure 3. For the purposes of illustration I've used the Graham Utilities' HPFS-Bad program to mark 1,000 sections on this partition as bad. The output takes up 35 lines on the screen. I usually operate in 43-61 line mode and have made no effort to cater for smaller windows. Anyway, its output is best redirected to the printer so it can be used as a guide for further investigation.

Inspecting drive O:

  SUPER BLOCK (LSN 16):
  Signature Qword:        0x00    0xF995E849      FA53E9C5
  HPFS version:           0x08    2
  Functional Version:     0x09    2               (<=4GB)
  Root Directory Fnode:   0x0C    0x00018810      (100368)
  Sectors in Partition:   0x10    0x00031FE0      (204,768) 102,384KB
  Bad Sector Count:       0x14    0x000003E8      (1,000) 500 Kb
  List of Bitmap Secs:    0x18    0x00018FF0      (102384)
  Bmp Sec list (spare):   0x1C    0x00000000      (0)
  List of Bad Sectors:    0x20    0x00018FF4      (102388)
  Bad Sec List (spare):   0x24    0x00000000      (0)
  CHKDSK /F Last Run:     0x28    0x313848D3      02-Mar-96 13:10:43
  Last Optimised:         0x2C    0x00000000      (Never)
  Directory Band Secs:    0x30    0x000007BC      (1,980) 990 Kb
  Dir Band Start Sec:     0x34    0x00018004      (98308)
  Dir Band End Sec:       0x38    0x000187BF      (100287)
  Dir Band Bitmap:        0x3C    0x00017FF4      (98292)
  User ID secs (8 sec):   0x60    0x00018FF8      (102392)

  SPARE BLOCK (LSN 17):
  Signature Qword:        0x00    0xF9911849      FA5229C5
  Partition Status:       0x08    0x20            (FastFmt, Clean)
  HotFix List Start:      0x0C    0x00000018      (24)
  HotFix Entries Used:    0x10    0x00000000      (0)
  Total HotFix Entries:   0x14    0x00000064      (100)
  # Spare DirBlks:        0x18    0x00000014      (20)
  Free Spare DirBlks:     0x1C    0x00000014      (20)
  Code Page Dir Sec:      0x20    0x00000080      (128)
  # Code Pages:           0x24    0x00000002      (2)
  SuperBlock CRC32:       0x28    0x68235198
  SpareBlock CRC32:       0x2C    0xFBBDB294
  First Spare DirBlk:     0x6D    0x000187C0      (100288)
  Last Spare DirBlk:      0xB9    0x0001880C      (100364)

Fig. 3 The output of the ShowSuperSpare.cmd program.

The contents of ShowSuperSpare.cmd is shown in Figure 4. This REXX program makes use of SECTOR.DLL (written by Thomas Christinck) and RXDATE.DLL (written by Barry Pederson). Both DLLs are Freeware.

001 /* Show LSN 16 & LSN 17 on a HPFS partition */
002 ARG drive .
003 IF drive =  THEN CALL Help
004 IF WordPos(drive,'? /? /H HELP A: B:') \= 0 THEN CALL Help

005 CALL RxFuncAdd 'ReadSect','Sector','ReadSect'   /*In SECTOR.DLL*/
006 CALL RxFuncAdd 'RxDate','RexxDate','RxDate'      /*In REXXDATE.DLL*/

007 sectorString = ReadSect(drive, 16)    /* SuperBlock is LSN 16 */

008 '@cls'
009 SAY
010 SAY "Inspecting drive" drive
011 SAY
012 SAY "SUPER BLOCK (sector 16):"
013 SAY "       Signature Qword: 0x00  0x"FourChars2Hex(1) FourChars2Hex(5)
014 hpfsVer = Strip(C2X(Substr(sectorString,9,1)),'L','0')
015 SAY "   HPFS version: 0x09 " hpfsVer

016 funcVer = Strip(C2X(Substr(sectorString,10,1)),'L','0')
017 SELECT
018 WHEN funcVer = "2" THEN dispStr = "2   (<=4GB)"
019 WHEN funcVer = "3" THEN dispStr = "3   (>4GB)"
020 OTHERWISE dispStr = 
021 END

022 SAY "  Functional Version: 0x0A " dispStr

023 CALL ShowDword "Root Directory Fnode",13
024 CALL ShowDwordPlusSize "Sectors in Partition",17
025 CALL ShowDwordPlusSize "   Bad Sector Count",21
026 CALL ShowDword " List of Bitmap Secs",25
027 CALL ShowDword "Bmp Sec list (spare)",29
028 CALL ShowDword " List of Bad Sectors",33
029 CALL ShowDword "Bad Sec List (spare)",37

030 lastChkdskRun = FourChars2Hex(41)
031 dateTimeString = SubStr(sectorString,41,4)
032 CALL DecipherDateTime dateTimeString
033 SAY "CHKDSK/F Last Run: 0x29  0x"lastChkdskRun dateStr timeStr

034 lastOpt = FourChars2Hex(45)
035 dateTimeString = SubStr(sectorString,45,4)
036 CALL DecipherDateTime dateTimeString
037 SAY "  Last Optimised: 0x2D  0x"lastOpt dateStr timeStr

038 CALL ShowDwordPlusSize " Directory Band Secs",49
039 CALL ShowDword "  Dir Band Start Sec",53
040 CALL ShowDword "   Dir Band End Sec",57
041 CALL ShowDword "   Dir Band Bitmap",61
042 CALL ShowDword "User ID secs (8 sec)",97

043 SAY
044 sectorString = ReadSect(drive, 17)       /* SpareBlock is LSN 17 */
045 SAY "SPARE BLOCK (sector 17):"
046 SAY "    Signature Qword: 0x00  0x"FourChars2Hex(1) FourChars2Hex(5)
047 CALL ShowPartitionStatusFlags
048 CALL ShowDword "   HotFix List Start",13
049 CALL ShowDword " HotFix Entries Used",17
050 CALL ShowDword "Total HotFix Entries",21
051 CALL ShowDword "   # Spare DirBlks",25
052 CALL ShowDword "  Free Spare DirBlks",29
053 CALL ShowDword "   Code Page Dir Sec",33
054 CALL ShowDword "   # Code Pages",37
055 SAY  "   SuperBlock CRC32: 0x29  0x"FourChars2Hex(41)
056 SAY  "   SpareBlock CRC32: 0x2D  0x"FourChars2Hex(45)
057 spareDirBlocks = C2D(Reverse(Substr(sectorString,25,4)))
058 CALL ShowDword " First Spare DirBlk",109
059 CALL ShowDword " Last Spare DirBlk",109+(4*(spareDirBlocks-1))

060 EXIT  /******************EXECUTION ENDS HERE****************/

061 DriveInfo:     /* Determine drive geometry */
062 PARSE VALUE QDrive(drive) WITH totalSec totalCyl totalHd, secPerTrk .
063 RETURN

064 FourChars2Hex:
065 ARG startPos
066 RETURN C2X(Reverse(Substr(sectorString,startPos,4)))

067 ShowDword:
068 PARSE ARG label, offset
069 hexStr = FourChars2Hex(offset)
070 SAY label": 0x"D2X(offset,2) " 0x"hexStr "("X2D(hexStr)")"
071 RETURN

072 ShowDwordPlusSize:
073 PARSE ARG label, offset
074 hexStr = FourChars2Hex(offset)
075 decStr = X2D(hexStr)
076 SAY label": 0x"D2X(offset,2) " 0x"hexStr "("WithCommas(decStr)"
                          )" WithCommas(decStr / 2) "KB"
077 RETURN

078 TwoChars2Hex:
079 ARG offset
080 RETURN C2X(Reverse(Substr(sectorString,offset,2)))

081 WithCommas:
082 ARG string
083 string = Format(string,,,,12)
084 strLen = Length(string)
085 IF strLen >= 4 THEN
086    string = Left(string, strLen-3)","Right(string,3)
087 ELSE
088    RETURN string

089 IF strLen >= 7 THEN
090    string = Left(string, strLen-6)","Right(string,7)
091 ELSE
092    RETURN string

093 IF strLen >= 10 THEN
094    string = Left(string, strLen-9)","Right(string,11)

095 RETURN string


096 DecipherDateTime:
097 ARG hexNum
098 num=C2D(Reverse(hexNum))
099 IF num = 0 THEN
100    DO
101    dateStr = "(Never)"
102    timeStr = ""
103    END
104 ELSE
105    DO
106    days = (num%86400)      /* Int div to get whole days since 1970 */
107    remainderSecs = (num//86400)  /* Mod div to get remainder.
108                       This is # of secs in last (part) day. */
109    h = remainderSecs%3600      /* Whole hours in last day. */
110    /* Format(num,2) will ensure that if num is only single char
111       then a space will precede it. Since we can't force Format()
112       to use a leading 0 instead, use Translate(string,replacestr,
113       findstr) to fix this so mins & secs have leading zeros. */

114    /* Total whole mins in last day - mins in whole hours */
115    m = Translate(Format(remainderSecs%60 - h*60,2),"0"," ")
116    /* Take secs in whole mins & in whole hours
117       away from total last day secs */
118    s = Translate(Format(remainderSecs -h*3600 -m*60,2),"0"," ")
119    /* We're going to use RXDATE20.xxx by Barry Pederson to
120       work out the date. It will convert # of days since
121       1/1/0001 to a formatted date. Add 719162 to days count
122       to adapt 0s/2's 1970-based counting to this. */
123    days = days + 719162
124    dateStr = rxDate(days,'%d-%b-%y')
125    timeStr = h':'m':'s
126    END
127 RETURN

128 ShowPartitionStatusFlags:
129 byte = Substr(sectorString,9,1)
130 IF BitAnd(byte, '1'x) = '1'x THEN
131    status = 'Dirty'
132 ELSE
133    status = 'Clean'
134 IF BitAnd(byte,'02'x) = '02'x THEN status='SpareUsed,' status
135 IF BitAnd(byte,'04'x) = '04'x THEN status='Hotfix,' status
136 IF BitAnd(byte,'08'x) = '08'x THEN status='BadSec,' status
137 IF BitAnd(byte,'10'x) = '10'x THEN status='BadBmp,' status
138 IF BitAnd(byte,'20'x) = '20'x THEN status='FastFmt,' status
139 IF BitAnd(byte,'80'x) = '80'x THEN status='OldVer,' status
140 SAY '     Partition Status: 0x08  0x'C2X(byte) '   ('status')'
141 RETURN

142 Help:
143 SAY
144 SAY
145 SAY "Purpose:"
146 SAY "  ShowSuperSpare    Decodes the SuperBlock & SpaceBlock"
147 SAY "                       sectors on a HPFS partition"
148 SAY
149 SAY "Example:"
150 SAY "  ShowSuperSpare C:"
151 SAY
152 EXIT

Fig. 4 ShowSuperSpare.cmd. Don't include line numbers. Ensure that a comment of some sort in in row1, col1.

The design of the program is very straightforward and deserves only a little further comment. Line 4 uses an unusual method to check for a help invocation parameter. "sectorString" is generic name used in this program for either the contents of the SuperBlock sector (LSN 16) or the SpareBlock sector (LSN 17). Lines ending in a comma are treated by the REXX interpreter as continuing on the next line. Unfortunately you can't do this in a SAY line so indented lines without line numbers are a continuation of the previous SAY line and should be typed in as one long line.

Multiple Addressing Formats

There are a number of programs that are useful for HPFS investigation but they use different addressing methods. The Graham Utilities has HPFInfo (decimal LSN and CHS - Cyl/Hd/Sec), HPFSView (CHS) and Diskedit (CHS). The GammaTech Utilities has Sedit (hex LSN). FST (File System Tool - written by Eberhard Mattes) uses decimal LSN. And SECTOR.DLL is driven using decimal LSN. Furthermore, when you look at a hex dump of a sector, the 32-bit values require a bit of mental gymnastics to interpret. For example, the sequence "12 34 56 78" in a dump represents 0x78563412.

To cope with the variety of different addressing methods I've designed the REXX sector dumping program SEC.CMD to handle four different methods, namely:

1. Decimal LSN - SEC C: 123
2. Hex LSN - SEC C: 0x123
3. My "Custom" Dword LSN - SEC C: 0y 12 3 0 1  = 0x01000312
4. CHS physical addressing - SEC C: 12/8/3 = Cyl 12, Hd 8, Sec 3

Parsing Frolics

Originally I had a complex IF structure to determine which form of addressing was specified. Mark Hessling suggested that I use the powerful and little understood features of the PARSE instruction to perform much of this work. We constructed a parsing testbed and then threw it a number of command lines to see what would come out. See Figures 5 & 6.

01  /* A testbed for the parsing section of SEC.CMD
02      The following command line, split into 4 lines
03      for clarity, performs 4 passes.
04  */
05  PARSE ARG drive dec .,
06      1 '0x' hex .,
07      1 '0y' y1 y2 y3 y4 .,
08      1 . cyl '/' hd '/' sec .

09  IF drive =  | dec =  THEN CALL Help

10  CALL Show 'Drive' drive
11  CALL Show 'Dec'     dec
12  CALL Show 'Hex'     hex
13  CALL Show 'Y1'      y1
14  CALL Show 'Y2'      y2
15  CALL Show 'Y3'      y3
16  CALL Show 'Y4'      y4
17  CALL Show 'Cyl'     cyl
18  CALL Show 'Head'    hd
19  CALL Show 'Sec'     sec

20  SAY
21  SAY 'Output:'
22  IF hex =  & y1 =  & hd =  & sec =  THEN SAY 'SEC' drive dec
23  IF hex \=  THEN SAY 'SEC' drive '0x'hex
24  IF Y1 \=  THEN
25     DO
26     y = Right('00'y4,2)||Right('00'y3,2)||Right('00'y2,2)||Right('00'y1,2)
27     SAY 'SEC' drive '0x'y
28     END

29  IF sec \=  THEN SAY 'SEC' drive 'cyl'cyl||' hd'hd||', sec'sec
30  EXIT                /************ END OF PROGRAM ************/


31  Show:
32  PARSE ARG label aa
33  SAY label '<'aa'>'
34  RETURN


35  Help:
36  SAY
37  SAY "In Help Section"
38  SAY
39  EXIT

Fig.5 TEST.CMD examines commandline parsing

[d:\]test c: 123        [d:\]test c: 0x 123         [d:\]test c: 0x123
Drive <c:>              Drive <c:>                  Drive <c:>
Dec <123>               Dec <0x>                    Dec <0x123>
Hex <>                  Hex <123>                   Hex <123>
Y1 <>                   Y1 <>                       Y1 <>
Y2 <>                   Y2 <>                       Y2 <>
Y3 <>                   Y3 <>                       Y3 <>
Y4 <>                   Y4 <>                       Y4 <>
Cyl <123>               Cyl <0x 123>                Cyl <0x123>
Head <>                 Head <>                     Head <>
Sec <>                  Sec <>                      Sec <>

Output:                 Output:                     Output:
SEC c: 123              SEC c: 0x123                SEC c: 0x123



[d:\]test c: 0y12 3     [d:\]test c: 0y 12 34 0 7   [d:\]test c: 1/2/3
Drive <c:>              Drive <c:>                  Drive <c:>
Dec <0y12>              Dec <0y>                    Dec <1/2/3>
Hex <>                  Hex <>                      Hex <>
Y1 <12>                 Y1 <12>                     Y1 <>
Y2 <3>                  Y2 <34>                     Y2 <>
Y3 <>                   Y3 <0>                      Y3 <>
Y4 <>                   Y4 <7>                      Y4 <>
Cyl <0y12 3>            Cyl <0y 12 34 0 7>          Cyl <1>
Head <>                 Head <>                     Head <2>
Sec <>                  Sec <>                      Sec <3>

Output:                 Output:                     Output:
SEC c: 0x0000312        SEC c: 0x07003412           SEC c: cyl1, hd2, sec3

Fig.6 Results of running the parsing testbed shown in Fig.5

Here is how to interpret the first pass (line5): 1. The first parm is drive. The second parm (after any white space) is dec. The rest of the line, if any, is discarded.

Now the second pass (line 6): 2. Reset parsing start point to the first character. Look forward for '0x'. If found, take the next word (after any whitespace) and assign it to hex. Discard the rest of line.

The third pass (line 7): 3. Reset parsing point to the first character. Look for '0y'. If found, assign the next 4 words, if present, to y1 through y4. Discard the rest of the line.

The final pass (line 8): 4. Reset parsing point to first char. Throw away first parm ("C:"). Next parm becomes cyl up to the first slash. After the first slash until the second slash, any characters become hd. Any characters, after the second slash up until the next whitespace becomes sec. Discard the rest of the line.

In the simple usage above, the starting point must be 1 since it is acting as a stop point for the preceding section as well. If it is 1 then PARSE seems to take the whole line otherwise, in "PARSE ARG drive dec . 2...", drive ends up as just "C" (no colon) and dec is empty. If you want to restart from a different point then you have to use a more explicit form of positional patterning. For example, character 4 would be a good restarting point since the second parm can not start any earlier. (Note: character counting is zero-based since character 1 can never be immediately after the REXX program name but must be separated from it by a space.) So this could be restated as:

PARSE ARG drive dec . 254,
      4 '0x' hex . 254,
      4 '0y' y1 y2 y3 y4 . 254,
      4 . cyl '/' hd '/' sec .

Don't worry too much about performance considerations either. 10,000 iterations of the above command on a 486DX/50 took only 3.5 seconds meaning that a single four-pass run takes only 350 microseconds! Another important point: all leading and trail white space is stripped off assigned variables except for the last variable. So, if you want the last variable to be trimmed as well, ensure that you have a dot at the end of a run's assignment pattern. I noticed in the CHS example that surrounding spaces were preserved for the hd variable only. I presume this is because it is surrounded by slashes. You can also use relative repositioning e.g. +2 or -2.

One further parsing alteration is needed for the SEC program, namely the inclusion of the UPPER keyword in the PARSE instruction. This is so both "0X123" and "0x123" are accepted.

The SEC Program

Figure 7 shows the display produced by SEC.CMD. The sector being dumped is part of the Directory Band on D: . Regardless of the addressing format used, all three formats are shown along with the maximum CHS figure for this partition. This makes the program handy for cross-referencing purposes. Figure 8 shows three out-of-range error messages and also shows the Help Screen being invoked in response to the lack of the first parameter (drive).

LSN 393384 (0x000600A8) on D:  Cyl:192, Hd: 6, Sec:9  (Max CHS: 399/63/32)

0000  AE 0A E4 77 58 05 00 00-10 00 00 00 AC 00 06 00   ...wX...........
0010  A8 00 06 00 28 00 00 40-95 16 03 00 5A FD 85 2F   ....(..@....Z../
0020  00 00 00 00 5A FD 85 2F-5A FD 85 2F 00 00 00 00   ....Z../Z../....
0030  00 00 09 4E 6F 74 65 4D-65 73 67 73 28 00 00 00   ...NoteMesgs(...
0040  96 16 03 00 C8 DA F3 2E-1D 00 00 00 A4 18 E4 30   ...............0
0050  54 EE 85 2F 1A 01 00 00-00 00 09 70 61 73 74 65   T../.......paste
0060  2E 6D 61 63 2C 00 00 00-98 16 03 00 B2 F3 85 2F   .mac,........../
0070  00 00 00 00 B2 F3 85 2F-B2 F3 85 2F 00 00 00 00   ......./.../....
0080  00 00 0A 50 4D 41 6E 73-69 2E 45 72 72 00 00 00   ...PMAnsi.Err...
0090  2C 00 00 00 99 16 03 00-7C FA 2A 2F 78 34 00 00   ,.......|.*/x4..
00A0  B5 51 EC 30 54 EE 85 2F-B8 09 00 00 00 00 0A 70   .Q.0T../.......p
00B0  6D 61 6E 73 69 2E 65 78-65 00 00 00 2C 00 00 00   mansi.exe...,...
00C0  BA 16 03 00 8E F4 85 2F-21 07 00 00 A4 18 E4 30   ......./!......0
00D0  BE EE 85 2F 00 00 00 00-00 00 0C 50 4D 53 65 72   .../.......PMSer
00E0  69 61 6C 2E 45 72 72 00-2C 00 00 00 BF 16 03 00   ial.Err.,.......
00F0  5E FA 2A 2F 69 2D 00 00-B5 51 EC 30 54 EE 85 2F   ^.*/i-...Q.0T../
0100  B8 09 00 00 00 00 0B 70-6D 76 74 31 30 30 2E 65   .......pmvt100.e
0110  78 65 00 00 28 00 00 00-DC 16 03 00 E4 AC 17 2F   xe..(........../
0120  7B 22 00 00 A4 18 E4 30-54 EE 85 2F 00 00 00 00   {".....0T../....
0130  00 00 06 72 65 61 64 6D-65 00 00 00 2C 00 00 00   ...readme...,...
0140  EF 16 03 00 BC A4 2C 2F-06 05 00 00 A4 18 E4 30   ......,/.......0
0150  56 EE 85 2F 00 00 00 00-00 00 0C 72 65 67 69 73   V../.......regis
0160  74 65 72 2E 74 78 74 00-2C 00 00 00 F3 16 03 00   ter.txt.,.......
0170  B0 F8 2A 2F 15 87 00 00-A4 18 E4 30 54 EE 85 2F   ..*/.......0T../
0180  00 00 00 00 00 00 0B 72-65 78 78 69 6E 74 2E 64   .......rexxint.d
0190  6C 6C 00 00 28 00 00 10-74 3F 01 00 46 DA DA 30   ll..(...t?..F..0
01A0  00 00 00 00 46 DA DA 30-46 DA DA 30 00 00 00 00   ....F..0F..0....
01B0  00 00 06 73 63 72 69 70-74 00 00 00 2C 00 00 00   ...script...,...
01C0  3C 17 03 00 96 F8 2A 2F-55 26 00 00 A4 18 E4 30   <.....*/U&.....0
01D0  54 EE 85 2F 00 00 00 00-00 00 0B 73 74 61 74 77   T../.......statw
01E0  69 6E 2E 64 6C 6C 00 00-2C 00 00 00 51 17 03 00   in.dll..,...Q...
01F0  F6 F7 2A 2F D5 14 00 00-A4 18 E4 30 54 EE 85 2F   ..*/.......0T../

Fig.7 The display produced by SEC.CMD

[d:\]sec d: 1234567
Requested sector is greater than the maximum LSN of this volume (819167)

[d:\]sec d: 1/63/35
Requested C/H/S is greater than the geometry of D: (399/63/32)

[d:\]sec d: 0/0/6
Requested C/H/S is below LSN 0 which starts at: 0/1/1

[d:\]sec 0/1/1

Purpose:
  SEC dumps disk sectors to STDOUT

Usage:
  SEC drive logical_sector_number in decimal,
                hex (0x) or dump style (0y)
  or
  SEC drive Cyl/Hd/Sec

Examples:
  SEC C: 1015
  SEC C: 0x3F7
  SEC C: 0yF7 03 01  or  0yF7 3 1  or   0y F7 3 1 0 = 0x000103F7
  SEC C: 2/14/5

Notes:
  LSN, Cyl & Hd are zero-based while Sec is one-based.
  LSN, being a logical numbering scheme, does not include the hidden
  sectors before the logical boot sector (LSN 0).

Fig.8 Error messages produced by SEC.CMD. Also shown is the invocation of the Help screen through the lack of a drive paramater.

The SEC.CMD program is listed in Figure 9. Again the program's operation is fairly straightforward. If you compare this program with the FILEDUMP.CMD program presented in The Joy Of REXX, SigBits, Sept 95 you can see that the display of the hex character is achieved using completely different methods. SEC follows a more traditional approach which I've used for variety and also because I wanted to put a dash halfway along the row. In the lines 41-57 section the Charout() function is used rather than SAY so as to control when a carriage return occurs. The program accounts for the different number of hidden sectors on a boot partition compared to other partitions and the effect these have on the physical location of LSN 0.

001 /* Shows a sector based on Drive and either LSN or C/H/S */

002 PARSE UPPER ARG drive lsn . 1 '0X' hex . 1 '0Y' y1 y2 y3 y4 .,
003     1 . cyl '/' hd '/' sec .         /* Parse parm line 4 times */

004 /* There must be at least two parms supplied */
005 IF drive =  | lsn =  THEN CALL HELP
006 /* Only parm supplied was for help */
007 IF WordPos(drive,"? /? /H HELP") \= 0 THEN CALL Help

008 /* Register external functions */
009 CALL RxFuncAdd 'QDrive','sector','QDrive'
010 CALL RxFuncAdd 'ReadSect','sector','ReadSect'
011 CALL DriveInfo           /* Determine drive geometry */
012 secPerCyl = (totalHd + 1) * secPerTrk

013 /* Adjust for presence of other secs before LSN 0 */
014 lsnStartPos = GetHiddenSecs()

015 SELECT
016 WHEN hex= & y1= & hd= & sec= THEN    /* Dec LSN format */
017    CALL WithLSN
018 WHEN hex \=  THEN                 /* 0x hex format */
019    DO
020    lsn = X2D(hex)
021    CALL WithLSN
022    END
023 WHEN Y1 \=  THEN                  /* 0y hex format */
024    DO
025    lsn = X2D(Right('00'y4,2)||Right('00'y3,2)||,
026               Right('00'y2,2)||Right('00'y1,2))
027    CALL WithLSN
028    END
029 WHEN sec \=  THEN    /* C/H/S format */
030    DO
031    CALL WithCHS
032    CALL CheckForNegativeLSN
033    END
034 OTHERWISE CALL Help
035 END

036 '@cls'
037 SAY "LSN" lsn "(0x"D2X(lsn,8)") on" drive " Cyl:"cyl", Hd:
      "hd", Sec:"sec " (Max CHS:" totalCyl"/"totalHd"/"secPerTrk")"
038 SAY
039 sec = ReadSect(drive,lsn)        /* Read in required sector */

040 /* Display the sector */
041 DO paraBoundary = 0 TO 511 BY 16
042    /* Display hex char & a space */
043    CALL Charout, D2X(paraBoundary,4)" "
044    DO offset = 1 TO 16
045       IF offset \= 9 THEN
             CALL Charout, " "C2X(Substr(sec,paraBoundary+offset,1))
047       ELSE    /* Put a dash between hex bytes 7 & 8 */
             CALL Charout, "-"C2X(Substr(sec,paraBoundary+offset,1))
049    END offset

050    CALL Charout, "   "   /* 3 spaces between hex & ASCII */
051    DO offset=1 TO 16     /* Display the printable ASCII chars */
052       char = Substr(sec,paraBoundary+offset,1)
053       IF char < " " | char > "~" THEN
054          CALL Charout, "."    /* Swap non-print char for a dot */
055       ELSE
056          CALL Charout, char
057    END offset

058    SAY                       /* Start a new line */
059 END paraBoundary
060 EXIT     /****************EXECUTION ENDS HERE****************/

061 DriveInfo:          /* Determine drive geometry */
062 PARSE VALUE QDrive(drive) WITH totalSec totalCyl totalHd secPerTrk .
063 totalCyl = totalCyl - 1
064 totalHd  = totalHd - 1
065 RETURN

066 GetHiddenSecs: /* Given Drive, return dec value of Dword */
067 /* Num of hidden secs is specified in the logical boot sec
068     (LSN 0) in the dword stored at offset 29 decimal.
069     This region is part of the BPB (BIOS Parameter Block) */
070 logicalBootSec = ReadSect(drive, 0)
071 hiddenSecs = Reverse(Substr(logicalBootSec,29,4))
072 RETURN C2D(hiddenSecs)

073 WithCHS:                    /* Given CHS, determine LSN */
074 IF dec < 1 THEN CALL ShowErrMsg "Physical sector numbering starts from 1"
075 IF cyl < 0 THEN CALL ShowErrMsg "Cylinder numbering starts from 0"
076 IF cyl > totalCyl | hd > totalHd | sec > secPerTrk THEN
077    DO
078    SAY
079    SAY "Requested C/H/S is greater than geometry of" drive
                       "("TotalCyl"/"TotalHd"/"secPerTrk")"
080    EXIT
081    END

082 IF hd<0 THEN CALL ShowErrMsg "Head numbering starts from 0"

083 /* Work out LSN, given Cyl, Hds, Sec */
084 lsn = cyl * secPerCyl
085 lsn = lsn + (hd * secPerTrk)
086 lsn = lsn + sec
087 lsn = lsn - lsnStartPos - 1         /* LSN is zero-based */
088 RETURN

089 ShowErrMsg:
090 ARG errMsg
091 SAY
092 SAY errMsg
093 EXIT

094 CheckForNegativeLSN:
095 /* Neg LSN will occur if specified CHS is in hidden area */
096 IF lsn < 0 THEN
097    DO
098    lsn = 0
099    CALL WithLSN
100    displayString = cyl"/"hd"/"sec
101    SAY
102    SAY "Requested C/H/S is below LSN 0 which starts at:" displayString
103    EXIT
104    END
105 RETURN

106 WithLSN:          /* Given LSN, determine CHS */
107 sec = lsn + lsnStartPos

108 IF lsn + 1 > totalSec THEN  /* LSN is zero-based */
109    DO
110    SAY
111    SAY "Requested sector is greater than the maximum LSN"
112    SAY "of this volume ("totalSec-1")"
113    SAY
114    EXIT
115    END

116 cyl = sec % secPerCyl           /* Determine cyl value */
117 sec = sec - (Cyl*secPerCyl)  /* Determine remainder secs */
118 hd = (sec % secPerTrk) // (totalHd+1)  /* Determine hd */
119 sec = sec - (hd*secPerTrk)+1    /* Determine sec value */
120 RETURN

121 Help:
122 SAY
123 SAY "Purpose:"
124 SAY "  SEC dumps disk sectors to STDOUT"
125 SAY
126 SAY "Usage:"
127 SAY "  SEC drive logical_sector_number in decimal, hex (0x)
                                             or dump style (0y)"
128 SAY "       or"
129 SAY "  SEC drive Cyl/Hd/Sec"
130 SAY
131 SAY "Examples:"
132 SAY "  SEC C: 1015"
133 SAY "  SEC C: 0x3F7"
134 SAY "  SEC C: 0yF7 03 01  or  0yF7 3 1  or  0y F7 3 10
                                                     = 0x000103F7"
135 SAY "  SEC C: 2/14/5"
136 SAY
137 SAY "Notes:"
138 SAY "  LSN, Cyl & Hd are zero-based while Sec is one-based."
139 SAY "  LSN, being a logical numbering scheme, does not include"
140 SAY "  the hidden secs before the logical boot sec (LSN 0)."
141 EXIT

Fig. 9 The SEC.CMD sector dumping program.

Other Programs

ShowSuperSpare.cmd and SEC.CMD provide a good basis on which to launch an investigation into HPFS' structure. But other programs ease the task considerably. Let's see some examples of their output. Figure 10 shows how the GammaTech Utilities' Sedit displays the contents of a file's Fnode sector. It can also display this data in a raw hex format. This file has 10 fragments. (It was download by a DOS comms package which negated HPFS anti-fragmentation strategies.) A very nice feature is that a highlight bar can be tabbed between valid dword pointer addresses on the screen. If you then press Enter you teleport to that location. The screen has two sizes: 25 and 41 rows. The later size is much more convenient since a complete sector's contents can be displayed without scrolling.

HPFS F-Node

Signature: ..................... F7E40AAE
Length of Full Name: ........... 0B
Name (Max 15 ASCII Characters):  ALBT170.ZIP
Directory F-Node Pointer: ...... 0005C327
Flag: .......................... 00 File
Data Length: ................... 0008AB64
Allocation Pointers:
FFFFFFFF  000769D6  000349CC  000000CD  00000029  000763F9
000000F6  00000069  0007661A  0000015F  00000014  000766C9
00000173  0000001B  0007671B  0000018E  00000033  0007673F
000001C1  000000C7  0007680E  00000288  00000028  0007699C

Path: \DN\ALBT170.ZIP

   Format: HPFS ESC=Menu F1=Help D: Sector: 000349CB

Figure 10: FNODE display from the GammaTech Utilities' Sedit. Highlight bar is on the LSN of the second extent (of 10). The first extent starts at 000349CCh so there is quite a distance between these two extents. The remainder of the extents are close to the second extent. Press Enter on any highlighted address switches to show that location.

Figure 11 shows the display of the Graham Utilities' HPFSView. The screen resizes in response to the mode setting. The display is colour and symbol coded and a legend is shown when F1 is pressed. When you click on a sector all other sectors associated with it are highlighted and the name of the structure is given. In this diagram three of the file's 10 extents (the large green areas) are shown. The intervening "F" and the light sector just after it are another file's Fnode and its first extent. The dark "A" represents ALBT170.ZIP's Anode, with the next 3 "u" sectors being unallocated (free). Since ALBT170.ZIP has more than 8 extents its layout can not be described within its Fnode so an Anode is used. Note: HPFSView is also available in the demo version of the GU's, GULITE.ZIP.

Hpfs 11.gif

Fig.11 Graphical display of The Graham Utilities' HPFSView. Shown are the 2nd, 3rd and start of the 4th extent (in green). Also shown is the file's ALNODE ("A") due to there being more than 8 extents.

DiskEdit (also from the GUs) looks like a typical sector editor until you actually enter Edit mode. If you do so while situated on a HPFS structure then the display becomes much more interesting, as shown in figure 12. Here part of ALBT170.ZIP's Fnode is shown. (Pressing Down Arrow brings up the remainder). As you move the cursor down through the data fields the description changes at the bottom.

 HPFS Disk D: Cylinder 105 Head 15 Sector 12  FNODE  No Mask         Offset 000
 .sig                     :f7e40aae
 .ulSRHist                :0
 .ulFRHist                :0
 .achName[0] (name length):11
 .achName[1] (name itself):ALBT170.ZIP
 .lsnContDir              :377639 (Cyl= 184 Head=26 Sector= 8)
 .aiACL.sp.cbRun          :0
 .aiACL.sp.lsn            :0      (Cyl=   0 Head= 1 Sector= 1)
 .aiACL.usFNL             :0
 .aiACL.bDat              :0
 .cHistBits               :0
 .aiEA.sp.cbRun           :0
 .aiEA.sp.lsn             :0      (Cyl=   0 Head= 1 Sector= 1)
 .aiEA.usFNL              :0
 .aiEA.bDat               :0
 .bFlag                   :0
 .fst.alb.bFlag           :80
 .fst.alb.bPad            :000000
 .fst.alb.cFree           :11
 .fst.alb.cUsed           :1
 .fst.alb.oFree           :16
 .fst.a.aaln[0].lsnLog    :4294967295
 .fst.a.aaln[0].lsnPhys   :485846 (Cyl= 237 Head=15 Sector=23)
 .fst.a.aaln[1].lsnLog    :215500
 .fst.a.aaln[1].lsnPhys   :205    (Cyl=   0 Head= 7 Sector=14)
 .fst.a.aaln[2].lsnLog    :41
 .fst.a.aaln[2].lsnPhys   :484345 (Cyl= 236 Head=32 Sector=26)
 .fst.a.aaln[3].lsnLog    :246
 .fst.a.aaln[3].lsnPhys   :105    (Cyl=   0 Head= 4 Sector=10)
 This is the signature for the FNODE. It should be F7E40AAE.

Fig.12 The Graham Utilities' DiskEdit FNODE editing screen output.

Finally, the output of the freeware FST in info mode is shown in Figure 13. After examining FST's included C source code it is evident that both FST and GU's DiskEdit use the same field names so I suspect that both authors have had access to the same detailed HPFS structural information. (I've not been able to find out yet where they got it from.)

[d:\]fst info d: \dn\albt170.zip

Directory entry 8 of DIRBLK 394788+0 (394788)
  Length:                      44
  Flags:                       0x00
  Attributes:                  0x20 arch
  FNODE:                       215499
  Time of creation:            0x3114b500 (1996-02-04 13:30:40)
  Time of last modification:   0x2fcefa76 (1995-06-02 11:48:06)
  Time of last access:         0x3115342c (1996-02-04 22:33:16)
  Size of file:                568164
  Size of extended attributes: 0
  Number of ACEs:              0
  Code page:                   437
FNODE: 215499
  Flags:                       0x00
  Size of file:                568164
  Number of `need' EAs:        0
  Offset of first ACE:         196
  ACL size in FNODE:           0
  External ACL size:           0
  Node count:                  1
ALSEC(.0): 485846
  Leaf count:                  10
  File data in 205 sectors 215500-215704 (file sector 0)
  File data in 41 sectors 484345-484385 (file sector 205)
  File data in 105 sectors 484890-484994 (file sector 246)
  File data in 20 sectors 485065-485084 (file sector 351)
  File data in 27 sectors 485147-485173 (file sector 371)
  File data in 51 sectors 485183-485233 (file sector 398)
  File data in 199 sectors 485390-485588 (file sector 449)
  File data in 40 sectors 485788-485827 (file sector 648)
  File data in 16 sectors 485830-485845 (file sector 688)
  File data in 406 sectors 485892-486297 (file sector 704)
  Allocation tree height:      1
  Number of sectors:           1110
  Number of extents:           10

Fig. 13 FST 's info display of a file's DIRBLK, FNODE and ALSEC (Anode) contents.

The Big Picture

When dealing with something as complex as HPFS it helps if you can get an overall idea of the layout of the partition. Figure 14 shows the layout of an empty 100 MB volume.


     LSN      Name                     Size
                                       Secs

       0   BootBlock                     16
      16   SuperBlock                     1
      17   SpareBlock                     1
      18   Marked "allocated"             2
      20   Bitmap #1                      4
      24   Hotfix Mapping Table           4
      28   Hotfix Secs                  100
     128   Code page info                 1
     129   Code page data                 1
     130     Band 1                  16,254
   16384     Band 2                  16,380
   32764   Bitmap #2                      4

   32768   Bitmap #3                      4
   32772     Band 3                  16,380
   49152     Band 4                  16,380
   65532   Bitmap #4                      4

   65536   Bitmap #5                      4
   65540     Band 5                  16,380
   81920     Band 6                  16,372
   98292   DirBlk Band Bitmap             4
   98296   Root Directory DirBlk          4
   98300   Bitmap #6                      4

   98304   Bitmap #7                      4
   98308   DirBlk Band                1,980
  100288   Spare DirBlks                 80
  100368   Root Directory Fnode           1
  100369     Band 7 (start)           2,015
  102384   List of Bitmap Secs            4
  102388   List of Bad Secs               4
  102392   Used ID (ACL) Table            8
  102400     Band 7 (continued)      12,288
  114688     Band 8                  16,380
  131068   Bitmap #8                      4

  131072   Bitmap #9                      4
  131076     Band 9                  16,380
  147456     Band 10                 16,380
  163836   Bitmap #10                     4

  163840   Bitmap #11                     4
  163844     Band 11                 16,380
  180224     Band 12                 16,380
  196604   Bitmap #12                     4

  196608   Bitmap #13                     4
  196612     Band 13                  8,156

Fig.14 The layout of a 100 MB HPFS partition.

Notes:

  1. While Bitmap #1 is situated at LSN 20, it covers allocation of LSN 0-16383. I've shown Band 1 as having 16,254 sectors. This is free space. The actual size is 16,384 sectors but 130 sectors are occupied by other structures and are marked in the bitmaps as used.
  2. LSN 18 and 19 are always marked as "allocated" in Band 1's bitmap but do not belong to any file or structure. So they could be considered to be "lost" sectors. However CHKDSK does not report them as such.
  3. There is no separate list sector shown for the Spare DirBlks (LSN 100288-100367). Rather, the list of Spare DirBlks is kept within the SpareBlock as 20 dword pointers to their location.
  4. This partition ends at LSN 204767. Notice how the DirBlk Band (LSN 98308-100287) is near the seek centre of this volume.

Conclusion

By now you should be forming some concept of HPFS's layout. But a lot more information will need to be presented before we've connected all the dots on the Big Picture. Next month we look at how disk space is assigned when we examine the layout of a band's Bitmap Block. We will also see how Code Pages are used.