Programs to examine registry hive files:
Perl Parse::Win32Registry module and regdump.pl (Debian: libparse-win32registry-perl).
hivex (Debian: libhivex-bin)
Moving an NTFS partition:
Tools available on Ubuntu LiveCD and on GParted LiveCD
Steps:
Shrink filesystem within partition with ntfsresize (-s to specify size in bytes which will be rounded down to cluster size).
Create new partition (type 7).
sfdisk can:
edit a single partition (-N2);
align partition to sectors (-uS) or cylinders (-uC);
write CHS address using given geometry (-C and -H).
Should align to 128 sectors (64 kB).
Copy filesystem data with dd or ntfsclone.
Enlarge filesystem within partition with ntfsresize (no -s to use entire partition, -f to run even though a check is scheduled by the previous resizing).
The sector address of the partition is recorded in its first sector in little-endian 4 bytes at offset 0x1c. This can be patched:
by gparted automatically when it is doing these steps;
by hand (dd if=/dev/sda2 count=1 | xxd >sector; vi sector; xxd -r sector >/dev/sda2);
by ms-sys automatically:
patch src/main.c to remove call to write_partition_physical_disk_drive_id because it overwrites something important;
compile with make on Ubuntu LiveCD;
bin/ms-sys -p /dev/sda2
by TestDisk (download Linux binary) using its boot sector recovery feature (also replaces MFT addresses by scanning the filesystem).
Booting a moved Vista partition:
The boot sector loads some more sectors (\$Boot), which then loads \bootmgr, which uses Boot Configuration Data in \Boot\BCD.
BCD must be updated after a partition move, otherwise booting results in an instant system reboot.
If the sector address of the partition still points to the old location of the partition, booting instead stops on file \Boot\BCD with status 0xc0000225.
Running chkdsk from Windows doesn't help (but it does update the backup boot sector).
Updating the BCD:
The startup repair feature of a Vista installation disc (any version) fixes it.
Manually editing:
The BCD file is in registry hive format.
Objects\{*}\Elements\11000001 binary values contain pointers to the partition. The byte address of the partition, in little-endian 8 bytes (maybe more or fewer), is at offset 0x20 of these values.
The values also contain other information identifying the partition, such as the 4-byte disk signature from MBR offset 0x1b8. This shouldn't change if the partition is simply moved on the disk.
Replace all instances (e.g. 6 instances, aligned to 4 mod 8 bytes) of the old byte address with the new byte address.
Check that the correct values, and all values, were replaced (diff output of regdump.pl -r -v).
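The replacement step above, as an added example (not code from the original notes): it patches the raw bytes of a copy of the BCD file and lists every offset it touched, so the result can be compared with the regdump.pl diff. It assumes 512-byte sectors; the function names and the sample blob are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


def patch_bcd_address(hive: bytes, old_sector: int, new_sector: int):
    """Replace each 8-byte little-endian copy of the old partition byte
    address with the new one. Returns (patched bytes, offsets, suspects)."""
    old = struct.pack("<Q", old_sector * SECTOR_SIZE)
    new = struct.pack("<Q", new_sector * SECTOR_SIZE)
    out = bytearray(hive)
    offsets = []
    pos = hive.find(old)
    while pos != -1:
        out[pos:pos + 8] = new
        offsets.append(pos)
        pos = hive.find(old, pos + 8)
    if not offsets:
        raise ValueError("old partition address not found; nothing patched")
    # The notes saw every real instance at file offset 4 mod 8; anything
    # else may be a chance match and should be inspected before writing.
    suspects = [o for o in offsets if o % 8 != 4]
    return bytes(out), offsets, suspects


def constructed_sample(sector: int, copies: int = 6) -> bytes:
    """Constructed stand-in for BCD cell data (not a real hive): a 4-byte
    cell header, then a value with the address at offset 0x20."""
    value = b"\xaa" * 0x20 + struct.pack("<Q", sector * SECTOR_SIZE) + b"\xaa" * 20
    return (b"\xc0\xff\xff\xff" + value) * copies


if __name__ == "__main__":
    blob = constructed_sample(2048)
    patched, offsets, suspects = patch_bcd_address(blob, 2048, 206848)
    print("replaced at", [hex(o) for o in offsets], "suspect:", suspects)
```

A non-empty suspects list means some match did not sit at offset 4 mod 8 and should be checked by hand before the patched copy is written back.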
Booting with GRUB:
GRUB 2 can find \bootmgr, but cannot chainload it (“invalid signature”). Forcing chainloading results in a system hang.
chainloader +1 works, even if the partition is at the end of the disk.