Detailed Notes on the

"Dirty Shutdown Flag"

under MS-Windows
Written in 2001
First, note that the data shown below is fro the beginning
of a F!"#2 file syste$s F!" %File !llo&ation "able'( whi&h is
used by the Windows )*$+$%,S-2', Windows )./Win).S0 and WinM0
,Ss, and will also be used by Windows 2000 or Windows 12 when
they a&&ess a F!"#2 3olue4
When o5erating under real %16-bit' D,S 741 %the Windows
)./).S0 +oot Dis8' or at any tie before one of the Windows
,5erating Systes has loaded itself into Meory %using the F.
8ey, for e9a5le, to sele&t :oand 2ro5t only', the .th byte
%se&tor offset 007' of a #2-bit F!"$s first se&tor should be a
0Fh %or an FFh'4 ;nder the Windows ,Ss listed abo3e, it a55ears
%fro dis8 editor obser3ations <$3e ade' that Mi&rosoft uses the
0Fh byte only for the 3olue that &ontains the running ,5erating
Syste, and the FFh byte for any other 3olue that it is
a&&essing4 as seen in this e9a5le 5artial dis8 editor 3iew of
the F!"$s first se&tor=
!bsolute se&tor )* %&ylinder 0, head 1, Se&tor ## '
0 1 2 # > * 6 7 . ) ! + : D 0 F
0000= F. FF FF 0F FF FF FF 0F 0# 00 00 00 0> 00 00 00
0010= FF FF FF 0F 06 00 00 00 07 00 00 00 0. 00 00 00
0020= 0) 00 00 00 0! 00 00 00 0+ 00 00 00 0: 00 00 00
?our F!" ight loo8 li8e this instead=
!bsolute se&tor )* %&ylinder 0, head 1, Se&tor ## '
0 1 2 # > * 6 7 . ) ! + : D 0 F
0000= F. FF FF FF FF FF FF FF 0# 00 00 00 0> 00 00 00
0010= FF FF FF 0F 06 00 00 00 07 00 00 00 0. 00 00 00
0020= 0) 00 00 00 0! 00 00 00 0+ 00 00 00 0: 00 00 00
%Note= ,nly the first . bytes are i5ortant for this dis&ussion@'
,n&e Windows starts booting u5, the eigth byte is &hanged to a
07h %or an F7h A' whi&h will be set ba&8 to a 0Fh %or FFh' only
if Windows is 5ro5erly shut down4 <f there$s a 5ower failure, or
the syste$s 2ower swit&h is a&&identally turned ,FF or the
syste ust be anually rebooted be&ause the Windows ,S gets
$lo&8ed u5$ %&rashes' due to soe software 5roble, then this
byte will reain a 07h %or F7h' whi&h tells the Windows ,S %ne9t
tie it is booted' that there was soe 8ind of i5ro5er shut
down@ <f the syste had been in the 5ro&ess of downloading a file
fro the Net or writing to the hard dri3e for any reason, then
it$s li8ely one or ore errors will e9ist in the file stru&ture
of the dri3e, so Windows iediately runs S&anDis8 when it sees
that it wasn$t shut down &orre&tly the last tie4
<f for soe reason you wish to te5orarily 8ee5 Windows fro
autoati&ally running S&anDis8 after a &rash, Windows ). has a
sele&tion in its Syste :onfiguration 5rogra for doing so( in
Windows )*, the line !utoS&anB0 ust be added to the Cidden,
Syste file, MSD,S4S?S4
-----------------------------------------------------------------
---------------
-eferen&es
"he following inforation is ta8en fro 5age 17 of the wor8, F!"=
Deneral ,3er3iew of ,n-Dis8 Forat % Eersion 1402, May *, 1)))' !
Cardware White 2a5er by Mi&rosoft :or5oration4 %2DF Forat' <t
has been slightly re3ised and edited for the forat of this web
5age4
" What are the two reser3ed &luster FfieldsG at the start of
the F!" for H "
"he first reser3ed &luster, F!"F0G, &ontains the +2+IMedia
byte 3alue in its low . bits, and all other bits are set to 14
For e9a5le, if the +2+IMedia 3alue is 09F., then
for F!"16, F!"F0G B 09FFF., and FF.FF on dis84G
for F!"#2, F!"F0G B 090FFFFFF.4 FF.FFFF0F on dis84G
%or= F!"#2, F!"F0G B 09FFFFFFF.4 FF.FFFFFF on dis84G'
"he se&ond reser3ed &luster, F!"F1G, is set by F,-M!" to the 0,:
ar84 ,n F!"12 3olues, it is not used and si5ly always &ontains
an 0,: ar84 For F!"16 and F!"#2, the file syste dri3er ay use
the high two bits of the F!"F1G entry for dirty 3olue flags %all
other bits, are always left set to 1'4 Note that the bit lo&ation
is different for F!"16 and F!"#2, be&ause they are the high 2
bits of the entry4 F"his is a 3ery 5oor way to state the
differen&es here@G
For F!"16=
:lnShut+itMas8 B 09.000(
Crd0rr+itMas8 B 09>000(
For F!"#2=
:lnShut+itMas8 B 090.000000(
Crd0rr+itMas8 B 090>000000(
+it :lnShut+itMas8 - <f bit is 1, 3olue is "&lean"4
<f bit is 0, 3olue is "dirty"4 "his
indi&ates that
the file syste dri3er did not disount the 3olue 5ro5erly
the last
tie it had the 3olue ounted4 <t would be a good idea to
run a
:h8ds8/S&andis8 dis8 re5air utility on it, be&ause it ay be
daaged4
F F!"#2 09a5le= 09FFFFFFFF 1,- 090.000000 B 09F7FFFFFF
1111 0111 B F7h
J
K --- "his is the $:lnShut+it$G
+it Crd0rr+itMas8 - <f this bit is 1, no dis8 read/write errors
were
en&ountered4
<f this bit is 0, the file syste dri3er
en&ountered a
dis8 </, error on the Eolue the last tie it was ounted,
whi&h is an
indi&ator that soe se&tors ay ha3e gone bad on the 3olue4
<t would
be a good idea to run a :h8ds8/S&andis8 dis8 re5air utility
that does
surfa&e analysis on it to loo8 for new bad se&tors4
F F!"#2 09a5le= 09FFFFFFFF 1,- 090>000000 B 09F+FFFFFF
1111 1011 B F+h
J
K --- "his is the $Crd0rr+it$G
-----------------------------------------------------------------
---------------
Notes
A <t a55ears that soe utility 5rograers %5erha5s e3en soe at
Mi&rosoftH@' were isguided into a8ing the wrong assu5tions
about the words highlighted abo3e %in yellow' fro the original
Mi&rosoft White 2a5er4 0lsewhere in this sae 5a5er %5age 1*',
the author infors us that=
"! F!"#2 F!" entry is a&tually only a 2.-bit entry4 "he high >
bits of a F!"#2 F!" entry are reser3ed4 "he only tie that the
high > bits of F!"#2 F!" entries should e3er be &hanged is when
the 3olue is foratted, at whi&h tie the whole #2-bit F!" entry
should be Leroed, in&luding the high > bits4
! bit ore e95lanation is in order here, be&ause this 5oint
about F!"#2 F!" entries sees to &ause a great deal of
&onfusion4"
Well, it ight not ha3e if the author had also entioned this
fa&t when &oenting on the F!"#2$s F!" signature bytes@