Course 3, module 5, we're going to talk about the GUID partition table schema throughout this module. The GUID partition table is what you're going to see on most of your modern disk today. It works through globally unique identifiers called GUIDs. A GUID is 128-bit value and its use to uniquely identify something. It's expressed in an 8-4-4-4-12 format and we can see an example of that below. This will overcome the two terabyte restriction that Master Boot Record has. Because remember when we talked about Master Boot Record, we talked about our maximum values. We only have four bytes to address them and we can address them at FF FF FF. But that restricts us to two terabytes of addressing. This will overcome that two terabyte restriction. You will still see a protective Master Boot Record in sector 0, and that is there so Windows does not try to format the disk because there is nothing in sector 0, your file system, a Windows file system we'll try to format the drive. The partition table contains up to 128 partition entries. Each of these entries is 128 bytes long. Now you might remember back when we talked about MBR, we only had 16 bytes to describe and address our partitions. Here we have 128 bytes. That gives us a lot more room. Our partition table header is located in physical sector 1. There is a backup copy at the end of the disk and it uses quiz to identify each partition, the type, and also to uniquely identify the partition. It's in physical sector 1 because in physical sector 0 we have that protective aster Boot Record. This is a visual layout of how a GPT formatted disk will look. You can see right up in sector 0 we have our protective Master Boot Record. In sector 1, we have our GPT header. In sector 2, we have our GUID partition table entries starting in sector 2. Starting in sector 34, is where you're going to see your first actual partition, your first data partition that will contain data and then you'll see below that the remaining partitions and then at the end of the drive we have a backup copy of the GPT, the GUID partition table, and a backup copy of the GPT header. The protective master boot record, like I said, prevents the operating system from formatting the drive. There will be a single entry in there that will span the entire drive. It will account for all data on the drive, you'll see a partition type of EE and it will start with 1, showing us sector 1, and then showing us the maximum value, FF FF FF. This is what you'll see in the protective master boot record. The GPT header, remember, is much larger and we have a signature at the start of the header and it's eight bytes long and it's going to say and ask you EFI part. So if you're looking at a disk and you look in sector 1, and you see this EFI part, you know you're looking at a quick partition schema. You know you're looking at a GPT disk. Now, a logical doubt it hexadecimal 2, 0, we're going to see the location of the backup copy of the GPT. How we do this in hex is we start here, we got out two and we can see this is the address of the backup copy of the GPT. It's used for recovery purposes. Now at offset 2, 8 so you go down 1, 2 and over 8. We can see the start of the partition area. This is going to tell us where the partition area starts. At offset 3, 0, this is going to tell us where the partition area ends. These are the actual partitions around the drive. Now, down at offset 3, 8, we see our disk GUID. This GUID uniquely identifies this particular disk. It is 16 bytes long. It starts here and goes down. It's outlined in green. That's our disk GUID and it is a unique identifier for a particular disk. At offset 48, we see where the partition table starts and we can see if we, all these values are read little-endian. Just want to let you know that we talked about endianness back at the beginning of this path. We can see that that's going to be two, which says sector 2. Each entry, like I said, is a 128 bytes long. The beginning of the entry starting at offset 00 is going to be the partition type GUID. What that means is, what type of partition is it? Is it a basic data partition? Is it an EFI system partition? Is it a reserved partition? What type of partition is it? Then down at offset 10 we're going to see the partitioning GUID. This GUID uniquely identifies that partition. So you'll see partition type GUIDs which are not unique. They'll be consistent from disk to disk and they'll identify the type of partition you're looking at, but the partition GUID is a unique identifier and that will become important. Then at offset to 20, you're going to see the start of the partition where the partition starts and then at offset 28, you're going to see the address of where the partition ends. At offset 30, we're going to see partition flags such as read-only or hidden, or other attributes of the file of that partition. Then at offset 38, you're going to see the name of the partition in Unicode. Let's take a look here. These are some common GUID partition types and this is shown in hex as you'll see them on this. These are converted to GUIDs. This is in hexadecimal as you will see it on the disk. This particular GUID would be an unused entry. You can see we have different types of Linux Swap, Microsoft Reserved, Microsoft EFI System partition and then different types of partitions depending on what partition is on there. Basic data partition, this shows the partition types converted to GUIDs. We can see we have Microsoft Reserved, basic data, Windows Recovery Environment, just different types of partitions. Like I said, the type GUID is not a unique identifier, these GUIDS will be consistent across operating systems. This slide shows us an example of a partition table entry. This would be in single entry in the GUID partition table. We can see we have the first 16 bytes, and this is the type GUID. You can see it starts with A2 and ends down here with C7. This tells us what type of partition we're looking at. If we go down one line, we can now see the volume GUID and it starts with 2C and ends with 2A. This is that unique identifier that identifies that volume, that identifies that individual partition on the drive. If we go down another line to 30, we see the logical block address, the start of the partition where those particular partitioning starts. We can see it's down here and it starts at LBA 32,768. Remember these are read little-endian, so up here we can see we've converted to little-endian and we've translated that hexadecimal value to a decimal value and now we know where the start of this particular partition is. The next eight bytes, we can see down here on disk starts with FF and ends with 00 for a length them eight bytes. This is telling us the end of that partition, where the partition ends. Again, we would convert it to little-endian, like we've done up here and you can see, and this is the ending LBA and when we translate that hex to decimal, we get the address of the end of the logical block address for that particular partition. We have the startup where the partition starts and we also have where the partition ends, which is something we did not have when we looked at our MBR partition entries. Now we can see the flags. This particular one, you can see down here starts with 00, ends with hexadecimal 80. That is the flags. In this particular case, we would again read it Little Indian. This particular flag says, "No drive letter." It could say, "Hidden." It could say, "No drive letter." It could say any other type of attribute attributed to that particular partition. The remainder here shows us the name of the partition in hexadecimal, and if we were to translate that to ASCII, we would see that that was a basic data partition. What I'd like you to do now if you haven't already done so, is please download the GPT VHD from the class drive. Please go ahead and attach that through disk management and open up Active Disk Editor. We're going to take a look at that particular disk which is formatted GPT, that VHD in Active Disk Editor, so we can see what this all looks like on disk. We are going to go ahead and bring up disk management. I want to make sure that everybody has attached the VHD, so if you have not, go to "Actions", "Attach VHD", navigate out to where you saved your GPT VHD for this class. Select the VHD, select "Open", and then you'd go ahead and attach the VHD. Once the VHD is attached, note the drive, note the disk number, so when we go to attach it, we can see it in Active Disk Editor so we can select the right disk. Mine is 15, yours will probably have a different number. If we do that one more time for everybody, we're going to go to "Actions", "Attach VHD", navigate out to where we saved our class, "GPT VHD", select it, select "Open", and we'll be able to attach it and just hit "Okay", and it will attach. Once you've done that, note the disk number so we can find it when we're using Active Disk Editor. Let's go ahead and open up Active Disk Editor now. Once Active Disk Editor opens, we're going to select from the menu here, "Open Disk", and we're going to go ahead and select physical drive, whatever number your particular GPT VHD was in Disk Management, and we're going to click "Open". Once it opens up, you can see it here in physical sector 0, and you can see that we're in physical sector 0. This is our protective master boot record. We're going to go ahead and change our template to master boot record for a minute so we can look at that. Go back in, make sure you're on offset 0, right-click, set template position. If you don't set it right from the beginning, you set it in the middle, it will not read correctly. Once we set our template, we're going to go ahead and look at our protective master boot record. We have one partition entry which is what we expect to see, it is not bootable. Then we would have our legacy cylinder head sector and we have our partition type flag here, which we can see is EE, which is what we expect to see because we know that a partition type of EE stands for GUID partition schema. We're looking at a GPT disk. Then we would have our following three bytes of legacy cylinder head sector, and we can see the first sector, like we said, this will span the whole disk. It'll go from sector 1 all the way out until the absolute maximum sectors it can address using four bytes, which would be FF, FF, FF. This is telling me that this is accounting for the whole disk. Remember, we only have four bytes to address using master boot record schema. With GUID partition table schema, we have eight bytes to use for sector addressing, which will allow us to address a lot more sectors. Now, we're going to look at our EFI part, sector 1. This is the GPT header is in sector 1. We do not have a template for this. We're going to go ahead and go with no template. We're going to navigate through here. In the header, we see our signature for a length of eight bytes. We can see it says EFI part, and that lets us know that we're looking at a GPT partition disk. Starting down at 20, and remember, we count one, two, 20, for a length of eight bytes. We're going to open up our Data Inspector here and we're going to expand our window up so we can see our Data Inspector. This value is read little-endian, and we can see right here, we get the location of our backup copy of the GPT. This tells us where our backup copy of our grid partition table will be located at, which sector? This is the sector that the backup copy is located in. If we look at offset 28, and again, we're starting from the top of the partition header, the GPT header, going down two and over eight. This is going to be the start of where the GUID partition area is. This is where our partitions are located. We can see that it's 34, which is what we expect because 34 is where we're going to see the start of our partition area, where the actual partitions are out on the drive. Partition 34 would be the start of our partition area. Now we're going to look at offset 30 from the start of the GPT header, one, two three. Again, we're going to look at a length of eight bytes. This is going to be the end of where our partitions are, the end of the partition area. Now, we're going to look at our disk GUID, which is at offset 38 for a length of 16 bytes. This is the disk GUID, this disk GUID uniquely identifies this physical disk, it's the disk GUID. Now we're going to look at our next eight bytes and this tells us the start of our partition table. The start of our partition table is located at sector number 2, we're going to see the start of the partition table. That's what we're going to look at next. Remember, we're looking at eight bytes of data, 8 times 8 is 64, this is a 64-bit unsigned value. Looking down at sector 2, we can see what sector we're in down here on the corner, sector 2. This is the start of our GUID partition table. We're going to go to templates, and we're going to go to GPT table. We can see this is the start of our GUID partition table, and each of these is a GUID partition table entry. They're all 128 bytes long, and if we were to scroll down, I could show you there are a 128 of them. We're just going to take a look at the first one. This tells us what we're looking at. This is the partition type GUID and this is going to be a length of 16 bytes and that's our partition type GUID. It tells us what type of partition we're looking at. Again, it is also red little-endian. If we look at that, we can see it translates it for us, it is a Microsoft Reserved Partition. If we look here, this is our unique partition GUID and again, this is also 16 bytes long and it is the unique partition GUID. The first one is the type GUID, which is a Microsoft Reserved Partition and the second one is the unique identifier, which is the unique partition GUID. Continuing down, we can see where it starts and it starts in Sector 34, which is what we would expect to see where our first partition is. Now, we can see where it ends. It ends in Sector 32,767. That's the start of our partition and the end of our partition. These would be our attributes. We really don't have any attribute flags here to see and then we have the name of our partition. We can see that it is a Microsoft Reserved Partition. Just point out right here that the type GUID and the partition name will not always match because this is a system partition and Microsoft Reserved Partition, in this case, they just happened to match, but they won't always match. Moving down to our next entry, we see the type GUID and we can see it's a basic data partition. This is again a unique GUID. It uniquely identifies this partition on the drive. No other partition on the drive or subsequently any other drive should have the same GUID. This is where our partition starts. This is the starting LBA or starting sector of this partition and you can see out here 32,768 and we see the end of our partition over here. We're getting some big numbers, 2,093,055 and then we see our attributes which we do not have any attribute flag set. We could have hidden, we could have different types of attributes over here but we do not have any attribute flags set in this case and then we have the name of our partition, and it's a basic data partition. Our first partition here started at Sector 34. We'll go to "Sector" and we're going to say 34, and we'll say "Okay". We don't really have anything out here at this point in time. The next one was our basic data partition, which started at 32,768 and we do see something here. We can see that our basic data partition has a volume boot record. It is formatted NTFS and you can see here tells you sector we are in and that number matches the number for our starting sector. We have our volume boot record, we don't as of yet have any data on here, but we do have a volume boot record and we can see that the file system is NTFS.
