Sneaky Boot Tricks (PC Magazine Vol 5 No 4 Feb 25, 1986 User-to-User) The technique for patching COMMAND.COM to execute a file other than AUTOEXEC.BAT on boot-up was discussed in Vol 4 No 24 User-to-User. You can give this trick a twist by dropping the .BAT extension. This way, COMMAND.COM will execute the boot batch file only on boot-up. Attempts to run the file a second time will resulte in the "Bad command or filename" message. This is ideal for using those programs that stay resident but crash the system if you run them twice. Put the run-once-only programs in a hidden directory. You can access a directory using CD or CHDIR although it is hidden from normal display using DIR or TREE. For DOS 2.x, patch a copy of COMMAND.COM with DEBUG as follows: A>DEBUG COMMAND.COM -E 1078 "ONCE " -W -Q The added blanks are to erase the string "AUTOEXEC.BAT completely. Then create a file named ONCE (but without the .BAT extension) containing your initialization programs or whatever in the usual batch file format. You might even make the last entry a branch to an AUTOEXEC.BAT file to mislead the uninformed. At this point it is unlikely a casual user will spot your secrets. While patches of this sort are usually done with DEBUG, the Norton Utilities Sector Modify (SM.COM) program, or equivalent program, PC- Write by Quicksoft is quite capable of editing machine code files. PC- Write searches through the machine code rubbish to find specified ASCII strings with astonishing speed. If care is taken to use the overwrite mode, the altered program will run normally (except, of course, for your change). PC-Write can also be used to customize program logos and rewrite menu screens and help and message overlays. Patching may also be possible with other editors that use the declared file length rather than an end-of-file mark and allow the use of the full 256-character IBM character set. Editor's Note: It's true that COMMAND.COM will run both an AUTOEXEC program that lacks a BAT extension, as well as normal BAT, COM or EXE programs in hidden subdirectories. The best way to execute this trick is to change the AUTOEXEC.BAT reference in COMMAND.COM so it reflects the hidden path. The following technique is for floppies only -- playing with your hard disk directory in DEBUG can be very dangerous. In fact, be sure to type everything exactly as shown -- if you read a directory off a floppy disk and write it back to a hard disk, well, that's what backups are for. And these instructions are also expressly for DOS 3.1, although the same fundamental technique will work for other versions. First, put a blank floppy into drive B: and format it with the /S option. Next, create a subdirectory on this floppy called simply \A (by typing MD\A). Then, with this floppy still in drive B:, get into 3.1 DEBUG (if you don't have a hard disk with DEBUG already PATHed to, put a disk with DEBUG on it in drive A: and type A:DEBUG), and at the DEBUG prompt, type: -L 100 1 5 5 to load the beginning of the directory on drive B:. This is very important -- DEBUG refers to drive A: as 0, drive B: as 1, drive C: as 2, etc. Be very careful in using DEBUG to write to a disk. Avoid writing to drive 2, which is drive C:. To hide the \A subdirectory (or any unhidden file), all you have to do is add 2 to the value of the 12th byte (which is actually byte 11, since the first byte is byte 0). Since subdirectory names are really just files, the \A subdirectory will be the fourth file on your disk (after IBMBIO.COM, IBMDOS.COM and COMMAND.COM). Type D to see all four directory entries. The listing for \A will begin at address 160. Byte 11 (which is really the 12th byte) has a value of &H10. Adding 2 to it yields a value of &H12. So to hide the subdirectory, at the prompt, type: -E 16B 12. Then write the new directory back to disk by typing: -W 100 1 5 5. (This is exactly what you typed to load the directory, except that the L is replaced by a W.) You'll find the \A subdirectory is invisible to such DOS commands as DIR and TREE (but not to CHKDSK /V or CD). When finished, type Q to quit DEBUG. Once you've hidden the subdirectory, you have to change COMMAND.COM so it knows where to look for your boot file. Since AUTOEXEC.BAT takes up 12 characters, there's plenty of room for both a path and a secret filename for your boot program. Call the AUTOEXEC.BAT substitute program \A\SECRET. In DOS 3.1, \AUTOEXEC.BAT begins at address 130E, but since the hidden subdirectory is called \A, leave the first two characters "\A" alone. The remaining UTOEXEC.BAT begins at address 1310, so change that to \SECRET by typing: -E 1310 "\SECRET " followed by the usual W to write the file and Q to quit. Note there are four spaces at the end to pad out the unused characters, since \SECRET is shorter than UTOEXEC.BAT. Then copy the normal AUTOEXEC.BAT routine to b:\A\SECRET, and you're all set. Obviously, if you want to do this right, you'll use a name other than SECRET, which would provoke unnecessary curiosity. ----------------------------------------------------------------- Accelerating 2.1 The information contained below is courtesy of PC Tech Journal March 1986 by Robin Rodabaugh. Different versions of DOS have different values for head settle time. After seeking from one track to another, diskette drive heads tend to oscillate before they stabilize enough to be able to read or write data. In DOS 1.0, the head settle time default is 25 milliseconds. For DOS 1.1 and 2.0, this default is corrected to 0, which is one reason that these later versions run faster than 1.0. Upon introducing half- height drive support in DOS 2.1, this default inflated to 15 m-seconds. The patches presented below can reduce head settle time in 2.1 The FORMAT feature exhibits the most noticeable difference. A FORMAT of a double-sided, nin-sector diskette normally runs 65 seconds under DOS 2.1, but with the patches it takes 41 seconds. Tests on PCjr and PC Portable show no problems using the faster parameters (the reason given for the increase in head settle time in DOS 2.1 was to accomodate the half-height drives of PCjr and the Portable). To customize DOS 2.1 so it will run at the speed of versions 1.1 and 2.0, the reset diskette default parameters must be modified. They are contained in four locations: one in the bootstrap, two in the hidden file IBMBIO.COM, and one in the FORMAT command. The bootstrap parameters are in control momentarily at boot time. The IBMBIO.COM parameters are in control most of the time. The FORMAT.COM parameters are simply placed in the bootstrap of diskettes that are formatted; changing FORMAT.COM is a convenient way to implement the faster parameters for all diskettes to be formatted in the future, without having to run DEBUG for each one. With the patches, all disks formatted from the customized diskette or hard disk will have the faster parameters. A hard disk must have a single partition. All disk drives have a finite head settle time. The implementation of these modifications may cause data to be sent to the disk drive before the drive is ready. Most applications successfully perform a retry not visible to the user. The critical value for the head settle time is 0. Changes up to 65 m-seconds do not significantly alter the time required to format a diskette. To accomplish the customization, insert a double-sided boot diskette in drive A: or a hard disk in drive C:. Use DEBUG to change the head settle time defaults, as shown below. (Comments are shown in parentheses.) These same modifications cannot be made with DOS 3.1 as the bootstrap, because IBMBIO.COM and FORMAT.COM do not have the same string of instructions that reset the diskette default parameters. For Bootstrap: A>DEBUG -L 100 0 0 1 (Read in bootstrap) (If patching a hard disk, use "L 100 2 0 1") -D 100 (Confirm that location 12A contains 0F02CD18H) -E 12A 00 (Change 15 milliseconds to zero) -D 100 (Confirm that location 12A contains 00H) -W 100 0 0 1 (Write out the modified bootstrap) (If patching a hard disk, use "W 100 2 0 1") -Q (Exit DEBUG) For IBMBIO.COM: A>DEBUG -L 100 0 F 1 (Read in sector 4 of IBMBIO.COM) (If patching a hard disk, use "L 100 2 34 1") -D 100 (Confirm that location 177 contains 0F9C1E50H) -E 177 00 (Change 15 milliseconds to zero) -D 100 (Confirm that location 177 contains 00H) -W 100 0 F 1 (Write out sector 4 of IBMBIO.COM) (If patching a hard disk, use "W 100 2 34 1") -L 100 0 10 1 (Read in sector 5 of IBMBIO.COM) (If patching a hard disk, use "L 100 2 35 1") -D 100 (Confirm that location 154 contains 0FABB002H) -E 154 00 (Change 15 milliseconds to zero) -D 100 (Confirm that location 154 contains 00H) -W 100 0 10 1 (Write out sector 5 of IBMBIO.COM) (If patching a hard disk, use "W 100 2 35 1") -Q (Quit DEBUG) For FORMAT.COM: A>DEBUG -N FORMAT.COM (Name FORMAT.COM as the target file) -L (Read in FORMAT.COM) -D 1A00 (Confirm that location 1A22 contains 0F02CD19H) -E 1A22 00 (Change 15 milliseconds to zero) -D 1A00 (Confirm that location 1A22 contains 00H) -W (Write out the modified FORMAT.COM) -Q (Quit DEBUG) ----------------------------------------------------------------- Fast Reboots (PC Magazine Vol 5 No 7 Apr 15, 1986 User-to-User) An previous submission suggested a complicated method to reboot a system that redirected a text script through DEBUG. This method required two files and numerous disk accesses that are not necessary. The exact same procedure can be accomplished with a short .COM file. Use DEBUG to create a file, called REBOOT.COM: A>debug -n reboot.com -rcx -5 -e 100 ea f0 ff 00 f0 -w -q You can then reboot at any time in DOS simply by typing REBOOT. Editor's Note: This short program simply jumps to the reboot routine stored in ROM BIOS (at address F000:FFF0). There's an even more efficient way to reboot a system by using BIOS Interrupt 19. Use DEBUG and type: A>debug -n reboot.com -rcx -2 -e 100 cd 19 -w -q (This won't work if SideKick is loaded.) You can adapt this 2-byte program to jump to BASIC by using Interrupt 18 rather than 19. Simply change the second line of the above to: -n gobasic.com Then change the third line from the end to: -e 100 cd 18 After you create this file, typing GOBASIC will jump to Cassette BASIC. This can be used as a primitive security measure. ----------------------------------------------------------------- Custom Boot Records (PC Magazine Vol 5 No 9 May 13, 1986 User-to-User) There are two ways to use DEBUG to customize boot records. The first is to patch FORMAT.COM, which writes the boot message to disks that it formats. Get into DOS and type: DEBUG FORMAT.COM E YYYY "Put DOS system diskette in Drive A:" D A E ZZZZ "Press any key to start DOS ...." W Q substituting the message addresses for the YYYY and ZZZZ as follows: DOS 2.1 -- YYYY=1915 ZZZZ=193A DOS 3.1 -- YYYY=2498 ZZZZ=24BD The new message will then appear on every disk formatted with this customized version of FORMAT.COM You can also patch the boot record directly. Get into DOS and type: DEBUG L 0 N 0 1 E YYY "Put the DOS system diskette in Drive A:" D A E ZZZ "Press any key to start DOS ...." W 0 N 0 1 Q substituting the message addresses for the YYY and ZZZ as follows: DOS 2.1 -- YYY=182 ZZZ=1A7 DOS 3.1 -- YYY=161 ZZZ=186 and substituting the number of the drive for the N as follows: N=0 for drive A: N=1 for drive B: N=2 for drive C: N=3 for drive D: Editor's Note: These two techniques are valuable for expert users who are preparing disks for less expert users. FORMAT.COM writes the same confusing "Non-system disk or disk error/Replace and strike any key when ready" message to every diskette, even those formatted with the /S option. It's better to substitute your own friendly message. Changing FORMAT.COM probably makes more sense, since you can make one patch and have the new boot record written to every diskette you format afterward. However, customizing individual boot records can be useful when you want to add a special message for a particular user. And patching a program like FORMAT.COM is far safer than playing with a boot record where you're writing to an absolute sector, especially on hard disk systems. When you use DEBUG's W(rite) command, you specify the target drive somewhat counter-intuitively: A is 0, not 1; B is 1, not 2, etc. If you're not careful, you may thing you're writing to drive B: by specifying a 2, when 2 actually tells DEBUG to write to your hard disk C: with potentially horrendous results. This method uses DEBUG to L(oad) the contents of sector 0 into memory address 0. Most DEBUG users are accustomed to loading programs at address &H100. Both ways work but if you do load the information at 100 instead of 0, add 100 to the DEBUG YYY and ZZZ addresses (so 161 becomes 261, etc.). Make sure that all the sector and address information following the L and W commands is identical. And if you're not very familiar with the process, it's a good idea when patching something like a boot record to use the D(ump) command to make sure you're in the right place. After entering DEBUG, load the information (and watch the drive lights to make sure you're reading the proper disk) and then hit D a few times to make sure you're in the area with the "Non-system disk ..." messages. If you're not, immediately hit Q and then the Enter key to quit and start again. It's easy to find the location of such messages for other versions of DOS. If you're patching FORMAT.COM, after typing DEBUG FORMAT.COM, type RCX to find out low long the file is (then just hit the Enter key to return to the DEBUG hyphen prompt). Add 100 to the hex number printed on the screen, and then substitute it for the XXXX below and type: S 100 XXXX "Non-system disk" to S(earch) for every occurrence of "Non-system disk" in the file. DEBUG will print out the starting address for each piece of identical text it finds. If it finds several addresses, you can use the D command followed by these addresses to examine which one(s) you want to change. Finally, remember that your new message can't be longer than the original one. If it's shorter, be sure to pad it out with blank spaces before the final quotation mark to overwrite the old text completely.