The Boot Status Data Log

Windows has long provided for its loader to detect that the previous Windows session did not start satisfactorily and to offer the Advanced Options menu automatically, especially to suggest choosing the Last Known Good Configuration. At least since Windows XP, this work is done by maintaining a boot status in a file. For Windows Vista, the first steps for booting Windows have been revised substantially and there are now two types of Boot Status Data (BSD) log file, one for the Boot Manager and one for each installation of Windows. The one for the Boot Manager is new for Windows Vista, but for both there is scarcely any documentation from Microsoft.

Boot Manager

When booting a machine on which Windows Vista is installed, the first loader to execute is BOOTMGR, here called the Boot Manager. This binary reads the Boot Configuration Data (BCD) store to discover which Windows versions are installed and with which startup options. If there’s a choice, then it is presented as the Windows Boot Manager menu.

The Boot Manager has its own BSD log file. This is ordinarily named “bootstat.dat” in the “\boot” directory of the system partition. This is a natural location for a record of events from before it is known which Windows system will start (or even which Windows systems are available). However, the location is configurable in the BCD store:

BCD Element Format Value
0x11000043 device the device that contains the BSD file
0x12000044 string a pathname to the BSD file
0x16000045 boolean if true, BSD entries from previous sessions are preserved;
if false, the BSD file is reset on each session

The relevant BCD elements have no friendly names for use with BCDEDIT and must be worked with as custom types. For example, the typical configuration can be specified explicitly with the BCDEDIT commands

bcdedit /set {bootmgr} custom:0x11000043 partition=C:
bcdedit /set {bootmgr} custom:0x12000044 \boot\bootstat.dat 
bcdedit /set {bootmgr} custom:0x16000045 off 

File Format

The file is acceptable to BOOTMGR only if it is exactly 64KB. The first 0x10 bytes are a header:

Offset Size Value
0x00 dword always 2, apparently a version number
0x04 dword always 0x10, apparently the size of the header
0x08 dword always 0x00010000, apparently the size of the file
0x0C dword size of valid data, in bytes

The valid data includes the file header and any number of logged entries that follow.

Entries

Each entry consists of an entry header followed immediately by entry data:

Offset Size Value
0x00 dword time stamp, in seconds
0x04 dword always zero, significance unknown
0x08 0x10 bytes GUID of event source;
but empty if event source is BOOTMGR
0x18 dword size of entry, in bytes
0x1C dword severity code
0x20 dword always 2, apparently a version number
0x24 dword event identifier
0x28 varies entry data; size depends on event identifier 

The time stamp in this header is calculated from BIOS interrupt 0x1A function 0x00, to be a number of seconds since the start of the day on which the machine started. On a PC/AT machine booted from a hard disk, the event source is necessarily BOOTMGR and so the GUID in this header is empty.

The severity code is 0x01 for events that are apparently informational and 0x03 for events that are errors. Known values of the event identifier are:

Identifier Event Data
0x01 log file initialised see below
0x11 boot application launched see below
0x12 boot application returned see below
0x13 failed to load boot application NT status code, followed by pathname of boot application
0x14 BCD failure NT status code, followed by pathname of BCD store
0x15 no valid boot application entries in BCD store NT status code, followed by pathname of BCD store
0x16 general failure NT status code

For many of the events, the accompanying data is an NT status code followed immediately by a pathname. The NT status code is 4 bytes. The pathname is a null-terminated Unicode string. For general failure, there is just the 4-byte status code.

Initialisation Event

The entry data for the initialisation event has the form:

Offset Size Value
0x00 0x10 bytes time as structure (see below)
0x10 dword always 1, significance unknown
0x14 dword always 0, significance unknown

The first 0x10 bytes record the time from BIOS interrupt 0x1A functions 0x02 and 0x04:

Offset Size Value
0x00 word year
0x02 word month
0x04 word day
0x06 word hour
0x08 word minute
0x0A word second
0x0C word always 0, significance unknown
0x0E word always 7, significance unknown

Note that this time has the forensic value of establishing when the computer was most recently booted, but with the time in plain sight without having to start the computer and risk changing anything.

Launch Event

Each entry on the Windows Boot Manager menu corresponds to a boot application. The entry data for launching a boot application has the form:

Offset Size Value
0x00 0x10 bytes GUID of boot application
0x10 dword type of start
0x14 varies pathname of boot application, as null-terminated Unicode string

The type of start is 0 normally, including for a custom boot sequence, but may be 1 or 2 when launching boot applications in a recovery sequence.

Return Event

When a boot application returns, whether because of success, failure or cancellation (e.g., at its Advanced Boot Options or Edit Boot Options menu), the entry data is

Offset Size Value
0x00 0x10 bytes GUID of boot application
0x10 dword always 0, significance unknown

Windows Loader

A separate BSD file is maintained by each Windows system that starts. Details are presently beyond the scope of this article.