BOOTAPP specification
This is an incomplete specification for the data structures used to convey information between stages of the Windows NT6 (Vista, Server 2008 and later) boot process.
Entry point
BOOTAPP programs are 32-bit PE executables. At entry, the CPU is using flat 32-bit addressing with paging disabled, and interrupts are disabled.
A single parameter is passed on the stack: a pointer to a BOOTAPP structure.
BOOTAPP structure
Offset | Type | Contents |
0x00 | char[8] | “BOOT APP” signature |
0x08 | dword | Version? |
0x0c | dword | Total length of all structures |
0x10 | dword | Machine architecture |
0x14 | dword | Zero |
0x18 | dword | Pointer to PE header |
0x1c | dword | Zero |
0x20 | dword | Length of PE in memory |
0x24 | dword | Offset to memory descriptor structure |
0x28 | dword | Offset to BTAPENT structure |
0x2c | dword | Offset to BTAPENT-duplicate-fragment structure |
0x30 | dword | Offset to callback structure |
0x34 | dword | Offset to pointless structure |
Memory descriptor structure
Offset | Type | Contents |
0x00 | dword | Version? |
0x04 | dword | Length of this header |
0x08 | dword | Number of memory region descriptors |
0x0c | dword | Length of each memory region descriptor |
0x10 | dword | 0x00000008 ? |
0x14 | array | Array of memory region descriptors |
Memory region descriptor
Offset | Type | Contents |
0x00 | dword | Zero |
0x04 | dword | Zero |
0x08 | qword | Start page address |
0x10 | dword | Zero |
0x14 | dword | Zero |
0x18 | qword | Number of pages |
0x20 | dword | Zero |
0x24 | dword | Flags ? |
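A consumer of these structures should bounds-check every length and offset field against the total length at 0x0c before following it; the following is an added example of such a check for the BOOTAPP header and memory descriptor tables above, not code from the original specification. Assumptions: fields are little-endian, the offsets at 0x24-0x34 are relative to the start of the BOOTAPP structure, and the names bootapp_check, bootapp_demo and the BA_* codes are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
enum { BA_OK = 0, BA_BAD_SIG = -1, BA_BAD_LEN = -2, BA_BAD_OFFSET = -3, BA_BAD_MEMDESC = -4 };
/* Little-endian accessors; callers bounds-check before reading. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
/* True if [off, off + len) lies within `total` bytes, with no integer wrap. */
static int fits(uint64_t off, uint64_t len, uint64_t total) { return off <= total && len <= total - off; }

/* Validate a BOOTAPP blob of n bytes; on success store the summed page count. */
int bootapp_check(const uint8_t *b, size_t n, uint64_t *pages) {
    if (n < 0x38 || memcmp(b, "BOOT APP", 8) != 0) return BA_BAD_SIG;
    uint32_t total = rd32(b + 0x0c);
    if (total < 0x38 || total > n) return BA_BAD_LEN;
    for (size_t f = 0x24; f <= 0x34; f += 4)    /* the five offset fields */
        if (!fits(rd32(b + f), 4, total)) return BA_BAD_OFFSET;
    uint32_t md = rd32(b + 0x24);
    if (!fits(md, 0x14, total)) return BA_BAD_MEMDESC;
    uint32_t count = rd32(b + md + 0x08), rlen = rd32(b + md + 0x0c);
    if (rlen < 0x28 || !fits((uint64_t)md + 0x14, (uint64_t)count * rlen, total))
        return BA_BAD_MEMDESC;                  /* region array would overrun the blob */
    *pages = 0;
    for (uint32_t i = 0; i < count; i++) {      /* qword page count at region + 0x18 */
        const uint8_t *r = b + md + 0x14 + (size_t)i * rlen;
        uint64_t np = rd32(r + 0x18) | (uint64_t)rd32(r + 0x1c) << 32;
        if (np > UINT64_MAX - *pages) return BA_BAD_MEMDESC;
        *pages += np;
    }
    return BA_OK;
}

/* Constructed sample: `built` regions of 16 pages each, descriptor claiming `claimed`. */
long long bootapp_demo(uint32_t built, uint32_t claimed) {
    static uint8_t b[0x400];
    uint64_t pages = 0;
    if (built > 23) return BA_BAD_LEN;          /* keep the sample inside b[] */
    uint32_t total = 0x54 + built * 0x28;       /* header, descriptor at 0x40, array at 0x54 */
    memset(b, 0, sizeof b); memcpy(b, "BOOT APP", 8);
    wr32(b + 0x0c, total);
    for (size_t f = 0x24; f <= 0x34; f += 4) wr32(b + f, 0x40);
    wr32(b + 0x44, 0x14); wr32(b + 0x48, claimed); wr32(b + 0x4c, 0x28);
    for (uint32_t i = 0; i < built; i++) wr32(b + 0x54 + i * 0x28 + 0x18, 16);
    int rc = bootapp_check(b, total, &pages);
    return rc == BA_OK ? (long long)pages : rc;
}
int main(void) { printf("%lld %lld\n", bootapp_demo(2, 2), bootapp_demo(2, 3)); return 0; }
```

The second call in main() builds two regions but sets the region count to three, so the check rejects the blob instead of reading past the stated total length.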
BTAPENT structure
Offset | Type | Contents |
0x00 | char[8] | “BTAPENT” signature |
0x08 | dword | 0x00000021 ? |
0x0c | guid | GUID of boot entry |
0x1c | dword | Zero |
0x20 | dword | Zero |
0x24 | dword | Zero |
0x28 | dword | Zero |
0x2c | struct | BTAPENT-0x2c structure |
BTAPENT-0x2c structure
Offset | Type | Contents |
0x00 | dword | 0x11000001 ? |
0x04 | dword | Length of this header |
0x08 | dword | Total length of following structures within BTAPENT |
0x0c | dword | Zero |
0x10 | dword | Zero |
0x14 | dword | Zero |
BTAPENT-0x2c-0x18 structure
Offset | Type | Contents |
0x00 | dword | Zero |
0x04 | dword | Zero |
0x08 | dword | Zero |
0x0c | dword | Zero |
BTAPENT-0x2c-0x18-0x10 structure
Offset | Type | Contents |
0x00 | dword | 0x00000004 ? |
0x04 | dword | Zero |
0x08 | dword | Length of this structure |
0x0c | dword | Zero |
0x10 | dword | 0x00000100 ? |
0x14-0x45 | byte | Zero |
BTAPENT-duplicate-fragment structure
Copy of BTAPENT-0x2c-0x18-0x10 structure
Callback structure
Offset | Type | Contents |
0x00 | dword | Pointer to pointer to callback entry points |
0x04 | dword | Zero |
Pointless structure
Offset | Type | Contents |
0x00 | dword | Version? |
0x04 | dword | Zero |
0x08 | dword | Zero |
0x0c | dword | Zero |
0x10 | dword | Zero |
0x14 | dword | Zero |
0x18 | dword | Zero |
Real-mode callback parameters
Offset | Type | Contents |
0x00 | dword | INT number or segment:offset address to call |
0x04 | dword | %eax value |
0x08 | dword | %ebx value |
0x0c | dword | %ecx value |
0x10 | dword | %edx value |
0x14 | dword | Ignored (%esp placeholder?) |
0x18 | dword | Ignored (%ebp placeholder?) |
0x1c | dword | %esi value |
0x20 | dword | %edi value |
0x24 | dword | Ignored (%cs placeholder?) |
0x28 | dword | %ds value |
0x2c | dword | Ignored (%ss placeholder?) |
0x30 | dword | %es value |
0x34 | dword | %fs value |
0x38 | dword | %gs value |
0x3c | dword | eflags value (return only) |