This is an incomplete specification for the data structures used to convey information between stages of the Windows NT6 (Vista, Server 2008 and later) boot process.
BOOTAPP programs are 32-bit PE executables. At entry, the CPU is using flat 32-bit addressing with paging disabled, and interrupts are disabled.
A single parameter is passed on the stack: a pointer to a BOOTAPP structure.
| Offset | Type | Contents |
|---|---|---|
| 0x00 | char[8] | “BOOT APP” signature |
| 0x08 | dword | Version? |
| 0x0c | dword | Total length of all structures |
| 0x10 | dword | Machine architecture |
| 0x14 | dword | Zero |
| 0x18 | dword | Pointer to PE header |
| 0x1c | dword | Zero |
| 0x20 | dword | Length of PE in memory |
| 0x24 | dword | Offset to memory descriptor structure |
| 0x28 | dword | Offset to BTAPENT structure |
| 0x2c | dword | Offset to BTAPENT-duplicate-fragment structure |
| 0x30 | dword | Offset to callback structure |
| 0x34 | dword | Offset to pointless structure |

| Offset | Type | Contents |
|---|---|---|
| 0x00 | dword | Version? |
| 0x04 | dword | Length of this header |
| 0x08 | dword | Number of memory region descriptors |
| 0x0c | dword | Length of each memory region descriptor |
| 0x10 | dword | 0x00000008 ? |
| 0x14 | array | Array of memory region descriptors |

| Offset | Type | Contents |
|---|---|---|
| 0x00 | dword | Zero |
| 0x04 | dword | Zero |
| 0x08 | qword | Start page address |
| 0x10 | dword | Zero |
| 0x14 | dword | Zero |
| 0x18 | qword | Number of pages |
| 0x20 | dword | Zero |
| 0x24 | dword | Flags ? |
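As an added example (not part of the original specification, and not code from any boot loader), here is a bounds-checked reader for the BOOTAPP header, memory descriptor header and memory region descriptors tabulated above. It assumes the offset at 0x24 is relative to the start of the BOOTAPP structure and that all fields are little-endian; every identifier and the sample buffer are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Offsets come from the tables above; the names are this example's own. */
enum { BA_TOTAL = 0x0c, BA_MEMDESC = 0x24, BA_HDR = 0x38,    /* BOOTAPP header */
       MD_COUNT = 0x08, MD_EACH = 0x0c, MD_ARRAY = 0x14,     /* memory descriptor */
       MR_START = 0x08, MR_PAGES = 0x18, MR_LEN = 0x28 };    /* memory region */
/* Read/write n-byte little-endian values regardless of host byte order. */
static uint64_t rd(const uint8_t *p, int n) { uint64_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }
static void wr(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns the region count, or a negative code naming the failed check.
 * Assumes the 0x24 offset is relative to the start of the BOOTAPP structure. */
int bootapp_check(const uint8_t *buf, size_t len, uint64_t *total_pages)
{
    if (len < BA_HDR || memcmp(buf, "BOOT APP", 8) != 0)
        return -1;                        /* short buffer or wrong signature */
    uint64_t total = rd(buf + BA_TOTAL, 4);
    if (total < BA_HDR || total > len)
        return -2;                        /* claimed length exceeds what we hold */
    uint64_t md = rd(buf + BA_MEMDESC, 4);
    if (md < BA_HDR || md > total - MD_ARRAY)
        return -3;                        /* descriptor header overlaps or overruns */
    uint64_t count = rd(buf + md + MD_COUNT, 4), each = rd(buf + md + MD_EACH, 4);
    /* 32-bit fields held in 64 bits, so count * each cannot wrap */
    if (each < MR_LEN || count * each > total - md - MD_ARRAY)
        return -4;                        /* region array runs past the end */
    *total_pages = 0;
    for (uint64_t i = 0; i < count; i++) {
        const uint8_t *r = buf + md + MD_ARRAY + i * each;
        uint64_t start = rd(r + MR_START, 8), pages = rd(r + MR_PAGES, 8);
        if (pages > UINT64_MAX - start || pages > UINT64_MAX - *total_pages)
            return -5;                    /* page range wraps around 2^64 */
        *total_pages += pages;
    }
    return (int)count;
}

/* Constructed sample: BOOTAPP header, descriptor header, two regions (0x9c bytes). */
size_t make_sample(uint8_t *buf)
{
    memset(buf, 0, 0x9c);
    memcpy(buf, "BOOT APP", 8);
    wr(buf + BA_TOTAL, 0x9c, 4); wr(buf + BA_MEMDESC, BA_HDR, 4);
    wr(buf + 0x38 + MD_COUNT, 2, 4); wr(buf + 0x38 + MD_EACH, MR_LEN, 4);
    wr(buf + 0x4c + MR_START, 0x100, 8); wr(buf + 0x4c + MR_PAGES, 0x10, 8);
    wr(buf + 0x74 + MR_START, 0x200, 8); wr(buf + 0x74 + MR_PAGES, 0x20, 8);
    return 0x9c;
}
```

Every length and offset is compared against the space actually remaining before it is used to form a pointer, so a structure whose fields disagree with the buffer is rejected rather than walked.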

| Offset | Type | Contents |
|---|---|---|
| 0x00 | char[8] | “BTAPENT” signature |
| 0x08 | dword | 0x00000021 ? |
| 0x0c | guid | GUID of boot entry |
| 0x1c | dword | Zero |
| 0x20 | dword | Zero |
| 0x24 | dword | Zero |
| 0x28 | dword | Zero |
| 0x2c | struct | BTAPENT-0x2c structure |

| Offset | Type | Contents |
|---|---|---|
| 0x00 | dword | 0x11000001 ? |
| 0x04 | dword | Length of this header |
| 0x08 | dword | Total length of following structures within BTAPENT |
| 0x0c | dword | Zero |
| 0x10 | dword | Zero |
| 0x14 | dword | Zero |

| Offset | Type | Contents |
|---|---|---|
| 0x00 | dword | Zero |
| 0x04 | dword | Zero |
| 0x08 | dword | Zero |
| 0x0c | dword | Zero |

| Offset | Type | Contents |
|---|---|---|
| 0x00 | dword | 0x00000004 ? |
| 0x04 | dword | Zero |
| 0x08 | dword | Length of this structure |
| 0x0c | dword | Zero |
| 0x10 | dword | 0x00000100 ? |
| 0x14-0x45 | byte | Zero |

Copy of BTAPENT-0x2c-0x18-0x10 structure
| Offset | Type | Contents |
|---|---|---|
| 0x00 | dword | Pointer to pointer to callback entry points |
| 0x04 | dword | Zero |

| Offset | Type | Contents |
|---|---|---|
| 0x00 | dword | Version? |
| 0x04 | dword | Zero |
| 0x08 | dword | Zero |
| 0x0c | dword | Zero |
| 0x10 | dword | Zero |
| 0x14 | dword | Zero |
| 0x18 | dword | Zero |

| Offset | Type | Contents |
|---|---|---|
| 0x00 | dword | INT number or segment:offset address to call |
| 0x04 | dword | %eax value |
| 0x08 | dword | %ebx value |
| 0x0c | dword | %ecx value |
| 0x10 | dword | %edx value |
| 0x14 | dword | Ignored (%esp placeholder?) |
| 0x18 | dword | Ignored (%ebp placeholder?) |
| 0x1c | dword | %esi value |
| 0x20 | dword | %edi value |
| 0x24 | dword | Ignored (%cs placeholder?) |
| 0x28 | dword | %ds value |
| 0x2c | dword | Ignored (%ss placeholder?) |
| 0x30 | dword | %es value |
| 0x34 | dword | %fs value |
| 0x38 | dword | %gs value |
| 0x3c | dword | eflags value (return only) |