BOOTAPP specification
This is an incomplete specification for the data structures used to convey information between stages of the Windows NT6 (Vista, Server 2008 and later) boot process.
Entry point
BOOTAPP programs are 32-bit PE executables. At entry, the CPU is using flat 32-bit addressing with paging disabled, and interrupts are disabled.
A single parameter is passed on the stack: a pointer to a BOOTAPP structure.
BOOTAPP structure
| Offset | Type | Contents |
| 0x00 | char[8] | “BOOT APP” signature |
| 0x08 | dword | Version? |
| 0x0c | dword | Total length of all structures |
| 0x10 | dword | Machine architecture |
| 0x14 | dword | Zero |
| 0x18 | dword | Pointer to PE header |
| 0x1c | dword | Zero |
| 0x20 | dword | Length of PE in memory |
| 0x24 | dword | Offset to memory descriptor structure |
| 0x28 | dword | Offset to BTAPENT structure |
| 0x2c | dword | Offset to BTAPENT-duplicate-fragment structure |
| 0x30 | dword | Offset to callback structure |
| 0x34 | dword | Offset to pointless structure |
Memory descriptor structure
| Offset | Type | Contents |
| 0x00 | dword | Version? |
| 0x04 | dword | Length of this header |
| 0x08 | dword | Number of memory region descriptors |
| 0x0c | dword | Length of each memory region descriptor |
| 0x10 | dword | 0x00000008 ? |
| 0x14 | array | Array of memory region descriptors |
Memory region descriptor
| Offset | Type | Contents |
| 0x00 | dword | Zero |
| 0x04 | dword | Zero |
| 0x08 | qword | Start page address |
| 0x10 | dword | Zero |
| 0x14 | dword | Zero |
| 0x18 | qword | Number of pages |
| 0x20 | dword | Zero |
| 0x24 | dword | Flags ? |
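The following is an added example, not code from the original specification: a bounds-checked walk of the BOOTAPP and memory descriptor structures above, as a boot application might do before trusting the offsets and counts it was handed. It assumes that fields are little-endian, that the offset at 0x24 is relative to the start of the BOOTAPP structure, and that each region descriptor is at least 0x28 bytes long; the function name `bootapp_total_pages` and its `buf`/`len` interface are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Little-endian reads that do not assume alignment. */
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) {
    return rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}

/* Sum "Number of pages" over all memory region descriptors.
 * Returns 0 on success, negative if a length, offset or count would
 * take a read outside the "Total length of all structures". */
int bootapp_total_pages(const uint8_t *buf, size_t len, uint64_t *pages) {
    if (len < 0x38 || memcmp(buf, "BOOT APP", 8) != 0)
        return -1;                      /* too short or bad signature */
    uint32_t total = rd32(buf + 0x0c);  /* total length of all structures */
    if (total < 0x38 || total > len)
        return -2;
    uint32_t md = rd32(buf + 0x24);     /* offset to memory descriptor */
    if (md > total || total - md < 0x14)
        return -3;                      /* descriptor header must fit */
    uint32_t count = rd32(buf + md + 0x08);
    uint32_t each = rd32(buf + md + 0x0c);
    if (each < 0x28)                    /* assumed minimum, per the table */
        return -4;
    if ((uint64_t)count * each > total - md - 0x14)
        return -5;                      /* 64-bit multiply cannot wrap */
    *pages = 0;
    for (uint32_t i = 0; i < count; i++) {
        *pages += rd64(buf + md + 0x14 + (size_t)i * each + 0x18);
    }
    return 0;
}

int main(void) {
    uint8_t b[0x38 + 0x14 + 0x28] = {0};  /* constructed sample: one region */
    uint64_t pages = 0;
    memcpy(b, "BOOT APP", 8);
    b[0x0c] = (uint8_t)sizeof b; b[0x24] = 0x38;
    b[0x38 + 0x08] = 1; b[0x38 + 0x0c] = 0x28; b[0x4c + 0x18] = 16;
    int rc = bootapp_total_pages(b, sizeof b, &pages);
    printf("rc=%d pages=%llu\n", rc, (unsigned long long)pages);
    return rc != 0;
}
```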
BTAPENT structure
| Offset | Type | Contents |
| 0x00 | char[8] | “BTAPENT” signature |
| 0x08 | dword | 0x00000021 ? |
| 0x0c | guid | GUID of boot entry |
| 0x1c | dword | Zero |
| 0x20 | dword | Zero |
| 0x24 | dword | Zero |
| 0x28 | dword | Zero |
| 0x2c | struct | BTAPENT-0x2c structure |
BTAPENT-0x2c structure
| Offset | Type | Contents |
| 0x00 | dword | 0x11000001 ? |
| 0x04 | dword | Length of this header |
| 0x08 | dword | Total length of following structures within BTAPENT |
| 0x0c | dword | Zero |
| 0x10 | dword | Zero |
| 0x14 | dword | Zero |
BTAPENT-0x2c-0x18 structure
| Offset | Type | Contents |
| 0x00 | dword | Zero |
| 0x04 | dword | Zero |
| 0x08 | dword | Zero |
| 0x0c | dword | Zero |
BTAPENT-0x2c-0x18-0x10 structure
| Offset | Type | Contents |
| 0x00 | dword | 0x00000004 ? |
| 0x04 | dword | Zero |
| 0x08 | dword | Length of this structure |
| 0x0c | dword | Zero |
| 0x10 | dword | 0x00000100 ? |
| 0x14-0x45 | byte | Zero |
BTAPENT-duplicate-fragment structure
Copy of BTAPENT-0x2c-0x18-0x10 structure
Callback structure
| Offset | Type | Contents |
| 0x00 | dword | Pointer to pointer to callback entry points |
| 0x04 | dword | Zero |
Pointless structure
| Offset | Type | Contents |
| 0x00 | dword | Version? |
| 0x04 | dword | Zero |
| 0x08 | dword | Zero |
| 0x0c | dword | Zero |
| 0x10 | dword | Zero |
| 0x14 | dword | Zero |
| 0x18 | dword | Zero |
Real-mode callback parameters
| Offset | Type | Contents |
| 0x00 | dword | INT number or segment:offset address to call |
| 0x04 | dword | %eax value |
| 0x08 | dword | %ebx value |
| 0x0c | dword | %ecx value |
| 0x10 | dword | %edx value |
| 0x14 | dword | Ignored (%esp placeholder?) |
| 0x18 | dword | Ignored (%ebp placeholder?) |
| 0x1c | dword | %esi value |
| 0x20 | dword | %edi value |
| 0x24 | dword | Ignored (%cs placeholder?) |
| 0x28 | dword | %ds value |
| 0x2c | dword | Ignored (%ss placeholder?) |
| 0x30 | dword | %es value |
| 0x34 | dword | %fs value |
| 0x38 | dword | %gs value |
| 0x3c | dword | eflags value (return only) |