Geoff Chappell - Software Analyst
The SYSTEM_BOOT_ENVIRONMENT_INFORMATION structure (formally _SYSTEM_BOOT_ENVIRONMENT_INFORMATION) is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemBootEnvironmentInformation (0x5A).
The SYSTEM_BOOT_ENVIRONMENT_INFORMATION structure is not documented.
Microsoft does publish the practical equivalent of a C-language definition as type information in symbol files—not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for a handful of higher-level DLLs that might ordinarily be thought very distant from any involvement with the structure. Perhaps only by oversight, but starting as long ago as Windows 8, Microsoft’s downloadable packages of public symbols have included a smattering of private symbol files and these continue to be available through the public symbol server. Precisely which DLLs have the type information varies between versions. COMBASE.DLL is among the more reliable nowadays. Disclosure in symbol files for URLMON.DLL stopped for the 1803 release of Windows 10 but is specially notable because of this DLL’s origins in Internet Explorer and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use (including by the programmers of competing web browsers).
The SYSTEM_BOOT_ENVIRONMENT_INFORMATION structure is 0x20 bytes in both 32-bit and 64-bit Windows 8 and higher, but is only 0x18 bytes in earlier versions. The older, smaller structure is retained in Windows 8 and higher as SYSTEM_BOOT_ENVIRONMENT_V1.
Offset | Definition | Versions
---|---|---
0x00 | GUID BootIdentifier; | 6.0 and higher
0x10 | FIRMWARE_TYPE FirmwareType; | 6.0 and higher
0x18 | ULONGLONG BootFlags; | 6.2 and higher
The kernel learns the BootIdentifier from the loader via the BootIdentifier member of the LOADER_PARAMETER_EXTENSION. Its retrieval through the SYSTEM_BOOT_ENVIRONMENT_INFORMATION is how BCDEDIT knows which of the installed Windows systems actually got booted.
The FIRMWARE_TYPE enumeration is defined in WINNT.H for user-mode programming. Its retrieval through the SYSTEM_BOOT_ENVIRONMENT_INFORMATION is how NTDLL supports FIRMWARE_TYPE as a fake environment variable. Programmers who think to use this structure and NtQuerySystemInformation just to get the firmware type would do better to use the documented KERNEL32 function GetFirmwareType instead.
The BootFlags are what the loader passes to the kernel via the BootFlags member of the LOADER_PARAMETER_EXTENSION.
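The following is an added example, not code from the page or from Microsoft: it decodes the output buffer that NtQuerySystemInformation fills for SystemBootEnvironmentInformation (0x5A), handling both the 0x18-byte SYSTEM_BOOT_ENVIRONMENT_V1 layout and the 0x20-byte layout of Windows 8 and higher, and renders the BootIdentifier in the registry-style text that BCDEDIT uses for boot-entry identifiers. The struct is spelled out with fixed-width types so it builds on any C compiler; the FIRMWARE_TYPE values are those of WINNT.H, and the sample buffer is constructed, not captured from a real system.

```c
/* Added example, not from the page or from Microsoft: decode the buffer that
 * NtQuerySystemInformation fills for SystemBootEnvironmentInformation (0x5A),
 * accepting the 0x18-byte SYSTEM_BOOT_ENVIRONMENT_V1 layout as well as the 0x20-byte
 * layout of Windows 8 and higher. Fixed-width types replace the SDK types so the code
 * builds on any C compiler; FIRMWARE_TYPE values are those of WINNT.H. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t Data1; uint16_t Data2; uint16_t Data3; uint8_t Data4[8]; } GUID;
typedef enum { FirmwareTypeUnknown, FirmwareTypeBios, FirmwareTypeUefi, FirmwareTypeMax } FIRMWARE_TYPE;

typedef struct {
    GUID          BootIdentifier;   /* 0x00: 6.0 and higher */
    FIRMWARE_TYPE FirmwareType;     /* 0x10: 6.0 and higher */
    uint32_t      Alignment;        /* 0x14: padding to an 8-byte boundary */
    uint64_t      BootFlags;        /* 0x18: 6.2 and higher */
} SYSTEM_BOOT_ENVIRONMENT_INFORMATION;
#define SYSTEM_BOOT_ENVIRONMENT_V1_SIZE 0x18
#define SYSTEM_BOOT_ENVIRONMENT_SIZE    0x20

/* Returns 1 when BootFlags was present (0x20 bytes), 0 for the V1 layout (BootFlags
 * reported as 0), -1 for any other length. memcpy keeps this valid for an unaligned raw
 * buffer; the byte order assumed is the little-endian one of x86/x64 Windows. id gets
 * the GUID as registry-style text, the form in which BCDEDIT shows boot-entry identifiers. */
int decode_boot_environment(const void *buf, size_t len, char id[39],
                            FIRMWARE_TYPE *firmware, uint64_t *flags)
{
    SYSTEM_BOOT_ENVIRONMENT_INFORMATION info;
    const GUID *g = &info.BootIdentifier;
    if (len != SYSTEM_BOOT_ENVIRONMENT_V1_SIZE && len != SYSTEM_BOOT_ENVIRONMENT_SIZE)
        return -1;
    memset(&info, 0, sizeof info);
    memcpy(&info, buf, len);
    snprintf(id, 39, "{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
             (unsigned)g->Data1, g->Data2, g->Data3, g->Data4[0], g->Data4[1],
             g->Data4[2], g->Data4[3], g->Data4[4], g->Data4[5], g->Data4[6], g->Data4[7]);
    *firmware = info.FirmwareType;
    *flags    = (len == SYSTEM_BOOT_ENVIRONMENT_SIZE) ? info.BootFlags : 0;
    return len == SYSTEM_BOOT_ENVIRONMENT_SIZE;
}

/* Constructed 0x20-byte sample, not captured from a real system: identifier
 * {01234567-89ab-cdef-0123-456789abcdef}, FirmwareTypeUefi, BootFlags 0x12. */
const uint8_t sample_boot_environment[SYSTEM_BOOT_ENVIRONMENT_SIZE] = {
    0x67,0x45,0x23,0x01, 0xab,0x89, 0xef,0xcd, 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,
    0x02,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x12,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
```

On a live system the same function would be given the buffer and the returned length from the NtQuerySystemInformation call, so that a pre-Windows 8 kernel's 0x18-byte answer is decoded without reading past the data it supplied.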