Utility to interpret BCD.LOG and BOOTSTAT.DAT binary files (W7 Boot hangs)
The main question is: "Are there any utilities that can interpret these two binary files:
- BCD.LOG
- BOOTSTAT.DAT
both of which are updated during the Vista/W7 boot process?"
I already know of EasyBCD and I have found this page about the BOOTSTAT.DAT format, but I would prefer not to re-invent the wheel.
Background Info.
I am in the uncomfortable position whereby my native Windows 7 partition declines to complete the boot process (even in safe mode with prompt).
This happened after having successfully booted it from VirtualBox through raw device access. As a matter of fact, the VB boot works consistently well. However, each time I attempt to boot natively, the boot process attempts to "repair" the configuration. In effect, from the outside, it spins the disks for ages and ends up stalled somewhere. Before I use the PQService partition to return to the factory configuration (it's a new machine anyway), I'd like to have a look at these 2 files, which I can access without any problem from the Ubuntu disk.
As an aside, if there are other files that could be of any help in diagnosing the root of the problem, please let me know. Does winload.exe produce a log, for instance (that's a secondary question)?
Please note that I am plainly aware that Windows 7 is quite touchy about the HW config it finds after the initial installation. However, I'd like to understand in more detail which snag I stumbled on before I decide whether to give up or to carry on experimenting with native/virtual boot.
Thanks for the help.
I don't know about BOOTSTAT.DAT, but BCD is a registry hive, same format as all the others. The BCD.LOG* files are the transaction journal(s) for the hive, for recovery purposes.
If you have a Windows machine you can mount the hive from regedit: click on HKEY_LOCAL_MACHINE, go to File->Load Hive and browse to the BCD file. The BCD that was used to boot Windows is normally already mounted as BCD00000000. There is some documentation out there on the format of Windows NT registry hive files.
For your dual-booting project, hardware profiles may help with the different configurations for the native and virtual hardware: try using one profile for each.
I've made a small Python utility to parse the BOOTSTAT.DAT file on Windows 10. There are also instructions for using it on the BOOTSTAT.DAT generated by Windows 7. The minimal version of Python that this script has been tested with is Python 3.6.
https://gitlab.com/rhave/bootstat.dat-efi-parser
The output can be either JSON or semi-CSV.
The program's main source of file format information is the Geoff Chappell site mentioned by Chris Smith previously in another answer.
Running it on Windows 10 files
The program can be run the following way:
python bootstat.dat-efi-parser.py json BOOTSTAT.DAT
where python is the Python interpreter installed on your system, bootstat.dat-efi-parser.py is a copy of the script from GitLab, json is the output type (can also be csv) and BOOTSTAT.DAT is the file you want analyzed.
The output from the above example usage would be similar to the following:
{
    "version": 4,
    "header_size": 24,
    "file_size": 65536,
    "valid_data_size": 208,
    "unknown_header_dword_0": 24,
    "unknown_header_dword_1": 0,
    "events": [
        {
            "event_name": "Log file initialised",
            "timestamp": 6176,
            "zero_field": 0,
            "source_guid": "2C86EA9DDD5C704EACC1F32B344D4795",
            "size_of_entry": 64,
            "severity_code": 1,
            "entry_version": 2,
            "event_identifier": 1,
            "event_time_struct": "2018-01-01 12:00:00",
            "event_zero_field_0": 0,
            "event_seven": 7,
            "event_one": 1,
            "event_zero_field_1": 0
        },
        {
            "event_name": "Boot application launch",
            "timestamp": 6177,
            "zero_field": 0,
            "source_guid": "2C86EA9DDD5C704EACC1F32B344D4795",
            "size_of_entry": 120,
            "severity_code": 1,
            "entry_version": 2,
            "event_identifier": 17,
            "event_app_guid": "80A054721015854EAC0FE7FB3D444736",
            "event_type_of_start": 0,
            "event_app_pathname": "\\windows\\system32\\winload.efi"
        }
    ]
}
Running it on Windows 7 files
On Windows 7 the BOOTSTAT.DAT file has an extra 2048-byte header. Cutting this away from the file makes the script able to parse the rest of the file. On Linux the dd command can be used to cut away the first 2048 bytes the following way:
dd if=bootstat.dat of=bootstat.dat.cut bs=1 skip=2048
Here bootstat.dat is the original Windows 7 file and bootstat.dat.cut is the file that should be given as the last argument to the Python script. A Windows equivalent of dd or a hex editor could be used to do the same cutting on Windows.
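As an added example (not part of the answer above, nor of the bootstat.dat-efi-parser project), the following Python script shows the two steps the answer describes in one place: reading the 24-byte BOOTSTAT.DAT header and handling the extra 2048-byte prefix that Windows 7 puts in front of it, without needing dd. The header field order (version, header_size, file_size, valid_data_size, two unknown dwords, all little-endian 32-bit) is an assumption taken from the order of the keys in the JSON output above; the event-record layout is not shown on this page, so the script deliberately stops at the header and reports where the event data begins. The sample file contents are constructed from the header values in that JSON output and are not a real boot log.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

# Assumed header layout: six little-endian dwords, matching the key order of the
# parser's JSON output on this page (version, header_size, file_size,
# valid_data_size, unknown_header_dword_0, unknown_header_dword_1).
HEADER_FMT = "<6I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 24 bytes, as in the sample output
WIN7_PREFIX = 2048                         # extra header Windows 7 writes in front
SAMPLE_FILE_SIZE = 65536                   # file_size from the sample output


@dataclass
class BootstatHeader:
    version: int
    header_size: int
    file_size: int
    valid_data_size: int
    unknown_dword_0: int
    unknown_dword_1: int

    def events_offset(self, base: int) -> int:
        """Absolute file offset at which the first event record starts."""
        return base + self.header_size


def parse_header(data: bytes, offset: int = 0) -> BootstatHeader:
    """Unpack and sanity-check a BOOTSTAT.DAT header found at `offset`."""
    if len(data) < offset + HEADER_SIZE:
        raise ValueError("file too short for a BOOTSTAT.DAT header")
    hdr = BootstatHeader(*struct.unpack_from(HEADER_FMT, data, offset))
    # Checks derived from the sample output: the header is 24 bytes long and the
    # valid data cannot exceed the declared file size. These reject garbage such
    # as the Windows 7 prefix being read as if it were the header.
    if hdr.header_size != HEADER_SIZE:
        raise ValueError("unexpected header_size %d" % hdr.header_size)
    if hdr.valid_data_size > hdr.file_size:
        raise ValueError("valid_data_size exceeds file_size")
    return hdr


def strip_win7_prefix(data: bytes) -> bytes:
    """Same effect as `dd if=bootstat.dat of=bootstat.dat.cut bs=1 skip=2048`."""
    return data[WIN7_PREFIX:]


def parse_bootstat(data: bytes) -> Tuple[BootstatHeader, int]:
    """Locate the header at offset 0 (Windows 10) or 2048 (Windows 7).

    Returns the parsed header and the offset at which it was found, so the
    caller knows whether the Windows 7 prefix was present.
    """
    for base in (0, WIN7_PREFIX):
        try:
            return parse_header(data, base), base
        except ValueError:
            continue
    raise ValueError("no valid BOOTSTAT.DAT header at offset 0 or 2048")


def build_sample(win7: bool) -> bytes:
    """Constructed sample file: header values from the JSON output on this page,
    zero-padded to file_size, optionally preceded by a filler prefix that stands
    in for the undocumented Windows 7 header."""
    hdr = struct.pack(HEADER_FMT, 4, HEADER_SIZE, SAMPLE_FILE_SIZE, 208, HEADER_SIZE, 0)
    body = hdr + b"\x00" * (SAMPLE_FILE_SIZE - len(hdr))
    return (b"\xcc" * WIN7_PREFIX + body) if win7 else body


if __name__ == "__main__":
    import sys
    # Usage: python bootstat_header.py BOOTSTAT.DAT   (falls back to the sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(win7=True)
    header, base = parse_bootstat(raw)
    print("header found at offset %d (%s layout)" % (base, "Windows 7" if base else "Windows 10"))
    print(header)
    print("event records start at offset %d, valid data ends at %d"
          % (header.events_offset(base), base + header.valid_data_size))
```

Because the header check fails on the Windows 7 prefix before it succeeds at offset 2048, the same script can be pointed at either file without knowing in advance which Windows version wrote it; when reading a real file, the reported offset tells you whether a dd-style cut would have been needed for the original parser.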