\Boot\BCD Windows Internals

Hi,

I am trying to find \Boot\BCD in a Windows 7 x64 system but there is no
such file.
All the documentation states that it must reside there but it doesn’t.

I have even inspected \Boot and %SystemRoot%\System32\Boot\ with low-level
forensic tools such as EnCase
but wasn’t able to find the file.

Windows Internals 5 states (p. 1078):

“Some options that are included in the BCD save to the registry value HKLM\SYSTEM\CurrentControlSet\Control\SystemStartOptions if they correspond to command-line switches; otherwise, they are kept only in the BCD.”

Also p. 267 states that HKLM\BCD0000000 is mapped to file \Boot\BCD.

Does it mean “BCD file will only be created when default options are
(command line) modified, else look into SYSTEM hive”?

Any ideas?

Thanks,
Emre

Did you look in both partitions that are created in a default setup?

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Emre Tinaztepe
Sent: Thursday, April 26, 2012 4:26 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] \Boot\BCD Windows Internals

— NTFSD is sponsored by OSR For our schedule of debugging and file system
seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List
Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Hi Martin,

Thanks for your help. Shouldn’t it reside in Primary Partition (Boot
Partition)?

Emre

On Thu, Apr 26, 2012 at 2:29 PM, Martin O’Brien <
xxxxx@gmail.com> wrote:

Did you look in both partitions that are created in a default setup?


No problem.

Hmm. This gets into wonky Windows terminology. ‘Boot Partition’ as in what
any normal person would consider the boot partition, or ‘boot partition’ as
in the one that doesn’t (necessarily) have the Windows bootmgr on it?

That is, the drive that Windows puts the bootmgr on is called the system
partition; the one with the operating system on it is called the boot
partition. No idea why.

In any case, it should be on the one with bootmgr on it.

I’m not sure if all editions of Windows 7 work this way, but at least in the
case of those editions that support BitLocker, by default, setup will create
a 100MB hidden (no drive letter) partition that will have the bcd stuff on
it.

It doesn’t have to be set up like this, but it usually is.

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Emre Tinaztepe
Sent: Thursday, April 26, 2012 4:36 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] \Boot\BCD Windows Internals


Hi Martin,

I’m not sure if all editions of Windows 7 work this way, but at least in
the case of those editions that support BitLocker, by default, setup will
create a 100MB hidden (no drive letter) partition that will have the bcd
stuff on it.

This was the answer I was looking for. BCD is hiding there:)

Thank you very much.

Emre

On Thu, Apr 26, 2012 at 2:42 PM, Martin O’Brien <
xxxxx@gmail.com> wrote:


No problem.

Good luck,

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Emre Tinaztepe
Sent: Thursday, April 26, 2012 5:00 AM
To: Windows File Systems Devs Interest List
Subject: Re: [ntfsd] \Boot\BCD Windows Internals


\boot directory resides on the partition which is declared as a boot one in BIOS. Usually this is the drive’s first partition.

If you have several OSes installed, then the SystemRoot partition (which contains \WINDOWS) is usually not the BIOS’s boot partition.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Hi Maxim,

Thanks for the input. Even though I have a single OS installed, I think the
reason is BitLocker, as Martin pointed out?

Emre

On Thu, Apr 26, 2012 at 3:36 PM, Maxim S. Shatskih
wrote:


> Thanks for the input. Even though I have a single OS installed, I think the reason is BitLocker as Martin pointed out?

I think so too.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

My Computer -> right click -> Manage -> Disk Management -> select
System Reserved -> right click -> Assign drive letter (say E, or the default)
-> OK

Now you can browse the assigned drive and you will
find \boot\bcd (it will not be accessible in live condition).

On 4/26/12, Emre Tinaztepe wrote:

Or you could use mountvol.exe on the command line.

Thanks,
Alex.

E:\>dir /a | dir boot\bc*
Volume in drive E is System Reserved
Volume Serial Number is AC46-2B24

Directory of E:\boot

04/23/2012 09:13 PM 32,768 BCD
1 File(s) 32,768 bytes
0 Dir(s) 75,345,920 bytes free

E:\>

On 4/27/12, raj_r wrote:

Thanks Alex for bringing up mountvol.
Playing with mountvol was pending for a long time; your answer triggered it :)

C:\>mountvol r:\ \\?\Volume{6724b9c3-8cf1-11e1-9be5-806e6f6e6963}\

C:\>dir /a r:\boot\bc*
Volume in drive R is System Reserved
Volume Serial Number is AC46-2B24

Directory of r:\boot

04/23/2012 09:13 PM 32,768 BCD
04/23/2012 09:13 PM 29,696 BCD.LOG
04/23/2012 09:36 AM 0 BCD.LOG1
04/23/2012 09:36 AM 0 BCD.LOG2
4 File(s) 62,464 bytes
0 Dir(s) 75,345,920 bytes free

C:\>mountvol r:\ /L
\\?\Volume{6724b9c3-8cf1-11e1-9be5-806e6f6e6963}\

C:\>mountvol r:\ /D

C:\>

BTW, mountvol /D doesn’t show the “your partition will be accessible
until you reboot” popup?

If I remove the assigned drive letter in diskmgmt I get that popup.

Are they different?

On 4/27/12, raj_r wrote:

As long as we’re enumerating options, I think you might be able to do this
with “mklink” as well.

At least you can mount vss snapshots with it.

Mm
On Apr 26, 2012 12:59 PM, “raj_r” wrote:


Yeah, I think the popup is a diskmgmt thing.

Of course, you should be able to just use the NT name instead of the drive letter in any properly written application:

C:\Users\alex>dir /a \\?\Volume{0d5759d1-429c-11df-8e0f-806e6f6e6963}\boot\bc*
Volume in drive \\?\Volume{0d5759d1-429c-11df-8e0f-806e6f6e6963} is System Reserved
Volume Serial Number is A680-2572

Directory of \\?\Volume{0d5759d1-429c-11df-8e0f-806e6f6e6963}\boot

04/26/2012 09:10 AM 24,576 BCD
04/26/2012 09:10 AM 21,504 BCD.LOG
04/07/2010 05:18 PM 0 BCD.LOG1
04/07/2010 05:18 PM 0 BCD.LOG2
4 File(s) 46,080 bytes
0 Dir(s) 73,003,008 bytes free

Thanks,
Alex.

It is the same as mounting it in an empty NTFS folder from the diskmgmt option
(that option creates a junction).

C:\>mklink /J c:\foo \\?\Volume{6724b9c3-8cf1-11e1-9be5-806e6f6e6963}\
Junction created for c:\foo <<===>> \\?\Volume{6724b9c3-8cf1-11e1-9be5-806e6f6e6963}\

C:\>cd foo

C:\foo>dir /a
Volume in drive C has no label.
Volume Serial Number is 7050-0784

Directory of C:\foo

04/27/2012 12:59 AM <DIR> $RECYCLE.BIN
04/23/2012 09:36 AM <DIR> Boot
07/14/2009 07:08 AM 383,562 bootmgr
04/23/2012 09:36 AM 8,192 BOOTSECT.BAK
04/23/2012 08:39 AM <DIR> System Volume Information
2 File(s) 391,754 bytes
3 Dir(s) 75,345,920 bytes free

C:\foo>cd ..

C:\>rd /s /q foo

C:\>

On 4/27/12, Martin O'Brien wrote:
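An added example (not from the thread and not any participant's code) that scripts what the mountvol, \\?\Volume{GUID}\ and empty-folder mount steps above do by hand, and goes one step further by recording the store's size, timestamp and SHA-256 so that where the BCD lives and what it contains can be baselined on a machine. The mount-point path, the "System Reserved" label match and the bcdedit /export fallback are assumptions, not something the thread shows.

```powershell
# Added example, not from the thread. Finds the letterless "System Reserved"
# volume by its NT volume name (what "mountvol /L" prints), mounts it on an
# empty NTFS folder instead of burning a drive letter, checks that \Boot\BCD is
# really there and records size, timestamp and SHA-256 as an integrity baseline.
# Assumptions: elevated prompt; $mountPoint does not exist yet; the partition
# carries the default "System Reserved" label; Windows 7 with PowerShell 2.0+.

$mountPoint = 'C:\mnt\sysres'   # hypothetical path; any empty NTFS folder works

function Get-Sha256Hex([string]$path) {
    # FileShare.ReadWrite so a file another component holds open can still be read
    $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Dispose()
    }
}

# Win32_Volume lists every volume, including those with no drive letter, which
# is exactly why Explorer and "dir C:\Boot" never show this one.
$vol = Get-WmiObject -Class Win32_Volume |
    Where-Object { $_.Label -eq 'System Reserved' -and -not $_.DriveLetter } |
    Select-Object -First 1
if (-not $vol) {
    throw 'No letterless "System Reserved" volume found; look for \Boot\BCD on the OS volume instead.'
}

New-Item -ItemType Directory -Path $mountPoint | Out-Null
# Same as "mountvol r:\ \\?\Volume{...}\" in the thread, but onto a folder.
& mountvol.exe "$mountPoint\" $vol.DeviceID
if ($LASTEXITCODE -ne 0) {
    Remove-Item -LiteralPath $mountPoint -Force
    throw "mountvol failed with exit code $LASTEXITCODE"
}

try {
    $bcd  = Join-Path $mountPoint 'Boot\BCD'
    # -Force: the store is a hidden+system file and is skipped without it
    $item = Get-Item -LiteralPath $bcd -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Warning "$($vol.DeviceID) is mounted but has no \Boot\BCD"
    } else {
        try {
            $hash   = Get-Sha256Hex $item.FullName
            $source = 'file'
        } catch [System.IO.IOException] {
            # The live store is loaded as a registry hive and may be locked;
            # bcdedit /export writes a consistent copy that can be hashed instead.
            $copy = Join-Path $env:TEMP 'bcd-export.tmp'
            & bcdedit.exe /export $copy | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "bcdedit /export failed ($LASTEXITCODE)" }
            $hash = Get-Sha256Hex $copy
            Remove-Item -LiteralPath $copy -Force
            $source = 'bcdedit /export copy'
        }
        # One record per run; diff it against the previous run to spot changes
        # to the boot store that no administrator made.
        New-Object PSObject -Property @{
            Volume     = $vol.DeviceID
            Path       = $item.FullName
            Bytes      = $item.Length
            LastWrite  = $item.LastWriteTime
            SHA256     = $hash
            HashedFrom = $source
        }
    }
} finally {
    # Undo the mount (the thread's "mountvol r:\ /D") and drop the empty folder.
    & mountvol.exe "$mountPoint\" /D
    Remove-Item -LiteralPath $mountPoint -Force
}
```

Run it from an elevated prompt; on a machine without the separate partition the throw tells you to look on the OS volume, where a default single-partition install keeps \Boot\BCD.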

I have read so much useful information; thanks to everyone for their input.

Emre

On Fri, Apr 27, 2012 at 12:03 AM, raj_r wrote:

> it is same as mounting it in an empty ntfs folder from diskmgmt option
> (this option will create a junction)
>
> C:&gt;mklink /J c:\foo \?\Volume{6724b9c3-8cf1-11e1-9be5-806e6f6e6963}<br>> Junction created for c:\foo <<===>>
> \?\Volume{6724b9c3-8cf1-11e1-9be5-806e6f6e6
> 963}<br>>
> C:&gt;cd foo
>
> C:\foo>dir /a
> Volume in drive C has no label.
> Volume Serial Number is 7050-0784
>
> Directory of C:\foo
>
> 04/27/2012 12:59 AM $RECYCLE.BIN
> 04/23/2012 09:36 AM Boot
> 07/14/2009 07:08 AM 383,562 bootmgr
> 04/23/2012 09:36 AM 8,192 BOOTSECT.BAK
> 04/23/2012 08:39 AM System Volume Information
> 2 File(s) 391,754 bytes
> 3 Dir(s) 75,345,920 bytes free
>
> C:\foo>cd …
>
> C:&gt;rd /s /q foo
>
> C:&gt;
>
>
>
>
> On 4/27/12, Martin O’Brien wrote:
> > As long as we’re enumerating options, I think you might be able to this
> > with “mklink” as well.
> >
> > At least you can mount vss snapshots with it.
> >
> > Mm
> > On Apr 26, 2012 12:59 PM, “raj_r” wrote:
> >
> >> thanks alex for bringing up mountvol
> >> playing with mountvol was pending for a long time your answer triggered
> >> it
> >> :slight_smile:
> >>
> >> C:&gt;mountvol r:\ \?\Volume{6724b9c3-8cf1-11e1-9be5-806e6f6e6963}<br>> >>
> >> C:&gt;dir /a r:\boot\bc*
> >> Volume in drive R is System Reserved
> >> Volume Serial Number is AC46-2B24
> >>
> >> Directory of r:\boot
> >>
> >> 04/23/2012 09:13 PM 32,768 BCD
> >> 04/23/2012 09:13 PM 29,696 BCD.LOG
> >> 04/23/2012 09:36 AM 0 BCD.LOG1
> >> 04/23/2012 09:36 AM 0 BCD.LOG2
> >> 4 File(s) 62,464 bytes
> >> 0 Dir(s) 75,345,920 bytes free
> >>
> >> C:&gt;mountvol r:\ /L
> >> \?\Volume{6724b9c3-8cf1-11e1-9be5-806e6f6e6963}<br>> >>
> >> C:&gt;mountvol r:\ /D
> >>
> >> C:&gt;
> >>
> >> btw mountvol /d doesnt show the your partition will be accessible
> >> until you reboot popup ?
> >>
> >> if i remove the assigned drive letter in diskmgmt i get that popup
> >>
> >> are thay different ?
> >>
> >>
> >>
> >>
> >>
> >> On 4/27/12, raj_r wrote:
> >> > E:&gt;dir /a | dir boot\bc*
> >> > Volume in drive E is System Reserved
> >> > Volume Serial Number is AC46-2B24
> >> >
> >> > Directory of E:\boot
> >> >
> >> > 04/23/2012 09:13 PM 32,768 BCD
> >> > 1 File(s) 32,768 bytes
> >> > 0 Dir(s) 75,345,920 bytes free
> >> >
> >> > E:&gt;
> >> >
> >> > On 4/27/12, raj_r wrote:
> >> >> My Computer -> right click -> Manage -> Disk Management -> select
> >> >> System Reserved -> right click -> Assign drive letter (say E, or default)
> >> >> -> OK.
> >> >>
> >> >> Now you can browse the assigned drive and you will
> >> >> find BCD under \Boot (it will not be accessible in live condition).
> >> >>
> >> >> On 4/26/12, Emre Tinaztepe wrote:
> >> >>> Hi,
> >> >>>
> >> >>> I am trying to find \Boot\BCD in a Windows 7 x64 system but there is
> >> >>> no
> >> >>> such file.
> >> >>> All the documentation states that it must reside there but it
> >> >>> doesn’t.
> >> >>>
> >> >>> I have even inspected \Boot and %SystemRoot%\System32\Boot\ with low
> >> >>> level
> >> >>> forensic tools such as Encase
> >> >>> but wasn’t able to find the file.
> >> >>>
> >> >>> Windows Internals 5 states that (p1078) :
> >> >>>
> >> >>>> “Some options that are included in the BCD save to the registry
> >> >>>> value
> >> >>>> HKLM\SYSTEM\
> >> >>>> CurrentControlSet\Control\SystemStartOptions if they correspond to
> >> >>>> command-line switches;
> >> >>>> otherwise, they are kept only in the BCD.”
> >> >>>>
> >> >>>
> >> >>> Also p267 states that HKLM\BCD0000000 is mapped to file \Boot\BCD.
> >> >>>
> >> >>> Does it mean “BCD file will only be created when default options are
> >> >>> (command line) modified, else look into SYSTEM hive”?
> >> >>>
> >> >>> Any ideas?
> >> >>>
> >> >>> Thanks,
> >> >>> Emre
> >> >>>
> >> >>
> >> >
> >>
> >>
> >
>
>

“Emre Tinaztepe” wrote in message
news:xxxxx@ntfsd…
> Hi,
>
> I am trying to find \Boot\BCD in a Windows 7 x64 system but there is no
> such file.
> All the documentation states that it must reside there but it doesn’t.
>
> I have even inspected \Boot and %SystemRoot%\System32\Boot\ with low level
> forensic tools such as Encase
> but wasn’t able to find the file.
>

You can get its exact location from
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist which contains
the list of registry hives that are backed by a file.

//Daniel
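The hivelist approach Daniel describes and the mountvol approach from earlier in the thread fit together: hivelist gives the BCD hive's backing file as an NT device path (for example `\Device\HarddiskVolume1\Boot\BCD`), and when that volume has no drive letter, the only way to reach the file from user mode is through its `\\?\Volume{guid}\` name, which is exactly what mountvol assigns a letter to. The script below is an added example, not code from the thread or from any of its posters. It reads hivelist, then uses the Win32 QueryDosDevice call (via Add-Type) to translate each `\Device\HarddiskVolumeN` prefix to a drive letter where one exists, otherwise to the volume GUID name. It assumes Windows PowerShell 3.0 or later; reading hivelist needs no elevation, although mounting the System Reserved volume afterwards does.

```powershell
# Added example (not from the thread): map every file-backed registry hive
# listed in HKLM\SYSTEM\CurrentControlSet\Control\hivelist to a path that
# can be opened from user mode, including the BCD hive on an unlettered
# System Reserved partition. Assumes Windows PowerShell 3.0+.

Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName,
    System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-NtDeviceTarget {
    # Return the NT device name (e.g. \Device\HarddiskVolume1) behind a DOS
    # device name such as "C:" or "Volume{guid}" (no trailing backslash).
    param([Parameter(Mandatory = $true)][string]$DosName)
    $sb  = New-Object System.Text.StringBuilder 1024
    $len = [Native.Kernel32]::QueryDosDevice($DosName, $sb, $sb.Capacity)
    if ($len -eq 0) { return $null }
    # The buffer is a MULTI_SZ; the first string is the current mapping.
    return ($sb.ToString() -split "`0")[0]
}

function Get-HiveFileLocations {
    # Enumerate hives from hivelist and resolve their NT device paths.
    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    $hivelist = Get-ItemProperty -Path $key

    # Lookup table: NT device name -> user-mode path prefix. Volume GUID
    # names go in first so that a drive letter, when present, overrides them.
    $map = @{}
    foreach ($vol in Get-CimInstance Win32_Volume) {
        # DeviceID looks like \\?\Volume{guid}\ ; QueryDosDevice wants just
        # Volume{guid}.
        $guidName = ($vol.DeviceID -replace '^\\\\\?\\', '').TrimEnd([char]'\')
        $nt = Get-NtDeviceTarget $guidName
        if ($nt) { $map[$nt] = $vol.DeviceID }
    }
    foreach ($letter in (Get-PSDrive -PSProvider FileSystem).Name) {
        $nt = Get-NtDeviceTarget ("{0}:" -f $letter)
        if ($nt) { $map[$nt] = "{0}:\" -f $letter }
    }

    foreach ($prop in $hivelist.PSObject.Properties) {
        # Skip the PSPath/PSProvider noise Get-ItemProperty adds.
        if ($prop.Name -notlike '\REGISTRY\*') { continue }
        $ntPath = [string]$prop.Value
        # An empty value means the hive is volatile (e.g. HARDWARE).
        if ([string]::IsNullOrEmpty($ntPath)) { continue }

        $resolved = $ntPath
        foreach ($dev in $map.Keys) {
            if ($ntPath.StartsWith($dev + '\', [StringComparison]::OrdinalIgnoreCase)) {
                $resolved = $map[$dev] + $ntPath.Substring($dev.Length + 1)
                break
            }
        }
        [pscustomobject]@{ Hive = $prop.Name; NtPath = $ntPath; Path = $resolved }
    }
}

# Show where the BCD hive actually lives on this machine.
Get-HiveFileLocations | Where-Object { $_.Hive -like '*BCD*' } | Format-List
```

On a default Windows 7 layout the BCD entry typically resolves to `\\?\Volume{...}\Boot\BCD` rather than `C:\Boot\BCD`, which is why a search of the C: volume finds nothing; feeding that volume name to `mountvol <letter>:\ \\?\Volume{...}\` exposes the file, as raj_r's transcript shows. Because the function walks the whole hivelist rather than hardcoding hive names, it also serves the "get them dynamically" use Emre mentions for SYSTEM, SOFTWARE, SAM and the per-user hives.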

Thanks for the path Daniel. I was going to ask this to get them dynamically
rather than hardcoding the list into code.

Emre
On Apr 28, 2012 3:46 PM, wrote:

> “Emre Tinaztepe” wrote in message
> news:xxxxx@ntfsd…
> > Hi,
> >
> > I am trying to find \Boot\BCD in a Windows 7 x64 system but there is no
> > such file.
> > All the documentation states that it must reside there but it doesn’t.
> >
> > I have even inspected \Boot and %SystemRoot%\System32\Boot\ with low
> level
> > forensic tools such as Encase
> > but wasn’t able to find the file.
> >
>
>
> You can get its exact location from
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist which contains
> the list of registry hives that are backed by a file.
>
> //Daniel
>