Utility to interpret BCD.LOG and BOOTSTAT.DAT binary files (W7 Boot hangs)
Solution 1
I don't know about BOOTSTAT.DAT but BCD is a registry hive, same format as all the others. The BCD.LOG* files are the transaction journal(s) for the hive, for recovery purposes.
If you have a Windows machine you can mount the hive from regedit: click on HKEY_LOCAL_MACHINE, go to File->Load Hive and browse to the BCD file. The BCD that was used to boot windows is normally already mounted as BCD00000000. There is some documentation out there on the format of Windows NT registry hive files.
For your dual booting project, hardware profiles may help with the different configurations for the native and virtual hardware-- try using one profile for each.
Solution 2
I've made a small python utility to parse the BOOTSTAT.DAT file on Windows 10. There is also instructions for using it on the BOOTSTAT.DAT generated by Windows 7. The minimal version of python that this script has been tested with is python 3.6.
https://gitlab.com/rhave/bootstat.dat-efi-parser
The output can be either JSON or semi-CSV.
The program's main source of file format information is the Geoff Chappell site mentioned by Chris Smith previously in another answer.
Running it on Windows 10 files
The program can be run the following way:
python bootstat.dat-efi-parser.py json BOOTSTAT.DAT
where python is the python interpreter installed on your system, bootstat.dat-efi-parser.py is a copy of the script from gitlab, json is the output type (can also be csv) and BOOTSTAT.DAT is a file you want analyzed.
The output from the above example usage would be similar to the following:
{
"version": 4,
"header_size": 24,
"file_size": 65536,
"valid_data_size": 208,
"unknown_header_dword_0": 24,
"unknown_header_dword_1": 0,
"events": [
{
"event_name": "Log file initialised",
"timestamp": 6176,
"zero_field": 0,
"source_guid": "2C86EA9DDD5C704EACC1F32B344D4795",
"size_of_entry": 64,
"severity_code": 1,
"entry_version": 2,
"event_identifier": 1,
"event_time_struct": "2018-01-01 12:00:00",
"event_zero_field_0": 0,
"event_seven": 7,
"event_one": 1,
"event_zero_field_1": 0
},
{
"event_name": "Boot application launch",
"timestamp": 6177,
"zero_field": 0,
"source_guid": "2C86EA9DDD5C704EACC1F32B344D4795",
"size_of_entry": 120,
"severity_code": 1,
"entry_version": 2,
"event_identifier": 17,
"event_app_guid": "80A054721015854EAC0FE7FB3D444736",
"event_type_of_start": 0,
"event_app_pathname": "\\windows\\system32\\winload.efi"
}
]
}
Running it on Windows 7 files
On Windows 7 the BOOTSTAT.DAT file has an extra 2048 bytes header. Cutting this away from the file makes the script able to parse the rest of the file. On linux the dd command can be used to cut away the first 2048 bytes the following way:
dd if=bootstat.dat of=bootstat.dat.cut bs=1 skip=2048
Here bootstat.dat is the original Windows 7 file and the bootstat.dat.cut file is the file that should be given as last argument to the python script. A Windows equivalent to dd or a hexeditor could be used to do the same cutting on Windows.
Related videos on Youtube
10 : 39
02 : 59
02 : 48
12 : 28
08 : 42
Comments
-
Alain Pannetier almost 2 years
The main question is : "Are there any utility that can interpret these two binary files:
- BCD.LOG
- BOOTSTAT.DAT
both of them updated during the Vista/W7 boot process ?
I already know of EasyBCD and I have found this page about the BOOTSTAT.DAT format, but I would prefer not to re-invent the wheel.
Background Info.
I am in the uncomfortable position whereby my native Windows 7 partition declines to complete the boot process (even in safe mode with prompt).
This happened after having successfully booted it from VirtualBox through raw device access. As a matter of fact, the VB boot works consistently well. However, each time I attempt to boot natively, the boot process attempts to "repair" the configuration. In effect from the outside, it spins the disks for ages and ends up stalled somwehere. Before I use the PQService partition to return to the factory configuration (it's a new machine anyway), I'd like to have a look at these 2 files which I can access without any problem from the Ubuntu disk.
As an aside, if there are other files that could be of any help in diagnosing the root of the problem, please let me know. Does winload.exe produce a log for instance (that's a secondary question) ?
Please note that I am plainly aware that Windows 7 is quite touchy about the HW config it finds after the initial installation. However I'd like to understand in more detail on which snag I stumbled before I decide whether to give up or to carry on experimenting with native/virtual boot.
Thanks for the help.
-
Admin over 13 yearsHow can you be sure you're even on the right track? I've had the repair wizard run three times before booting Windows successfully. Have some patience. It's Windows. -
Admin over 13 yearsYou're right: certainty is a luxury here. For now, I feel like the time spent on the investigation of the root cause of this is worth the benefit of being able to boot the same W7 partition both in virtualbox and natively (it used to be so easy in XP with HW profiles... But making geek's life easier is not today's trend at Redmond. Future will tell if this is the best strategy; for now Windows is still relevant).
-
Admin almost 13 yearsDid you get your "dual boot" to work properly? It sounds fantastic if you manage to get it working! Blog it up?
-
Admin almost 13 years@stolsvik, sorry no progress. I actually shelved my original W7 disk and replaced it with a new one on which I installed Linux Mint Katya. Whatever little windows stuff I still need to do today is done within a windows XP virtual machine living in its VDI (same regime as for OSX, Android and other curiosities actually).
-
James McLaughlin over 6 yearsCorrect information, but shouldn't be an accepted answer; google is bringing me here trying to find out about bootstat.dat.
-
Chris Smith over 6 yearsgeoffchappell.com/notes/windows/boot/bsd.htm has some information on the format of bootstat.dat
-
Burgi over 4 yearsCould you include a short tutorial here, just in case the link is unavailable for whatever reason? Please see this meta topic on software recommendations.
-
Rasmus Have over 4 years@Burgi thanks for the feedback, this was my first attempt on an answer on superuser. Is the edited version better?
-
Burgi over 4 yearsExcellent, welcome to Super User!
-
I.Ivanov about 3 yearshow do we edit this bootstat.dat file ? im trying to set "time to display recovery options when needed" but couldn't find any method
-
Rasmus Have about 3 years@ikel: The bootstat.dat file is not a file meant to be user editable, it is a log file that is written upon boot.
-
I.Ivanov about 3 yearsthen if i want to change "time to display recovery options" with command, how could i do it? @RasmusHave I googled some time but no result works
