Windows Security

UEFI/GPT Lab Part 2
14.  Enter:
 
	Format-Volume -FileSystem NTFS -NewFileSystemLabel "WINDOWS" -DriveLetter "W" -Force 
to format the partition as NTFS and label it WINDOWS.
	DriveLetter FriendlyName FileSystemType DriveType HealthStatus OperationalStatus SizeRemaining     Size
	----------- ------------ -------------- --------- ------------ ----------------- -------------     ----
	W           WINDOWS      NTFS           Removable Healthy      OK                     57.08 GB 57.17 GB
With our drive partitioned and formatted, we now need to copy the system boot files.
15.  Enter:
 
	bcdboot $env:SystemRoot /s S: /f UEFI 
To copy the system boot files for UEFI to the EFI partition.
	Boot files successfully created.
Notice we used the PowerShell environment variable $env:SystemRoot to substitute for C:\Windows. This will work even if Windows was installed to D:\Windows or C:\Win.

16.  Enter:
 
	S: 
To switch to our system partition.
17.  Enter:
 
	dir 
To view a directory listing.
    Directory: S:\


	Mode                 LastWriteTime         Length Name
	----                 -------------         ------ ----
	d-----          2/5/2022   1:36 PM                EFI
Notice the EFI partition was created.
18.  Enter:
 
	cd EFI 
To change to the EFI directory.

19.  Enter:
 
	dir 
To view a directory listing.
    Directory: S:\EFI


	Mode                 LastWriteTime         Length Name
	----                 -------------         ------ ----
	d-----          2/5/2022   1:36 PM                Microsoft
	d-----          2/5/2022   1:36 PM                Boot

Notice two directories: Boot which is the default UEFI path and Microsoft which is unique to Windows.
20.  Enter:
 
	dir Boot 
To view the Boot directory contents.
    Directory: S:\EFI\BOOT


	Mode                 LastWriteTime         Length Name
	----                 -------------         ------ ----
	-a----          2/1/2022   3:22 PM        1559920 bootx64.efi
Notice bootx64.efi which is the default UEFI boot loader.
21.  Enter:
 
	dir Microsoft\Boot
To view the Microsoft EFI Boot directory.
	*** LANGUAGE FOLDERS OMITTED ***
	d-----          2/5/2022   1:36 PM                Fonts
	d-----          2/5/2022   1:36 PM                Resources
	-a----         10/6/2021   6:51 AM           5145 boot.stl
	-a----          2/1/2022   3:22 PM        1559920 bootmgfw.efi
	-a----          2/1/2022   3:22 PM        1542472 bootmgr.efi
	-a----         12/7/2019   1:09 AM          17720 kdnet_uart16550.dll
	-a----         10/6/2021   6:51 AM          27464 kdstub.dll
	-a----         12/7/2019   1:09 AM          31544 kd_02_10df.dll
	-a----         12/7/2019   1:09 AM         379192 kd_02_10ec.dll
	-a----         12/7/2019   1:09 AM          26424 kd_02_1137.dll
	-a----         12/7/2019   1:09 AM         239928 kd_02_14e4.dll
	-a----         12/7/2019   1:09 AM          44344 kd_02_15b3.dll
	-a----         12/7/2019   1:09 AM          44344 kd_02_1969.dll
	-a----         12/7/2019   1:09 AM          31544 kd_02_19a2.dll
	-a----         12/7/2019   1:09 AM          20280 kd_02_1af4.dll
	-a----         12/7/2019   1:09 AM         298296 kd_02_8086.dll
	-a----         12/7/2019   1:09 AM          18960 kd_07_1415.dll
	-a----         12/7/2019   1:09 AM          48952 kd_0C_8086.dll
	-a----          2/1/2022   3:22 PM        1349432 memtest.efi
	-a----         12/7/2019   1:08 AM           9796 winsipolicy.p7b
	-a----          2/5/2022   1:36 PM          20480 BCD
Notice that bootmgfw.efi, which is the default Boot Manager for Windows 10, has the same file size as bootx64.efi.
22.  Enter:
 
	get-filehash .\Boot\bootx64.efi 
To get a SHA256 hash of the file.

23.  Enter:
 
	get-filehash .\Microsoft\Boot\bootmgfw.efi 
To get a SHA256 hash as well.
	PS S:\EFI> get-filehash .\Boot\bootx64.efi

	Algorithm       Hash                                                                   Path
	---------       ----                                                                   ----
	SHA256          46748BCAC9F362133158176E31AE1431BC9D2DAB57A65CBD9A54979C6BDE4C95       S:\EFI\Boot\bootx64.efi


	PS S:\EFI> get-filehash .\Microsoft\Boot\bootmgfw.efi

	Algorithm       Hash                                                                   Path
	---------       ----                                                                   ----
	SHA256          46748BCAC9F362133158176E31AE1431BC9D2DAB57A65CBD9A54979C6BDE4C95       S:\EFI\Microsoft\Boot\bootmgfw.efi

They are the same file. Windows just makes a copy of its Boot Manager and puts it in the default \EFI\Boot\bootx64.efi location. Notice the BCD registry is also in this directory. Let's look at its contents.
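The comparison in steps 22 and 23 can be scripted so it also checks the Authenticode signatures on both loaders. This is an added example, not part of the lab; it assumes the system partition is still mounted as S: as in step 16.

```powershell
# Added example (not part of the original lab): confirm that the fallback
# loader \EFI\Boot\bootx64.efi is a byte-identical, signed copy of
# \EFI\Microsoft\Boot\bootmgfw.efi on the system partition built in this lab.
# Assumes the system partition is still mounted as S:.
$esp = 'S:\EFI'
$files = @(
    (Join-Path $esp 'Boot\bootx64.efi'),
    (Join-Path $esp 'Microsoft\Boot\bootmgfw.efi')
)

foreach ($f in $files) {
    if (-not (Test-Path $f)) { throw "Missing boot file: $f" }
}

# Same check the lab performs by hand in steps 22-23, compared programmatically.
$hashes = $files | ForEach-Object { Get-FileHash -Path $_ -Algorithm SHA256 }
if ($hashes[0].Hash -eq $hashes[1].Hash) {
    Write-Host "bootx64.efi and bootmgfw.efi are identical (SHA256 $($hashes[0].Hash))"
} else {
    Write-Warning "Fallback loader differs from bootmgfw.efi; investigate before trusting this ESP."
    $hashes | Format-Table Path, Hash -AutoSize
}

# Both .efi images are PE files carrying an Authenticode signature. Note that
# Get-AuthenticodeSignature validates against the Windows certificate store,
# not the firmware's Secure Boot db, so this is a sanity check from the OS side.
foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    Write-Host ("{0,-20} {1,-12} {2}" -f (Split-Path $f -Leaf), $sig.Status, $signer)
}
```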
24.  Enter:
 
	bcdedit /store .\Microsoft\Boot\BCD /enum /v 
To view the BCD entries.
	Windows Boot Manager
	--------------------
	identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
	device                  partition=S:
	path                    \EFI\Microsoft\Boot\bootmgfw.efi
	description             Windows Boot Manager
	locale                  en-us
	inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
	default                 {bd73a7a0-86cb-11ec-8657-525400febabb}
	resumeobject            {bd73a79f-86cb-11ec-8657-525400febabb}
	displayorder            {bd73a7a0-86cb-11ec-8657-525400febabb}
	toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
	timeout                 30

	Windows Boot Loader
	-------------------
	identifier              {bd73a7a0-86cb-11ec-8657-525400febabb}
	device                  partition=C:
	path                    \Windows\system32\winload.efi
	description             Windows 10
	locale                  en-us
	inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
	isolatedcontext         Yes
	allowedinmemorysettings 0x15000075
	osdevice                partition=C:
	systemroot              \Windows
	resumeobject            {bd73a79f-86cb-11ec-8657-525400febabb}
	nx                      OptIn
	bootmenupolicy          Standard

Note that since we copied the configuration files from our system drive, the Windows Boot Loader is set to the C:\Windows\system32\winload.efi path. Let's compare this BCD registry to the one on our host system.

25.  Enter:
 
	bcdedit /enum /v  
To view the BCD entries on the host machine. Omitting the /store switch defaults to loading the system BCD file.
	Windows Boot Manager
	--------------------
	identifier              {9dea862c-5cdd-4e70-acc1-f32b344d4795}
	device                  partition=\Device\HarddiskVolume1
	description             Windows Boot Manager
	locale                  en-US
	inherit                 {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
	default                 {0fefbebb-83ca-11ec-b344-a67ff87d56db}
	resumeobject            {0fefbeba-83ca-11ec-b344-a67ff87d56db}
	displayorder            {0fefbebb-83ca-11ec-b344-a67ff87d56db}
	toolsdisplayorder       {b2721d73-1db4-4c62-bf78-c548a880142d}
	timeout                 30

	Windows Boot Loader
	-------------------
	identifier              {0fefbebb-83ca-11ec-b344-a67ff87d56db}
	device                  partition=C:
	path                    \Windows\system32\winload.exe
	description             Windows 10
	locale                  en-US
	inherit                 {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
	recoverysequence        {0fefbebc-83ca-11ec-b344-a67ff87d56db}
	displaymessageoverride  Recovery
	recoveryenabled         Yes
	allowedinmemorysettings 0x15000075
	osdevice                partition=C:
	systemroot              \Windows
	resumeobject            {0fefbeba-83ca-11ec-b344-a67ff87d56db}
	nx                      OptIn
	bootmenupolicy          Standard

  • What are the differences in this entry?
  • Is this system configured to use UEFI booting or MBR?
  • How can you tell?
  • BONUS research question: What is bootmgr.efi used for?
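To work through the first question systematically, the two bcdedit listings from steps 24 and 25 can be parsed into objects and compared setting by setting. This is an added example, not part of the lab; it assumes S: is still mounted and that the shell is elevated (bcdedit /enum on the system store requires it).

```powershell
# Added example (not part of the original lab): turn 'bcdedit /enum /v' output into
# objects and list the settings that differ between the BCD built on S: in this lab
# and the host's system BCD. Assumes S: is still mounted and the shell is elevated.
function ConvertFrom-BcdEnum {
    param([string[]]$Lines)
    $entries = [System.Collections.Generic.List[object]]::new()
    $cur = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }       # blank or underline row
        if ($line -match '^(\S+)\s{2,}(.*)$') {                      # "key      value" row
            if ($cur) { $cur[$Matches[1]] = $Matches[2].Trim() }
        } else {                                                      # section title row
            if ($cur) { $entries.Add([pscustomobject]$cur) }
            $cur = [ordered]@{ Section = $line }                      # e.g. "Windows Boot Loader"
        }
    }
    if ($cur) { $entries.Add([pscustomobject]$cur) }
    return $entries
}

function Compare-BcdSection {
    param($Lab, $Sys, [string]$Section)
    $l = $Lab | Where-Object Section -eq $Section | Select-Object -First 1
    $s = $Sys | Where-Object Section -eq $Section | Select-Object -First 1
    if (-not $l -or -not $s) { throw "Section '$Section' missing from one of the stores" }
    $keys = @($l.PSObject.Properties.Name) + @($s.PSObject.Properties.Name) | Sort-Object -Unique
    foreach ($k in $keys) {
        if ($l.$k -ne $s.$k) {
            [pscustomobject]@{ Setting = $k; LabStore = $l.$k; SystemStore = $s.$k }
        }
    }
}

$labStore = ConvertFrom-BcdEnum (bcdedit /store S:\EFI\Microsoft\Boot\BCD /enum /v)
$sysStore = ConvertFrom-BcdEnum (bcdedit /enum /v)

# Object identifiers are per-install GUIDs, so expect those to differ; read the
# settings that name devices and loader paths closely when answering the questions.
foreach ($section in 'Windows Boot Manager', 'Windows Boot Loader') {
    "`n== $section =="
    Compare-BcdSection -Lab $labStore -Sys $sysStore -Section $section | Format-Table -AutoSize
}
```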

It should be noted that while bcdedit allows you to change Windows Boot Loader settings, it does not allow users to change EFI NVRAM settings. Linux provides the efibootmgr utility, which can edit EFI NVRAM settings directly.