ntoskrnl.exeT1542.003T1082T1542

NtEnumerateBootEntries

Returns a packed array of BOOT_ENTRY structures describing every registered firmware boot option.

Prototype

NTSTATUS NtEnumerateBootEntries(
  PVOID  Buffer,
  PULONG BufferLength
);

Arguments

Name	Type	Dir	Description
Buffer	PVOID	out	Caller-allocated buffer that receives a packed sequence of BOOT_ENTRY_LIST records (each containing a NextEntryOffset and an inline BOOT_ENTRY). May be NULL to query required size.
BufferLength	PULONG	in/out	On input: size of Buffer in bytes. On output: bytes written, or required size when STATUS_BUFFER_TOO_SMALL is returned.

Syscall IDs by Windows version

Windows version	Syscall ID	Build
Win10 1507	0xCF	win10-1507
Win10 1607	0xD2	win10-1607
Win10 1703	0xD5	win10-1703
Win10 1709	0xD6	win10-1709
Win10 1803	0xD7	win10-1803
Win10 1809	0xD8	win10-1809
Win10 1903	0xD9	win10-1903
Win10 1909	0xD9	win10-1909
Win10 2004	0xDE	win10-2004
Win10 20H2	0xDE	win10-20h2
Win10 21H1	0xDE	win10-21h1
Win10 21H2	0xDF	win10-21h2
Win10 22H2	0xDF	win10-22h2
Win11 21H2	0xE4	win11-21h2
Win11 22H2	0xE5	win11-22h2
Win11 23H2	0xE5	win11-23h2
Win11 24H2	0xE7	win11-24h2
Server 2016	0xD2	winserver-2016
Server 2019	0xD8	winserver-2019
Server 2022	0xE3	winserver-2022
Server 2025	0xE7	winserver-2025

Kernel module

ntoskrnl.exe → NtEnumerateBootEntries

Related APIs

BcdEnumerateObjects (bcd.dll)bcdedit.exe /enum FIRMWAREGetFirmwareEnvironmentVariableW (BootOrder / Boot####)NtQueryBootEntryOrderNtAddBootEntry

Syscall stub

4C 8B D1            mov r10, rcx
B8 E7 00 00 00      mov eax, 0xE7
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Classic two-call pattern: invoke with `Buffer = NULL` to retrieve the required size, allocate, and call again. The output is a chained linked list — each `BOOT_ENTRY_LIST.NextEntryOffset` is a byte delta from the start of the current record to the next (zero terminates). Behind the scenes the kernel walks the firmware-side list: NVRAM `BootOrder` + `Boot####` variables on UEFI, BCD hive enumeration on legacy BIOS. SeSystemEnvironmentPrivilege is required even for *read*.

Common malware usage

Enumeration is the reconnaissance step of every BCD-persistence kill chain: malware needs the existing `{bootmgr}` ID before it can call NtModifyBootEntry, and it needs the current ordering before NtSetBootEntryOrder. TrickBoot's UEFI module famously starts with a survey pass that calls the equivalent of `BcdEnumerateObjects` + `NtEnumerateBootEntries` to fingerprint the firmware (vendor, vulnerable bootmgr versions, presence of recovery entries) and report back to the C2 before deciding whether to deploy the bootkit stage.

TrickBoot BlackLotus ESPecter MosaicRegressor / LoJax

Detection opportunities

Read-only enumeration is rarely interesting in isolation — legitimate tools (`bcdedit`, Windows Update, BitLocker setup) call it routinely. Suspicion comes from **context**: a non-installer, non-system-context process that opens a handle requesting SeSystemEnvironmentPrivilege *and* immediately enumerates BCD entries is anomalous. Hook detection: query 4673 audit events for SeSystemEnvironmentPrivilege use, then correlate with process image path. EDRs that telemeter NtSetInformationToken / NtAdjustPrivilegesToken transitions to SE_PRIVILEGE_ENABLED for SeSystemEnvironment can catch the privilege-acquisition step that precedes any write call.

Direct syscall examples

asmx64 direct stub (Win11 24H2, SSN 0xE7)

NtEnumerateBootEntries PROC
    mov  r10, rcx          ; PVOID Buffer
    mov  eax, 0E7h         ; Win11 24H2
    syscall
    ret
NtEnumerateBootEntries ENDP

cTwo-call size query + walk

// Enumerate every firmware boot entry, print FriendlyName.
extern NTSTATUS NTAPI NtEnumerateBootEntries(PVOID, PULONG);

void dump_entries(void) {
    ULONG size = 0;
    NtEnumerateBootEntries(NULL, &size);     // STATUS_BUFFER_TOO_SMALL
    if (size == 0) return;
    PBYTE buf = (PBYTE)HeapAlloc(GetProcessHeap(), 0, size);
    if (NT_SUCCESS(NtEnumerateBootEntries(buf, &size))) {
        PBYTE p = buf;
        while (p < buf + size) {
            PBOOT_ENTRY_LIST list = (PBOOT_ENTRY_LIST)p;
            PBOOT_ENTRY be = &list->BootEntry;
            wprintf(L"id=%08X name=%s\n", be->Id,
                    (LPCWSTR)((PBYTE)be + be->FriendlyNameOffset));
            if (!list->NextEntryOffset) break;
            p += list->NextEntryOffset;
        }
    }
    HeapFree(GetProcessHeap(), 0, buf);
}

MITRE ATT&CK mappings

Last verified: 2026-05-20