Geoff Chappell, Software Analyst
The SYSTEM_BOOT_ENVIRONMENT_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemBootEnvironmentInformation (0x5A).
The SYSTEM_BOOT_ENVIRONMENT_INFORMATION structure is not documented.
The SYSTEM_BOOT_ENVIRONMENT_INFORMATION is 0x20 bytes in both 32-bit and 64-bit Windows 10. There is also a SYSTEM_BOOT_ENVIRONMENT_V1 structure that reaches only up to and including the FirmwareType.
The kernel learns the BootIdentifier from the loader via the BootIdentifier member of the LOADER_PARAMETER_EXTENSION. Its retrieval through the SYSTEM_BOOT_ENVIRONMENT_INFORMATION is how BCDEDIT knows which of the installed Windows systems actually got booted.
The FIRMWARE_TYPE enumeration is defined in WINNT.H for user-mode programming. Its retrieval through the SYSTEM_BOOT_ENVIRONMENT_INFORMATION is how NTDLL supports FIRMWARE_TYPE as a fake environment variable. Programmers who think to use this structure and NtQuerySystemInformation just to get the firmware type would better use the documented KERNEL32 function GetFirmwareType instead.
The BootFlags are what the loader passes to the kernel via the BootFlags member of the LOADER_PARAMETER_EXTENSION. The 0x01 bit is understood well enough to describe here. It is set when Windows booted with the following combination of BCD options: