FIRMWARE_INFORMATION_LOADER_BLOCK

The FIRMWARE_INFORMATION_LOADER_BLOCK is a structure within the LOADER_PARAMETER_BLOCK, which is in turn the structure through which the kernel and HAL learn the initialisation data that was gathered by the loader. It was appended for Windows Vista, apparently as part of the reworking of the loader and especially because the loader now could use the Extensible Firmware Interface (EFI). It has grown since: the following changes of size are known:

Versions Size (x86) Size(x64)
6.0 to 6.1 0x14 0x20
6.2 0x1C 0x30
6.3 to 10.0 0x28 0x40

These sizes, and the offsets, names and types in the table that follows are from type information in public symbol files for occasional Windows versions: first for Windows Vista and Windows 7; and most recently for the 1803 release of Windows 10. How the type information gets into symbol files for some versions but not others is not known. A C-language definition has been published in a header named ARC.H from the Enterprise edition of the Windows Driver Kit (WDK) for Windows 10 Version 1511.

Offset (x86) Offset (x64) Definition Versions
0x00 0x00
/*  bit flags, see below  */
6.0 and higher
0x04 0x08
union {
    EFI_FIRMWARE_INFORMATION EfiInformation;
    PCAT_FIRMWARE_INFORMATION PcatInformation;
} u;
6.0 and higher

The first of the bit flags selects from the union u according to the firmware type. Windows 10 adds more bit flags to support Isolated User Mode (IUM) and the security of memory that is saved during hibernation (and whose protection is thus dependent on firmware).

Mask Definition Versions
0x00000001
ULONG FirmwareTypeEfi : 1;
6.0 to some 10.0
ULONG FirmwareTypeUefi : 1;
some 10.0 and higher
0x00000002
ULONG EfiRuntimeUseIum : 1;
10.0 and higher
0x00000004 (10.0 to 1511)
ULONG EfiRuntimePageProtectionEnabled : 1;
10.0 to 1511
0x00000008 (10.0 to 1511);
0x00000004
ULONG EfiRuntimePageProtectionSupported : 1;
10.0 and higher
 
ULONG Reserved : 31;
6.0 to 6.3
ULONG Reserved : 28;
10.0 to 1511
ULONG Reserved : 29;
1607 and higher

Which build of Windows 10 is the one for which Microsoft renamed FirmwareTypeEfi to FirmwareTypeUefi is not known: after the ARC.H that Microsoft published for 1511 but before the type information from the 1803 symbol files.

The PCAT_FIRMWARE_INFORMATION structure has just the one member: a ULONG named PlaceHolder, which does look to be unused. The business of the  FIRMWARE_INFORMATION_LOADER_BLOCK has always been to provide EFI_FIRMWARE_INFORMATION. The latter is known only within the former. That the bit flag for distinguishing whether the former contines as PCAT_FIRMWARE_INFORMATION or as EFI_FIRMWARE_INFORMATION is now joined with EFI-specific flags is here taken as suggesting that the PCAT_FIRMWARE_INFORMATION is retained just as a formality. For the following layout of the EFI_FIRMWARE_INFORMATION, the offsets are from the start of the FIRMWARE_INFORMATION_LOADER_BLOCK.

Offset (x86) Offset (x64) Definition Versions
0x04 0x08
ULONG FirmwareVersion;
6.0 and higher
0x08 0x10
VIRTUAL_EFI_RUNTIME_SERVICES *VirtualEfiRuntimeServices;
6.0 and higher
0x0C 0x18
NTSTATUS SetVirtualAddressMapStatus;
6.0 and higher
0x10 0x1C
ULONG MissedMappingsCount;
6.0 and higher
0x14 0x20
LIST_ENTRY FirmwareResourceList;
6.2 and higher
0x1C 0x30
PVOID EfiMemoryMap;
6.3 and higher
0x20 0x38
ULONG EfiMemoryMapSize;
6.3 and higher
0x24 0x3C
ULONG EfiMemoryMapDescriptorSize;
6.3 and higher