Utility to interpret BCD.LOG and BOOTSTAT.DAT binary files (W7 Boot hangs)

I don't know about BOOTSTAT.DAT but BCD is a registry hive, same format as all the others. The BCD.LOG* files are the transaction journal(s) for the hive, for recovery purposes.

If you have a Windows machine you can mount the hive from regedit: click on HKEY_LOCAL_MACHINE, go to File->Load Hive and browse to the BCD file. The BCD that was used to boot Windows is normally already mounted as BCD00000000. There is some documentation out there on the format of Windows NT registry hive files.

For your dual booting project, hardware profiles may help with the different configurations for the native and virtual hardware. Try using one profile for each.


I've made a small Python utility to parse the BOOTSTAT.DAT file on Windows 10. There are also instructions for using it on the BOOTSTAT.DAT generated by Windows 7. The minimum version of Python that this script has been tested with is Python 3.6.

https://gitlab.com/rhave/bootstat.dat-efi-parser

The output can be either JSON or semi-CSV.

The program's main source of file format information is the Geoff Chappell site mentioned by Chris Smith previously in another answer.

Running it on Windows 10 files

The program can be run the following way:

python bootstat.dat-efi-parser.py json BOOTSTAT.DAT

where python is the Python interpreter installed on your system, bootstat.dat-efi-parser.py is a copy of the script from GitLab, json is the output type (can also be csv) and BOOTSTAT.DAT is the file you want analyzed.

The output from the above example usage would be similar to the following:

{
  "version": 4,
  "header_size": 24,
  "file_size": 65536,
  "valid_data_size": 208,
  "unknown_header_dword_0": 24,
  "unknown_header_dword_1": 0,
  "events": [
    {
      "event_name": "Log file initialised",
      "timestamp": 6176,
      "zero_field": 0,
      "source_guid": "2C86EA9DDD5C704EACC1F32B344D4795",
      "size_of_entry": 64,
      "severity_code": 1,
      "entry_version": 2,
      "event_identifier": 1,
      "event_time_struct": "2018-01-01 12:00:00",
      "event_zero_field_0": 0,
      "event_seven": 7,
      "event_one": 1,
      "event_zero_field_1": 0
    },
    {
      "event_name": "Boot application launch",
      "timestamp": 6177,
      "zero_field": 0,
      "source_guid": "2C86EA9DDD5C704EACC1F32B344D4795",
      "size_of_entry": 120,
      "severity_code": 1,
      "entry_version": 2,
      "event_identifier": 17,
      "event_app_guid": "80A054721015854EAC0FE7FB3D444736",
      "event_type_of_start": 0,
      "event_app_pathname": "\\windows\\system32\\winload.efi"
    }
  ]
}

Running it on Windows 7 files

On Windows 7 the BOOTSTAT.DAT file has an extra 2048-byte header. Cutting this away from the file makes the script able to parse the rest of the file. On Linux the dd command can be used to cut away the first 2048 bytes the following way:

dd if=bootstat.dat of=bootstat.dat.cut bs=1 skip=2048

Here bootstat.dat is the original Windows 7 file and the bootstat.dat.cut file is the file that should be given as the last argument to the Python script. A Windows equivalent to dd or a hex editor could be used to do the same cutting on Windows.
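As an added example (this is not the GitLab script and not part of the answer above), the following Python does the dd step portably and reads the 24-byte header, so the cut can be checked on Windows without a hex editor. It assumes the header is six little-endian uint32 fields in the order the JSON output above lists them (version, header_size, file_size, valid_data_size, two unknown dwords); that ordering is inferred from the sample output, not from documentation. The offset auto-detection (try 0, then 2048, accept whichever yields header_size == 24) is a heuristic introduced here, and the sample buffers are constructed from the values shown in the answer.

```python
"""Strip the Windows 7 2048-byte prefix from BOOTSTAT.DAT and sanity-check
the header before handing the file to a parser.

Added example, not the bootstat.dat-efi-parser project's code.
Assumption: header = six little-endian uint32 values in the order the
answer's JSON output shows them. Offset detection is a heuristic.
"""
import struct
import sys
from typing import NamedTuple

WIN7_PREFIX = 2048                          # extra prefix on Windows 7 files (from the answer)
HEADER_FMT = "<6I"                          # assumed layout: six little-endian uint32 fields
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 24, matching "header_size": 24 in the sample


class BootstatHeader(NamedTuple):
    version: int
    header_size: int
    file_size: int
    valid_data_size: int
    unknown_header_dword_0: int
    unknown_header_dword_1: int


def strip_prefix(data: bytes, skip: int = WIN7_PREFIX) -> bytes:
    """Portable equivalent of `dd bs=1 skip=2048`: drop the first `skip` bytes."""
    if len(data) < skip:
        raise ValueError(f"input is {len(data)} bytes, cannot skip {skip}")
    return data[skip:]


def parse_header(data: bytes) -> BootstatHeader:
    """Unpack the assumed 24-byte header and reject values that cannot be right."""
    if len(data) < HEADER_SIZE:
        raise ValueError("input shorter than the 24-byte header")
    hdr = BootstatHeader(*struct.unpack_from(HEADER_FMT, data, 0))
    if hdr.header_size != HEADER_SIZE:
        raise ValueError(f"header_size is {hdr.header_size}, expected {HEADER_SIZE}; "
                         "wrong offset or not a BOOTSTAT.DAT?")
    if hdr.valid_data_size < hdr.header_size or hdr.valid_data_size > hdr.file_size:
        raise ValueError("valid_data_size outside [header_size, file_size]")
    if hdr.valid_data_size > len(data):
        raise ValueError("valid_data_size exceeds the data actually present")
    return hdr


def detect_offset(data: bytes) -> int:
    """Heuristic (added here): return 0 or 2048 depending on which offset yields
    a header that passes parse_header; raise if neither does."""
    for offset in (0, WIN7_PREFIX):
        try:
            parse_header(data[offset:])
            return offset
        except ValueError:
            continue
    raise ValueError("no valid header found at offset 0 or 2048")


def build_sample() -> bytes:
    """Constructed Windows 10-style buffer using the header values from the answer's JSON."""
    header = struct.pack(HEADER_FMT, 4, HEADER_SIZE, 65536, 208, 24, 0)
    return header.ljust(65536, b"\x00")      # pad to the declared file_size


def build_win7_sample() -> bytes:
    """Constructed Windows 7-style buffer: 2048 bytes of filler before the same header."""
    return b"\xff" * WIN7_PREFIX + build_sample()


if __name__ == "__main__":
    # Usage: python cut_bootstat.py BOOTSTAT.DAT BOOTSTAT.DAT.cut
    with open(sys.argv[1], "rb") as f:
        raw = f.read()
    off = detect_offset(raw)
    cut = raw[off:]
    print(f"prefix detected: {off} bytes; header: {parse_header(cut)}")
    with open(sys.argv[2], "wb") as f:
        f.write(cut)
```

The output file is what you pass as the last argument to the script from the answer; if detection reports 0 bytes, the file was already in the Windows 10 layout and no cut was needed.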