0

My computer currently has two EFI bootNNNN entries for Windows:

Boot0004  Windows Boot Manager  HD(1,GPT,[redacted],0x800,0x1ff800)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d00000000120100000010000000040000007fff0400
Boot0009  Windows Boot Manager  HD(1,GPT,[redacted],0x800,0x1ff800)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)0000424f

As you can see, they are identical except for the "optional data" payload -- the hexadecimal string after each path. I am troubleshooting the boot process and would like to understand what each of these payloads means. The EFI spec only says that this data is passed verbatim to the program being booted (BOOTMGFW.EFI in this case), so I presume if this is documented anywhere it'll be in low-level Windows docs. I tried to look through MSDN but found only instructions for how to configure the boot loader, nothing about how that maps to what it writes to EFI variables.

The longer one of the payloads has one ASCII and one UTF-16 string embedded in it. Here's a partially decoded version:

WINDOWS\0
01 00 00 00
88 00 00 00
78 00 00 00
BCDOBJECT={9dea862c-5cdd-4e70-acc1-f32b344d4795}
00 00 00 12
01 00 00 00
10 00 00 00
04 00 00 00
7f ff 04 00

The last four bytes, 7f ff 04 00, are an EFI "end entire device path" marker, but the byte sequence in between the BCDOBJECT= string and that marker does not appear to be an EFI device path. (It's possible that the first two bytes of that sequence actually belong to the BCDOBJECT= string, being a U+0000 string terminator, but neither 00 00 nor 00 12 can be the beginning of a valid EFI device path.)

The GUID in the BCDOBJECT= string is not the GUID of the main Windows partition (i.e. the one that stores C:\WINDOWS).


The shorter "optional data" payload contains two ASCII characters, "BO" in that order, preceded by what I presume are two bytes of NUL padding.

zwol
  • 1,268

1 Answer

2

The larger structure is a BL_WINDOWS_LOAD_OPTIONS structure: [1]

WINDOWS\0      # Signature
01 00 00 00    # Version
88 00 00 00    # Structure size
78 00 00 00    # Offset to BL_FILE_PATH_DESCRIPTOR structure
BCDOBJECT={9dea862c-5cdd-4e70-acc1-f32b344d4795}    # Command line
00 00          # Null terminator
00 12          # Unknown, probably padding
               # BL_FILE_PATH_DESCRIPTOR structure
01 00 00 00    # Version
10 00 00 00    # BL_FILE_PATH_DESCRIPTOR structure size
04 00 00 00    # Path type (4=EFI path)
7f ff 04 00    # EFI path (END_DEVICE_PATH_TYPE/END_ENTIRE_DEVICE_PATH_SUBTYPE)

The BCDOBJECT GUID refers to a BCD boot entry, which can be listed using the following command: bcdedit /enum /v.

[1] https://github.com/reactos/reactos/blob/fd9666630eea1e1d8d482e9458654b193cb6b8b0/boot/environ/include/bl.h#L995

Tu Dinh
  • 405
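The layout given in the answer, written out as a parser. This is an added example, not part of the original answer and not ReactOS or Microsoft code. The function name, dictionary keys and constant names are assumptions of this example, and the `Boot0004` bytes are rebuilt from the decoded listing above.

```python
import re
import struct

# Boot0004 optional data, rebuilt from the decoded listing on this page.
BOOT0004 = (
    b"WINDOWS\0"
    + bytes.fromhex("01000000 88000000 78000000")
    + "BCDOBJECT={9dea862c-5cdd-4e70-acc1-f32b344d4795}".encode("utf-16-le")
    + bytes.fromhex("0000 0012")
    + bytes.fromhex("01000000 10000000 04000000 7fff0400")
)
BOOT0009 = bytes.fromhex("0000424f")  # the shorter payload from the question

HEADER = struct.Struct("<8sIII")   # signature, version, size, path offset
PATH_HDR = struct.Struct("<III")   # version, size, path type


def parse_load_options(data):
    """Decode a WINDOWS load-options blob; None if the signature is absent."""
    if len(data) < HEADER.size or data[:8] != b"WINDOWS\0":
        return None
    _, version, size, path_off = HEADER.unpack_from(data)
    # NVRAM contents are untrusted: validate every length before using it.
    if size > len(data) or not HEADER.size <= path_off <= size - PATH_HDR.size:
        raise ValueError("size/offset fields are inconsistent")
    p_version, p_size, p_type = PATH_HDR.unpack_from(data, path_off)
    if p_size < PATH_HDR.size or path_off + p_size > size:
        raise ValueError("path descriptor overruns the structure")
    # Command line: UTF-16LE code units up to the first U+0000.
    raw = data[HEADER.size:path_off]
    units = [raw[i:i + 2] for i in range(0, len(raw) - 1, 2)]
    if b"\0\0" in units:
        units = units[:units.index(b"\0\0")]
    cmdline = b"".join(units).decode("utf-16-le", errors="replace")
    guid = re.search(r"BCDOBJECT=(\{[0-9a-fA-F-]{36}\})", cmdline)
    return {
        "version": version,
        "size": size,
        "cmdline": cmdline,
        "bcd_object": guid.group(1) if guid else None,
        "path_version": p_version,
        "path_type": p_type,
        "path": data[path_off + PATH_HDR.size:path_off + p_size],
    }


if __name__ == "__main__":
    for name, blob in (("Boot0004", BOOT0004), ("Boot0009", BOOT0009)):
        print(name, parse_load_options(blob))
```

The `bcd_object` value is the GUID to look for in the output of `bcdedit /enum /v`.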