Unsolved

9 Legend

15.5K Posts

April 9th, 2026 22:15

where is secure boot db (database) stored

The Windows 10 installer writes to the UEFI NVRAM (Non-Volatile RAM) by invoking UEFI runtime services during the final stages of installation. Specifically, it uses bcdboot.exe to update boot entries, creating a new Boot#### variable to point to the \EFI\Microsoft\Boot\Bootmgfw.efi loader. 
How Windows Writes to NVRAM:

EFI Variable Services: The installer calls standard UEFI firmware services (SetVariable) while in specialized Windows setup mode to modify NVRAM, which includes adding "Windows Boot Manager" to the boot order and creating entries in the db (Signature Database) for secure boot.

BCD Boot Tool: The bcdboot.exe utility is primarily responsible for writing the configuration data into the NVRAM, creating or updating BootOrder and BootNext.

Secure Boot Keys: During initialization or updates, Windows can update Secure Boot keys (PK, KEK, DB) by writing to the respective firmware NVRAM variables.

I was confused about this because I thought the system partition on the boot drive has the db file. There is also a Windows copy in C:\Windows\EFI.

9 Legend

15.5K Posts

April 9th, 2026 22:17

It makes sense: after a Windows 10 install you begin to see Windows Boot Manager appear in a BIOS that was previously reset to factory default.

And sometimes, if you remove the boot drive SSD and install a new one, the PC still thinks it needs to boot from the old Windows Boot Manager from the ghost SSD that is not there any more.

9 Legend

15.5K Posts

April 9th, 2026 23:01

When I reset 4 keys in a Dell BIOS > Secure Boot > Custom Mode, I cannot boot into Windows 11 on the SSD any more. It said the boot loader failed the Secure Boot signature check. Makes sense? I had to do a clean install of Win 11 on the SSD again to inject trust in the BIOS db again. Proves the point. So this kind of write to BIOS is like editing NVRAM, but not as drastic as flashing the ROM, which erases every bit and rewrites it (as in a BIOS update). There is also the Intel ME update in flash, but the Windows 10 installer does not mess around with it.

(edited)

9 Legend

15.5K Posts

April 11th, 2026 01:49

Further proof. After I added the 2023 Windows UEFI key, I did a clean install of Win 11 on the SSD, which wiped it, but it still shows the 2023 certificate present, proving the cert is stored in the db of NVRAM.
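An added example, not part of the thread: the Secure Boot db variable discussed above is a sequence of EFI_SIGNATURE_LIST structures, and this Python parser lists the entries (type, owner GUID, payload) so you can check which certificates or hashes a firmware dump actually contains. The sample blob, the owner GUID and the `build_list` helper are constructed for illustration; real bytes would come from something like `Get-SecureBootUEFI -Name db` on Windows or the efivarfs `db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` file on Linux (skip its 4-byte attribute prefix first).

```python
import struct
import uuid

# Signature types defined by the UEFI specification.
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "X509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "SHA256",
}
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(blob):
    """Return [(type, owner_guid, data)] for every entry in a db/dbx/KEK blob."""
    entries, offset = [], 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, offset)
        body = offset + HEADER.size + hdr_size
        end = offset + list_size
        if list_size < HEADER.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent sizes at offset %d" % offset)
        if (end - body) % sig_size:
            raise ValueError("list body is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=raw_type)  # GUIDs are stored mixed-endian
        name = SIG_TYPES.get(sig_type, str(sig_type))
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((name, str(owner), blob[pos + 16:pos + sig_size]))
        offset = end
    return entries


def build_list(sig_type, owner, datas):
    """Build one constructed EFI_SIGNATURE_LIST (all entries the same size)."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0, sig_size) + body


# Constructed sample: placeholder bytes, not a real certificate or hash.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # hypothetical owner
X509, SHA256 = list(SIG_TYPES)
SAMPLE_DB = (build_list(X509, OWNER, [b"\x30\x82" + b"\x00" * 30])
             + build_list(SHA256, OWNER, [b"\xaa" * 32, b"\xbb" * 32]))

if __name__ == "__main__":
    for kind, owner, data in parse_signature_lists(SAMPLE_DB):
        print(kind, owner, len(data), "bytes")
```
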
