I've been reading up on the System Reserved Partition and understand that it holds all the boot-required items for a Windows PC to start. I am trying to understand how its interaction with the main OS partition works in a situation where BitLocker is used.

The way I understand it, the computer uses the partition to boot and then once a user successfully logs in the OS can start decrypting the main drive for use.

My confusion comes in when I consider the things that have to occur for Windows to function normally, such as event logging of login attempts.

In the event of a successful login, I would assume that they would be dropped in the appropriate event log after decryption, but in the case of a failed login, that file isn't available yet. For Windows to log it, the event record has to go somewhere permanent, and the only place I can think of is the System Reserved Partition because it is the only partition available that isn't encrypted at the time.

Is this the case? If so, I would like an answer that elaborates on where and how these events get stored on the partition. If not, I would like to know what actually happens.

1 Answer

The reserved partition has no involvement with logging. There is no need.

"The way I understand it, the computer uses the partition to boot and then once a user successfully logs in the OS can start decrypting the main drive for use."

BitLocker doesn't work that way, although there is some documentation that may imply that it does. It just isn't workable for multiple reasons, and there is a better way.

Data on the drive is encrypted and decrypted only as it is read or written. The data is decrypted as it is read from the disk and encrypted as it is written. This allows the data on the drive to remain encrypted at all times, prior to, during, and after bootup. Only a small part of the OS is involved with BitLocker with the rest having no knowledge of it at all. During bootup and login the OS has full read-write access to the drive as needed. Login failures are written by the event log software without difficulty or knowledge of BitLocker.
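
One way to check this on a live system, as an added example that is not part of the answer above: the script finds where the Security log is stored, reports the BitLocker state of that volume, and lists recent failed logons recorded there. Event ID 4625 and the cmdlets used are not mentioned on this page; the script assumes an elevated PowerShell session and that logon-failure auditing is enabled.

```powershell
# Added example (not from the original answer). Run elevated.
# Shows that failed-logon events sit in a log file on the BitLocker-protected
# OS volume, not on the unencrypted System Reserved Partition.

# 1. Resolve the on-disk path of the Security event log.
$logConfig = Get-WinEvent -ListLog Security
$logPath   = [Environment]::ExpandEnvironmentVariables($logConfig.LogFilePath)
$drive     = Split-Path -Qualifier $logPath        # e.g. "C:"

# 2. Report the BitLocker state of the volume holding that file.
$volume = Get-BitLockerVolume -MountPoint $drive
[pscustomobject]@{
    LogFile          = $logPath
    Volume           = $volume.MountPoint
    VolumeStatus     = $volume.VolumeStatus         # e.g. FullyEncrypted
    ProtectionStatus = $volume.ProtectionStatus     # On / Off
    EncryptedPercent = $volume.EncryptionPercentage
} | Format-List

# 3. List the most recent failed logons (Event ID 4625) from that log.
#    Assumption: "Audit Logon" failure auditing is enabled; otherwise the
#    query returns nothing.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                       -MaxEvents 5 -ErrorAction SilentlyContinue

if (-not $failed) {
    Write-Output 'No 4625 events found (failure auditing may be disabled).'
} else {
    foreach ($event in $failed) {
        # Read named fields from the event XML instead of relying on
        # positional property indexes.
        $data = ([xml]$event.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated = $event.TimeCreated
            TargetUser  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            LogonType   = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    }
}
```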
