Edit Boot Options in Windows Vista

A machine on which Windows Vista is installed may present a Windows Boot Manager menu in text mode at startup to offer a choice of operating systems or of configurations in which to start an operating system. When the current selection in this menu corresponds to an installation of Windows Vista, the menu advises that the F8 key may be pressed to “specify an advanced option for this choice”. Doing so calls up an Advanced Boot Options menu. There is also an Edit Boot Options menu, reachable by pressing F10, but Microsoft scarcely documents it.

The Edit Boot Options menu can also be made to persist for an operating system. Set the BCD element optionsedit to true in the corresponding osloader application object. Once done, whenever this object is selected from the Windows Boot Manager menu, the WINLOAD.EXE that runs for the selected operating system starts by presenting the Edit Boot Options menu.

It seems safe to say that Microsoft offers no formal documentation of the Edit Boot Options menu. For instance, a search of microsoft.com for pages containing both “edit boot options” and “F10” produces no matches (today, 25th May 2007). But neither is this new feature buried in the binary code: its existence is shown in more or less plain text, in the HTML resources embedded in the BOOTMGR and WINLOAD.EXE files.

Though users ordinarily interact with boot options as Boot Configuration Data (BCD) to be manipulated with the BCDEDIT.EXE tool, the Edit Boot Options menu works with boot options in the style of the old BOOT.INI switches, with additions for Windows Vista. BCD elements are understood only by boot applications such as BOOTMGR and WINLOAD, not by the kernel, which continues to work with command-line switches as if from a BOOT.INI file.

The Edit Boot Options menu indicates the selected boot entry by showing its friendly name (from the description element), the path to its loader (from the path element), and some identifiers for the boot device. Beneath this is an area in which options for the selected boot entry are reported and can be edited.

Reported Options

What the Edit Boot Options menu shows for the options is the string of simulated BOOT.INI switches that the loader will eventually convert to upper case and pass to the kernel. In many cases, one BCD element with one value translates to one simulated BOOT.INI switch. In some cases, translation of a BCD element depends on its combination with other BCD elements. Some of the translated boot options are not described by any bcdedit /? command and are highlighted yellow as this site’s usual indication of being undocumented.

| BCD Element | Value | Additional Conditions | Representation in Edit Boot Options Menu |
| --- | --- | --- | --- |
| baudrate | num | debug is true and debugtype is Serial (0) | /BAUDRATE=num |
| bootdebug | true | | /BOOTDEBUG |
| bootlog | true | | /BOOTLOG |
| channel | num | debug is true and debugtype is 1394 (1) | /CHANNEL=num |
| clustermodeaddressing | num | | /MAXPROCSPERCLUSTER=num |
| configaccesspolicy | DisallowMmConfig (1) | | /CONFIGACCESSPOLICY=DISALLOWMMCONFIG |
| | anything else | | /CONFIGACCESSPOLICY=DEFAULT |
| configflags | num | | /CONFIGFLAG=num |
| debug | false | | /NODEBUG |
| | true | debugstart is AutoEnable (1) and noumex is true | /DEBUG=AUTOENABLE,NOUMEX |
| | | debugstart is AutoEnable (1) | /DEBUG=AUTOENABLE |
| | | debugstart is Disable (2) and noumex is true | /DEBUG=DISABLE,NOUMEX |
| | | debugstart is Disable (2) | /DEBUG=DISABLE |
| | | noumex is true | /DEBUG=NOUMEX |
| | | otherwise | /DEBUG |
| debugport | num | debug is true and debugtype is Serial (0) | /DEBUGPORT=COMnum |
| debugtype | 1394 (1) | debug is true | /DEBUGPORT=1394 |
| | USB (2) | debug is true | /DEBUGPORT=USB |
| detecthal | true | | /DETECTHAL |
| ems | true | | /REDIRECT |
| exportascd | true | | /RDEXPORTASCD |
| firstmegabytepolicy | UseAll (1) | | /FIRSTMEGABYTEPOLICY=USEALL |
| | UsePrivate (2) | | /FIRSTMEGABYTEPOLICY=USEPRIVATE |
| | anything else | | /FIRSTMEGABYTEPOLICY=USENONE |
| hal | str | | /HAL=str |
| halbreakpoint | true | | /BREAK |
| increaseuserva | num | | /USERVA=num |
| kernel | str | | /KERNEL=str |
| keyringaddress | num | | /FVEBOOT=num |
| loadoptions | options | | options |
| maxproc | true | | /MAXPROC |
| msi | ForceDisable (1) | | /MSIPOLICY=FORCEDISABLE |
| | anything else | | /MSIPOLICY=DEFAULT |
| nointegritychecks | true | | /DISABLE_INTEGRITY_CHECKS |
| nolowmem | true | | /NOLOWMEM |
| novesa | true | | /NOVESA |
| numproc | num | | /NUMPROC=num |
| nx | OptIn (0) | | /NOEXECUTE=OPTIN |
| | OptOut (1) | | /NOEXECUTE=OPTOUT |
| | AlwaysOff (2) | | /EXECUTE /NOEXECUTE=ALWAYSOFF |
| | AlwaysOn (3) | | /NOEXECUTE=ALWAYSON |
| onecpu | true | | /ONECPU |
| oslnointegritychecks | true | | /DISABLE_INTEGRITY_CHECKS |
| osltestsigning | true | | /TESTSIGNING |
| pae | ForceEnable (1) | | /PAE |
| | ForceDisable (2) | | /NOPAE |
| pciexpress | ForceDisable (1) | | /PCIEXPRESSPOLICY=FORCEDISABLE |
| | anything else | | /PCIEXPRESSPOLICY=DEFAULT |
| perfmem | num | | /PERFMEM=num |
| quietboot | true | | /NOGUIBOOT /BOOTLOGO |
| removememory | num | | /BURNMEMORY=num |
| restrictapiccluster | num | | /MAXAPICCLUSTER=num |
| safeboot | Minimal (0) | safebootalternateshell is true | /SAFEBOOT:MINIMAL(ALTERNATESHELL) |
| | | otherwise | /SAFEBOOT:MINIMAL |
| | Network (1) | | /SAFEBOOT:NETWORK |
| | DsRepair (2) | | /SAFEBOOT:DSREPAIR |
| sos | true | | /SOS |
| targetname | str | debug is true and debugtype is USB (2) | /TARGETNAME=str |
| testsigning | true | | /TESTSIGNING |
| truncatememory | num | | /MAXMEM=num |
| usefirmwarepcisettings | true | | /PCILOCK |
| usephysicaldestination | true | | /USEPHYSICALAPIC |
| vga | true | | /BASEVIDEO |
| winpe | true | | /MININT |

For all BCD elements that hold a boolean value, any non-zero value is interpreted as true. The integer value for firstmegabytepolicy, debugtype, configaccesspolicy and safeboot is interpreted modulo 32 bits. For debugtype, any value other than 0, 1 or 2 is an error.
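
The conditional rows for debug, together with the non-zero and modulo rules just stated, are easier to follow when executed. The following is an added example, not code from this page or from WINLOAD: it models the debug, testsigning, nointegritychecks and nx rows only, and lists the resulting switches that a configuration review would want explained. The function names, the order of switches in the output and the choice of switches to review are assumptions of the example.

```python
# Added example, not WINLOAD's code: models part of the Reported Options table.
# Assumptions: the order of switches in the output, and that an nx value
# outside 0-3 or a missing debugtype produces nothing.
NX = {0: "/NOEXECUTE=OPTIN", 1: "/NOEXECUTE=OPTOUT",
      2: "/EXECUTE /NOEXECUTE=ALWAYSOFF", 3: "/NOEXECUTE=ALWAYSON"}
FLAGS = {"testsigning": "/TESTSIGNING",
         "nointegritychecks": "/DISABLE_INTEGRITY_CHECKS"}
# This example's own choice of switches to surface in a configuration review.
REVIEW = {"/DEBUG", "/TESTSIGNING", "/DISABLE_INTEGRITY_CHECKS", "/EXECUTE"}

def truthy(e, name):
    return bool(e.get(name, 0))  # any non-zero boolean value is true

def debug_switches(e):
    dtype = e["debugtype"] % 2**32 if "debugtype" in e else None
    if dtype is not None and dtype > 2:
        raise ValueError("debugtype other than 0, 1 or 2 is an error")
    if "debug" not in e:
        return []
    if not truthy(e, "debug"):
        return ["/NODEBUG"]
    mods = [{1: "AUTOENABLE", 2: "DISABLE"}.get(e.get("debugstart")),
            "NOUMEX" if truthy(e, "noumex") else None]
    mods = [m for m in mods if m]
    out = ["/DEBUG=" + ",".join(mods) if mods else "/DEBUG"]
    # Transport switches appear only with debug true and a matching debugtype.
    if dtype == 0:
        if "debugport" in e:
            out.append(f"/DEBUGPORT=COM{e['debugport']}")
        if "baudrate" in e:
            out.append(f"/BAUDRATE={e['baudrate']}")
    elif dtype is not None:
        out.append("/DEBUGPORT=" + ("1394" if dtype == 1 else "USB"))
    return out

def reported_switches(e):
    out = debug_switches(e)
    out += [sw for name, sw in FLAGS.items() if truthy(e, name)]
    if e.get("nx") in NX:
        out.append(NX[e["nx"]])
    return " ".join(out)

def needs_review(e):
    return [s for s in reported_switches(e).split()
            if s.split("=")[0] in REVIEW]

# Constructed sample: elements as they might be read from one osloader object.
SAMPLE = {"debug": 1, "debugstart": 1, "noumex": 1, "debugtype": 0,
          "debugport": 1, "baudrate": 115200, "testsigning": 5, "nx": 2}
```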

The options string may also contain switches to describe a RAM disk, but their derivation is not so easily described and is presently beyond the scope of this article. The affected switches are:

Not all BCD elements are translated. Many don’t need to be, since they matter only to boot applications. Some that are translated, such as pae, do not matter to the kernel (or to any known HAL).

The Edit Boot Options menu shows the options as WINLOAD holds them in memory. Although they are loaded from the BCD store, they may already have been changed. Most notably, any nointegritychecks or oslnointegritychecks option in the BCD store will already have been removed from consideration, and every occurrence of DISABLE_INTEGRITY_CHECKS in the value of the loadoptions option is overwritten by spaces unless it has something other than a space or forward slash immediately before or after. This is surely for the protection of users, who might otherwise get integrity checks disabled for session after session without ever realising, but the thoroughness of this defence means that /DISABLE_INTEGRITY_CHECKS never can appear in the Edit Boot Options menu except by being edited in, as discussed below.

Editable Options

The active options, presented as simulated BOOT.INI switches, may be removed or added to. Note however that some options may have been acted on already, so that an option that is changed through the Edit Boot Options menu need not work exactly as if it had been determined from the BCD store. Indeed, it need not work at all. For example, WINLOAD decides very early whether to enable the Physical Address Extension (PAE) feature and have 64-bit page table entries, and sticks with its decision regardless of any /PAE or /NOPAE that is added or removed at the menu.

Some of the BOOT.INI options in the edited string are translated back to BCD options for WINLOAD. Mostly, one BOOT.INI option translates to one BCD option, but a few are more complex. The whole string is set as the updated value of loadoptions. Some, perhaps even many, details remain to be worked out.

| Edited Option | BCD Elements | Value |
| --- | --- | --- |
| 3GB | increaseuserva | num from USERVA=num; else 3072 |
| BAUDRATE=num | baudrate | num |
| BOOTDEBUG | bootdebug | true |
| CHANNEL=num | channel | num |
| CMDCONS | bpbstring | cmdcons |
| CONFIGACCESSPOLICY=DEFAULT | configaccesspolicy | Default (0) |
| CONFIGACCESSPOLICY=DISALLOWMMCONFIG | configaccesspolicy | DisallowMmConfig (1) |
| DEBUG | debug | true |
| DEBUGPORT=COMn | debugtype | Serial (0) |
| | debugport | n |
| DEBUGPORT=1394 | debugtype | 1394 (1) |
| DEBUGPORT=USB | debugtype | USB (2) |
| DETECTHAL | detecthal | true |
| DISABLE_INTEGRITY_CHECKS | nointegritychecks | true |
| EXECUTE | nx | AlwaysOff (2) |
| HAL=str | hal | str |
| KERNEL=str | kernel | str |
| MAXMEM=num | truncatememory | num |
| MSIPOLICY=DEFAULT | msi | Default (0) |
| MSIPOLICY=FORCEDISABLE | msi | ForceDisable (1) |
| NODEBUG | debug | false |
| NOEXECUTE=ALWAYSOFF | nx | AlwaysOff (2) |
| NOEXECUTE=ALWAYSON | nx | AlwaysOn (3) |
| NOEXECUTE=OPTIN | nx | OptIn (0) |
| NOEXECUTE=OPTOUT | nx | OptOut (1) |
| NOEXECUTE | nx | OptIn (0) |
| NOPAE | pae | ForceDisable (2) |
| PAE | pae | ForceEnable (1) |
| PCIEXPRESSPOLICY=DEFAULT | pciexpress | Default (0) |
| PCIEXPRESSPOLICY=FORCEDISABLE | pciexpress | ForceDisable (1) |
| REDIRECT=COMn | emsport | n |
| | bootems | true |
| | ems | true |
| REDIRECTBAUDRATE=num | emsbaudrate | num |
| ROLLBACK | bpbstring | undo |
| TARGETNAME=str | targetname | str |
| TESTSIGNING | testsigning | true |
| TIMEOUT=num | timeout | num |

Text is case-insensitive. An option is considered present at its first occurrence only. Also, an option need not be preceded by a forward slash or even by white space.

In each of the following sets, only one member is accepted, in decreasing order of precedence:

The n placeholder (only in the DEBUGPORT and REDIRECT options) stands specifically for 1, 2, 3 or 4. The num placeholder stands for an uninterrupted sequence of decimal digits. An empty num is permitted, and evaluates as zero. In the MAXMEM option, num is rejected if it is not less than 2 to the power of 44. The str placeholder stands for any number of characters up to but not including the first space.

Where an equals sign is shown for the BAUDRATE option, any single character is in fact acceptable. Behaviour is undefined if BAUDRATE ends the input. Where an equals sign is shown for the DEBUGPORT options, any one or more characters are in fact acceptable. Behaviour is undefined if DEBUGPORT ends the input. The equals sign is required for the REDIRECT option, but it may be followed by any number, including zero, of characters before the first occurrence of COMn. If there is no such occurrence, the bootems and ems elements are added without emsport.
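
The placeholder rules above can be exercised with a small parser. The following is an added example, not code from this page or from WINLOAD: it covers only MAXMEM, TIMEOUT, CHANNEL, KERNEL, HAL, TARGETNAME and REDIRECT, whose names do not overlap with other options in the table. The function name parse_edited is hypothetical, and it is an assumption that a rejected MAXMEM value simply leaves truncatememory unset.

```python
import re

# Added example, not WINLOAD's code: applies the placeholder rules to a few
# options from the table. Assumption: a rejected MAXMEM is simply ignored.
NUM_OPTS = {"MAXMEM": "truncatememory", "TIMEOUT": "timeout",
            "CHANNEL": "channel"}
STR_OPTS = {"KERNEL": "kernel", "HAL": "hal", "TARGETNAME": "targetname"}
CASELESS = re.IGNORECASE | re.ASCII          # text is case-insensitive

def parse_edited(text):
    """Return the BCD elements this model derives from an edited string."""
    elements = {"loadoptions": text}         # whole string becomes loadoptions
    for name, element in NUM_OPTS.items():
        # re.search finds the first occurrence; no '/' or space need precede it.
        m = re.search(name + "=([0-9]*)", text, CASELESS)
        if m is None:
            continue
        value = int(m.group(1) or "0")       # an empty num evaluates as zero
        if name == "MAXMEM" and value >= 2**44:
            continue                         # not less than 2 to the power of 44
        elements[element] = value
    for name, element in STR_OPTS.items():
        m = re.search(name + "=([^ ]*)", text, CASELESS)
        if m:
            elements[element] = m.group(1)   # up to the first space
    m = re.search("REDIRECT=(.*)", text, CASELESS | re.DOTALL)
    if m:
        elements["bootems"] = elements["ems"] = True
        com = re.search("COM([1-4])", m.group(1), CASELESS)
        if com:                              # otherwise no emsport is added
            elements["emsport"] = int(com.group(1))
    return elements

# Constructed input: mixed case, a missing slash, an empty num.
SAMPLE = "/noexecute=optin kernel=ntkrnlmp.exe MaxMem= /redirect=usecom2"
```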