4.6 Changing Data Execution Prevention and physical address extension options
Data Execution Prevention (DEP) is a memory-protection technology. With DEP enabled, the computer’s processor marks all memory locations in an application as nonexecutable unless the location explicitly contains executable code. If code is executed from a memory page marked as nonexecutable, the processor can raise an exception and prevent the code from executing. This behavior prevents malicious application code, such as virus code, from inserting itself into most areas of memory.
For computers with processors that support the nonexecute page protection (NX) feature, you can configure the operating system to opt in to NX protection by setting the nx parameter to OptIn or opt out of NX protection by setting the nx parameter to OptOut. Here is an example:
bcdedit /set {current} nx optout
When you configure NX protection to OptIn, DEP is turned on only for essential Windows programs and services. This is the default. When you configure NX protection to OptOut, all programs and services—not just standard Windows programs and services—use DEP. Programs that shouldn’t use DEP must be specifically opted out. You can also configure NX protection to be always on or always off using AlwaysOn or AlwaysOff, such as:
bcdedit /set {current} nx alwayson
Processors that support and opt in to NX protection must be running in PAE mode. You can configure PAE by setting the PAE parameter to Default, ForceEnable, or ForceDisable. When you set paeState to Default, the operating system will use the default configuration for PAE. When you set paeState to ForceEnable, the operating system will use PAE. When you set paeState to ForceDisable, the operating system will not use PAE. You can set DebugOptionEnabled to true or false. Here is an example:
bcdedit /set {current} pae default
4.7 Changing the operating system display order
You can change the display order of boot managers associated with a particular Windows Vista, Windows Server 2008, or later operating system using the /Displayorder command. The syntax is
bcdedit /displayorder id1 id2 ... idn
Here id1 is the operating system identifier of the first operating system in the display order, id2 is the identifier of the second, and so on. Thus, you could change the display order of the operating systems identified in these BCD entries:
Windows Boot Loader
-------------------
identifier {5824ba7f-acee-11e1-ba52-cfa3fef36259}
Windows Boot Loader
-------------------
identifier {16b857b4-9e02-11e0-9c17-b7d085eb0682}
You can do this by using the following command:
bcdedit /displayorder {16b857b4-9e02-11e0-9c17-b7d085eb0682}
{5824ba7f-acee-11e1-ba52-cfa3fef36259}
You can set a particular operating system as the first entry using /addfirst with /displayorder, such as:
bcdedit /displayorder {5824ba7f-acee-11e1-ba52-cfa3fef36259} /addfirst
You can set a particular operating system as the last entry using /addlast with /displayorder, such as:
bcdedit /displayorder {5824ba7f-acee-11e1-ba52-cfa3fef36259} /addlast
4.8 Changing the default operating system entry
You can change the default operating system entry using the /Default command. The syntax for this command is
bcdedit /default id
Here id is the operating system ID in the boot loader entry. Thus, you could set the operating system identified in this BCD entry as the default:
Windows Boot Loader
-------------------
identifier {5824ba7f-acee-11e1-ba52-cfa3fef36259}
You can do this using the following command:
bcdedit /default {5824ba7f-acee-11e1-ba52-cfa3fef36259}
If you want to use a pre–Windows Server 2008 operating system as the default, you’d use the identifier for the Windows Legacy OS Loader. The related BCD entry looks like this:
Windows Legacy OS Loader
------------------------
identifier {466f5a88-0af2-4f76-9038-095b170dc21c}
device partition=C:
path \ntldr
description Earlier Microsoft Windows Operating System
Following this, you could set Ntldr as the default by entering the following:
bcdedit /default {466f5a88-0af2-4f76-9038-095b170dc21c}
4.9 Changing the default timeout
You can change the timeout value associated with the default operating system using the /timeout command. Set the /timeout command to the desired wait time in seconds, such as:
bcdedit /timeout 30
To boot automatically to the default operating system, set the timeout to zero seconds.
4.10 Changing the boot sequence temporarily
Occasionally, you might want to boot to a particular operating system one time and then revert to the default boot order. To do this, you can use the /bootsequence command. Follow the command with the identifier of the operating system to which you want to boot after restarting the computer, such as:
bcdedit /bootsequence {14504de-e96b-11cd-a51b-89ace9305d5e}
When you restart the computer, the computer will set the specified operating system as the default for that restart only. Then, when you restart the computer again, the computer will use the original default boot order.
