bcdedit.exe

  • File Path: C:\windows\system32\bcdedit.exe
  • Description: Boot Configuration Data Editor

Hashes

Type Hash
MD5 D5F797FC4D5434EB677A09C143962231
SHA1 FF829D4F431715B27547E862A9D4D65764E5C35E
SHA256 85A43C95BC60213353BE0960CC2947B8F458B6470C683FE18F35E0469C47D2D1
SHA384 F7A33EE386436669C413EA476E125472EA67D92909B7F8F1A3BE37032496BC86925E648982F08E9E43A1111CD947EF6E
SHA512 188DBF3DD6EB171FF60634FEAC855D1DF1801230BF96C06D39BFE1196AADA4385F9BA4BDC48FDBBD8A31E7C8A60F5A6F9999E91E95199B33001CC76C858AAC80
SSDEEP 3072:322q+HRw3etMbIFb9qYRDsxc8XDwHLFIEf9Ox2tV0uRhdNV/ysXo3HD62xKe1P/z:3K3etM8FbvDsxlz+5l0m

Signature

  • Status: The file C:\windows\system32\bcdedit.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: bcdedit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of bcdedit.exe being misused. While bcdedit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_bootconf_mod.yml description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. DRL 1.0
sigma proc_creation_win_bootconf_mod.yml Image\|endswith: \bcdedit.exe DRL 1.0
sigma proc_creation_win_malware_wannacry.yml - 'bcdedit' DRL 1.0
sigma proc_creation_win_susp_bcdedit.yml description: Detects, possibly, malicious unauthorized usage of bcdedit.exe DRL 1.0
sigma proc_creation_win_susp_bcdedit.yml - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set DRL 1.0
sigma proc_creation_win_susp_bcdedit.yml Image\|endswith: '\bcdedit.exe' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \bcdedit.exe DRL 1.0
atomic-red-team T1490.md * bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1490.md bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures MIT License. © 2018 Red Canary
atomic-red-team T1490.md bcdedit.exe /set {default} recoveryenabled no MIT License. © 2018 Red Canary
atomic-red-team T1490.md bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1490.md bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1 MIT License. © 2018 Red Canary
signature-base apt_olympic_destroyer.yar $x1 = “/set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no” fullword wide CC BY-NC 4.0
signature-base apt_turbo_campaign.yar $sc_1 = “bcdedit -set testsigning” wide ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


bcdedit

Boot Configuration Data (BCD) files provide a store that is used to describe boot applications and boot application settings. The objects and elements in the store effectively replace Boot.ini.

BCDEdit is a command-line tool for managing BCD stores. It can be used for a variety of purposes, including creating new stores, modifying existing stores, adding boot menu parameters, and so on. BCDEdit serves essentially the same purpose as Bootcfg.exe on earlier versions of Windows, but with two major improvements:

  • Exposes a wider range of boot parameters than Bootcfg.exe.

  • Has improved scripting support.

[!NOTE] Administrative privileges are required to use BCDEdit to modify BCD.

BCDEdit is the primary tool for editing the boot configuration of Windows Vista and later versions of Windows. It is included with the Windows Vista distribution in the %WINDIR%\System32 folder.

BCDEdit is limited to the standard data types and is designed primarily to perform single common changes to BCD. For more complex operations or nonstandard data types, consider using the BCD Windows Management Instrumentation (WMI) application programming interface (API) to create more powerful and flexible custom tools.

Syntax

bcdedit /command [<argument1>] [<argument2>] ...

Parameters

General BCDEdit Command-Line Options

Option Description
/? Displays a list of BCDEdit commands. Running this command without an argument displays a summary of the available commands. To display detailed help for a particular command, run bcdedit /? <command>, where <command> is the name of the command you are searching for more information about. For example, bcdedit /? createstore displays detailed help for the Createstore command.
Parameters that Operate on a Store
Option Description
/createstore Creates a new empty boot configuration data store. The created store is not a system store.
/export Exports the contents of the system store into a file. This file can be used later to restore the state of the system store. This command is valid only for the system store.
/import Restores the state of the system store by using a backup data file previously generated by using the /export option. This command deletes any existing entries in the system store before the import takes place. This command is valid only for the system store.
/store This option can be used with most BCDedit commands to specify the store to be used. If this option is not specified, then BCDEdit operates on the system store. Running the bcdedit /store command by itself is equivalent to running the bcdedit /enum active command.
Parameters that Operate on Entries in a Store
Parameter Description
/copy Makes a copy of a specified boot entry in the same system store.
/create Creates a new entry in the boot configuration data store. If a well-known identifier is specified, then the /application, /inherit, and /device parameters cannot be specified. If an identifier is not specified or not well known, an /application, /inherit, or /device option must be specified.
/delete Deletes an element from a specified entry.
Parameters that Operate on Entry Options
Parameter Description
/deletevalue Deletes a specified element from a boot entry.
/set Sets an entry option value.
Parameters that Control Output
Parameter Description
/enum Lists entries in a store. The /enum option is the default value for BCEdit, so running the bcdedit command without parameters is equivalent to running the bcdedit /enum active command.
/v Verbose mode. Usually, any well-known entry identifiers are represented by their friendly shorthand form. Specifying /v as a command-line option displays all identifiers in full. Running the bcdedit /v command by itself is equivalent to running the bcdedit /enum active /v command.
Parameters that Control the Boot Manager
Parameter Description
/bootsequence Specifies a one-time display order to be used for the next boot. This command is similar to the /displayorder option, except that it is used only the next time the computer starts. Afterwards, the computer reverts to the original display order.
/default Specifies the default entry that the boot manager selects when the timeout expires.
/displayorder Specifies the display order that the boot manager uses when displaying boot parameters to a user.
/timeout Specifies the time to wait, in seconds, before the boot manager selects the default entry.
/toolsdisplayorder Specifies the display order for the boot manager to use when displaying the Tools menu.
Parameters that Control Emergency Management Services
Parameter Description
/bootems Enables or disables Emergency Management Services (EMS) for the specified entry.
/ems Enables or disables EMS for the specified operating system boot entry.
/emssettings Sets the global EMS settings for the computer. /emssettings does not enable or disable EMS for any particular boot entry.
Parameters that Control Debugging
Parameter Description
/bootdebug Enables or disables the boot debugger for a specified boot entry. Although this command works for any boot entry, it is effective only for boot applications.
/dbgsettings Specifies or displays the global debugger settings for the system. This command does not enable or disable the kernel debugger; use the /debug option for that purpose. To set an individual global debugger setting, use the bcdedit /set <dbgsettings> <type> <value> command.
/debug Enables or disables the kernel debugger for a specified boot entry.

Additional References

For examples of how to use BCDEdit, see the BCDEdit Options Reference article.

To see the notation used to indicate command-line syntax, see Command-Line Syntax Key.


MIT License. Copyright (c) 2020-2021 Strontic.