The BCD Store

The Boot Configuration Data (BCD) Store contains all boot menu options and settings for Windows Vista (and later) operating systems. The BCD store is in a binary format and cannot be edited with a text editor - it can however be edited with the command-line BCDEdit tool (included with Windows Vista, Windows 2008, Windows 7, Windows 2012, Windows 8, Windows 8.1 and Windows 10).

A BCD store includes multiple entries - allowing for multiboot operating system setups. Even a basic setup with one Windows Operating System will have more than one entry, though they might not all be visible to the end user during the boot process. Entries in a BCD store (e.g. boot menu options) are classed as objects. Each object in the store will have its own globally unique identifier (GUID) value. All GUID values use the format {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} - where x is a hexadecimal digit. These values all contain 38 characters (including the braces ({ and }) and dashes (-)).

Each object in a BCD store will contain elements, which in turn contain data. See here for an example from a (BIOS) system with Windows 7 installed - this is displayed as bcdedit output. The following is one of the objects within this same BCD store (the operating system entry) -

In this case the object has a guid of {4c1174e2-f3bc-11e4-b7bb-c026b235ee25} - the identifier. Each of the other entries are elements within the object -

Entries within a BCD store are far more complex than the bcdedit output might indicate. As an example the data in the device element within the object above is displayed as partition=C:. The entry within the BCD store itself includes information about the disk signature and partition offset. The following REG_BINARY value illustrates this - the blue data is the partition offset (in bytes) and the red data is the disk signature -

00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,06,00,00,00,00,00,00,00,48,00,00,00,00,00,00,00,00,00,50,06,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,6f,8f,63,c3,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

BCD stores use the same format as Windows registry hives and can be mounted using regedit. When a BCD store is loaded as a registry hive we can see that each Object (identifiable by its GUID value) has its own Description and Elements subkeys. The Elements key contains further subkeys relating to different datatypes - e.g. the 12000004 subkey contains the Description for the object (the text that will appear in the boot menu).