In a word: permissions.
To elaborate…
Location
The BCD is stored on the boot drive (usually a ~100MB NTFS volume). It is hidden by default, but you can assign a drive-letter to it with the Disk Management MMC snap-in (diskmgmt.msc
). Then you can look in the Boot
directory and see the file BCD
which is a regular registry-hive–format file that contains the boot configuration data.
Rationale
Obviously boot data is very sensitive and is the first line of failure. Messing up system files can be fixed with relative ease, but that requires something to run to do the repairs. If the boot files are messed up, then nothing will run, and it’s lights out. (Well it’s still fixable, but not automatically; it will require purposeful, manual intervention like using a boot- or install-disc.)
Since boot data is critical, Windows doesn’t make it easy to mess around in there. Using the registry editor to directly edit the boot data would make it possible to set invalid or conflicting values, add invalid or illegal entires, remove mandatory entries, etc. Limiting the modification of the BCD to bcdedit
allows it restrict the changes to valid values which helps to limit the damage that can be done (it doesn’t completely eliminate problems; you can still kill a system, but at least it cuts out a big chunk of possible problems).
Method
If you examine the permissions of the BCD00000000
branch, you’ll see that it has Full Control
set for the SYSTEM account, but the administrators group has Special
permissions which is just Read-Only
plus WriteDac
which grants the ability to set permissions. (You may need to click the [Advanced]
button because the basic dialog indicates that SYSTEM has Special
access as well, but the Advanced Security Settings dialog shows it correctly set to Full Control
.)
When you run Regedit (which requires elevated privileges), it runs under the context of your user-account and gets the administrator-group permissions, thus you cannot write to it. When you use the bcdedit
command, it runs under the SYSTEM account context which has write permissions. If you enable the User Name column in the Task Manager, you can see that Regedit is run by your user account and bcdedit
is run by SYSTEM.
Work-arounds
It is inadvisable to directly edit the BCD with Regedit and rarely necessary, but if you really must, then one way is to grant yourself write access to the BCD00000000
branch. Of course that is not recommended because you need to remember to revoke the permission later. An easier way is to simply run Regedit under the SYSTEM context.
1Oh man, I typed this up last night, but just before I clicked
[Post]
, SNL started and I got distracted. I almost shutdown for bed before clicking posting. ಠ_ಠ – Synetech – 2013-10-06T06:00:56.730