Geoff Chappell - Software Analyst
The kernel option specifies an executable to load as the Windows kernel.
To have the BCDEDIT tool set the kernel option for the currently running operating system, run the command
bcdedit /set kernel filename
where filename names the proposed kernel.
To set this option at the Edit Boot Options Menu, add
which is also the syntax for the option as a BOOT.INI switch in earlier Windows versions.
The BCD option kernel is number 0x22000011 in osloader objects. It is effective in version 6.0 and higher.
The kernel option is documented. The bcdedit /? types osloader command summarises it as “Defines the file name for a private kernel.”
The kernel option overrides the loader’s default selection of the kernel, but is itself overridden by detecthal in Windows Vista:
|if detecthal evaluates as true||6.0 only||ntkrnlpa.exe or ntoskrnl.exe (x86);
|if kernel evaluates as filename||6.1 and higher||filename|
|32-bit loader translating physical memory addresses using PAE||6.0 to 6.1||ntkrnlpa.exe|
|6.0 and higher||ntoskrnl.exe|
Whether the loader uses Physical Address Extension (PAE) is influenced by the pae and nx options. Versions 6.0 and 6.1 are supplied with two 32-bit kernels: ntkrnlpa.exe, which uses PAE; and ntoskrnl.exe, which does not. Versions 6.2 and higher have only the PAE kernel but name it ntoskrnl.exe.
What the loader for 32-bit Windows Vista chooses for the kernel as its detecthal result is anyway what it chooses in default of a specified kernel. This seems plausible as some of the reason that detecthal is ignored by later loaders.
Whether a filename is specified for the kernel or is chosen by the loader, it gets appended to the path for the “system32” subdirectory of the systemroot directory for the selected operating system. However, it seems that the file is required to be in the directory, as opposed to being on some deeper path. The mechanisms are indirect and are presently beyond the scope of this note.
The selected kernel must be loadable as an executable (with code-signing and other validation expected for the Windows kernel). If PAE is enabled, the IMAGE_FILE_LARGE_ADDRESS_AWARE (0x0020) bit in the Characteristics field of the executable’s IMAGE_FILE_HEADER must be set. If PAE is disabled, this same bit must be clear. A mismatch is fatal to starting Windows.