Boot Options: nx

The nx option specifies a behaviour for Data Execution Prevention.

Syntax

To have the BCDEDIT tool set the nx option for the currently running operating system, run the command

bcdedit /set nx value

where value is either a decimal number from the first column of the following table or a string from the second:

Value  String     Switch
0      OptIn      /NOEXECUTE=OPTIN
1      OptOut     /NOEXECUTE=OPTOUT
2      AlwaysOff  /EXECUTE or /NOEXECUTE=ALWAYSOFF
3      AlwaysOn   /NOEXECUTE=ALWAYSON

The third column shows the command-line switch to use if setting this option at the Edit Boot Options Menu. This is also the syntax for the option as a BOOT.INI switch in earlier Windows versions.

Behaviour

The nx option governs how Windows defends against attempts to execute data. It depends on a relatively recent CPU feature which Intel names Execute Disable and Microsoft calls Data Execution Prevention (DEP). Support for DEP is established by executing the cpuid instruction with 0x80000001 in eax and testing for the Execute Disable bit (0x00100000) in the feature flags that are returned in edx.

DEP requires the use of 64-bit page table entries as supported by the Physical Address Extension (PAE) feature. Support for PAE is established by executing the cpuid instruction with 1 in eax and testing for the PAE bit (0x40) in the feature flags that are returned in edx. If PAE and DEP are both supported, then the loader may enable PAE in order to enable DEP, even if this means overriding the pae option.
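The two cpuid tests above, written out as an added example (not code from this page or from Windows): the decoders take the edx value returned by each leaf and use the masks given above, and the live query uses GCC/Clang's <cpuid.h> helper, which refuses a leaf beyond the maximum the CPU reports; the function names are my own.

```c
#include <stdio.h>
#include <stdint.h>
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#endif

#define LEAF1_EDX_PAE   0x40u        /* cpuid eax=1: PAE bit in edx */
#define EXT1_EDX_NX     0x00100000u  /* cpuid eax=0x80000001: Execute Disable bit in edx */

/* Pure decoders: each takes the edx returned by the relevant cpuid leaf. */
int pae_supported(uint32_t leaf1_edx) { return (leaf1_edx & LEAF1_EDX_PAE) != 0; }
int nx_supported(uint32_t ext1_edx)   { return (ext1_edx & EXT1_EDX_NX) != 0; }

/* DEP needs the 64-bit page table entries that PAE provides, so the loader
 * can only turn DEP on when both bits are present. */
int dep_usable(uint32_t leaf1_edx, uint32_t ext1_edx) {
    return pae_supported(leaf1_edx) && nx_supported(ext1_edx);
}

/* Read edx for one cpuid leaf on the running CPU. Returns 0 when cpuid is
 * unavailable on this build target or the leaf exceeds the CPU's maximum
 * (asking for 0x80000001 on a CPU that stops at 0x80000000 returns garbage,
 * so __get_cpuid range-checks it first). */
int read_cpuid_edx(uint32_t leaf, uint32_t *edx_out) {
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(leaf, &eax, &ebx, &ecx, &edx)) return 0;
    *edx_out = edx;
    return 1;
#else
    (void)leaf; (void)edx_out;
    return 0;
#endif
}

int main(void) {
    uint32_t leaf1_edx = 0, ext1_edx = 0;
    if (!read_cpuid_edx(1u, &leaf1_edx) || !read_cpuid_edx(0x80000001u, &ext1_edx)) {
        puts("cpuid leaf not available on this CPU or build target");
        return 1;
    }
    printf("PAE supported: %s\n", pae_supported(leaf1_edx) ? "yes" : "no");
    printf("NX supported:  %s\n", nx_supported(ext1_edx) ? "yes" : "no");
    printf("DEP usable:    %s\n", dep_usable(leaf1_edx, ext1_edx) ? "yes" : "no");
    return 0;
}
```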

The nx option can be changed at the Edit Boot Options Menu except in one case. If DEP is supported but disabled (by setting nx to AlwaysOff), then the loader may have disabled PAE, depending mostly on the pae option. If so, changing nx at the Edit Boot Options Menu is too late to enable PAE and is therefore also too late to enable DEP.

The nx option passes to the kernel as the corresponding command-line switch. Its treatment in the kernel is presently beyond the scope of this note.