Process
bcdedit.exe
bcdedit.exe is the Boot Configuration Data editor, the tool that views and changes how Windows boots. Administrators use it for boot troubleshooting and multi-boot setups. Ransomware uses it to switch off the recovery options that would let a victim restore the system.
File identity
Not observed.
Execution context
Not observed.
Ancestry
Not observed.
Behavior
Not observed.
Indicators
Not observed.
Analysis
bcdedit.exe reads and modifies the Boot Configuration Data store, the database that tells the Windows boot loader what to start and how. It can add or change boot entries, set safe-boot and recovery options, and toggle features like driver-signature enforcement. It requires administrative rights and lives at C:\Windows\System32\bcdedit.exe.
Legitimately, bcdedit is run by administrators during boot repair, OS installs, or driver debugging, which is infrequent on most machines. The setting it changes is what gives an instance meaning.
bcdedit.exe is a fixture of ransomware (T1490). Before or during encryption, operators run bcdedit /set {default} recoveryenabled no and bcdedit /set {default} bootstatuspolicy ignoreallfailures to stop Windows from booting into the recovery environment that could repair or roll back the machine. These commands almost never appear in normal use, and seeing them, especially next to shadow-copy deletion with vssadmin or wbadmin, is close to a confirmed recovery-inhibition step.
Because bcdedit is a legitimate administrative tool, the specific setting and the parent are what matter. A boot-repair session by an administrator looks nothing like a recoveryenabled no issued by a script host in the middle of mass file changes.
- Image path other than C:\Windows\System32\bcdedit.exe (high)
- /set {default} recoveryenabled no (disabling automatic recovery) (high)
- /set {default} bootstatuspolicy ignoreallfailures (high)
- Parent is cmd.exe, powershell.exe, an Office application, or an unfamiliar process (high)
- Run alongside vssadmin, wbadmin, or wmic shadowcopy delete (high)
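As an added example (not part of this profile), the following Python scores bcdedit.exe process-creation events against the indicators above, including the co-occurrence check with shadow-copy deletion. The event fields, the 60-second window, the parent list and the alert threshold of two indicators are assumptions, as is the sample telemetry, which is constructed.

```python
# Added example, not part of the original profile: scores bcdedit.exe process
# events against the indicators above. Event shape, 60 s window and threshold 2 are assumptions.
import re
from dataclasses import dataclass
EXPECTED_IMAGE = r"c:\windows\system32\bcdedit.exe"
RECOVERY_OFF = re.compile(r"/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)
IGNORE_FAILURES = re.compile(r"/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "winword.exe", "excel.exe", "wscript.exe"}
SHADOW_TOOLS = ("vssadmin", "wbadmin", "wmic shadowcopy delete")

@dataclass
class ProcEvent:
    ts: float      # seconds since epoch
    image: str     # full image path
    cmdline: str   # full command line
    parent: str    # parent image file name

def score_bcdedit(ev, neighbours, window=60.0):
    """Return (score, reasons) for one bcdedit event; neighbours are the other
    process events from the same host, used only for the co-occurrence check."""
    checks = [
        (ev.image.lower() != EXPECTED_IMAGE, "image path outside System32"),
        (RECOVERY_OFF.search(ev.cmdline), "recoveryenabled no"),
        (IGNORE_FAILURES.search(ev.cmdline), "bootstatuspolicy ignoreallfailures"),
        (ev.parent.lower() in SUSPICIOUS_PARENTS, "parent " + ev.parent.lower()),
        (any(abs(o.ts - ev.ts) <= window and any(t in o.cmdline.lower() for t in SHADOW_TOOLS)
             for o in neighbours), "shadow-copy deletion within window"),
    ]
    reasons = [why for hit, why in checks if hit]
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return [(cmdline, reasons)] for bcdedit events with at least threshold indicators."""
    hits = []
    for ev in events:
        if ev.image.lower().rsplit("\\", 1)[-1] != "bcdedit.exe":
            continue  # non-bcdedit events are context only
        score, reasons = score_bcdedit(ev, [o for o in events if o is not ev])
        if score >= threshold:
            hits.append((ev.cmdline, reasons))
    return hits

# Constructed sample telemetry: an admin query, a ransomware-style pair beside shadow-copy deletion, a copy run from a user path.
SAMPLE = [
    ProcEvent(1000, r"C:\Windows\System32\bcdedit.exe", "bcdedit /enum {default}", "cmd.exe"),
    ProcEvent(1990, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet", "powershell.exe"),
    ProcEvent(2000, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} recoveryenabled No", "powershell.exe"),
    ProcEvent(2001, r"C:\Windows\System32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures", "powershell.exe"),
    ProcEvent(5000, r"C:\Users\Public\bcdedit.exe", "bcdedit /set {default} recoveryenabled no", "wscript.exe"),
]
```

The lone admin query with a cmd.exe parent scores one indicator and stays below the threshold, while each recovery-inhibition command scores three once the parent and the nearby vssadmin run are counted.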
Telemetry
Not observed.