AI finds undocumented system configuration options by analyzing kernel source, firmware binaries, and boot loader code. Here's how Claude Code uncovers boot arguments that never made it to the docs.
Every operating system has a layer of configuration that exists between the bootloader and the kernel. Boot arguments, kernel parameters, NVRAM variables. These settings control fundamental system behavior: memory management policies, driver initialization order, debugging features, and performance tuning knobs.
Some of these arguments are well-documented. Linux's kernel parameters are listed in the official documentation. macOS has a handful of documented boot-args in Apple's developer resources. But many more exist only in source code, buried in if (getenv("boot-arg-name")) checks scattered across thousands of files. These undocumented arguments are the hidden control panel of your operating system, and AI is remarkably good at finding them.
Developers add boot arguments for several reasons, and documentation is rarely a priority for any of them.
Debugging aids. A kernel developer adds a boot argument to enable verbose logging for a subsystem they're debugging. The argument works, helps diagnose the issue, and stays in the code. It was never intended for end users, so it was never documented.
Feature flags. New kernel features are often gated behind boot arguments during development. The feature ships disabled by default, enabled by a boot argument for testing. When the feature graduates to default-on, the boot argument stays in the code as a kill switch but is never listed in public documentation.
Hardware workarounds. Specific hardware configurations require specific kernel behaviors. A boot argument disables a memory optimization that causes corruption on certain chipsets. The argument is documented in the hardware team's internal wiki but not in public kernel documentation.
Performance tuning. Kernel developers experiment with different algorithm parameters and expose them as boot arguments for benchmarking. The default values are well-tuned for general use, so the arguments are never publicized, but they remain available for workloads that benefit from non-default settings.
The most reliable method is scanning kernel source code for patterns that read boot arguments. On Linux, this means searching for calls to functions like get_option, strstr on the command line, and module_param. On macOS/XNU, it means searching for PE_parse_boot_argn and related functions.
Claude Code excels at this because it can scan thousands of source files, extract every boot argument reference, and cross-reference each one against the official documentation to identify undocumented ones. The output is a structured list of arguments, their types, their default values, and what code uses them.
Finding the argument name is only half the job. Understanding what it does requires reading the surrounding code. AI performs this contextual analysis automatically.
For each undocumented argument, Claude Code reads the function that checks it, traces the variable it sets, follows that variable through the code to see how it affects behavior, and produces a plain-English explanation. A boot argument that sets kern.hv_vmm_present is meaningless without context. The explanation "forces the kernel to behave as though it's running inside a hypervisor, disabling certain direct hardware access optimizations" is actionable.
When source code isn't available (proprietary firmware, closed-source drivers), AI can analyze binaries to find boot argument references. The approach is less precise but still valuable. AI identifies string literals that match boot argument naming conventions, traces cross-references to those strings, and infers behavior from the surrounding assembly.
This technique is particularly useful for UEFI firmware, which often contains configuration options not documented by the hardware manufacturer.
These arguments control virtual memory behavior, page sizes, memory mapping strategies, and cache policies. Examples include arguments that force a specific page replacement algorithm, disable transparent huge pages for debugging, or override the kernel's memory zone sizing.
These arguments are valuable for workloads with unusual memory patterns. Database servers, scientific computing applications, and AI training workloads often benefit from non-default memory management settings that kernel developers exposed via boot arguments but never publicized.
Arguments that control driver probe order, disable specific drivers, or force fallback driver implementations. These are especially useful when diagnosing boot failures caused by misbehaving drivers.
On macOS, several undocumented boot arguments control IOKit driver loading behavior, including arguments that force verbose logging for specific driver families and arguments that disable driver matching for specific hardware classes.
The largest category. These arguments enable verbose logging for kernel subsystems, activate internal consistency checks, force synchronous I/O for debugging, and enable kernel debugging protocols.
Many of these arguments impose significant performance penalties because they enable checks that are too expensive for production use. But when you need to diagnose a kernel issue, the ability to turn on detailed tracing for a specific subsystem without recompiling the kernel is invaluable.
Some boot arguments control security features: enabling or disabling specific mitigations, configuring ASLR behavior, controlling code signing enforcement. These are sensitive because disabling them reduces system security. AI should always flag these arguments with clear warnings about security implications.
Arguments that control scheduler behavior, interrupt coalescing, timer resolution, and I/O scheduling parameters. These are the hidden performance knobs that kernel developers use for benchmarking and that system administrators wish they knew about.
Here's how a discovery session works with Claude Code on a Linux kernel source tree:
Step 1: Ask Claude Code to find all boot argument references in the kernel source.
The AI scans the source tree and finds hundreds of references. It categorizes them by subsystem: memory management, networking, storage, scheduler, security, debugging.
Step 2: Ask for undocumented arguments only.
The AI cross-references its findings against Documentation/admin-guide/kernel-parameters.txt and filters to arguments that aren't listed. The result is typically 30-60 undocumented arguments per major kernel version.
Step 3: Request detailed analysis of specific arguments.
For arguments that look relevant to your use case, ask the AI for deep analysis. It reads the surrounding code, explains the behavior change, identifies side effects, and assesses stability (whether the argument has been in the source for multiple versions or was recently added).
Step 4: Test safely.
Undocumented arguments are undocumented for a reason. They may be unstable, they may interact badly with other configuration, and they may disappear in the next kernel version. Test in a non-production environment first, and document your findings for your team.
For related system-level work with AI assistance, see Kernel-Level Debugging With AI Help and Core Dump Analysis Using AI.
Teams that regularly work with kernel internals should consider building a boot argument discovery skill. The skill encodes:
The skill composability patterns article covers how to build modular skills that can be extended for different kernel targets.
Discovering undocumented boot arguments raises ethical questions. Some arguments disable security features. Some enable access to debugging interfaces that could be exploited. Some expose hardware capabilities that manufacturers deliberately restrict.
The responsible approach is to treat undocumented arguments like any other security-relevant finding: document them, assess their impact, and share findings through appropriate channels. For open-source kernels, this means contributing documentation patches. For proprietary systems, this means following responsible disclosure practices.
AI should be configured to flag security-sensitive arguments prominently and include warnings about the risks of using them. A skill that discovers these arguments should include clear guidance about what's safe to experiment with and what could compromise system security.
Generally not. Because they're undocumented, the kernel team has no obligation to maintain backward compatibility. Arguments can be renamed, removed, or have their behavior changed between versions. Always verify that an argument still exists and does what you expect on the specific kernel version you're running.
Potentially yes. Hardware and OS vendors may decline to support configurations using undocumented parameters. If you use an undocumented argument in production, document your reasoning and ensure you can reproduce any issues without the argument set.
It varies by OS. The Linux kernel typically has 30-60 undocumented arguments per major version, depending on how strictly you define "undocumented." macOS/XNU has approximately 80-120. The numbers change with each release as arguments are added and removed.
Yes, but with reduced precision. Firmware analysis requires working with binary code rather than source, which means the AI infers argument purposes from disassembly context rather than readable source code. The results are valuable but should be verified through testing.
Explore production-ready AI skills at aiskill.market/browse or submit your own skill to the marketplace.
Teaches Claude how to use the linear-CLI tool for issue tracking
Lab environment for experimenting with Claude superpowers and capabilities.
Automate git operations and repository interactions.
Windows 11 system management and update automation.