x86 Instruction Set Reference

MOV - Move to/from Control Registers

Opcode Mnemonic Description
0F 22 /r MOV CR0,r32 Move r32 to CR0.
0F 22 /r MOV CR2,r32 Move r32 to CR2.
0F 22 /r MOV CR3,r32 Move r32 to CR3.
0F 22 /r MOV CR4,r32 Move r32 to CR4.
0F 20 /r MOV r32,CR0 Move CR0 to r32.
0F 20 /r MOV r32,CR2 Move CR2 to r32.
0F 20 /r MOV r32,CR3 Move CR3 to r32.
0F 20 /r MOV r32,CR4 Move CR4 to r32.
Description

Moves the contents of a control register (CR0, CR2, CR3, or CR4) to a general-purpose register or vice versa. The operand size for these instructions is always 32 bits, regardless of the operandsize attribute. (See "Control Registers" in Chapter 2 of the IA-32 Intel Architecture Software Developer's Manual, Volume 3, for a detailed description of the flags and fields in the control registers.) This instruction can be executed only when the current privilege level is 0.

When loading control registers, programs should not attempt to change the reserved bits; that is, always set reserved bits to the value previously read. An attempt to change CR4's reserved bits will cause a general protection fault. Reserved bits in CR0 and CR3 remain clear after any load of those registers; attempts to set them have no impact. On Pentium 4, Intel Xeon and P6 family processors, CR0.ET remains set after any load of CR0; attempts to clear this bit have no impact.

At the opcode level, the reg field within the ModR/M byte specifies which of the control registers is loaded or read. The 2 bits in the mod field are always 11B. The r/m field specifies the general-purpose register loaded or read.

These instructions have the following side effect: When writing to control register CR3, all non-global TLB entries are flushed (see "Translation Lookaside Buffers (TLBs)" in Chapter 3 of the IA-32 Intel Architecture Software Developer's Manual, Volume 3).

The following side effects are implementation specific for the Pentium 4, Intel Xeon, and P6 family processors. Software should not depend on this functionality in all IA-32 processors:

  • - When modifying any of the paging flags in the control registers (PE and PG in register CR0 and PGE, PSE, and PAE in register CR4), all TLB entries are flushed, including global entries.
  • - If the PG flag is set to 1 and control register CR4 is written to set the PAE flag to 1 (to enable the physical address extension mode), the pointers in the page-directory pointers table (PDPT) are loaded into the processor (into internal, non-architectural registers).
  • - If the PAE flag is set to 1 and the PG flag set to 1, writing to control register CR3 will cause the PDPTRs to be reloaded into the processor. If the PAE flag is set to 1 and control register CR0 is written to set the PG flag, the PDPTRs are reloaded into the processor.
Operation
Destination = Source;
Flags affected

The OF, SF, ZF, AF, PF, and CF flags are undefined.

Protected Mode Exceptions
#GP(0)If the current privilege level is not 0. If an attempt is made to write invalid bit combinations in CR0 (such as setting the PG flag to 1 when the PE flag is set to 0, or setting the CD flag to 0 when the NW flag is set to 1). If an attempt is made to write a 1 to any reserved bit in CR4. If any of the reserved bits are set in the page-directory pointers table (PDPT) and the loading of a control register causes the PDPT to be loaded into the processor.
Real-Address Mode Exceptions
#GPIf an attempt is made to write a 1 to any reserved bit in CR4. If an attempt is made to write invalid bit combinations in CR0 (such as setting the PG flag to 1 when the PE flag is set to 0).
Virtual-8086 Mode Exceptions
#GP(0)These instructions cannot be executed in virtual-8086 mode.