Event ID: 4826

Boot Configuration Data loaded

Boot Configuration Data loaded.

    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

General Settings:
    Load Options:                %5
    Advanced Options:            %6
    Configuration Access Policy: %7
    System Event Logging:        %8
    Kernel Debugging:            %9
    VSM Launch Type:             %10

Signature Settings:
    Test Signing:             %11
    Flight Signing:           %12
    Disable Integrity Checks: %13

HyperVisor Settings:
    HyperVisor Load Options: %14
    HyperVisor Launch Type:  %15
    HyperVisor Debugging:    %16

This event generates every time system starts and loads current Boot Configuration Data (BCD) settings.

Auditing:     Always

This event is always logged regardless of the "Audit Other Policy Change Events" sub-category setting.

Volume:     Low

Only logged once during system boot.

Microsoft Documentation

Event ID - 4826

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any SYSTEM
Account Name SubjectUserName %2 Any -
Account Domain SubjectDomainName %3 Any -
Logon ID SubjectLogonId %4 Any 0x3e7
Load Options LoadOptions %5 Any -
Advanced Options AdvancedOptions %6 Any No
Configuration Access Policy ConfigAccessPolicy %7 Any Default
System Event Logging RemoteEventLogging %8 Any No
Kernel Debugging KernelDebug %9 Any No
VSM Launch Type VsmLaunchType %10 Any Off
Test Signing TestSigning %11 Any No
Flight Signing FlightSigning %12 Any No
Disable Integrity Checks DisableIntegrityChecks %13 Any No
HyperVisor Load Options HypervisorLoadOptions %14 Any -
HyperVisor Launch Type HypervisorLaunchType %15 Any Off
HyperVisor Debugging HypervisorDebug %16 Any No

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Other Policy Change Events"

LEFT/RIGHT arrow keys for navigation

Back to List