Event ID: 4826

Boot Configuration Data loaded

Boot Configuration Data loaded.

Subject:
    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

General Settings:
    Load Options:                %5
    Advanced Options:            %6
    Configuration Access Policy: %7
    System Event Logging:        %8
    Kernel Debugging:            %9
    VSM Launch Type:             %10

Signature Settings:
    Test Signing:             %11
    Flight Signing:           %12
    Disable Integrity Checks: %13

HyperVisor Settings:
    HyperVisor Load Options: %14
    HyperVisor Launch Type:  %15
    HyperVisor Debugging:    %16
Microsoft Documentation

Event ID - 4826



This event generates every time system starts and load current Boot Configuration Data (BCD) settings.

This event is always logged regardless of the "Audit Other Policy Change Events" sub-category setting.



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-18
Account Name SubjectUserName %2 Any -
Account Domain SubjectDomainName %3 Any -
Logon ID SubjectLogonId %4 Any 0x3e7
Load Options LoadOptions %5 Any -
Advanced Options AdvancedOptions %6 Any %%1843
Configuration Access Policy ConfigAccessPolicy %7 Any %%1846
System Event Logging RemoteEventLogging %8 Any %%1843
Kernel Debugging KernelDebug %9 Any %%1843
VSM Launch Type VsmLaunchType %10 Any %%1848
Test Signing TestSigning %11 Any %%1843
Flight Signing FlightSigning %12 Any %%1843
Disable Integrity Checks DisableIntegrityChecks %13 Any %%1843
HyperVisor Load Options HypervisorLoadOptions %14 Any -
HyperVisor Launch Type HypervisorLaunchType %15 Any %%1848
HyperVisor Debugging HypervisorDebug %16 Any %%1843


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Other Policy Change Events"
How to enable Windows Auditing


Operating Systems:
Windows 10 Windows 2016 Windows 2019

Audit Category:
Policy Change

Audit Subcategory:
Other Policy Change Events

LEFT/RIGHT arrow keys for navigation

Back to List