Event Details
User Activity->Policy Changes->Windows 2008->EventID 4826 - Boot Configuration Data loaded.
EventID 4826 - Boot Configuration Data loaded.
 Sample: 
Boot Configuration Data loaded.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x3e7

General Settings:
	Load Options:		-
	Advanced Options:		No
	Configuration Access Policy:	Default
	System Event Logging:	No
	Kernel Debugging:	No
	VSM Launch Type:	Off

Signature Settings:
	Test Signing:		No
	Flight Signing:		No
	Disable Integrity Checks:	No

HyperVisor Settings:
	HyperVisor Load Options:	-
	HyperVisor Launch Type:	Off
	HyperVisor Debugging:	No
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Policy Change
Source Microsoft-Windows-Security-Auditing
TaskCategory Other Policy Change Events
EventId 4826
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. - 1/1/2000
Who Account or user name under which the activity occured. Security ID
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Boot Configuration Data loaded" Boot Configuration Data loaded
Where The name of the workstation/server where the activity was logged. - 10.10.10.10
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. - High
WhoDomain Account Domain
WhereDomain -
Policy Name The name of the affected policy. -
Comments
You must be logged in to comment