drop system evtx csv or bcdedit output · detect boot sector and bcd modification events · identify bootkit installation artifacts · surface unauthorized boot configuration changes · runs locally
evtx / bcdedit / wbadmin
Security 4826/4688 · System kernel-boot/Code Integrity · bcdedit /enum paste · wbadmin delete catalog
drop security/system evtx csv · bcdedit /enum text · wbadmin output (multi-file)