CrashOnAuditFail preserves audit log forensics

  • Section(s): Event Logs
  • Published on Apr 20, 2004.
  • Last Modified on Apr 20, 2004.
  • Last Modified by Wayne Maples.
  • Rating: Not Rated
In a environment with a need to ensure that there are no unaudited events, when its critical to save the potential forensics of the event logs, the follow registry key will force NT to crash when the event log becomes full. Once the box crashes, an administrator would have to logon from the console to save and clear the event logs to make the server functional again. To set CrashOnAuditFail, apply the following NT registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\LSA
Name: CrashOnAuditFail
Type: REG_DWORD
Value: 1

Q140058 - How To Prevent Auditable Activities When Security Log Is Full
Q178208 - CrashOnAuditFail with Logon/Logoff Auditing Causes Blue Screen
Q155076 - Only Administrators May Log in After Applying C2 Security
Q149393 - Auditing of ProcessTracking interaction
Q232564 - STOP 0xC0000244 When Security Log Full - Dah
Q233214 - STOP Error Occurs Even If CrashOnAuditFail Is Disabled

Event Log Tips:

Archiving Event Logs
Event Log explained
How to Delete Corrupt Event Viewer Log Files
Forensics: CrashOnAuditFail
Restrict access to Application and System event logs
Security Event Descriptions
Security Events Logon Type Definitions
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List

Frank Heyne has made available a Windows NT Eventlog FAQ .

About Wayne Maples

Share this article


Article not looking right or info is missing? Let us know so that we can fix it: .


Receive all the latest articles by email!

Receive Real-Time & Monthly WindowsNetworking.com article updates in your mailbox. Enter your email below!
Click for Real-Time sample & Monthly sample

Become a WindowsNetworking.com member!

Discuss your network issues with thousands of other network administrators. Click here to join!

Community Area

Log in | Register

Readers' Choice

Which is your preferred Help Desk solution?