CrashOnAuditFail


In a environment with a need to ensure that there are no unaudited events, when
its critical to save the potential forensics of the event logs, the follow
registry key will force Windows NT or Windows 2000 to crash when the security
event log becomes full. Once the box crashes, an administrator would have to
logon from the console to save and clear the event logs to make the server
functional again. To set, apply the following Windows NT / Windows 2000 Registry
hack:

Hive: HKEY_LOCAL_MACHINE

Key: SYSTEM\CurrentControlSet\Control\LSA
Name:
CrashOnAuditFail
Type: REG_DWORD
Value: 1

Q140058 – How To Prevent Auditable Activities When Security Log Is
Full

Q178208 – CrashOnAuditFail with Logon/Logoff Auditing Causes Blue
Screen

Q155076 – Only Administrators May Log in After Applying C2
Security

Q149393 – Auditing of ProcessTracking interaction
Q232564 – STOP 0xC0000244 When Security Log Full – Dah
Q233214 – STOP Error Occurs Even If CrashOnAuditFail Is
Disabled


Frank Heyne has made available a Windows NT
Eventlog FAQ
.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top