CrashOnAuditFail preserves audit log forensics


In a environment with a need to ensure that there are no unaudited events, when
its critical to save the potential forensics of the event logs, the follow
registry key will force NT to crash when the event log becomes full. Once the
box crashes, an administrator would have to logon from the console to save and
clear the event logs to make the server functional again. To set
CrashOnAuditFail, apply the following NT registry hack:

Hive: HKEY_LOCAL_MACHINE

Key: SYSTEM\CurrentControlSet\Control\LSA
Name:
CrashOnAuditFail
Type: REG_DWORD
Value: 1

Q140058 – How To Prevent Auditable Activities When Security Log Is
Full

Q178208 – CrashOnAuditFail with Logon/Logoff Auditing Causes Blue
Screen

Q155076 – Only Administrators May Log in After Applying C2
Security

Q149393 – Auditing of ProcessTracking interaction
Q232564 – STOP 0xC0000244 When Security Log Full – Dah
Q233214 – STOP Error Occurs Even If CrashOnAuditFail Is Disabled



Event Log Tips:

Archiving Event Logs
Event Log explained
How to Delete
Corrupt Event Viewer Log Files

Forensics:
CrashOnAuditFail

Restrict access to Application
and System event logs

Security Event
Descriptions

Security Events Logon Type
Definitions

Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List

Frank Heyne has made
available a Windows NT Eventlog FAQ .

Leave a Comment

Your email address will not be published.

Scroll to Top