TipHKLM\SYSTEM\CurrentControlSet\Control\Lsa
| Data type | Range | Default value |
|---|---|---|
| REG_BINARY | 0x0 - 00 00 0A 00 00 00 0A 00 | 0x00 30 00 00 00 20 00 00 (Upper bound = 0x3000 (12,288); lower bound = 0x2000 (8,192)) |
Establishes thresholds for managing the length of the kernel-mode Local Security Authority (LSA) audit queue. The audit queue stores kernel-mode events destined for the Security Log in Event Viewer.
The value of this entry is an 8-byte binary field. The first four bytes establish the maximum number of items that can be held in the audit queue (the upper bound). When the number of audits exceeds this value, LSA discards all new audits until the number of audits remaining in the queue reaches the lower bound, as established by the value of the last four bytes.
Tip
The system does not notify you when the queue is nearing, has reached, or has exceeded its upper bound. To prevent the system from running when it cannot report all security events, set the value of CrashOnAuditFail to 1.
Related Entries
