CrashOnAuditFail

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Data type    Range        Default value
REG_DWORD    0 | 1 | 2    0

Description

Determines whether the system halts when it cannot record new security events, either because the Security Log in Event Viewer is full, or because the internal queue to the log has reached the maximum established by the value of Bounds. This feature prevents unauthorized activities from occurring when they cannot be recorded in the Security Log.

Value    Meaning
0        The system does not halt even when it cannot report all auditable security events.
1        When the Security Log is full or the queue to the log has reached its maximum size, the system displays the message "c0000244 (STATUS_AUDIT_FAILED)" and halts. When the computer is restarted, and until the Security Log is cleared, only members of the Administrators group can log on.
2        The system halted because it could not report auditable Security events. The system sets CrashOnAuditFail to 2 just before it halts. When the value of this entry is 2, the Local Security Authority (LSA) permits only members of the Administrators group to log on.

Change method

You must restart the computer before changes to this entry take effect.

Note

Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Tip

For more information on CrashOnAuditFail, see the Microsoft Knowledge Base link on the Web Resources page. Search the Knowledge Base for Article Q140058, or use the keywords CrashOnAuditFail or security log.
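
The following PowerShell check is an added example, not part of the original reference page. It reads CrashOnAuditFail (treating a missing entry as the default 0), reports the state described in the value table, and flags when a value of 1 combined with a nearly full, non-overwriting Security Log makes a halt likely. The function name, the 90 percent threshold and the use of Get-WinEvent are assumptions of this example; it covers only the full-log condition, not the internal queue limit.

```powershell
# Added example (not from the original page). Function name and threshold are hypothetical.
function Get-CrashOnAuditFailState {
    param(
        [string]$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
        [int]$WarnPercent = 90   # assumed warning threshold
    )

    # The entry may be absent from the registry; the documented default is 0.
    $prop  = Get-ItemProperty -Path $LsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue
    $value = if ($null -ne $prop) { [int]$prop.CrashOnAuditFail } else { 0 }

    $meaning = switch ($value) {
        0 { 'No halt when security events cannot be recorded' }
        1 { 'Halts with c0000244 (STATUS_AUDIT_FAILED) when events cannot be recorded' }
        2 { 'Halted on audit failure; only Administrators can log on' }
        default { 'Outside the documented range 0-2' }
    }

    # Security log fill level and retention mode (run elevated to read these).
    $log = Get-WinEvent -ListLog Security -ErrorAction Stop
    $pct = if ($log.FileSize -and $log.MaximumSizeInBytes) {
        [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    } else { $null }

    # A log that overwrites (Circular) or archives (AutoBackup) does not fill up;
    # only Retain mode can reach the "Security Log is full" condition.
    $canFill  = "$($log.LogMode)" -eq 'Retain'
    $haltRisk = ($value -eq 1) -and $canFill -and ($null -ne $pct) -and ($pct -ge $WarnPercent)

    [pscustomobject]@{
        EntryPresent     = ($null -ne $prop)
        CrashOnAuditFail = $value
        Meaning          = $meaning
        LogMode          = $log.LogMode
        LogPercentFull   = $pct
        HaltRisk         = $haltRisk
        AdminOnlyLogon   = ($value -eq 2)
    }
}

Get-CrashOnAuditFailState | Format-List
```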
