Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
How To Prevent Auditable Activities When Security Log Is Full
Article ID: 140058 - View products that this article applies to.
This article was previously published under Q140058
Because the security log is limited in size, and because a large number of routine audit records can make it difficult to find records that suggest a security problem, you should carefully consider how you audit object access. Generating too many audit records require you to review and clear the security log more often that is practical.
WARNING: Using Registry Editor incorrectly can cause serious, system- wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.
If you have set the security log either to "Overwrite Events Older than n Days" or "Do Not Overwrite Events (Clear Log Manually)", you may want to prevent auditable activities while the log is full so no new audit records can be written. To do this:
To recover when windows nt halts because it cannot generate an audit event record:
NOTE: If the Security log reaches it's size limitation and causes a system halt, then the CrashOnAuditFail registry value is automatically changed from "0x1" to "0x2" to allow administrative logon to the system. The CrashOnAuditFail value must then be manually reset to 0x1 after the Security event log is cleared.
Article ID: 140058 - Last Review: November 1, 2006 - Revision: 2.1