
How To Prevent Auditable Activities When Security Log Is Full

This article was previously published under Q140058
This article has been archived. It is offered "as is" and will no longer be updated.
Because the security log is limited in size, and because a large number of routine audit records can make it difficult to find records that suggest a security problem, you should carefully consider how you audit object access. Generating too many audit records requires you to review and clear the security log more often than is practical.
WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.

If you have set the security log either to "Overwrite Events Older than n Days" or "Do Not Overwrite Events (Clear Log Manually)", you may want to prevent auditable activities while the log is full so that no new audit records can be written. To do this:
  1. Run Registry Editor (REGEDT32.EXE).
  2. From the HKEY_LOCAL_MACHINE\SYSTEM subtree, go to the following key:

     \CurrentControlSet\Control\Lsa

  3. Add the entry:

    Value name: CrashOnAuditFail
    Data type: REG_DWORD
    Value: 1
  4. Save the changes. The change will take effect the next time the computer is started. Update the Emergency Repair Disk to reflect these changes.
If Windows NT halts as a result of the security log becoming full, the system must be restarted and reconfigured to restore it to high-level security. When Windows NT restarts, the Security log is still full, so no auditable actions are recorded until the Security log is cleared.

To recover when Windows NT halts because it cannot generate an audit event record:
  1. Restart the computer and log on using an account in the Administrators group.
  2. Use Event Viewer to clear all events from the Security log, archiving the currently logged events. For details, see the "Event Viewer" chapter in the Windows NT Workstation or Windows NT Server System Guide.
  3. Use Registry Editor to delete and replace the value entry CrashOnAuditFail (data type REG_DWORD, value 1) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, as described above.
  4. Exit and restart the computer.

NOTE: If the Security log reaches its size limitation and causes a system halt, the CrashOnAuditFail registry value is automatically changed from "0x1" to "0x2" to allow administrative logon to the system. The CrashOnAuditFail value must then be manually reset to 0x1 after the Security event log is cleared.
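The following PowerShell script is an added example, not part of this article, that covers both procedures above: it reads the CrashOnAuditFail state under the Lsa key (distinguishing the 0x2 state the NOTE describes), enables the setting, and performs the archive, clear and reset steps of the recovery procedure. It assumes a modern Windows with PowerShell and wevtutil, which Windows NT 3.5x does not have, and the archive path is a constructed placeholder.

```powershell
# Added example (not from KB140058). Registry path and value meanings are the
# ones the article gives: 0 = disabled, 1 = halt when an audit record cannot be
# written, 2 = set automatically after such a halt so an administrator can log on.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-CrashOnAuditFailState {
    $prop = Get-ItemProperty -Path $LsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'NotConfigured' }
    switch ($prop.CrashOnAuditFail) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'HaltedNeedsReset' }   # system halted once; value must be put back to 1
        default { "Unexpected($($prop.CrashOnAuditFail))" }
    }
}

function Enable-CrashOnAuditFail {
    # Step 3 of the first procedure; takes effect at the next restart.
    Set-ItemProperty -Path $LsaKey -Name CrashOnAuditFail -Value 1 -Type DWord
}

function Repair-AfterAuditHalt {
    # Recovery steps 2 and 3: archive and clear the Security log, then reset the value.
    # $ArchivePath is a constructed placeholder; choose a location your policy allows.
    param([string]$ArchivePath = "C:\SecLogArchive\Security-$(Get-Date -Format 'yyyyMMdd-HHmmss').evtx")
    if ((Get-CrashOnAuditFailState) -ne 'HaltedNeedsReset') {
        Write-Warning 'CrashOnAuditFail is not 0x2; no post-halt recovery is needed.'
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $ArchivePath) -Force | Out-Null
    wevtutil cl Security /bu:$ArchivePath          # back up, then clear, the Security log
    if ($LASTEXITCODE -ne 0) { throw 'Security log could not be archived and cleared.' }
    Enable-CrashOnAuditFail                        # back to 1; restart afterwards (step 4)
}

"CrashOnAuditFail state: $(Get-CrashOnAuditFailState)"
```

Run it from an elevated session as a member of Administrators; after Repair-AfterAuditHalt, restart the computer to return to the halt-on-audit-failure configuration.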

Article ID: 140058 - Last Review: 12/04/2015 12:27:48 - Revision: 2.1

Microsoft Windows NT Workstation 3.1, Microsoft Windows NT Workstation 3.5, Microsoft Windows NT Workstation 3.51, Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT Advanced Server 3.1, Microsoft Windows NT Server 3.5, Microsoft Windows NT Server 3.51, Microsoft Windows NT Server 4.0 Standard Edition
