STOP 0xC0000244 when security log full


If the CrashOnAuditFail registry key is set to 1 and the Security Event log is full on a computer that is running Microsoft Windows NT, Microsoft Windows 2000, or Microsoft Windows Server 2003, the following blue screen error message may be displayed:

STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed.


This behavior occurs if the Security Log has reached the Maximum Log Size specified, and Event Log Wrapping is set for "Overwrite Events Older than (X) Days." This can also occur if "Do Not Overwrite Events" is selected. Because the Security Event Log is full, and the CrashOnAuditFail registry key is set, Windows generates a STOP 0xC0000244 blue screen error message and cannot log audit information.


To work around this behavior, use one of the following options:

  • Set the Event Log Wrapping for "Overwrite Events as Needed."
  • Decrease the amount of information being audited.
  • Increase the log file size and use a combination of the previous options listed above.
  • Disable auditing.


This behavior is by design.

More Information

In some instances, the server may not bugcheck, but may instead run very slowly after administrator logon. The system may also report continuous RPC errors after logon. Non-administrators will not be able to log on as a result of the CrashOnAuditFail key being set to 0x1.


For additional information about the CrashOnAuditFail key, click the following article numbers to view the articles in the Microsoft Knowledge Base:

140058 How to prevent auditable activities when security log is full

178208 CrashOnAuditFail with logon/logoff auditing causes blue screen


ID d'article : 232564 - Dernière mise à jour : 7 janv. 2008 - Révision : 1