CrashOnAuditFail

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

Data type

Range

Default value

REG_DWORD

0 | 1 | 2

0

Description

Directs the system to halt when it cannot record new events in the Security Log in Event Viewer. This feature prevents unauthorized activities from occurring when they cannot be recorded in the Security Log.

The system also uses this entry to indicate that this feature has been triggered (a value of 2). When the value of this entry is 2, only members of the Administrators group can log on to the computer. This restricted state lets an Administrator log on to resolve the problem and to reset the value of this entry to 1.

Value

Meaning

0

The feature is off. The system does not halt, even when it cannot record events in the Security Log.

1

The feature is on. The system halts when it cannot record an event in the Security Log.

2

The feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on.

Typically, the system cannot record security events because the Security Log in Event Viewer is full or because the internal queue to the log has reached the maximum established by the value of Bounds .

Change method

You must restart the computer before changes to this entry take effect.

Note Image Note

Windows 2000 does not add this entry to the registry. You can add it by editing the registry or by using a program that edits the registry.

Tip Image Tip

For more information about CrashOnAuditFail, see the Microsoft Knowledge Base link on the Web Resources page. Search the Knowledge Base for Article Q140058, or use the keywords CrashOnAuditFail or security log.

Related Entries

Page Image

Bounds