CrashOnAuditFail
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
CrashOnAuditFail
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
| Data type | Range | Default value |
|---|---|---|
REG_DWORD |
0 | 1 | 2 |
0 |
Description
Directs the system to halt when it cannot record new events in the Security Log in Event Viewer. This feature prevents unauthorized activities from occurring when they cannot be recorded in the Security Log.
The system also uses this entry to indicate that this feature has been triggered (a value of 2). When the value of this entry is 2, only members of the Administrators group can log on to the computer. This restricted state lets an Administrator log on to resolve the problem and to reset the value of this entry to 1.
| Value | Meaning |
|---|---|
0 |
The feature is off. The system does not halt, even when it cannot record events in the Security Log. |
1 |
The feature is on. The system halts when it cannot record an event in the Security Log. |
2 |
The feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on. |
Typically, the system cannot record security events because the Security Log in Event Viewer is full or because the internal queue to the log has reached the maximum established by the value of Bounds.
This entry does not exist in the registry by default. You can add it by using the registry editor Regedit.exe.
Change Method
You must restart the computer before changes to this entry take effect.