CrashOnAuditFail in effect

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2005-11-18

The Microsoft® Exchange Server Analyzer Tool reads the following registry entry to determine whether the CrashOnAuditFail parameter has been set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\CrashOnAuditFail

If the Exchange Server Analyzer finds the value for CrashOnAuditFail is equal to 2, an error is displayed.

The purpose of the CrashOnAuditFail registry key is to configure a server so that end users are not permitted access to the computer when the security logs reach the configured size limit. Disallowing access to the computer ensures that audit information that would otherwise be logged is not missed.

When enabled, the CrashOnAuditFail registry key is set to a value of 1. However, when the Security log limit is reached, the server will set the registry key to a value of 2, which, in turn, stops processing on the server. Sometimes, this process will cause a complete failure, or STOP 0xC0000244, also known as a Stop error. At a minimum, users will not be able to access server resources and performance will be greatly diminished. Additionally, when the server is in this state, only users with administrator permissions can access the computer.

Important

This article contains information about editing the registry. Before you edit the registry, make sure that you understand how to restore the registry if a problem occurs. For information about how to restore the registry, view the "Restore the Registry" Help topic in Regedit.exe or Regedt32.exe.

To correct this error

  1. Open a registry editor, such as Regedit.exe or Regedt32.exe.

  2. Navigate to: HKLM\SYSTEM\CurrentControlSet\Control\LSA.

  3. Delete the value called CrashOnAuditFail (you must delete the entire value, not only the value data).

  4. Copy the security event logs to a separate location. By default, the security event logs (SecEvent.Evt) are located at %SystemRoot%\System32\Config, where %SystemRoot% is the path to where the Microsoft Windows® operating system is installed.

  5. Open Event Viewer, right-click Security, and then click Properties.

  6. On the Security Properties page, click Clear Log. When prompted to save the log, click Yes, and then specify a location to save the log file.

    Note: On the Security Properties page, you can also increase the log size by editing the Maximum log size field, and then clicking Apply.

  7. Restart the server.

  8. Verify that users can access server resources by logging on to an Exchange mailbox.

  9. Re-create the CrashOnAuditFail registry key, and set the value data to 1.

  10. Restart the server so the CrashOnAuditFail settings take effect.

  11. Periodically clear and save the server's Security Logs, so that the maximum log size is not exceeded. For more information, see the Microsoft Knowledge Base article 312571, "The event log stops logging events before reaching the maximum log size" (https://go.microsoft.com/fwlink/?LinkId=3052&kbid=312571).
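To support the periodic check in step 11, the following read-only PowerShell script reports the current CrashOnAuditFail state and how close the Security log is to its maximum size. It is an added example, not part of the original article or the Exchange Server Analyzer Tool. It assumes a Windows version with Windows PowerShell 3.0 or later and the Get-WinEvent cmdlet, and an elevated session; the function name and the 90 percent warning threshold are assumptions chosen for illustration.

```powershell
# Added example: read-only check of CrashOnAuditFail and Security log headroom.
# Assumes Windows PowerShell 3.0+ with Get-WinEvent, run from an elevated session.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$warnPct = 90   # assumed warning threshold, not a value from the article

function Get-CrashOnAuditFailReport {
    # Read the value; it may be absent (for example after step 3 of the procedure).
    $prop = Get-ItemProperty -Path $lsaPath -Name CrashOnAuditFail -ErrorAction SilentlyContinue
    $state = if ($null -eq $prop) { 'NotSet' } else {
        switch ([int]$prop.CrashOnAuditFail) {
            0       { 'Disabled' }
            1       { 'Enabled' }      # server halts if an audit cannot be logged
            2       { 'Tripped' }      # the condition the Analyzer reports as an error
            default { "Unexpected($($prop.CrashOnAuditFail))" }
        }
    }

    # Security log size, configured maximum, and retention mode.
    $log     = Get-WinEvent -ListLog Security
    $usedPct = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)

    # A full log can only block auditing when old events are never overwritten.
    $advice = 'OK'
    if ($state -eq 'Tripped') {
        $advice = 'CrashOnAuditFail is 2: follow the recovery procedure.'
    }
    elseif ($state -eq 'Enabled' -and $log.LogMode -eq 'Retain' -and
            ($log.IsLogFull -or $usedPct -ge $warnPct)) {
        $advice = 'Save and clear the Security log, or raise its maximum size.'
    }

    [pscustomobject]@{
        CrashOnAuditFail = $state
        LogMode          = $log.LogMode
        UsedPercent      = $usedPct
        MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        Advice           = $advice
    }
}

Get-CrashOnAuditFailReport | Format-List
```

The script changes nothing on the server, so it can be run on a schedule and its output forwarded to monitoring.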

Before you edit the registry, and for information about how to edit the registry, see the Knowledge Base article, "Description of the Microsoft Windows Registry" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=256986).

For more information about recovering from CrashOnAuditFail failures, see the following Knowledge Base articles: