0x0–0x00 00 0A 00 00 00 0A 00
0x00 30 00 00 00 20 00 00 (Upper bound = 0x3000 (12,288); lower bound = 0x2000 (8,192))
Specifies thresholds for managing the length of the kernel-mode Local Security Authority ( LSA ) audit queue. The audit queue stores kernel-mode events destined for the Security Log in Event Viewer.
The value of this entry is an 8-byte binary field. The value of the first four bytes specifies the maximum number of items that can be held in the audit queue (the upper bound). When the number of audits exceeds this value, LSA discards all new audits until the number of audits remaining in the queue reaches the lower bound, as specified by the value of the last four bytes.
The system does not notify you when the queue is nearing, has reached, or has exceeded its upper bound. To prevent the system from running when it cannot report all security events, set the value of CrashOnAuditFail to 1.