4621(S): Administrator recovered system from CrashOnAuditFail.

This event is logged after a system reboots following CrashOnAuditFail. It generates when CrashOnAuditFail = 2.

There is no example of this event in this document.

Subcategory: Audit Security State Change

Event Schema:

Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.

Value of CrashOnAuditFail:%1

This event is logged after a system reboots following CrashOnAuditFail.

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Security Monitoring Recommendations

  • We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in CrashOnAuditFail.

  • If your computers don’t have the CrashOnAuditFail flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed.