If you have set the security log either to "Overwrite Events Older than n Days" or "Do Not Overwrite Events (Clear Log Manually)", you can prevent auditable activities while the log is full. No new audit records can be written. To do so, use the Registry Editor to create or assign the following registry key value:
Hive: | HKEY_LOCAL_MACHINE\SYSTEM |
Key: | \CurrentControlSet\Control\Lsa |
Name: | CrashOnAuditFail |
Type: | REG_DWORD |
Value: | 1 |
The changes take effect the next time the computer is started. You can update the Emergency Repair Disk to reflect these changes.
If Windows NT Workstation halts as a result of a full security log, the system must be restarted and reconfigured to prevent auditable activities from occurring again while the log is full. After the system is restarted, only administrators can log on until the security log is cleared. For more information on recovering after Windows NT halts, see the "Recovering After Windows NT Halts Because it Cannot Generate an Audit Event Record" in Event Viewer Help.