When the Security Log Is Full

If you have set the security log either to "Overwrite Events Older than n Days" or "Do Not Overwrite Events (Clear Log Manually)", you might want to enable CrashOnAuditFail. (With the third setting, "Overwrite Events as Needed", the log wraps instead of filling, so the entry never triggers.) The CrashOnAuditFail registry entry directs the operating system to crash (shut down abnormally and display a blue screen) when the audit log is full. This ensures that no auditable activity, including a security violation, can take place while the system is unable to record it. To enable CrashOnAuditFail, use the Registry Editor to create the following registry value:

Hive: HKEY_LOCAL_MACHINE\SYSTEM

Key: \CurrentControlSet\Control\Lsa

Name: CrashOnAuditFail

Type: REG_DWORD

Values:

1 Crash if the audit log is full.

2 Set by the operating system just before it crashes because the audit log is full. While the value is 2, only members of the Administrators group can log on to the computer. This value confirms the cause of the crash. To reset it, change the value back to 1.


The changes take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes. Note that there is no 0 value for this entry. To disable CrashOnAuditFail, delete the CrashOnAuditFail value from the registry (delete only the value, not the Lsa key that contains it).

If Windows NT halts because the security log has become full, the system must be restarted and reconfigured to restore it to high-level security. When Windows NT restarts, the Security log is still full, so no auditable actions are recorded until the Security log is cleared.

To recover when Windows NT halts because it cannot generate an audit event record

1. Restart the computer and log on using an account in the Administrators group.

2. Use Event Viewer to clear all events from the Security log, archiving the currently logged events. For details, see the "Event Viewer" chapter in the Windows NT Workstation or Windows NT Server System Guide.

3. Use the Registry Editor to change the value of CrashOnAuditFail to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (as described earlier in this section).

4. Exit the Registry Editor, and then restart the computer.
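The following script is an added example, not part of the Windows NT documentation reproduced above, showing how the enable procedure and the four recovery steps look when scripted on a current Windows host rather than clicked through in the Registry Editor and Event Viewer. It assumes Windows PowerShell 5.1 running elevated, that the Lsa key path and the meaning of values 1 and 2 are as this page describes, and that wevtutil.exe is available to archive and clear the Security log; the function names, the archive directory, and the file naming are the example's own choices.

```powershell
# Added example (not from the original page): manage CrashOnAuditFail with PowerShell.
# Assumptions: Windows PowerShell 5.1, elevated; value semantics as on the page
# (1 = halt when the security log is full, 2 = written by the OS after such a halt);
# wevtutil.exe is used in place of Event Viewer to archive and clear the log.
#Requires -RunAsAdministrator

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'CrashOnAuditFail'

function Get-CrashOnAuditFail {
    # Returns the current DWORD, or $null when the value is absent (feature disabled).
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Enable-CrashOnAuditFail {
    # 1 = halt the system when the security log is full. Takes effect at the next boot.
    New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-CrashOnAuditFail {
    # The page states there is no 0 value: remove the value itself, never the Lsa key.
    Remove-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
}

function Repair-AfterAuditFailCrash {
    # Recovery steps 2 and 3: archive and clear the Security log, then reset 2 -> 1.
    # Step 1 (log on as an administrator) and step 4 (restart) are left to the operator.
    param([string]$ArchiveDir = "$env:SystemRoot\SecurityLogArchive")   # assumed location

    $state = Get-CrashOnAuditFail
    if ($state -ne 2) {
        # Value 2 is the operating system's own confirmation that the halt was an audit
        # failure; refuse to clear the log when that evidence is absent.
        Write-Warning "CrashOnAuditFail is '$state', not 2; last halt was not an audit failure. No changes made."
        return $false
    }

    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $archive = Join-Path $ArchiveDir ("Security-{0:yyyyMMdd-HHmmss}.evtx" -f (Get-Date))

    # 'wevtutil cl <log> /bu:<file>' writes a backup of the log and then clears it,
    # which is what Event Viewer's "archive, then clear" does interactively.
    & wevtutil.exe cl Security "/bu:$archive"
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil failed to archive and clear the Security log (exit code $LASTEXITCODE)"
    }

    Set-ItemProperty -Path $LsaKey -Name $Name -Value 1 -Type DWord
    Write-Host "Security log archived to $archive and cleared; CrashOnAuditFail reset to 1."
    Write-Host "Restart the computer to complete the recovery."
    return $true
}

# Typical use after an audit-failure halt, from an elevated prompt:
# Repair-AfterAuditFailCrash; Restart-Computer
```

The guard on value 2 matters: clearing the Security log destroys the only record of what happened before the halt, so the script archives first and only proceeds when the registry confirms the crash was an audit failure rather than an unrelated fault.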