Summary
The CrashOnAuditFail feature is a registry key that can be set to make sure that all auditable events are recorded in the security event log. If an auditable event cannot be logged in the security event log, a stop error (STOP 0xC0000244) occurs. The stop error typically occurs because the security event log is full. After the stop error occurs, non-administrator accounts cannot access the Web sites, and Microsoft Internet Information Services (IIS) returns HTTP 500 error messages until the CrashOnAuditFail key is reset and the security event log is cleared.
Symptoms
When you access a Web site on the server, you receive one of the following error messages.
When friendly error messages are turned off in the browser, you may also receive the following error message:
Error message 1
HTTP 500 - Internal Server Error
Error message 2
HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
Error message 3
The Local security authority cannot be contacted.
Logon failure: user not allowed to log on to this computer.
Cause
This problem occurs if the security event log has reached the maximum log size and the Event Log Wrapping setting is set to Overwrite Events Older than X Days or Do Not Overwrite Events. Because the security event log is full, and the CrashOnAuditFail registry key is set, Microsoft Windows does not permit accounts that are not administrator accounts to log on. When anonymous access is configured, requests to the Web site try to authenticate by using the IUSR_computername and IWAM_computername accounts. These accounts are not administrator accounts.
Resolution
Important
This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this issue, follow these steps:
- Save and clear the security event log.
- Start Registry Editor.
- Locate the following key, and then set the value of this key to 1: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
- Restart the server. The registry changes do not take effect until you restart the server.
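The steps above as a PowerShell script, added here as an example and not part of the original article. The backup folder and the -Restart switch are assumptions; run it from an elevated session on the affected server.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted form of the Resolution steps (not from the original article).
param(
    [string]$BackupDir = 'C:\SecurityLogBackup',  # assumption: local folder with free space
    [switch]$Restart                              # assumption: opt-in restart for the last step
)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$meaning = @{
    0 = 'Anyone may log on (default)'
    1 = 'Anyone may log on while events can be written to the security event log'
    2 = 'Only administrators may log on'
}

# Report the current state before changing anything.
$value = (Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
$state = if ($null -eq $value) { 'not set' } else { "$value - $($meaning[[int]$value])" }
Write-Host "CrashOnAuditFail: $state"

$log = Get-WinEvent -ListLog Security
Write-Host ("Security log: mode={0}, size={1:N0} of {2:N0} bytes, full={3}" -f `
    $log.LogMode, $log.FileSize, $log.MaximumSizeInBytes, $log.IsLogFull)

# Save and clear the security event log. Clear only if the export succeeded.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backup = Join-Path $BackupDir ("Security-{0:yyyyMMdd-HHmmss}.evtx" -f (Get-Date))
wevtutil epl Security $backup
if ($LASTEXITCODE -ne 0) { throw "Export to $backup failed; the log was not cleared." }
wevtutil cl Security
if ($LASTEXITCODE -ne 0) { throw 'Clearing the security event log failed.' }
Write-Host "Security log saved to $backup and cleared."

# Set CrashOnAuditFail to 1, as in the registry step above.
Set-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -Value 1 -Type DWord
Write-Host 'CrashOnAuditFail set to 1.'

# Restart the server; the registry change does not take effect until then.
if ($Restart) {
    Restart-Computer -Force
} else {
    Write-Host 'Restart the server for the registry change to take effect.'
}
```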
Status
This behavior is by design.
More information
The CrashOnAuditFail registry key provides an optional security feature that system administrators can use to review all security events. The valid values for the CrashOnAuditFail key are 0, 1, and 2.
The data options are:
- 0 - Anyone may log on. This is the default value.
- 1 - Anyone may log on if the system can audit the events and write the events to the security event log. If the security event log is full, the value for the CrashOnAuditFail key is changed to 2, and the server crashes.
- 2 - Only administrators may log on.
CrashOnAuditFail key.
Note: None of the following methods alone resolves the issue. You must follow the steps in the "Resolution" section before you use one of these methods.
- Set the Event Log Wrapping setting to Overwrite events as needed.
- Limit the number or types of events that are audited, or disable auditing completely.
- Set the value for the following registry key to 0: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
140058 How to prevent auditable activities when security log is full
232564 STOP 0xC0000244 when security log full