If you have set the security log either to "Overwrite Events Older than n Days" or "Do Not Overwrite Events (Clear Log Manually)", you may want the system to halt rather than allow auditable activity to continue once the log is full and no new audit records can be written. To do this:
- Run Registry Editor (REGEDT32.EXE).
- From the HKEY_LOCAL_MACHINE\SYSTEM subtree, go to the following key:
  \CurrentControlSet\Control\Lsa\
- Add the entry:
  Key: CrashOnAuditFail
  Type: REG_DWORD
  Value: 1
- Save the changes. The change will take effect the next time the computer is started. Update the Emergency Repair Disk to reflect these changes.
To recover when Windows NT halts because it cannot generate an audit event record:
- Restart the computer and log on using an account in the Administrators group.
- Use Event Viewer to clear all events from the Security log, archiving the currently logged events. For details, see the "Event Viewer" chapter in the Windows NT Workstation or Windows NT Server System Guide.
- Use the Registry Editor to delete and re-create the value entry CrashOnAuditFail, with data type REG_DWORD and value 1, under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (as described above).
- Exit and restart the computer.
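The two procedures above, as an added PowerShell example (not from the original post) for a current Windows version: it assumes an elevated session, and for the archive-and-clear step it uses wevtutil, which did not exist on Windows NT, so that part is an assumption about the modern equivalent of the Event Viewer step.

```powershell
# Added example, not part of the original post.
# Assumes an elevated (Administrator) PowerShell session.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name   = 'CrashOnAuditFail'

function Get-CrashOnAuditFail {
    # Returns the current value, or $null if the entry does not exist.
    $prop = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$Name
}

function Enable-CrashOnAuditFail {
    # Step 1 of the post: create (or set) the REG_DWORD entry with value 1.
    # Takes effect at the next restart, as the post states.
    if ($null -eq (Get-CrashOnAuditFail)) {
        New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value 1 | Out-Null
    } else {
        Set-ItemProperty -Path $LsaKey -Name $Name -Type DWord -Value 1
    }
    Write-Host "CrashOnAuditFail is now $(Get-CrashOnAuditFail); restart to apply."
}

function Recover-CrashOnAuditFail {
    param(
        # Where the archived Security log is written before clearing (constructed path).
        [string]$ArchivePath = "C:\AuditArchive\Security-$(Get-Date -Format yyyyMMdd-HHmmss).evtx"
    )
    # Step 2 of the post: archive the Security log, then clear it.
    # wevtutil's /bu: switch backs up the log before clearing (assumed modern
    # equivalent of the Event Viewer step described in the post).
    New-Item -ItemType Directory -Path (Split-Path $ArchivePath) -Force | Out-Null
    wevtutil cl Security /bu:$ArchivePath
    if ($LASTEXITCODE -ne 0) { throw "Clearing the Security log failed ($LASTEXITCODE)." }

    # Step 3 of the post: delete the entry and re-create it with value 1.
    Remove-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    New-ItemProperty -Path $LsaKey -Name $Name -PropertyType DWord -Value 1 | Out-Null
    Write-Host "Security log archived to $ArchivePath; CrashOnAuditFail reset to 1. Restart the computer."
}
```

Run Get-CrashOnAuditFail first to record the current state, then Enable-CrashOnAuditFail to apply the setting or Recover-CrashOnAuditFail after a halt.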