Overview


If a networked computer automatically shuts down and then begins to deny access to its networked services, a potential cause could be that the CrashOnAuditFail registry value or "Shut down system immediately if unable to log security audits" Group Policy setting was triggered due to a full Security log in the Event Viewer. This type of error only happens when CrashOnAuditFail is enabled, the Event Viewer is configured to not overwrite events or to retain events for a certain number of days, and the server is unable to log an event to the Security event log.

NOTE: This article contains links to Microsoft Knowledge Base pages and TechNet Library pages.
   

Symptoms

When the computer shuts down because the Security log in the Event Viewer is full and the CrashOnAuditFail setting is enabled, an error is displayed on the computer's local session / interactive logon session that reads:

                    STOP: C0000244 {Audit Failed} 
                    An attempt to generate a security audit failed

The computer may restart, depending on how it is configured, and could then start denying access to all services until a local administrator logs in and reconfigures the CrashOnAuditFail registry value. An event with Event ID 4621 is also written to the event log; it reads "Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded."

Specific issues that can cause this include, but are not limited to, the following:

Resolutions

Only a member of the local administrators group can log on interactively (locally or using a remote tool allowing an interactive logon, such as KVM appliance or remote access device). To return the computer back to normal service:

  • The local administrator must reset the CrashOnAuditFail registry setting back to a value of 0x1 (from 0x2). That value is located under the following registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
  • Correct the problem that prevented the server from logging an event to the security event log. Typically this just involves saving and then clearing the log. Possible reasons why the server was unable to log an event:
      • Security event log is full (and the "Do not overwrite events" option is enabled)
      • Security event log is too large
      • Security event log is corrupt
  • Restart the server

 
If the CrashOnAuditFail setting is appropriate for the computer, the administrator should archive the security event log and then set the CrashOnAuditFail value to 1. Otherwise, the administrator should configure a value of 0 and ensure that the setting is not enabled in Group Policy, so that the computer does not shut down when the Security event log is full.
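
The resolution steps above, written as a PowerShell script. This is an added example, not part of the original article; the archive folder C:\AuditArchive and the -Recover switch are assumptions, and the script must be run from an elevated session by a local administrator.

```powershell
# Added example: report the CrashOnAuditFail state and, with -Recover,
# archive and clear the Security log, then re-arm the setting (2 -> 1).
param(
    [string]$ArchiveDir = 'C:\AuditArchive',  # assumed archive location
    [switch]$Recover                          # without this switch, report only
)

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$state = (Get-ItemProperty -Path $lsa -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
$log   = Get-WinEvent -ListLog Security

# LogMode 'Retain' is "Do not overwrite events"; 'Circular' overwrites as needed.
[pscustomobject]@{
    CrashOnAuditFail = $state        # 0 = off, 1 = armed, 2 = triggered
    LogMode          = $log.LogMode
    MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    FileSizeMB       = [math]::Round($log.FileSize / 1MB, 1)
    IsLogFull        = $log.IsLogFull
} | Format-List

# Earlier recoveries leave Event ID 4621 behind; list the most recent ones.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4621 } -MaxEvents 5 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id

if ($Recover -and $state -eq 2) {
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $backup = Join-Path $ArchiveDir ('Security-{0:yyyyMMdd-HHmmss}.evtx' -f (Get-Date))

    # Save, then clear. If the backup fails (for example, a corrupt log),
    # stop here so no audit data is discarded and the registry is untouched.
    wevtutil cl Security "/bu:$backup"
    if ($LASTEXITCODE -ne 0) {
        throw 'wevtutil could not archive and clear the Security log.'
    }

    Set-ItemProperty -Path $lsa -Name CrashOnAuditFail -Value 1 -Type DWord
    Write-Host "Archived to $backup; CrashOnAuditFail reset to 1. Restart the server."
}
```

If CrashOnAuditFail is not appropriate for the computer, set the value to 0 instead of 1 and confirm that Group Policy does not re-enable it.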

Related Resources