Overview
If a networked computer automatically shuts down and then begins to deny access to its networked services, a potential cause could be that the CrashOnAuditFail registry value or "Shut down system immediately if unable to log security audits" Group Policy setting was triggered due to a full Security log in the Event Viewer. This type of error only happens when CrashOnAuditFail is enabled, the Event Viewer is configured to not overwrite events or to retain events for a certain number of days, and the server is unable to log an event to the Security event log.
NOTE: This article contains links to Microsoft Knowledge Base pages and TechNet Library pages.
Symptoms
When the computer shuts down because the Security log in the Event Viewer is full and the CrashOnAuditFail setting is enabled, an error is displayed on the computer's local session / interactive logon session that reads:
STOP: C0000244 {Audit Failed}
An attempt to generate a security audit failed
The computer may restart, depending on how it is configured, and could then start denying access to all services until a local administrator logs in and reconfigures the CrashOnAuditFail registry value. An Event Log entry with Event ID 4621 is also written that reads "Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded."
Specific issues associated with this condition include, but are not limited to, the following:
- Exchange server outage, as described in KB article 888179: Issues that occur when the crashonauditfail registry value is set to 1
- Web site outage, as described in Users cannot access Web sites when the security event log is full
- Active Directory replication fails with Access Denied because the partner domain controller is offline
- Active Directory-integrated domain name is not displayed in DNS snap-in with Event ID 4000 and 4013 messages
- Cannot install new or additional domain controller because the helper domain controller has crashed or cannot be located
- Event ID 1053 Source Userenv - Windows cannot determine the user or computer name because the name resolution (DNS) server has crashed
Resolutions
Only a member of the local administrators group can log on interactively (locally or using a remote tool that allows an interactive logon, such as a KVM appliance or remote access device). To return the computer to normal service:
- The local administrator must reset the CrashOnAuditFail registry setting back to a value of 0x1 (from 0x2). That value is located under the following registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Correct the problem that prevented the server from logging an event to the security event log. Typically this just involves saving and then clearing the log.
  Possible reasons why the server was unable to log an event:
  - Security event log is full (and the "Do not overwrite events" option is enabled)
  - Security event log is too large
  - Security event log is corrupt
- Restart the server
If the CrashOnAuditFail setting is appropriate for the computer, then the administrator should archive the security event log and then configure the CrashOnAuditFail value to 1. Otherwise, the administrator should configure a value of 0 and ensure that the setting is not enabled in Group Policy, so that the computer does not shut down when the Security event log is full.
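The recovery steps above as a PowerShell session, added here as an example and not taken from the linked Microsoft articles. It assumes an elevated session on the affected computer; the archive folder C:\LogArchive is a hypothetical location.

```powershell
# Added example: run as a local administrator in an elevated PowerShell session.
$lsa     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$archive = 'C:\LogArchive\Security-{0:yyyyMMdd-HHmmss}.evtx' -f (Get-Date)  # assumed path

# 1. Read the current value. 2 means the audit-failure shutdown has been triggered.
$value = (Get-ItemProperty -Path $lsa -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
$names = @{ 0 = 'disabled'; 1 = 'enabled'; 2 = 'triggered, only administrators can log on' }
$state = if ($null -eq $value) { 'not set' } else { $names[[int]$value] }
"CrashOnAuditFail = $value ($state)"

# 2. Inspect the Security log: retention mode and how full it is.
#    LogMode 'Retain' corresponds to "Do not overwrite events".
$log = Get-WinEvent -ListLog Security
'{0}: mode={1}, {2:N0} of {3:N0} bytes used, full={4}' -f `
    $log.LogName, $log.LogMode, $log.FileSize, $log.MaximumSizeInBytes, $log.IsLogFull

# 3. Reset the triggered value (2) back to 1, as in the first resolution step.
if ($value -eq 2) {
    Set-ItemProperty -Path $lsa -Name CrashOnAuditFail -Value 1 -Type DWord
}

# 4. Save and then clear the Security log. "wevtutil cl /bu:" writes a backup
#    before clearing, so the audit trail is kept.
New-Item -ItemType Directory -Path (Split-Path $archive) -Force | Out-Null
wevtutil cl Security "/bu:$archive"
if ($LASTEXITCODE -ne 0) {
    # A corrupt log can make the backup fail; stop here and investigate the log file.
    throw "Could not archive and clear the Security log (wevtutil exit code $LASTEXITCODE)"
}
"Security log archived to $archive"

# 5. Restart the server once the steps above have succeeded.
# Restart-Computer
```

If the "Shut down system immediately if unable to log security audits" policy is enabled in Group Policy, the registry value is set again when policy is next applied, so change it there as well when the intent is to disable the behaviour.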
Related Resources
- Resolving “STOP C0000244” Error Message in Windows Operating System
- Event Logging and Viewing
- Shut down system immediately if unable to log security audits
- How To Prevent Auditable Activities When Security Log Is Full
- Error message: Users cannot log on to a workstation
- STOP 0xC0000244 when security log full
- CrashOnAuditFail with Logon/Logoff Auditing Causes Blue Screen
- CrashOnAuditFail Activates on Shutdown with ProcessTracking