The CrashOnAuditFail value entry at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa is a type REG_DWORD that determines system behavior when the Security log (Event Viewer) is full. The default is 0, the system does not halt. An entry of 1 causes the system to halt and display c0000244 (STATUS_AUDIT_FAILED). The system then sets this entry to 2 so only Administrators can log on until the Security log is cleared.
Other crash control entries are located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\CrashControl:
AutoReboot is a REG_DWORD that controls if the system will automatically reboot upon failure. A value of 0 (default for Workstation) does not cause reboot whereas a value of 1 (default for Server) does.
CrashDumpEnabled is a REG_DWORD that specifies whether a dump will be written (value 1, default for Server) or not (value 0, default for Workstation).
DumpFile is a type REG_EXPAND_SZ that contains the path and file name of the dump file. The default is %SystemRoot%\Memory.log.
LogEvent is a REG_DWORD that indicates if a System log entry is written when abnormal termination occurs. The default for Workstation is 0 (no) while Server defaults to 1 (yes).
Overwrite is a REG_DWORD that controls whether a new dump file is created if one already exists. A 0 is no, which is the default for Workstation. A 1 is yes, which is the default for Server.
SendAlert is a REG_DWORD that specifies if the logged on user will receive an administrative alert when the DumpFile is full and LogEvent is 1 and Overwrite is 0. The default for Workstation is 0 (no) and for Server is 1 (yes). If the value is 1 and the DumpFile is full, a user acknowledgement is required to proceed.
