Full Event Log

My company had a problem in which client computers couldn't map a drive to our file server. Users received the error message "Unable to impersonate using a named pipe until data has been read from that pipe."

We also couldn't apply Group Policy Objects (GPOs) to the affected servers. When administrators tried to log on to the servers, they received the error message "Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine."

The problem was that the event log was full and needed emptying. The solution we found for this problem was to start regedt32 and ensure that the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa subkey was set to crashonauditfail, with REG_DWORD as the subkey's type and 0 as its value.

In our case, the value was set to 2 and needed to be changed. A value of 2 means that the system halted because it couldn't report auditable events; the system sets crashonauditfail to 2 just before it halts. A value of 0 prevents the system from halting when it can't report all auditable events.
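
The check described above can be scripted. The following PowerShell is an added example, not part of the original tip: it reads the crashonauditfail value under the Lsa subkey, reports how full the Security log is, and resets the value to 0 only when run with the hypothetical -Reset switch. The meaning given for a value of 1 comes from Microsoft's documentation of this setting, not from this page.

```powershell
# Added example: inspect CrashOnAuditFail and the Security log state.
# Run from an elevated prompt; -Reset (a name chosen for this example) writes the registry.
param([switch]$Reset)

$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name = 'CrashOnAuditFail'

# 0 and 2 are as described on the page; 1 is the documented
# "halt when auditing fails" policy setting (not from the page).
$meaning = @{
    0 = 'system does not halt when it cannot record audit events'
    1 = 'system halts when it cannot record audit events'
    2 = 'system has halted after an audit failure'
}

$prop  = Get-ItemProperty -Path $lsa -Name $name -ErrorAction SilentlyContinue
$value = if ($null -ne $prop) { [int]$prop.$name } else { $null }

if ($null -eq $value) {
    Write-Output "$name is not present under $lsa"
} elseif ($meaning.ContainsKey($value)) {
    Write-Output "$name = $value ($($meaning[$value]))"
} else {
    Write-Output "$name = $value (unexpected value)"
}

# Security log: how full it is and whether old events get overwritten.
$log   = Get-WinEvent -ListLog Security
$pct   = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
$maxMb = [math]::Round($log.MaximumSizeInBytes / 1MB)
Write-Output "Security log: $pct% of $maxMb MB, mode=$($log.LogMode), full=$($log.IsLogFull)"

if ($log.LogMode -ne 'Circular' -and $pct -ge 90) {
    Write-Warning 'Security log is near capacity and does not overwrite old events.'
}

if ($Reset -and $value -eq 2) {
    # Archive and empty the Security log first, or auditing fails again.
    Set-ItemProperty -Path $lsa -Name $name -Value 0 -Type DWord
    Write-Output "$name reset to 0"
}
```

If the value reads 1, it was set deliberately as an audit policy, so the script reports it and leaves it unchanged.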
