Windows 10 Advanced Audit Setting - Process Creation and Crash on Audit Fail issues

  • Thread starter Thread starter jzderadicka
  • Start date Start date
J

jzderadicka

Guest
Hi All,


Currently having issues with two windows audit settings:

- Advanced Auditing\Detailed Tracking\Audit Process Creation - Enabled: Success


- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits - Enabled (HKLM:\SYSTEM\CurrentControlSet\Control\Lsa - crashonauditfail = 1)



When enabling these settings together, upon a reboot the system blue screens with known state STOP: C0000244 {Audit Failed} and users are not able to login. When logging in as an admin account, the setting for 'crashonauditfail' is in a triggered state (crashonauditfail = 2). The Security Event Log shows event id 1101 with the description 'Audit events have been dropped by the transport. 0'.

I tried to disable all other Advanced Audit Settings, leaving only Audit Process Creation - Success but the issue still occurs. The issue can be easily reproduced by setting crashonauditfail = 1 and rebooting the system again.

Any help is appreciated.


With thanks,


Joey

More...
 

Similar threads

A
IIS Admin Service unable to start - How and Why it can happen?
Replies
0
Views
246
ashfana
A
E
Windows 10 Event 4625 keeps happening every day at (nearly) the same time - Regular personal computer, not a Windows Server machine
Replies
0
Views
106
esunaga
E
P
Windows 10 Device Guard and Credential Guard Demystified
Replies
0
Views
375
Priyanka_Pillai
P
V
HTTP response 503 Service Unavailable from IIS: one common generic cause
Replies
0
Views
339
Viorel-Alexandru
V
K
Windows 10 What’s new in Windows 10 19H1(1903)
Replies
0
Views
149
Kate Li
K
Back
Top