Advanced Audit Setting - Process Creation and Crash on Audit Fail issues


Guest jzderadicka

Hi All,

Currently having issues with two Windows audit settings:

- Advanced Auditing\Detailed Tracking\Audit Process Creation - Enabled: Success

https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation

- Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits - Enabled (HKLM:\SYSTEM\CurrentControlSet\Control\Lsa - crashonauditfail = 1)

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits

When enabling these settings together, upon a reboot the system blue screens with known state STOP: C0000244 {Audit Failed} and users are not able to log in. When logging in as an admin account, the setting for 'crashonauditfail' is in a triggered state (crashonauditfail = 2). The Security Event Log shows event ID 1101 with the description 'Audit events have been dropped by the transport. 0'.

I tried to disable all other Advanced Audit Settings, leaving only Audit Process Creation - Success, but the issue still occurs. The issue can be easily reproduced by setting crashonauditfail = 1 and rebooting the system again.

Any help is appreciated.

With thanks,

Joey
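
The state described in the post above (the crashonauditfail value, the Process Creation audit setting, the Security log configuration and any event 1101 records) can be collected in one read-only pass. This is an added example, not part of the original post; the function name `Get-AuditFailState` is hypothetical, and it assumes an elevated prompt on an English-language system.

```powershell
# Added example: read-only collection of the audit-fail state described in the post.
# Get-AuditFailState is a hypothetical helper name; run from an elevated prompt.
function Get-AuditFailState {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsaPath -Name crashonauditfail `
                -ErrorAction SilentlyContinue).crashonauditfail

    # 1 (enabled) and 2 (triggered) are the values reported in the post.
    $state = if ($value -eq 1) { 'Enabled' }
             elseif ($value -eq 2) { 'Triggered' }
             else { 'Disabled or not set' }

    # auditpol prints one line per subcategory; the name match assumes English output.
    $procAudit = auditpol /get /subcategory:"Process Creation" |
        Where-Object { $_ -match '^\s*Process Creation' } |
        ForEach-Object { $_.Trim() }

    # Size, retention mode and fill level of the Security log.
    $log = Get-WinEvent -ListLog Security

    # Event 1101: "Audit events have been dropped by the transport."
    $dropped = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1101 } `
                    -MaxEvents 5 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        CrashOnAuditFail      = $value
        CrashOnAuditFailState = $state
        ProcessCreationAudit  = $procAudit
        SecurityLogMaxBytes   = $log.MaximumSizeInBytes
        SecurityLogFileBytes  = $log.FileSize
        SecurityLogMode       = $log.LogMode
        SecurityLogIsFull     = $log.IsLogFull
        Event1101Count        = $dropped.Count
        Event1101Latest       = ($dropped | Select-Object -First 1).TimeCreated
    }
}

Get-AuditFailState | Format-List
```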