CrashOnAuditFail is an operating system setting that essentially stops your system if it can no longer write to the Security log. The stop is typically a Blue Screen of Death (BSOD) that brings the system down when the Security log can no longer be written to.
STOP 0xC0000244 when security log full
Most of the time this is due to an improperly configured event log setting that has a small size and doesn't allow for archiving. Other times, it is unauthorized activity on the system, and every now and then it could just be another issue (such as something accidentally stopping the Services.exe process). Depending on your environment, you may have this enabled, or you may not.
Either way, it might be a good idea to know if this is enabled on the systems in your network. I will show you how you can write a quick function that can hit all of the remote systems and report back the status of this setting. All of this can be checked from the registry by navigating to HKLM\SYSTEM\CurrentControlSet\Control\Lsa and looking at the value of crashonauditfail. There are 3 valid values used on this key that are worth noting.
Value | Meaning
--- | ---
0 | The feature is off. The system does not halt, even when it cannot record events in the Security Log.
1 | The feature is on. The system halts when it cannot record an event in the Security Log.
2 | The feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the
So now that we have that out of the way, we can begin looking at how to get this data from a system. Since the possibility exists that we will be looking for this value remotely, I am going to use the [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey() method to connect to the remote system's registry hive.
$remotereg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine","Dc1.rivendell.com")
If it didn't work, we would see some sort of error, but just in case, you can run the following code to list the subkeys and confirm the connection:
$remotereg.GetSubKeyNames()
With that out of the way, we can now proceed to connect to the lsa subkey in the registry.
$regkey = $remotereg.OpenSubKey("SYSTEM\CurrentControlSet\Control\lsa",$False)
I specify $False in the OpenSubKey() method because I am not planning on writing to the registry key, so the key is opened read-only.
Lastly, I now need to get the value of the crashonauditfail key.
$regkey.GetValue("crashonauditfail")
In this case, we can see that CrashOnAuditFail is disabled. It may be better to translate this to something a little easier to understand, so I use a hash table to make this simpler.
$crashOnAuditState = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Tripped' }
Now I can do this:
$crashOnAuditState[$regkey.GetValue('crashonauditfail')]
A little better for someone to read and understand. Of course, something like this is made better as either a script or a function. Luckily, I wrote a function that allows you to run this against multiple remote systems and returns the state of the setting on each.
As with all functions that reside in a script, you must dot source the script to load the function into the current PowerShell session before use. So let's see an example of this function.
Get-CrashOnAuditFail -Computername Boe-Pc,DC1.rivendell.com
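Here is one way to write such a function, as an added example rather than the author's downloadable script. It follows the OpenRemoteBaseKey() steps above, assumes the Remote Registry service is reachable on each target, and reports a missing value as Disabled (the feature was never configured) and an unreachable system as an error row instead of stopping the whole run.

```powershell
function Get-CrashOnAuditFail {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$Computername = $env:COMPUTERNAME
    )
    begin {
        # Raw DWORD -> readable state, as in the table above
        $crashOnAuditState = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Tripped' }
    }
    process {
        foreach ($computer in $Computername) {
            $remotereg = $null
            $regkey = $null
            try {
                # Read-only connection to the remote HKLM hive (needs Remote Registry service)
                $remotereg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
                $regkey = $remotereg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa', $false)
                if (-not $regkey) { throw 'Lsa subkey not found' }
                $raw = $regkey.GetValue('crashonauditfail')
                # Assumption: no value present means the feature was never turned on
                if ($null -eq $raw) { $raw = 0 }
                $state = $crashOnAuditState[[int]$raw]
                if (-not $state) { $state = "Unknown ($raw)" }
                [PSCustomObject]@{
                    Computername     = $computer
                    CrashOnAuditFail = [int]$raw
                    State            = $state
                }
            } catch {
                # Keep going for the rest of the list; surface the failure per host
                [PSCustomObject]@{
                    Computername     = $computer
                    CrashOnAuditFail = $null
                    State            = "Error: $($_.Exception.Message)"
                }
            } finally {
                if ($regkey)    { $regkey.Close() }
                if ($remotereg) { $remotereg.Close() }
            }
        }
    }
}
```

A State of Tripped is the row to act on first: that system has already halted at least once because the Security log could not be written, so its log size and retention settings need reviewing.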
If this sounds like something that you can use, feel free to download the script and give it a run. Let me know what you think of it!
Download the Script