Windows Security Log Event ID 4906

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Policy Change
 • Audit Policy Change
Type Success
Corresponding events
in Windows 2003
and before		  

4906: The CrashOnAuditFail value has changed

On this page

This event is logged when you change the value of the security option "Audit: Shut down system immediately if unable to log security audits" which can be used to make the system crash with blue screen if the security log fills and configured to not overwrite or autobackup.

The above security option corresponds to the registry value CrashOnAuditFail in HKLM\SYSTEM\CurrentControlSet\Control\LSA.

According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.

Free Security Log Resources by Randy

Description Fields in 4906

  • New Value of CrashOnAuditFail: 
    0 feature is off. The system does not halt, even when it cannot record events in the Security Log
    1 feature is on. The system halts when it cannot record an event in the Security Log
    2 feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on.

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 4906

The CrashOnAuditFail value has changed.

New Value of CrashOnAuditFail:  1

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



Mini-Seminars Covering Event ID 4906
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
Additional Resources