Windows Security Log Event ID 4906

4906: The CrashOnAuditFail value has changed

On this page

• Description of this event
• Field level details
• Examples

This event is logged when you change the value of the security option "Audit: Shut down system immediately if unable to log security audits" which can be used to make the system crash with blue screen if the security log fills and configured to not overwrite or autobackup.

The above security option corresponds to the registry value CrashOnAuditFail in HKLM\SYSTEM\CurrentControlSet\Control\LSA.

According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4906

• New Value of CrashOnAuditFail: 

  0	feature is off. The system does not halt, even when it cannot record events in the Security Log
  1	feature is on. The system halts when it cannot record an event in the Security Log
  2	feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on.

Supercharger Free Edition

Centrally manage WEC subscriptions.

Free.

 

Mini-Seminars Covering Event ID 4906 Building a Security Dashboard for Your Senior Executives Monitoring Active Directory Changes for Compliance: Top 32 Security Events IDs to Watch and What They Mean Top 10 Event Categories to Monitor in the Windows Server Event Log

 

Upcoming Webinars

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy