Report the CrashOnAuditFail Setting on Your Computers

CrashOnAuditFail is a setting on each operating system that is used to essentially stop your system if it can no longer write to the Security log. The stop is typically a Blue Screen of Death (BSOD) that brings the system down when it can no longer write to the Security log.

STOP 0xC0000244 when security log full

Most of the time this is due to an improperly configured event log setting that has a small size and doesn't allow for archiving. Other times, it is unauthorized activity on the system, and every now and then it could just be another issue (such as something accidentally stopping the Services.exe process). Depending on your environment, you may have this enabled, or you may not.

Either way, it might be a good idea to know if this is enabled on the systems in your network. I will show you how you can write a quick function that can hit all of the remote systems and report back the status of this setting. All of this can be checked from the registry by navigating to HKLM\SYSTEM\CurrentControlSet\Control\Lsa and looking at the value of crashonauditfail. There are three valid values used for this setting that are worth noting.

 

Value  Meaning
0      The feature is off. The system does not halt, even when it cannot record events in the Security Log.
1      The feature is on. The system halts when it cannot record an event in the Security Log.
2      The feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the

So now that we have that out of the way, we can now begin looking at how to get this data from a system. Since the possibility exists that we will be remotely looking for this value, I am going to use the [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey() method to connect to the remote system’s registry hive.

$remotereg=[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey`
("LocalMachine","Dc1.rivendell.com")

If it didn’t work, we would see some sort of error, but just in case, you can run the following code to see the subkeys:

$remotereg.GetSubKeyNames()


With that out of the way, we can now proceed to connect to the lsa subkey in the registry.

$regkey = $remotereg.OpenSubKey(`
"SYSTEM\CurrentControlSet\Control\lsa",$False)

I specify $False in the OpenSubKey() method because I am not planning on writing to the registry key, so the key is opened read-only.

Lastly, I now need to get the data of the crashonauditfail value under that key.

$regkey.GetValue("crashonauditfail")


In this case, we can see that CrashOnAuditFail is disabled. It may be better to translate this to something a little easier to understand, so I use a hash table to make this simpler.

$crashOnAuditState = @{
    0 = 'Disabled'
    1 = 'Enabled'
    2 = 'Tripped'
}

Now I can do this:

$crashOnAuditState[$regkey.GetValue('crashonauditfail')]


A little better for someone to read and understand. Of course, something like this is made better as either a script or a function. Luckily, I wrote a function that allows you to run this against multiple remote systems and returns the state of the setting on each one.

As with all functions that reside in a script, you must dot source the script to load the function into the current PowerShell session before use. So let's see an example of this function.

Get-CrashOnAuditFail -Computername Boe-Pc,DC1.rivendell.com

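The steps above (remote base key, read-only Lsa subkey, GetValue, hash table translation) pulled together into one function, as an added example that is not the author's downloadable script. It assumes the Remote Registry service is reachable on each target and that a missing crashonauditfail value behaves as the feature being off; anything else is reported as an error or an unknown value rather than guessed.

```powershell
function Get-CrashOnAuditFail {
    [CmdletBinding()]
    param(
        [Parameter(Position = 0, ValueFromPipeline = $true)]
        [string[]]$Computername = $env:COMPUTERNAME
    )
    begin {
        # Raw DWORD -> readable state, per the table earlier in the post
        $crashOnAuditState = @{
            0 = 'Disabled'
            1 = 'Enabled'
            2 = 'Tripped'
        }
    }
    process {
        foreach ($computer in $Computername) {
            $remotereg = $null
            $regkey    = $null
            try {
                # Connect to HKLM on the remote host (needs Remote Registry running there)
                $remotereg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
                # Open the Lsa subkey read-only ($false = no write access requested)
                $regkey = $remotereg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa', $false)
                if ($null -eq $regkey) { throw 'Lsa subkey not found' }
                $raw = $regkey.GetValue('crashonauditfail')
                if ($null -eq $raw) {
                    # Assumption: an absent value means the feature is off; flag it so it stands out
                    $state = 'Disabled (value not present)'
                } elseif ($crashOnAuditState.ContainsKey([int]$raw)) {
                    $state = $crashOnAuditState[[int]$raw]
                } else {
                    # Anything outside 0-2 is worth a closer look rather than a silent mapping
                    $state = "Unknown ($raw)"
                }
                [pscustomobject]@{ Computername = $computer; RawValue = $raw; State = $state }
            } catch {
                Write-Warning "$computer : $($_.Exception.Message)"
                [pscustomobject]@{ Computername = $computer; RawValue = $null; State = 'Error' }
            } finally {
                # Release the remote handles even when a step failed
                if ($regkey)    { $regkey.Close() }
                if ($remotereg) { $remotereg.Close() }
            }
        }
    }
}

# Example usage with constructed host names; pipe or pass a list of computers
Get-CrashOnAuditFail -Computername 'Boe-Pc', 'DC1.rivendell.com' | Format-Table -AutoSize
```

A Tripped result (raw value 2) means the host has already halted once for this reason, so it is the row to investigate first.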

If this sounds like something that you can use, feel free to download the script and give it a run. Let me know what you think of it!

Download the Script

Script Repository

About Boe Prox

Microsoft Cloud and Datacenter MVP working as a SQL DBA.
