Share via

The security option "crash on audit fail" has no effect

Bagitman 596 Reputation points
2023-01-13T10:04:59.5933333+00:00

Dear MS security team,

setting the GPO "Audit: Shut down system immediately if unable to log security audits"

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits

does not have the desired effect on server 2019 (Version 10.0.17763.3770).

To test whether it works or not, I setup the security event log not to overwrite old events when it becomes full and then I waited until it became full. The eventlog then states that it's full, but no shutdown occurs.

I would also like to share the observation, that when you taskkill the eventlog service process and it restarts after a minute, it will populate the log with everything that happened in between the taskkill and the restart (which is fine!), but it will NOT trigger any event-triggered tasks that might be attached to the events it just wrote to the log. Is this expected behavior?

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bagitman 596 Reputation points
    2023-01-17T21:56:45.7933333+00:00

    Update: on Windows server 2022, all works: it crashes as expected and tasks triggered by missed events work after the service is restarted.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.