Microsoft KB Archive/232564

= STOP 0xC0000244 when security log full =

Article ID: 232564

Article Last Modified on 2/26/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional

-



This article was previously published under Q232564





SYMPTOMS
If the CrashOnAuditFail registry key is set to 1 and the Security Event log is full on a computer that is running Microsoft Windows NT, Microsoft Windows 2000, or Microsoft Windows Server 2003, the following blue screen error message may be displayed:

STOP: C0000244 {Audit Failed}

An attempt to generate a security audit failed.



CAUSE
This behavior occurs if the Security Log has reached the Maximum Log Size specified, and Event Log Wrapping is set for "Overwrite Events Older than (X) Days." This can also occur if "Do Not Overwrite Events" is selected. Because the Security Event Log is full, and the CrashOnAuditFail registry key is set, Windows generates a STOP 0xC0000244 blue screen error message and cannot log audit information.



RESOLUTION
To work around this behavior, use one of the following options:
 * Set the Event Log Wrapping for "Overwrite Events as Needed."
 * Decrease the amount of information being audited.
 * Increase the log file size and use a combination of the previous options listed above.
 * Disable auditing.



STATUS
This behavior is by design.



MORE INFORMATION
In some instances, the server may not bugcheck, but may instead run very slowly after administrator logon. The system may also report continuous RPC errors after logon. Non-administrators will not be able to log on as a result of the CrashOnAuditFail key being set to 0x1.

