Crash on Audit and Auto-Archiving of the Security Log
I work for an organization that requires the "Audit: Shut down system immediately if unable to log security audits" setting. On Windows 2003 this wasn't a problem because we set the following registry keys by custom admin template:

HKLM\System\CurrentControlSet\Services\Eventlog\Security\AutobackupLogfiles = 1
HKLM\System\CurrentControlSet\Services\Eventlog\Security\Retention = 4294967295

These settings would allow the security log, and other logs if configured, to auto-archive when full and keep on logging events to a new event log. With Windows 2008 (we're on R2), I was happy to see that the settings were incorporated into the built-in group policies:

Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Backup log automatically when full
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Retain old events

These settings work for all the event logs, but the Audit setting doesn't seem to react the same way in Windows 2008. Here is the behavior I see whether I use the built-in policies or the 'Classic Administrative Templates (ADM)' that worked in Win2003 (they set the same keys):

1. Security event log fills up.
2. Security event log auto-archives, new security log is created.
3. Events start writing to the 'new' security event log.
4. The system reboots due to the audit trigger, but I don't need to log into the system as admin and reset the CrashOnAuditFail key.

I have a test system that I can perform this on with on demand. The test system is set for 1028KB for the security log size, auto-archiving, retention and the Audit setting. I psexec to the system and run a local script that runs "ipconfig /all" 200 times, which throws a few events into the security log per ipconfig command. I do this until the log fills up; I can see the log auto-archive and the new security log record events, but the system will reboot anyway. The reboot does not happen on Win2003 boxes when configured the same way.
If I undo the Audit setting it works while auto-archiving, but again, I have a business requirement to have this checked or the necessity of a strong mitigation to not enable it. Is this behavior by design now in Windows 2008? Is there a registry key or hotfix that can be applied if the behavior is not by design?
April 19th, 2012 12:32pm
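An added example (not from the thread or from Microsoft) that reads the three settings the post describes and reports whether the combination is one that will halt the host when the security log fills; the function name and the finding text are my own.

```powershell
# Added check: reports AutoBackupLogFiles, Retention and CrashOnAuditFail for the Security log,
# plus the live log mode and size, so a host can be verified before the Audit setting is enabled.
function Get-SecurityLogAuditPosture {
    [CmdletBinding()]
    param()

    $evtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $evt = Get-ItemProperty -Path $evtKey -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    $log = Get-WinEvent -ListLog Security -ErrorAction SilentlyContinue

    # DWORD values come back as signed Int32, so 0xFFFFFFFF reads as -1; normalise to UInt32.
    $autoBackup = [int]$evt.AutoBackupLogFiles                         # 1 = archive when full, start a new log
    $retention  = [uint32]([int64]$evt.Retention -band 0xFFFFFFFF)      # 4294967295 = "Retain old events"
    $crash      = [int]$lsa.CrashOnAuditFail                           # 0 = off, 1 = halt on audit failure, 2 = already tripped

    $findings = @()
    if ($crash -eq 1 -and $autoBackup -ne 1) {
        $findings += 'CrashOnAuditFail=1 without AutoBackupLogFiles=1: a full Security log will halt this host.'
    }
    if ($autoBackup -eq 1 -and $retention -ne [uint32]::MaxValue) {
        $findings += 'AutoBackupLogFiles=1 without Retention=4294967295; the thread sets both together.'
    }
    if ($crash -eq 2) {
        $findings += 'CrashOnAuditFail=2: the host has already halted once; an admin must reset the value.'
    }
    if ($findings.Count -eq 0) { $findings += 'No mismatch between auto-archive and crash-on-audit settings.' }

    [pscustomobject]@{
        AutoBackupLogFiles = $autoBackup
        Retention          = $retention
        RetainOldEvents    = ($retention -eq [uint32]::MaxValue)
        CrashOnAuditFail   = $crash
        LogMode            = $log.LogMode               # Circular, AutoBackup or Retain
        MaximumSizeKB      = [int]($log.MaximumSizeInBytes / 1KB)
        Findings           = $findings
    }
}

Get-SecurityLogAuditPosture | Format-List
```

Run it on the test box before and after applying the hotfix or policy change to confirm the registry and the live log mode agree.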

Hi, does the reboot problem only occur on Windows Server 2008? Please check whether the value of the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail is 0. Also, I suggest you test the problem on another server that's running Windows Server 2008. Regards, Bruce
April 20th, 2012 1:40pm

Yes, it only happens on our Windows 2008 R2 boxes; we don't have any Windows 7 boxes deployed yet, and as I stated originally the settings as described work fine on XP/Win2003. We also never deployed Win2008/Vista. The LSA\CrashOnAuditFail registry key does not need to be reset when the system comes back up. I had the following hotfix provided to me via another source: HF 2546548. I have just confirmed that the hotfix solved my issue. Thank you Bruce-Liu for replying to my thread.
April 20th, 2012 4:37pm
