4906 The CrashOnAuditFail value has changed
Logged when the CrashOnAuditFail value is changed. Because this setting controls whether the system halts when auditing becomes impossible, the event is of particular interest in the context of audit evasion.
Overview
The subcategory is Audit Policy Change. The event is generated when the value of CrashOnAuditFail (the setting that halts the system when audit events cannot be recorded) changes. The value is 0 (disabled), 1 (halt when an audit record cannot be written) or 2 (the system has halted because of an audit failure; only administrators may log on).
How it is triggered
- When the CrashOnAuditFail value is changed via the registry or policy.
Security review points
- A change that disables the setting (from 1 or 2 to 0) means the system keeps running even when auditing stops, which can be a precursor to audit evasion: disabling it in advance ensures the system will not halt if an attacker later fills the log to stop auditing.
- A change by an unexpected subject or at an unexpected time should be investigated as a weakening of the auditing posture. Correlate it with the audit-policy change event 4719 and the recovery event 4621.
Notes for log review
- The change is rare. Treat changes in the "halt setting to disabled" direction as high priority in particular.
- Record the value before and after the change and the acting subject.
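The review points and log-review notes above can be turned into a small triage routine. The following is an added example, not part of the original page: it parses the message body of a set of constructed 4906 records, reconstructs the before/after value per host (Windows writes only the new value into 4906, so the previous value has to be carried forward from the last change seen), and assigns a priority, with "1 or 2 to 0" as HIGH and any change by a subject outside a hypothetical allow-list raised to at least MEDIUM. The host names, timestamps, account names and the EXPECTED_SUBJECTS set are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample records (not real log data). Each carries the fields a
# 4906 Security-log entry has: the acting subject and the new value only.
SAMPLE_EVENTS = [
    {"host": "DC01", "time": "2024-05-01T02:10:00", "event_id": 4906,
     "message": "Subject:\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n"
                "CrashOnAuditFail Value:\t1"},
    {"host": "DC01", "time": "2024-05-03T23:41:00", "event_id": 4906,
     "message": "Subject:\n\tAccount Name:\t\tsvc-backup\n\tAccount Domain:\t\tCORP\n"
                "CrashOnAuditFail Value:\t0"},
    {"host": "FS02", "time": "2024-05-04T09:05:00", "event_id": 4906,
     "message": "Subject:\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n"
                "CrashOnAuditFail Value:\t0"},
    {"host": "DC01", "time": "2024-05-05T10:00:00", "event_id": 4906,
     "message": "Subject:\n\tAccount Name:\t\tSYSTEM\n\tAccount Domain:\t\tNT AUTHORITY\n"
                "CrashOnAuditFail Value:\t1"},
]

# Hypothetical allow-list of subjects expected to change this setting
# (e.g. policy processing running as SYSTEM); anything else is "unexpected".
EXPECTED_SUBJECTS = {"SYSTEM"}

VALUE_RE = re.compile(r"CrashOnAuditFail Value:\s*(\d+)")
SUBJECT_RE = re.compile(r"Account Name:\s*(\S+)")
VALUE_MEANING = {
    0: "disabled",
    1: "halt when an audit record cannot be written",
    2: "halted; administrators only",
}


@dataclass
class Finding:
    host: str
    time: str
    subject: str
    before: Optional[int]   # None when no earlier 4906 for this host was seen
    after: int
    priority: str           # HIGH / MEDIUM / INFO
    reason: str


def parse_4906(message: str):
    """Return (subject account name, new CrashOnAuditFail value) from a 4906 message body."""
    value = VALUE_RE.search(message)
    subject = SUBJECT_RE.search(message)
    if not value or not subject:
        raise ValueError("not a 4906 message body")
    return subject.group(1), int(value.group(1))


def review_4906(events, expected_subjects=EXPECTED_SUBJECTS):
    """Walk 4906 events in time order, reconstruct before/after per host and prioritise.

    A change to 0 from 1 or 2 is the "halt setting to disabled" direction (HIGH).
    A change to 0 whose prior value was not seen is still worth a look (MEDIUM).
    An unexpected subject raises any other change to at least MEDIUM.
    """
    last_value = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4906:
            continue
        subject, after = parse_4906(ev["message"])
        before = last_value.get(ev["host"])
        last_value[ev["host"]] = after

        reasons = []
        if after == 0 and before in (1, 2):
            priority = "HIGH"
            reasons.append("halt-on-audit-failure protection disabled")
        elif after == 0:
            priority = "MEDIUM"
            reasons.append("set to disabled; prior value not seen in this log window")
        else:
            priority = "INFO"
            reasons.append(f"set to {after} ({VALUE_MEANING.get(after, 'unknown')})")
        if subject not in expected_subjects:
            reasons.append(f"unexpected subject {subject}")
            if priority == "INFO":
                priority = "MEDIUM"

        findings.append(Finding(ev["host"], ev["time"], subject, before, after,
                                priority, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in review_4906(SAMPLE_EVENTS):
        print(f"{f.priority:6} {f.host} {f.time} {f.subject}: {f.before} -> {f.after} ({f.reason})")
```

In production the "before" value would come from a persisted state store or from the last 4906 already indexed for that host rather than from the batch being reviewed, and a recovery event 4621 on the same host would be a natural second input to correlate against the HIGH findings.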
Key fields
| Field | Meaning |
|---|---|
| CrashOnAuditFail value after change | One of 0/1/2 |
| Subject\Account Name | The subject that made the change |