Windows Security Log Event ID 4906

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Policy Change
 • Audit Policy Change
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 4906
Ask a question about this event

4906: The CrashOnAuditFail value has changed

On this page

This event is logged when you change the value of the security option "Audit: Shut down system immediately if unable to log security audits" which can be used to make the system crash with blue screen if the security log fills and configured to not overwrite or autobackup.

The above security option corresponds to the registry value CrashOnAuditFail in HKLM\SYSTEM\CurrentControlSet\Control\LSA.

According to Microsoft, this event is always logged when an audit policy is disabled, regardless of the "Audit Policy Change" sub-category setting. This and several other events can help identify when someone attempts to disable auditing to cover their tracks.

Free Security Log Resources by Randy

Description Fields in 4906

  • New Value of CrashOnAuditFail: 
    0 feature is off. The system does not halt, even when it cannot record events in the Security Log
    1 feature is on. The system halts when it cannot record an event in the Security Log
    2 feature is on and has been triggered. The system halted because it could not record an auditable event in the Security Log. Only members of the Administrators group can log on.

Supercharger Enterprise


 

Examples of 4906

The CrashOnAuditFail value has changed.

New Value of CrashOnAuditFail:  1

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources