Symptoms

If the computer on which the adTempus service is running has security auditing configured to log audit records for Registry key reads, the adTempus Event Log Trigger may not trigger jobs for Security events, or may trigger them long after the events occurred. The adTempus service may also consume excessive CPU time in this situation. Additionally, the Security log may quickly reach its size limit, or may grow to an unacceptable size if no limit is configured.

Cause

The Event Log Trigger reads every event written to the Windows Event Log to determine whether it needs to trigger for the event. Because of the way the Event Log is architected, adTempus must then read the Registry (where each event source is registered under the Eventlog service key) to get information about the source of the event.

If auditing is turned on for reads of the Registry, Windows writes two audit records to the Security log each time a Registry read occurs, so the number of records in the Security log grows exponentially: adTempus must process those two records, which results in four more records; processing those four produces eight more, and so on. This progression continues until the Event Log or the system disk is full. The large number of records generated in this scenario prevents adTempus from reaching the events it is meant to be monitoring, or may cause those events to be overwritten quickly.

Resolution

In most cases, read auditing should not be enabled for the Registry. If for some reason it must be, the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog" and its subkeys should be excluded from auditing, and/or the security account under which the adTempus service runs should be excluded from auditing.
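The following PowerShell script is an added example, not part of this article and not adTempus code. It checks whether Registry read auditing is in effect, lists the audit entries on the Eventlog key that would fire on reads, estimates how much of the recent Security log consists of registry-key access records (the feedback loop described above), and then applies the two exclusions from the resolution: protecting the Eventlog key's SACL so it no longer inherits read-audit entries, and excluding the service account through per-user audit policy. The account name in $ServiceAccount is a placeholder; run the script from an elevated session, since reading and writing a SACL requires the security privilege.

```powershell
# Added example (not from the adTempus article). Run elevated.
# $ServiceAccount is a placeholder; substitute the account the adTempus service runs under.
$EventlogKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'
$ServiceAccount = 'DOMAIN\adTempusSvc'   # placeholder, not a name from the article

# 1. Is the "Object Access > Registry" subcategory auditing successful accesses?
#    Success auditing is what fires on every Registry read adTempus performs.
auditpol /get /subcategory:"Registry"

# 2. Which audit entries on the Eventlog key (explicit or inherited) cover reads?
#    QueryValues is the right exercised when a key's values are read.
$acl = Get-Acl -Path $EventlogKey -Audit
$readAudits = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        ($_.AuditFlags    -band [System.Security.AccessControl.AuditFlags]::Success) -and
        ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::QueryValues)
    }
$readAudits | Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize

# 3. How much of the recent Security log is registry-key access noise?
#    Event ID 4663 is "An attempt was made to access an object"; when most of the
#    recent 4663 records have Object Type "Key", the loop described above is active.
$recent  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
              -MaxEvents 2000 -ErrorAction SilentlyContinue)
$keyHits = @($recent | Where-Object { $_.Message -match 'Object Type:\s+Key' })
"{0} of the last {1} object-access audit records target registry keys" -f $keyHits.Count, $recent.Count

# 4a. Exclude the Eventlog key and its subkeys: stop inheriting audit entries from
#     HKLM\SYSTEM and drop any explicit read-audit entries set directly on the key.
#     Subkeys inherit from this key, so entries that flowed down from above stop here;
#     a subkey with its own explicit audit entries would need the same treatment.
$acl.SetAuditRuleProtection($true, $false)          # protect SACL, discard inherited entries
foreach ($rule in $readAudits) {
    if (-not $rule.IsInherited) { [void]$acl.RemoveAuditRule($rule) }
}
Set-Acl -Path $EventlogKey -AclObject $acl

# 4b. Alternatively, exclude the service account: per-user audit policy suppresses
#     Registry auditing for that account regardless of the SACLs on individual keys.
#     Windows ignores per-user exclusions for members of the local Administrators
#     group, so this only helps when the service runs under a non-administrative account.
auditpol /set /user:$ServiceAccount /subcategory:"Registry" /exclude /success:enable /failure:enable
```

Step 3 is the check worth running first: if the registry-key share of recent 4663 records is near zero, the symptoms in this article have a different cause. Step 4a is the narrower fix and keeps audit coverage on the rest of the Registry; 4b is broader and only takes effect for non-administrative service accounts.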