Enabling auditing for the Vista KSOD – THE OFFICIAL BLOG OF THE SBS “DIVA”:
One more thing about that auditing. The auditing log file on a Vista box is VERY chatty. The default file size of 16 megs gets filled up in about a 1/2 days activity on my workstation. Thus if you want to see if you can grab “it” in action, you’ll either need to increase the log file or set it to archive off.
When it occurs, it should be a specific registry change that should jump out in the log files. Since normally RpcSs service isn’t one that you can mess with, I changed another service and set up auditing to showcase what it should look like.