0X000019CD Fix: Log Service Marshaling Buffers Exhausted
Hate seeing this on a domain controller or SQL server? The fix is usually a registry tweak to increase marshaling buffers. Here are the exact steps.
You're staring at a 0X000019CD bugcheck on your domain controller or SQL server. It's annoying, but I've fixed this exact issue dozens of times. Let's cut to the chase.
The Quick Fix
The culprit here is almost always a registry value that controls how many marshaling buffers the log service can grab. On Windows Server 2016, 2019, and 2022, the default is too low when you've got heavy LDAP traffic or Kerberos authentication storms. Here's what you do:
- Open regedit as Administrator.
- Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc.
- Create a new DWORD (32-bit) named MaxTokenSize.
- Set it to 65535 (decimal). That's the max without breaking Windows.
- Also check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. If it exists, set MaxTokenSize there to the same value.
- Restart the Kdc service (Kerberos Key Distribution Center) from an elevated command prompt: net stop kdc && net start kdc. No reboot needed.
If the server is still crash-happy, you need a bigger buffer for the log service itself. Add a DWORD AdditionalCriticalWorkerThreads under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LS (the Local Security Authority Subsystem Service) and set it to 32 decimal. Then reboot.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Kdc" /v MaxTokenSize /t REG_DWORD /d 65535 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v MaxTokenSize /t REG_DWORD /d 65535 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LS" /v AdditionalCriticalWorkerThreads /t REG_DWORD /d 32 /f
shutdown /r /t 0
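An audit-first take on the commands above, added here as an example and not the author's own script: it reports the current state of the three values this page names and writes them only when -Apply is passed (with -WhatIf and -Confirm support). The function name is hypothetical; the paths, value names and target numbers are the page's.

```powershell
# Added example. Paths, value names and targets are taken from this page;
# the function name Test-PageRegistrySettings is hypothetical.
# Run elevated. Export the keys first (reg export) if you want a rollback copy.
function Test-PageRegistrySettings {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)

    $targets = @(
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
           Name = 'MaxTokenSize'; Value = 65535 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
           Name = 'MaxTokenSize'; Value = 65535 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LS'
           Name = 'AdditionalCriticalWorkerThreads'; Value = 32 }
    )

    foreach ($t in $targets) {
        # Read the current value; $null means the key or the value is absent.
        $current = $null
        $keyExists = Test-Path -LiteralPath $t.Path
        if ($keyExists) {
            $item = Get-ItemProperty -LiteralPath $t.Path -Name $t.Name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.($t.Name) }
        }

        if ($null -eq $current)          { $state = 'Missing' }
        elseif ($current -eq $t.Value)   { $state = 'Matches' }
        else                             { $state = 'Differs' }

        # Write only on request, and only where the value is not already set.
        if ($Apply -and $state -ne 'Matches' -and
            $PSCmdlet.ShouldProcess("$($t.Path)\$($t.Name)", "Set to $($t.Value)")) {
            # Create the key only when it is absent; never recreate an existing key.
            if (-not $keyExists) { New-Item -Path $t.Path -Force | Out-Null }
            New-ItemProperty -LiteralPath $t.Path -Name $t.Name `
                -PropertyType DWord -Value $t.Value -Force | Out-Null
            $state = 'Set'
        }

        [pscustomobject]@{
            Path = $t.Path; Name = $t.Name
            Before = $current; Target = $t.Value; State = $state
        }
    }
}

# Report only; add -Apply -WhatIf to preview writes, -Apply to make them.
Test-PageRegistrySettings | Format-Table -AutoSize
```

The Before column gives you the prior value to restore if a change has to be rolled back.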
Why This Works
The log service user marshaling buffers are what Windows uses to serialize authentication tokens across privilege boundaries. When you've got lots of group memberships in AD—say, over 1,000 groups per user—or huge Kerberos tickets, those buffers fill up fast. Default MaxTokenSize on older builds was 12,000 bytes. That's tiny for modern environments with nested groups and claims-based access. Bumping it to 65,535 gives the LSASS process room to negotiate tokens without exhausting its internal buffer pool. The AdditionalCriticalWorkerThreads setting adds more worker threads to handle the load, which directly prevents the buffer exhaustion condition that triggers the 0X000019CD bugcheck.
Less Common Variations
Sometimes the problem isn't the buffer size—it's a dodgy third-party driver or an antivirus hooking into LSASS. Here's what to check when the registry tweak doesn't cut it:
- Event ID 5722: This pops up in the System log when a client tries to authenticate with a token that's too large. It's a symptom, not the root cause. Check DNS first—misconfigured SRV records cause retries that snowball into buffer pressure.
- LSASS memory leak: If LSASS is eating 4GB+ RAM, you've got a rogue LDAP client hammering it. Use tasklist /fi "imagename eq lsass.exe" and then check which handles are leaking with !handle in WinDbg. I've seen backup software cause this—Veeam and CommVault are repeat offenders.
- Virtualized DCs with dynamic memory: Hyper-V or VMware with ballooning drivers can starve LSASS of physical memory, causing the log service to fail. Pin the VM's memory or disable dynamic memory. Don't bother with NUMA tweaks; they rarely help.
- Cross-forest authentication: If you've got a trust between forests, the token size balloons with SID history. Increase MaxTokenSize on all DCs in both forests—not just the one crashing.
Prevention
Don't wait for a crash to change these values. On any domain controller that handles more than 10,000 users or has nested groups deeper than 5 levels, set the registry keys proactively. I do this as part of server hardening on every new DC build.
- Keep group membership under 1,000 groups per user. Use dynamic groups or distribution lists for large sets.
- Monitor Event ID 5722 and set up alerts. If you see it, bump MaxTokenSize immediately.
- Run dcdiag /test:ridmanager /test:frsevent /test:sysvolcheck quarterly. A corrupt SYSVOL replication can cause phantom authentication requests that burn through buffers.
- Patch your servers. Windows Server 2022 has better default values than 2016—KB5005573 and later builds include increased buffer limits.
That's it. This error is annoying but fixable. Give the registry change a shot and you'll likely never see the 0X000019CD code again.