Win10 Enterprise; suddenly in audit mode?


  1. Posts : 2
    Windows 10 Enterprise
       #1

    Win10 Enterprise; suddenly in audit mode?


    Guys, hear me out...

    VMware ESXi virtual machine. Installed Win10 Enterprise, went into audit mode, did my installs and whatnot. Shut down the machine. Copied that vm and ran sysprep, everything seems just fine and dandy. Activated Windows, put into domain. Used a domain admin account, logged in as domain user. Put in settings, blah, blah...

    Until one day, vm starts up and user cannot log in remotely. I went to the console and logged in as domain admin. Screen goes all glitchy and sysprep window opens, just like in audit mode. Tinkered around a bit, but didn't have time to play with it too much. Restored a previous night's image and everything is fine.

    Fast forward a few weeks. User cannot log in. I log in from console, everything seems ok. Remote desktop services won't start and there's nobody listening @3389. That's weird. All I can find is Event ID 34 with TerminalServices-LocalSessionManager. It's telling me, and I'm paraphrasing, "Remote Desktop Services cannot accept logins, because there is an installation in progress". It's really in Finnish and that's what I came up with. This is the exact same message that I can see when I run my original vm which is in audit mode.

    I've looked into registry and I've looked into the setup state file; both are saying that the ImageState equals IMAGE_STATE_COMPLETE. However, the setup state file has a modified date and date from the evening before everything went weird.

    So, I looked into Panther directory and I saw that setupact.log was growing. All I could see was loads of "Primitive installers commited for repair". I ran sfc /scannow (apparently it found errors but was able to fix them), then ran DISM with restorehealth, and then sfc /scannow again. No errors left. That got rid of the Primitive installer error, but didn't affect otherwise.

    And now, I've found this in C:\windows\panther\unattendgc\setupact.log:

    Code:
    2015-10-22 17:27:03, Info                         [audit.exe] Audit.exe launched with command-line [/user]...
    2015-10-22 17:27:03, Info                         [audit.exe] Parsing command line arguments...
    2015-10-22 17:27:03, Info                         [audit.exe] Parsing the following command line: [/user]
    2015-10-22 17:27:03, Info                         [audit.exe] GetAdminAccountName: Local built-in admin account name is [Järjestelmänvalvoja]
    2015-10-22 17:27:03, Info                         [audit.exe] Successfully restored previous state (0x10203) for user [Järjestelmänvalvoja]
    2015-10-22 17:27:03, Info                         [audit.exe] ScreenSaver:Successfully disabled screen saver
    2015-10-22 17:27:03, Info                         [audit.exe] Status for unattend pass [auditUser] = 0x0
    2015-10-22 17:27:03, Info                         [audit.exe] UnattendSearchExplicitPath: Found unattend file at [C:\Windows\Panther\unattend.xml]; examining for applicability.
    2015-10-22 17:27:03, Info                         [audit.exe] UnattendSearchExplicitPath: [C:\Windows\Panther\unattend.xml] does not meet criteria to be used for this unattend pass.
    2015-10-22 17:27:05, Info                         [audit.exe] Found no unattend file for auditUser pass; skipping pass.
    2015-10-22 17:27:05, Info                         [audit.exe] No reboot has been requested for auditUser unattend.
    2015-10-22 17:27:05, Info                         [audit.exe] Successfully ran unattend pass.
    2015-10-22 17:27:05, Info                         [audit.exe] Successfully launched Sysprep with command line [C:\Windows\system32\sysprep\sysprep.exe  /reboot ]
    2015-10-22 17:27:05, Info                         [audit.exe] ScreenSaver:Screen saver was originally enabled, successfully re-enabled it
    2015-10-22 17:27:05, Info                         [audit.exe] Audit.exe exiting with code [0x0]...
    2015-10-23 08:29:24, Info                         [windeploy.exe] ------------------------------------------------
    2015-10-23 08:29:24, Info                         [windeploy.exe] WinDeploy.exe launched with command-line []...
    2015-10-23 08:29:24, Info                         [windeploy.exe] LogBootDeviceInfo:The firmware boot device ARC path is [multi(0)disk(0)rdisk(0)partition(1)] and NT path is [\Device\Harddisk0\Partition1].
    2015-10-23 08:29:24, Info                         [windeploy.exe] LogBootDeviceInfo:The system boot device ARC path is [multi(0)disk(0)rdisk(0)partition(2)] and NT path is [\Device\Harddisk0\Partition2].
    2015-10-23 08:29:24, Info                         [windeploy.exe] Making sure that SystemSetupInProgress is cleared.
    2015-10-23 08:29:24, Info                         [windeploy.exe] Starting system services...
    2015-10-23 08:29:30, Info                         [windeploy.exe] WinDeploy.exe exiting with code [0x0]
    2015-10-23 08:36:09, Info                         [windeploy.exe] ------------------------------------------------

    After that audit.exe ran, these problems started. And that windeploy.exe sequence is seen every time the machine starts up. What the h**k is happening? Just worried about other machines starting to run audit.exe whenever they please...
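
For the worry in post #1 about other machines running audit.exe on their own, a check over collected Panther logs, added here as an example and not part of the original thread. It parses entries in the setupact.log layout quoted above (including two entries run together on one line) and flags any audit.exe launch after a hypothetical `deployed_at` date; the sample lines are constructed from that excerpt.

```python
import re
from datetime import datetime

# Constructed sample in the setupact.log layout quoted in post #1; the first
# physical line carries two entries run together, as in that excerpt.
SAMPLE = r"""2015-10-22 17:27:03, Info                         [audit.exe] Audit.exe launched with command-line [/user]...2015-10-22 17:27:03, Info                         [audit.exe] Parsing command line arguments...
2015-10-22 17:27:05, Info                         [audit.exe] Successfully launched Sysprep with command line [C:\Windows\system32\sysprep\sysprep.exe  /reboot ]
2015-10-22 17:27:05, Info                         [audit.exe] Audit.exe exiting with code [0x0]...
2015-10-23 08:29:24, Info                         [windeploy.exe] ------------------------------------------------
2015-10-23 08:29:24, Info                         [windeploy.exe] WinDeploy.exe launched with command-line []...
2015-10-23 08:29:24, Info                         [windeploy.exe] Making sure that SystemSetupInProgress is cleared.
2015-10-23 08:29:30, Info                         [windeploy.exe] WinDeploy.exe exiting with code [0x0]
"""

# An entry starts at a timestamp, wherever it sits on the physical line.
ENTRY = re.compile(
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (\w+)\s+\[([^\]]+)\] "
    r"(.*?)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}, |\n|\Z)"
)
LAUNCH = re.compile(r"launched with command-line \[(.*?)\]")


def parse(text):
    """Return (datetime, level, component, message) for every log entry."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), lvl, comp.lower(), msg.strip())
        for ts, lvl, comp, msg in ENTRY.findall(text)
    ]


def audit_activity(entries, deployed_at):
    """Flag audit.exe launches after deployed_at (hypothetical in-service date)
    and count the windeploy.exe launches logged after each one."""
    findings = []
    for i, (when, _lvl, comp, msg) in enumerate(entries):
        m = LAUNCH.search(msg)
        if comp == "audit.exe" and m and when > deployed_at:
            later = sum(1 for _w, _l, c, t in entries[i + 1:]
                        if c == "windeploy.exe" and LAUNCH.search(t))
            findings.append({"time": when, "args": m.group(1), "windeploy_after": later})
    return findings


if __name__ == "__main__":
    for hit in audit_activity(parse(SAMPLE), datetime(2015, 10, 1)):
        print(hit)
```
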


  2. Posts : 2
    Windows 10 Enterprise
    Thread Starter
       #2

    Update


    So. I found something. See below:

    Win10 Enterprise; suddenly in audit mode?-setup2.png

    I cleared CmdLine, removed Respecialize and set the rest of them to 0. This is how these were on other machines made from the same image. After rebooting everything seems to be working again.

    I'm still a bit concerned whether there's still something that would need to be set (you know, like what I did to those keys I mentioned earlier) related to sysprep, audit.exe or windeploy.exe. And I'm still worried this might happen again, because I've got no clue what caused this phenomenon.

    Only 30 more years to retirement...


  3. Posts : 4
    WINDOWS 10
       #3

    You, dude, are a genius.
    So much better than Microsoft customer support.


 
