Windows 10: Win10 Enterprise; suddenly in audit mode?

  1. Posts : 2
    Windows 10 Enterprise
       27 Oct 2015 #1

    Win10 Enterprise; suddenly in audit mode?

    Guys, hear me out...

    VMware ESXi virtual machine. Installed Win10 Enterprise, went into audit mode, did my installs and whatnot. Shut down the machine. Copied that vm and ran sysprep, everything seems just fine and dandy. Activated Windows, put into domain. Used a domain admin account, logged in as domain user. Put in settings, blah, blah...

    Until one day, vm starts up and user cannot log in remotely. I went to the console and logged in as domain admin. Screen goes all glitchy and sysprep window opens, just like in audit mode. Tinkered around a bit, but didn't have time to play with it too much. Restored a previous nights image and everything is fine.

    Fast forward a few weeks. User cannot log in. I log in from console, everything seems ok. Remote desktop services won't start and there's nobody listening @3389. That's weird. All I can find is Event ID 34 with TerminalServices-LocalSessionManager. It's telling me, and I'm paraphrasing, "Remote Desktop Services cannot accept logins, because there is an installation in progress". It's really in Finnish and that's what I came up with. This is the exact same message that I can see when I run my original vm which is in audit mode.

    I've looked into registry and I've looked into the setup state file; both are saying that the ImageState equals IMAGE_STATE_COMPLETE. However, the setup state file has a modified date and date from the evening before everything went weird.

    So, I looked into Panther directory and I saw that setupact.log was growing. All I could see was loads of "Primitive installers commited for repair". I ran sfc /scannow (apparently it found errors but was able to fix them), then ran DISM with restorehealth, and then sfc /scannow again. No errors left. That got rid of the Primitive installer error, but didn't affect otherwise.

    And now, I've found this in C:\windows\panther\unattendgc\setupact.log:

    2015-10-22 17:27:03, Info                         [audit.exe] Audit.exe launched with command-line [/user]...2015-10-22 17:27:03, Info                         [audit.exe] Parsing command line arguments...
    2015-10-22 17:27:03, Info                         [audit.exe] Parsing the following command line: [/user]
    2015-10-22 17:27:03, Info                         [audit.exe] GetAdminAccountName: Local built-in admin account name is [Järjestelmänvalvoja]
    2015-10-22 17:27:03, Info                         [audit.exe] Successfully restored previous state (0x10203) for user [Järjestelmänvalvoja]
    2015-10-22 17:27:03, Info                         [audit.exe] ScreenSaver:Successfully disabled screen saver
    2015-10-22 17:27:03, Info                         [audit.exe] Status for unattend pass [auditUser] = 0x0
    2015-10-22 17:27:03, Info                         [audit.exe] UnattendSearchExplicitPath: Found unattend file at [C:\Windows\Panther\unattend.xml]; examining for applicability.
    2015-10-22 17:27:03, Info                         [audit.exe] UnattendSearchExplicitPath: [C:\Windows\Panther\unattend.xml] does not meet criteria to be used for this unattend pass.
    2015-10-22 17:27:05, Info                         [audit.exe] Found no unattend file for auditUser pass; skipping pass.
    2015-10-22 17:27:05, Info                         [audit.exe] No reboot has been requested for auditUser unattend.
    2015-10-22 17:27:05, Info                         [audit.exe] Successfully ran unattend pass.
    2015-10-22 17:27:05, Info                         [audit.exe] Successfully launched Sysprep with command line [C:\Windows\system32\sysprep\sysprep.exe  /reboot ]
    2015-10-22 17:27:05, Info                         [audit.exe] ScreenSaver:Screen saver was originally enabled, successfully re-enabled it
    2015-10-22 17:27:05, Info                         [audit.exe] Audit.exe exiting with code [0x0]...
    2015-10-23 08:29:24, Info                         [windeploy.exe] ------------------------------------------------
    2015-10-23 08:29:24, Info                         [windeploy.exe] WinDeploy.exe launched with command-line []...
    2015-10-23 08:29:24, Info                         [windeploy.exe] LogBootDeviceInfo:The firmware boot device ARC path is [multi(0)disk(0)rdisk(0)partition(1)] and NT path is [\Device\Harddisk0\Partition1].
    2015-10-23 08:29:24, Info                         [windeploy.exe] LogBootDeviceInfo:The system boot device ARC path is [multi(0)disk(0)rdisk(0)partition(2)] and NT path is [\Device\Harddisk0\Partition2].
    2015-10-23 08:29:24, Info                         [windeploy.exe] Making sure that SystemSetupInProgress is cleared.
    2015-10-23 08:29:24, Info                         [windeploy.exe] Starting system services...
    2015-10-23 08:29:30, Info                         [windeploy.exe] WinDeploy.exe exiting with code [0x0]
    2015-10-23 08:36:09, Info                         [windeploy.exe] ------------------------------------------------
    After that audit.exe ran, these problems started. And that windeploy.exe sequence is seen everytime the machine starts up. What the h**k is happening? Just worried about other machines starting to run audit.exe whenever they please...
      My ComputerSystem Spec

  2. Posts : 2
    Windows 10 Enterprise
    Thread Starter
       27 Oct 2015 #2


    So. I found something. See below:

    Click image for larger version. 

Name:	setup2.png 
Views:	3 
Size:	37.2 KB 
ID:	44923

    I cleared CmdLine, removed Respecialize and set the rest of them to 0. This is how these were on other machines made from the same image. After rebooting everything seems to be working again.

    I'm still a bit concerned whether there's still something that would need to be set (you know, like what I did to those keys I mentioned earlier) related to sysprep, audit.exe or windeploy.exe. And I'm still worried this might happen again, because I've got no clue what caused this phenomenon.

    Only 30 more years to retirement...
      My ComputerSystem Spec

  3.    16 Feb 2016 #3

    You dude are genious.
    So much better than microsoft customer support.
      My ComputerSystem Spec


Related Threads
Installation & Upgrade Customize Windows 10 Image in Audit Mode with Sysprep in Tutorials
First a quote from Microsoft TechNet: Understanding Audit Mode: The Audit Mode, although originally intended to be used in corporate environment in preparing Windows images for deployment (a fancy geek word ;), installing same image on multiple...
Sysprep and Audit Mode questions in Installation and Upgrade
I'm noticing some stuff when running sysprep on an image: - I uninstalled OneDrive in Audit Mode, but after generalization it comes right back? Any way to keep it uninstalled? - Windows Updates seemingly gets undone after going to OOBE, and some...
Yep, my Windows 10 just suddenly went into Test Mode with the small words at the bottom right of my screen which says,Test Mode, Windows 10, Build 10240. Is this normal? ~ Thanks in advance.
I've used Win10 for over a week now. And overall, I like it with the exception that Microsoft Money Sunset Edition is no longer compatible with this OS (at least for now). I've used that program for years and very disappointed about it..but can...
Source: Announcing improvements to Enterprise Mode and Enterprise Site Discovery - IEBlog - Site Home - MSDN Blogs
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 21:31.
Find Us