Windows 8 and 8.1 Forums

Sysprep generalize not clearing logs

  1. #1

    Posts : 6
    Windows 7 Ultimate x64

    Sysprep generalize not clearing logs

    Hi everyone, I'm hoping that this wonderful community has some help for me.

    I've previously done image deployment with Windows 7 and know how to prepare an image for deployment.

    I'm now trying to make an image with Windows 8.1 Enterprise.

    I'm making an image with PersistAllDeviceInstalls to keep the hardware configuration.
    I use the GUI to run sysprep OOBE with the generalize option checked.

    After it's completed, I make an image of it and deploy to test laptop 2 with the exact same specs.

    After it's done, and I boot it up and finish all the preparation (like computer name etc.), the system boots up to the desktop.

    However, here is where I realized I'm most likely doing something wrong.

    The event logs are filled with data from pre-sysprep, Symantec Endpoint Protection logs are still there.

    Can someone help me out here? Isn't generalize supposed to remove logs and stuff?

    It's been almost 2 years since I touched sysprep and all. Hopefully someone here can shed some light about the issue I'm facing.

    All help is sincerely appreciated.
    Last edited by Neevar; 14 Feb 2015 at 22:09.


  2. #2

    A Finnish ex-pat in Leipzig, Germany
    Posts : 1,452
    Windows 8.1 Pro with Media Center

    Hi Neevar, welcome to the Eight Forums.

    First this warning about Sysprep GUI (from

    Warning
    In Windows 8.1, the Sysprep user interface is deprecated. The Sysprep UI will continue to be supported in this release however it may be removed in a future release. We recommend that you update your Windows deployment workflow to use the Sysprep command line. For more information about the Sysprep Command line tool, see Sysprep Command-Line Options.

    To generalize your image without an answer file use command:
    %windir%\system32\sysprep\sysprep.exe /generalize /oobe /shutdown
    The closing option (highlighted) can be shutdown, restart or quit.

    To generalize your image with an answer file use command:
    %windir%\system32\sysprep\sysprep.exe /generalize /oobe /shutdown /unattend:X:\MyAnswerFile.xml
    Change the answer file path and name (highlighted) accordingly

    Event logs should be cleared when the /generalize switch is used. This is from a Microsoft TechNet support article:

    Prepares the Windows installation to be imaged. If this option is specified, all unique system information is removed from the Windows installation. The security ID (SID) resets, any system restore points are cleared, and event logs are deleted.

    The next time the computer starts, the specialize configuration pass runs. A new security ID (SID) is created, and the clock for Windows activation resets, if the clock has not already been reset three times.
    I do not know why your logs are not cleared. Could you please tell which logs remain?


  3. #3

    Posts : 6
    Windows 7 Ultimate x64

    Hello Kari,

    Thank you for the insightful information.

    The logs that are still there are whatever you see in Event Viewer and the Symantec Endpoint Protection logs.

    I'm currently not at home, so I can't attach the screenshots, but basically I used the GUI method to sysprep.

    When I get home, I'm going to try the CLI method and see if it makes a difference.

    The generalize option is supposed to remove the logs and all, but I'm not sure why it's not doing that for my image. Can it be anything to do with the Enterprise image? Group Policy perhaps? Any way to check that?

    Is there any way I can get the latest Windows 8.1 Enterprise x64 ISO legally?

  4. #4

    A Finnish ex-pat in Leipzig, Germany
    Posts : 1,452
    Windows 8.1 Pro with Media Center

    Did you sysprep from normal Windows desktop mode? Generalizing should be done from Audit Mode.

    I do it like this on a reference computer:
    • Clean install Windows 8
    • When installation finally boots to OOBE and asks to create the initial user ("Sign in to your Microsoft Account..."), do not enter any username but instead press CTRL + SHIFT + F3 to reboot to Audit Mode
    • If no answer file is needed, you can then sysprep as soon as you arrive to Audit Mode desktop

  5. #5

    Posts : 6
    Windows 7 Ultimate x64

    Hi Kari,

    I re-did the whole process. Just like how you mentioned in the post above this.
    The only thing was I changed the PersistAllDeviceInstalls to 1 (in regedit)

    I used the CLI method to run sysprep /generalize /oobe /shutdown

    Here are the images after I put it into the second test laptop after a full clone using Clonezilla.

    As you can see, the event logs pre-sysprep are still there (identified by the computer name column).

    Hopefully I'm doing something wrong and it can be solved.

  6. #6

    A Finnish ex-pat in Leipzig, Germany
    Posts : 1,452
    Windows 8.1 Pro with Media Center

    I have moved on, running Windows 10 on my systems now. I need to install Windows 8.1 and test this. Will do it later tonight.

  7. #7

    A Finnish ex-pat in Leipzig, Germany
    Posts : 1,452
    Windows 8.1 Pro with Media Center

    OK, I have tested a few times now and at least for me, generalizing works exactly as it should.

    Here are two screenshots. In the first one I first gave the Time command in Command Prompt to get the time when I start sysprepping:


    Half a second short of 20:08 (8:08 PM).

    After sysprep has finished and Windows booted to OOBE and further to desktop, I'll check the event logs which clearly show that all logged events prior to generalizing have been removed:


    The remaining events from "old computer" are those created after the generalizing phase of Sysprep, which is of course totally OK, as it should be. The first logged event is Eventlog meaning that's the event when logs were deleted and new archive started.

    I simply can't get it to fail, to get generalizing to leave old events.

    In your case check the time stamp of those "old" events; if they are created after you run sysprep, everything is as it should be.
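Added example (not part of the thread and not any poster's code): the timestamp check suggested in post #7, written in PowerShell. It compares the oldest record of each event log with the time sysprep /generalize was started; the function names, the sample records and the cutoff time are constructed for illustration.

```powershell
# Added example. Classify the oldest record of each event log against the
# time sysprep /generalize was started (note that time before running sysprep).
function Test-LogGeneralized {
    param(
        [Parameter(Mandatory)] [datetime] $GeneralizeStart,
        [Parameter(Mandatory)] [object[]] $OldestEvents   # oldest record per log
    )
    foreach ($e in $OldestEvents) {
        [pscustomobject]@{
            LogName     = $e.LogName
            OldestEvent = $e.TimeCreated
            MachineName = $e.MachineName
            # Only the timestamp decides. Records written during generalize and
            # OOBE still carry the reference machine's name and are expected.
            Verdict     = if ($e.TimeCreated -lt $GeneralizeStart) {
                              'PRE-SYSPREP RECORDS KEPT'
                          } else {
                              'ok (written after generalize started)'
                          }
        }
    }
}

# Live collection on the deployed machine (run from an elevated prompt).
function Get-OldestEventPerLog {
    Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            Get-WinEvent -LogName $_.LogName -Oldest -MaxEvents 1 `
                         -ErrorAction SilentlyContinue
        }
}

# Constructed sample records (hypothetical machine name and times), so the
# classification can be tried without touching a real event log.
$cutoff = [datetime]'2015-02-20T20:08:00'
$sample = @(
    [pscustomobject]@{ LogName = 'System';      MachineName = 'REF-LAPTOP'
                       TimeCreated = [datetime]'2015-02-20T20:09:12' },
    [pscustomobject]@{ LogName = 'Application'; MachineName = 'REF-LAPTOP'
                       TimeCreated = [datetime]'2015-02-18T09:30:00' }
)
Test-LogGeneralized -GeneralizeStart $cutoff -OldestEvents $sample |
    Format-Table -AutoSize

# On a real deployment, feed it the live data instead:
# Test-LogGeneralized -GeneralizeStart $cutoff -OldestEvents (Get-OldestEventPerLog)
```

This only covers logs exposed through the Windows event log service; files an application keeps in its own directory are outside what Get-WinEvent reports.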

  8. #8

    Posts : 6
    Windows 7 Ultimate x64

    Sorry for the late reply. But seriously, thank you so much Kari for going into the extent of testing it out yourself.
    I realized that like what you said, those event logs are entries made DURING sysprep and then later on when in the OOBE.

    But no matter how, the scan logs and stuff for the Symantec Endpoint Protection aren't going anywhere.

    The logs are still there after sysprep and imaging to the next laptop.
