Seeing multiple entries about Symantec Management Agent trying to reboot when the original reboot call was stopped

book

Article ID: 210642

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

The customer noticed that there are multiple entries in the agent logs referring to the SMA agent (Symantec Management Agent or Altiris Agent) and its plug-ins trying to stop and start. He recently installed a couple of Microsoft patches that required a reboot of the system but he opted to no do it yet.

Is it normal that the SMA tries to restart if a previous reboot call was stopped/paused and the machine was not actually rebooted when it was originally intended?

Cause

The SMA agent checks if there is a pending reboot under:

[HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Dynamic Data\PowerActions]

In this example, it has one:

[HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Dynamic Data\PowerActions]
"ScheduledPowerAction"=dword:00010001

After the server reboots, this ""ScheduledPowerAction"=dword:00010001" should be gone.

This key is managed by the OS. SMA never cleans it, that’s the whole point. SMA creates the key as volatile and writes the reboot command in there. The command will be there until the actual reboot takes place.  If you restart SMA without restarting the machine SMA will read the reboot command on every start.  The whole registry key disappears after the reboot even before SMA starts.

Resolution

The following information is provided as a way to explain the process and what you may see in the agent logs.

1. You may see a record about a power action 

Pending power action '0x00010001: reboot, maintenance' scheduled for 2021-03-10 13:55:15 -7:00 UTC
-----------------------------------------------------------------------------------------------------
Date: 3/10/2021 6:54:15 AM, Tick Count: 136203 (00:02:16.2030000), Size: 329 B
Process: AeXNSAgent.exe (2876), Thread ID: 1280, Module: AeXNSAgent.exe
Priority: 4, Source: PowerAction

It indicates that the previous reboot command was presented in the registry SOFTWARE\Altiris\Altiris Agent\Dynamic Data\PowerActions during client start. 

2. Then Symantec Management Agent (SMA) starts, detects that restart is needed and is trying to reboot machine at 6:55:15 after the start. 

Starting the scheduled power action '0x00010001: reboot, maintenance' now
-----------------------------------------------------------------------------------------------------
Date: 3/10/2021 6:55:15 AM, Tick Count: 196203 (00:03:16.2030000), Size: 304 B
Process: AeXNSAgent.exe (2876), Thread ID: 1280, Module: AeXNSAgent.exe
Priority: 4, Source: PowerAction

Initiating safe system restart
-----------------------------------------------------------------------------------------------------
Date: 3/10/2021 6:55:15 AM, Tick Count: 196203 (00:03:16.2030000), Size: 261 B
Process: AeXNSAgent.exe (2876), Thread ID: 1280, Module: AeXNSAgent.exe
Priority: 4, Source: PowerAction

3. SMA fails to terminate gracefully because the Patch plugin hung during shutdown, so SMA kills itself after 12 seconds.

Agent Service will be terminated due to an excess of plugin stopping time over the limit or unexpected stopping failure!
-----------------------------------------------------------------------------------------------------
Date: 3/10/2021 6:55:28 AM, Tick Count: 209375 (00:03:29.3750000),  Size: 353 B
Process: AeXNSAgent.exe (2876), Thread ID: 2424, Module: AeXNSAgent.exe
Priority: 1, Source: Altiris Agent

4. The reboot should be occurring at this point, the service starts presumable after the reboot at  7:00:54, more than 5 minutes after the reboot. This looks OK, because the delayed services start about 3 minutes after Windows boot 

Started: '"C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe"' 
PID: 4320 
Parent: '\Device\HarddiskVolume1\Windows\System32\services.exe' 
Parent PID: 680
-----------------------------------------------------------------------------------------------------
Date: 3/10/2021 7:00:54 AM, Tick Count: 134671 (00:02:14.6710000),  Size: 396 B
Process: AeXNSAgent.exe (4320), Thread ID: 5528, Module: AeXNSAgent.exe
Priority: 8, Source: ProcessStartup

5. Then SMA is checking if there are any pending restart commands in registry and finds the same command again! Look at the first mention under Comment 1 and this one:

Pending power action '0x00010001: reboot, maintenance' scheduled for 2021-03-10 14:01:55 -7:00 UTC
-----------------------------------------------------------------------------------------------------
Date: 3/10/2021 7:00:55 AM, Tick Count: 136078 (00:02:16.0780000),  Size: 329 B
Process: AeXNSAgent.exe (4320), Thread ID: 4948, Module: AeXNSAgent.exe
Priority: 4, Source: PowerAction

With the information above, the following is most likely the reasons why the SMA agent is thinking that a reboot is still needed:

1. The machine did not actually reboot when the original reboot request was triggered. It seems to be that there was a scheduled reboot but it was manually cancelled/stopped/paused. That will explain if you see messages like this in the Windows Event logs:

The process C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe (Machine Name) has initiated the restart of computer <MachineName> on behalf of user NT AUTHORITY\SYSTEM for the following reason: Application: Maintenance (Planned)
 Reason Code: 0x80040001
 Shutdown Type: restart
 Comment: Shutdown requested by Symantec Management Agent

Because as far as our agent goes, it never happened yet.

2. The registry key “SOFTWARE\Altiris\Altiris Agent\Dynamic Data” is NOT volatile. 
How it works is agent creates the volatile key “Dynamic Data” and saves the pending reboot commands in there. The volatile keys are not stored in registry files, they cannot survive the reboot, all the volatile keys should be gone after the reboot. So if this key is not volatile then it will survive the reboot and will still contain the reboot command when SMA starts. 

If after a reboot you still see something like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Dynamic Data\PowerActions]

"ScheduledPowerAction"=dword:00010001

That suggest that you need to the system again. Then, check that the "Dynamic Data" key is missing after the reboot but prior to SMA start (if key is there then something created it as persistent. No common (Some software accidentally or on purpose created that key as persistent), but possible. Or you can simply stop SMA service, remove “Dynamic Data” key and start SMA service back, it will created the key as volatile.