The customer reported that, after their recent patching cycle, one machine kept adding entries about a system restart to the Agent logs, even after the machine had been rebooted.
The System event log shows something like this:
The process C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe (ClientMachine01) has initiated the restart of computer ClientMachine01 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Application: Maintenance (Planned)
Reason Code: 0x80040001
Shutdown Type: restart
Comment: Shutdown requested by Symantec Management Agent
This is an example of what was noticed in the Agent logs:
In this particular scenario, when the system needed to be rebooted, the end-user stopped/paused/cancelled the reboot.
The Altiris Agent (Symantec Management Agent or SMA) reads the instruction found under SOFTWARE\Altiris\Altiris Agent\Dynamic Data\PowerActions during client start. This system had the following:
[HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Dynamic Data\
This value is meant to be volatile and cleared out by the OS after a reboot. If the registry key under “SOFTWARE\Altiris\Altiris Agent\Dynamic Data” is still there after a reboot, then it is NOT volatile, and it causes the Altiris Agent to keep thinking that there is still a scheduled reboot.
This works as follows: the agent creates the volatile key “Dynamic Data” and saves the pending reboot commands in it. Volatile keys are not stored in the registry files, so they cannot survive a reboot; all volatile keys are gone after the reboot. If this key is not volatile, it survives the reboot and still contains the reboot command when SMA starts.
This key is managed by the OS. SMA never cleans it; that is the whole point. SMA creates the key as volatile and writes the reboot command in it. The command stays there until the actual reboot takes place. If you restart SMA without restarting the machine, SMA reads the reboot command on every start. After a reboot, the whole registry key disappears even before SMA starts.
1. Reboot machine.
2. Check, right before the Altiris Agent service starts, whether the "ScheduledPowerAction"=dword:00010001 registry value still exists under [HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Altiris Agent\Dynamic Data\PowerActions].
3. If so, delete the "ScheduledPowerAction" registry value and restart the Altiris Agent service.
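The check in steps 2 and 3 can be scripted. The following PowerShell is an added example, not code from the vendor or from this article: it compares the last-write time of the PowerActions key with the last boot time, since a key written before the last boot has survived the reboot and therefore is not volatile. The service name `AeXNSClient` is an assumption that the article does not state, and the script assumes it runs elevated in a PowerShell session that sees the same registry view as the agent.

```powershell
#Requires -RunAsAdministrator
# Added example (not vendor code). Run it after a reboot; without -Fix it only reports.
# Assumption: 'AeXNSClient' is the agent's service name (not stated in the article).
param([string]$ServiceName = 'AeXNSClient', [switch]$Fix)

$subKey    = 'SOFTWARE\Altiris\Altiris Agent\Dynamic Data\PowerActions'
$valueName = 'ScheduledPowerAction'

# RegQueryInfoKey returns the key's last-write time, which RegistryKey does not expose.
Add-Type -Namespace Native -Name Reg -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr cls, IntPtr clsLen, IntPtr reserved, IntPtr subKeys,
    IntPtr maxSubKeyLen, IntPtr maxClassLen, IntPtr values, IntPtr maxValueNameLen,
    IntPtr maxValueLen, IntPtr secDesc, out long lastWriteTime);
'@

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey)
if ($null -eq $key) { 'PowerActions key is absent: no pending power action.'; return }
try {
    $value = $key.GetValue($valueName)
    [long]$fileTime = 0
    $z  = [IntPtr]::Zero
    $rc = [Native.Reg]::RegQueryInfoKey($key.Handle.DangerousGetHandle(),
              $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$fileTime)
} finally { $key.Close() }

if ($rc -ne 0)       { throw "RegQueryInfoKey failed with error $rc" }
if ($null -eq $value) { "No $valueName value under the PowerActions key."; return }

$lastWrite = [DateTime]::FromFileTime($fileTime)                    # local time
$bootTime  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime # local time
'{0} = 0x{1:X8}; key last written {2:s}; last boot {3:s}' -f $valueName, $value, $lastWrite, $bootTime

if ($lastWrite -lt $bootTime) {
    'The key predates the last boot: it survived the reboot, so it is not volatile.'
    if ($Fix) {
        # Step 3 of the procedure: delete the stale value, then restart the agent.
        Remove-ItemProperty -Path "HKLM:\$subKey" -Name $valueName
        Restart-Service -Name $ServiceName
        "Removed $valueName and restarted $ServiceName."
    }
} else {
    'The key was written after the last boot; this may be a new, legitimate request.'
}
```

Run it once without `-Fix` to confirm the diagnosis before letting it delete the value.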