Creating a Windows 7 Image

Getting Started

If you create many images, a real timesaver is building everything in VMware Workstation or vSphere with snapshots at all the image milestones. Allows creating trees of images and avoids most of the re-arming regedit hacks.

Running Sysprep

  • To build a complex image with many installs try running the sysprep and reboot into AUDIT mode. Add the software you need and any other changes. Finally run sysprep to finalize the image.
  • Each time sysprep runs with /generalize, it re-arms the Windows activation timer for another thirty days. Only three rearms are available, so if you're running sysprep /generalize several times on the same machine, make this registry change before each run:

    • HKLM\Software\Microsoft\Windows NT\Current Version\Software Protection Platform\SkipRearm = 1       
  • Check how many re-arms are left (among other things) with the command
    • slmgr /dlv  
  • At the "Windows Welcome" screen:
    • CTRL-SHIFT-F3 will reboot in audit mode

    • SHIFT-F10 will give a cmd prompt

Running Sysprep from an Existing Image

  • Image a system from
  • On boot, Activate a local Admin account, then remove it from Active Directory
  • reboot and log into admin account, and open C:\Windows\System32\sysprep
  • run sysprep
    • select "Enter System Audit Mode" for System Clean-up Action and "Reboot" for Shutdown Options
    • Click "Okay"

The system will come up in Audit mode, install software and Update to your hearts delight.

Answer File Tips

Put settings for the specialize and oobeSystem passes (like CopyProfile, DisableFirstRunWizard) inside the server-side ("post-sysprep") answer file, and settings for the generalize pass (like PersistAllDeviceInstalls, DoNotCleanUpNonPresentDevices) in the local ("pre-sysprep") answer file.

  • To set default user settings based on the user running sysprep (i.e., the audit-mode Administrator): set CopyProfile. CopyProfile will not:

  • To keep drivers that were installed while setting up an image: set PersistAllDeviceInstalls.

  • To keep drivers even when the device isn't present while the specialize pass is running, for example for USB devices: set DoNotCleanUpNonPresentDevices in addition to PersistAllDeviceInstalls.

Setting up Unattend Files

Disable IE Setup Questions

To disable the annoying "set up IE" window that comes along even with CopyProfile set, add this to the unattend file, inside the "specialize" pass:

  • <component name="Microsoft-Windows-IE-InternetExplorer"  processorArchitecture="x86" publicKeyToken="31bf3856ad364e35"  language="neutral" versionScope="nonSxS"  xmlns:wcm=""  xmlns:xsi="">              <DisableFirstRunWizard>true</DisableFirstRunWizard> </component>  


Do not join AD before running sysprep.

During sysprep's generalize phase (before the image is acquired), logs are stored in %WINDIR%\system32\sysprep\Panther\.

On installation, Windows places files (such as the unattend.xml delivered by WDS) in %WINDIR%\Panther\. This directory has a binary log file for the specialize phase, setup.etl, that can be converted to text (CSV or XML) with tracerpt. Plaintext log files named setuperr.log and setupact.log are stored here as well. Finally, logs for the actions in the unattend.xml file are placed in %WINDIR%\Panther\UnattendGC\.

If you capture an image to WDS and store a local copy, the local copy remains after the capture. So, if you then re-enter audit mode on the same installation, make changes, and capture again, the original image will be captured inside of the new image! Delete the original manually before capturing again to avoid a stupidly-huge image the second time.

On a similar note: /generalize leaves all network settings intact, so if an image is being prepared on a machine that originally had a static IP configuration, reset it to DHCP before running syprep. (Otherwise every machine with the deployed image will start up squatting on the same IP address!)


A fatal error occurred while trying to sysprep the machine.

Check the logs in %WINDIR%\system32\sysprep\Panther

Windows cannot install required files. Make sure all files required for installation are available, and restart the installation. Error code: 0x80070714

When I've seen this so far it's actually been a WDS problem, not a sysprep problem. Try disabling and exporting the image on eng-wds; if it gives "The system cannot find the file specified" and fails, something is definitely wrong with the image (or Res.RWM for the image group) on the server.

Windows could not complete the installation.

""Windows could not complete the installation. To install Windows on this computer, restart the installation.""

Check the logs in %WINDIR%\Panther and %WINDIR%\Panther\UnattendGC. I've found UnattendGC\setuperr.log particularly helpful. For example, messages about failing to enable Administrator account, access denied, 0x800708c5, 0x8c5, and others can imply that the system is (or was until recently) joined to AD, and sysyprep can't enter the built-in account because of restrictions associated with being a member of a domain.

Even if the computer has already left AD before entering audit mode, there needs to be at least one full reboot between these to avoid being locked in an endless cycle of the above message. If this happens, these commands may help (first pull up a cmd-prompt with SHIFT-F10)

net user administrator /active:yes net user administrator a_password_long_enough_to_satisfy_AD shutdown /r /t 0  

This will reset the admin account and then reboot back into audit mode again.

Recover from Failed Generalization

Generalization can fail for a few reasons including forgetting to rearm the activation count. If this happen you can work around by changing the GeneralizationState with regedit.

Restoring the Rearm Count

  1. Create a batch script delwpa.bat in C:\ with the following commands:

    • reg load HKLM\MY_SYSTEM "%~dp0Windows\System32\config\system" reg delete HKLM\MY_SYSTEM\WPA /f reg unload HKLM\MY_SYSTEM 
  2. Boot into Rescue Tool. I use the Windows 7 install DVD (ISO with VM), but if the Rescue Tool is installed you can press F8 on boot or right after the BIOS screen to get to the “Advanced Boot Options”.
  3. Select Repair Your Computer.
  4. Select your keyboard input method, and click Next.
  5. Enter user name and password login credentials, and click OK. (No password requires with DVD)
  6. In the “System Recovery Options”, open Command Prompt. Type C: to go to the main drive, and the execute the delwpa.bat file. The console should display messages saying that the commands were executed successfully. Close the console window and reboot the machine. (Note: On some computers such as virtual machine or computer with recovery partition, the main drive may appear as D:)
  7. After system start up, sign into Windows. System will display message such as “This product is not genuine”. Just ignore it.
  8. Run Command Prompt as Administrator, and execute the following command to re-insert the default Windows 7 product key into the system. These product keys, which is on every unactivated Windows 7 right after installed, allow Windows 7 to be used for 30 days without activating it with further 3 rearms available.
    • slmgr /ipk *****-*****-*****-*****-***** 
  9. Reboot the computer (if needed)

Restarting McAfee Access Protection

  • Windows could not parse or process the unattend answer file for pass [specialize]. The settings specified in the answer file cannot be applied. the error was detected while processing the setting for component [Microsoft-Windows-Shell-Setup].

System Setup fails to parse with McAfee 8.8 Access Protection left on. Disable it before capture and use %WINDIR%\Setup\Scripts\SetupComplete.cmd to turn Access Protection back on in a newly-installed image:

set key=HKLM\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking
reg add "%key%" /v APEnabled /t REG_DWORD /d 1 /f

See Also

Eng-IT: Sysprep (last edited 2014-08-26 16:38:40 by jkgoebel)