How to Check if Windows is Running in Audit Mode in Batch Script
Audit Mode is a specialized Windows state used by PC manufacturers and IT professionals to customize a Windows image before it is shipped to an end-user. In Audit Mode, the system boots directly to the built-in Administrator account without going through the Out-of-Box Experience (OOBE). If you are creating deployment or configuration scripts, it is vital to detect if the machine is in Audit Mode so you can run "pre-shipment" tasks, like installing drivers or stripping bloatware, while skipping user-specific configurations. This guide explains how to identify Audit Mode using the registry and the sysprep service state.
What is Audit Mode?
Audit Mode allows you to bypass the initial Windows setup screens. It is often triggered by pressing Ctrl + Shift + F3 during the OOBE.
Key characteristics include:
- Automatic login as "Administrator."
- No user accounts have been created yet.
- The "System Preparation Tool" (Sysprep) window is usually open on the desktop.
You can check for Audit Mode status as a standard user, although most scripts running in Audit Mode will already be running with full Administrator privileges by default.
Method 1: Using the Registry (Most Reliable)
Windows stores its current setup state in the registry. When the system is in Audit Mode, the AuditInProgress value under the Setup key is set to 1.
Core Script Logic
@echo off
set "REG_PATH=HKEY_LOCAL_MACHINE\SYSTEM\Setup"
set "AUDIT_VAL="
echo [PROCESS] Checking system setup state...
:: Check the 'AuditInProgress' value (0x1 = Audit Mode active)
for /f "tokens=3" %%a in ('reg query "%REG_PATH%" /v AuditInProgress 2^>nul ^| findstr /i "AuditInProgress"') do set "AUDIT_VAL=%%a"
if "%AUDIT_VAL%"=="0x1" (
echo [STATUS] System is running in AUDIT MODE.
) else (
echo [STATUS] System is in OOBE or Normal User Mode.
)
pause
Method 2: Checking for the ImageState
Another way to verify the deployment phase is to check the ImageState value. This tells you if the machine is currently being "generalized" or "specialized."
@echo off
set "KEY=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\State"
for /f "tokens=3" %%a in ('reg query "%KEY%" /v ImageState 2^>nul ^| findstr /i "ImageState"') do set "STATE=%%a"
echo Current Image State: %STATE%
if "%STATE%"=="IMAGE_STATE_UNDEPLOYABLE" (
echo [INFO] This machine is likely in a specialized setup phase (Audit Mode^).
)
pause
Creating a Deployment Logic Script
A professional deployment script will use this check to execute "Manufacturer Only" tasks.
@echo off
setlocal EnableDelayedExpansion
echo ============================================================
echo Sysprep Deployment Helper
echo ============================================================
echo.
:: Check if in audit mode
set "InAudit=0"
for /f "skip=2 tokens=3" %%a in (
'reg query "HKLM\SYSTEM\Setup" /v AuditInProgress 2^>nul'
) do (
if /i "%%a"=="0x1" set "InAudit=1"
)
if !InAudit! equ 0 (
echo [ERROR] System is not in Audit Mode
echo.
echo This script should only run in Audit Mode
echo To enter Audit Mode: sysprep /audit /reboot
pause
exit /b 1
)
echo [OK] Audit Mode detected
echo.
echo Available Sysprep Options:
echo.
echo 1. Generalize and Shutdown (for imaging^)
echo sysprep /oobe /generalize /shutdown
echo.
echo 2. Generalize and Reboot to OOBE
echo sysprep /oobe /generalize /reboot
echo.
echo 3. Return to Audit Mode (reboot only^)
echo sysprep /audit /reboot
echo.
set /p "Choice=Enter choice (1-3^): "
if "!Choice!"=="1" (
echo.
echo [ACTION] Generalizing and shutting down...
echo.
echo This will:
echo - Remove machine-specific information
echo - Prepare system for imaging
echo - Shutdown the computer
echo.
set /p "Confirm=Continue? (Y/N^): "
if /i "!Confirm!"=="Y" (
sysprep /oobe /generalize /shutdown
)
) else if "!Choice!"=="2" (
echo.
echo [ACTION] Generalizing and rebooting to OOBE...
set /p "Confirm=Continue? (Y/N^): "
if /i "!Confirm!"=="Y" (
sysprep /oobe /generalize /reboot
)
) else if "!Choice!"=="3" (
echo.
echo [ACTION] Rebooting to Audit Mode...
sysprep /audit /reboot
) else (
echo.
echo Invalid choice
)
pause
Common Pitfalls and How to Avoid Them
Confusing Audit Mode with "Sysprepped"
An image can be "Sysprepped" (prepared for shipping) but not currently in Audit Mode.
Wrong Way:
:: Only checking for the existence of sysprep.exe
if exist C:\Windows\System32\sysprep\sysprep.exe ...
:: This is always true on every Windows machine.
Correct Way: Always use the Registry keys mentioned in Method 1 to check the active state of the operating system, not just the existence of files on the disk.
Registry Key Missing
If a computer has already finished OOBE and the user is logged in normally, some of these "Setup" registry keys might be cleaned up or changed.
Include error handling in your script. If reg query fails, your script should default to "Normal Mode" to prevent dangerous manufacture-only scripts from running on an end-user's live machine.
Best Practices for Image Deployment
- Skip UI: If your script detects Audit Mode, use the
/quietor/silentflags for all installers. There is no need for a user interface during a factory image build. - Verify Drivers: Use Audit Mode to check for "Yellow Bangs" (missing drivers) in Device Manager before sealing the image.
- The "Sealing" Command: If you are finished in Audit Mode, your script can automatically initiate the "Generalize" and shutdown process:
:: Finalize the image and prepare for user first-boot"%SystemRoot%\System32\sysprep\sysprep.exe" /oobe /generalize /shutdown
Any files created on the "Administrator" desktop during Audit Mode will NOT be copied to the end-user's profile unless you use a "CopyProfile" setting in your unattend.xml file.
Conclusion
Checking for Audit Mode via Batch script is a critical step for modern Windows image management and deployment. By accurately identifying whether a system is in the manufacturing phase or an end-user state, you can orchestrate complex configuration tasks, such as driver injection and software cleanup, with total precision. This professional approach ensures that your final Windows images are clean, optimized, and ready for the end-user, providing a seamless transition from the factory floor to the customer's desk.