Friday, January 23, 2009

Uninstalling Symantec (or any program) remotely

Found a nifty tool (that I knew about all along) in PSTools from Sysinternals called PSExec. It lets you run processes on remote computers. I namely found this useful in uninstalling Symantec Antivirus Corporate from over 100 workstations that needed McAfee installed on them. You can get PSTools from a simple search on Microsoft's website.

The first step is to find the uninstall string. In the registry of a computer with the app you want to uninstall, browse to HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall and browse through the list of applications till you find the one you want. Then look for the UninstallString value (or something similar). It likely has a large registry key associated with it. For example, Here is the one for Symantec AV CE 10.x:

{5A633EDO-E5D7-4D65-AB8D-53ED43510284}

Now just run the following command to uninstall it:

psexec.exe \\remotecomputername -u Domain\administrator -p Password MSIExec.exe /norestart /q /x{5A633EDO-E5D7-4D65-AB8D-53ED43510284}

As a side note... it is also worth mentioning that if policies are in place to require a password to uninstall Symantec AV CE... the following string will remove the password requirements so that the above string will work:

psexec.exe \\remotecomputername -u Domain\administrator -p Password regedit /s \\server\pathtoregfile.reg

And the contents of that regfile are (verbatim):
-------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AdministratorOnly\Security]
"LockUnloadServices"=dword:00000000
"UseVPUninstallPassword"=dword:00000000
-------------------------------------------------------------------------

These changes essentially set the above keys to 0 instead of 1, so the password is no longer required.

You can even stitch the two psexec commands together into a bat... then supply psexec with a list of computers in a text file and let-er-rip.

No comments:

Post a Comment