Overview
The GFI EndPointSecurity agent sometimes cannot be removed from a remote machine when you deploy a removal from the GFI EndPointSecurity console. You may also no longer have access to the console and need a manual way to uninstall the agent.
Solution
- The GFI EndPointSecurity agent should be uninstalled by using the GFI EndPointSecurity Console.
- This procedure should only be given as a last resort when the agent cannot be removed from the machine.
- Before carrying out the steps, read the procedure carefully in order to verify what you need to do depending on the operating system and version of the EndPointSecurity agent installed.
- If you are not sure which agent version you have installed, check the registry keys and files listed in the steps to verify.
- If you are still not sure, do not carry out the procedure and ask for assistance from EndPointSecurity support.
- The procedure documented in this document applies to versions 4, 4.1, 4.2, 4.3, 2012, and 2013 only, and may not work with previous or newer versions.
- Manually removing the GFI EndPointSecurity Agent requires deleting registry keys manually. It is advised to take a backup of these keys before deleting them.
- If you have a large number of computers, this process will take a long time and there isn't currently a way you can initiate it on all computers at the same time. Therefore, consider reactivating the console to uninstall agents on many machines.
Microsoft Troubleshooter
- This tool from Microsoft will remove the agent in some cases and is easier than the other methods below.
- To download the tool, click on the following link:
Steps
- Click on Download Troubleshooter on the site linked above
- A file named MicrosoftProgram_Install_and_Uninstall.meta.diagcab is installed. Open the file.
- Click Next.
- Select Uninstalling
- Select EndPointSecurity Agent from the programs listed and click Next
- Select Yes, try to uninstall
- You will receive a message saying that the problem has been fixed.
- Click Close
- Once this is complete, EndPointSecurity Agent should have been removed from the system.
Windows XP / Server 2003
- Boot from Windows CD
- Choose REPAIR (R) and select the installation to be repaired
- Type the password for the local Administrator
- Enter the command depending on the agent version:
  - version 2013: DEL C:\WINDOWS\system32\drivers\esecdrv60.sys
  - version 4.2 / 2012: DEL C:\WINDOWS\system32\drivers\esecdrv42.sys
- Enter the command: exit
- Start Windows normally
- Delete the following registry keys:
  - HKLM\SYSTEM\CurrentControlSet\Services\EsecAgentSvc
  - HKLM\SYSTEM\CurrentControlSet\Services\esecdrv
  - HKLM\SYSTEM\CurrentControlSet\Services\esecdrv42
  - HKLM\SYSTEM\CurrentControlSet\Services\esecdrv60
  - HKLM\SOFTWARE\GFI\EndPointSecurity 4 / 5 / 6
  - HKLM\SOFTWARE\Wow6432Node\GFI\EndPointSecurity4 / 5 / 6
- Restart the computer
- Delete the folder C:\Program Files\GFI\EndPointSecurity Agent
- Depending on the version of the agent, delete the registry keys as specified in Appendix A
- From the GFI EndPointSecurity Console, remove the agent by selecting the option ‘Delete computer(s) without uninstall’
Note 1: In step 4, if the agent installed is version 4 or 4.1, the driver is called esecdrv.sys
Note 2: In step 12, on x64 operating systems the GFI\EndPointSecurity registry key is located under HKLM\SOFTWARE\Wow6432Node\GFI
Windows 7 / Server 2008
- Boot from Windows CD
- Choose the Language / Time & Currency formats, and click ‘Next’
- Choose the ‘Repair your computer’ option
- Select ‘Use Recovery Tools that can help fix problems…’
- Choose the installation to be repaired and click ‘Next’
- Choose the Command Prompt option
- Enter the command: D:
- Enter the command depending on the agent version:
  - version 2013: DEL C:\WINDOWS\system32\drivers\esecdrv60.sys
  - version 4.2 / 2012: DEL C:\WINDOWS\system32\drivers\esecdrv42.sys
- Enter the command: exit
- Choose the option to restart the machine
- Start Windows normally
- Delete the following registry keys:
  - HKLM\SYSTEM\CurrentControlSet\Services\EsecAgentSvc
  - HKLM\SYSTEM\CurrentControlSet\Services\esecdrv
  - HKLM\SYSTEM\CurrentControlSet\Services\esecdrv42
  - HKLM\SYSTEM\CurrentControlSet\Services\esecdrv60
  - HKLM\SOFTWARE\GFI\EndPointSecurity4 / 5 / 6
- Restart the computer
- Delete the folder C:\Program Files (x86)\GFI\EndPointSecurity Agent
- Depending on the version of the agent, delete the registry keys as specified in Appendix A
- From the GFI EndPointSecurity Console, remove the agent by selecting the option ‘Delete computer(s) without uninstall’
Note 1: In steps 7 and 8, on Windows 7 the drive specified is that of the CD/DVD, on Windows 2008 the drive specified is that of the operating system
Note 2: In step 8, if the agent installed is version 4 or 4.1, the driver is called esecdrv.sys
Note 3: In step 12, on x64 operating systems the GFI\EndPointSecurity registry key is located under HKLM\SOFTWARE\Wow6432Node\GFI
Appendix A
GFI EndPointSecurity 2013
Keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\57DC5777E98C02540B69CD2C61BE3CD7
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7775CD75-C89E-4520-B096-DCC216EBC37D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7775CD75-C89E-4520-B096-DCC216EBC37D}
GFI EndPointSecurity 2012
Keys:
- HKLM\SOFTWARE\Classes\Installer\Products\5AA82EF304184E740A3D79F442385165
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3FE28AA5-8140-47E4-A0D3-974F24831556}
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{3FE28AA5-8140-47E4-A0D3-974F24831556}
GFI EndPointSecurity 4.2 and 4.3
Builds: 20100625, 20100428, 20091109, 20091014
Keys:
- HKLM\SOFTWARE\Classes\Installer\Products\505AD1BC44D34744B81ED6B0071A1E23
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB1DA505-3D44-4474-8BE1-6D0B70A1E132}
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CB1DA505-3D44-4474-8BE1-6D0B70A1E132}
GFI EndPointSecurity 4 and 4.1
Builds: 20090508, 20090217, 20080215
Keys:
- HKLM\SOFTWARE\Classes\Installer\Products\09F8D729D7CAB5946B6907B2AD8DDEC7
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{927D8F90-AC7D-495B-B696-702BDAD8ED7C}
- HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{927D8F90-AC7D-495B-B696-702BDAD8ED7C}
Note: On x64 operating systems, the Uninstall\{<GUID>} registry key is located under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
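The version check and registry backup advised under Solution can be scripted before any key is deleted. The script below is an added example, not GFI's own tooling: it only reads the driver folder and registry and writes .reg exports. The backup folder name is an assumption; driver names, keys and GUIDs are the ones listed in this article.

```powershell
# Run from an elevated 64-bit PowerShell prompt. Nothing is deleted.
$BackupDir = 'C:\GFI-ES-backup'   # assumption: any writable folder will do
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Driver file -> agent version, from the steps and notes in this article.
$Drivers = [ordered]@{
    'esecdrv60.sys' = '2013'
    'esecdrv42.sys' = '4.2 / 2012'
    'esecdrv.sys'   = '4 / 4.1'
}
foreach ($name in $Drivers.Keys) {
    $file = Join-Path $env:SystemRoot "System32\drivers\$name"
    if (Test-Path -LiteralPath $file) {
        Write-Output "Driver $name found: agent version $($Drivers[$name])"
    }
}

# Appendix A entries: uninstall GUID and Installer\Products code per version.
$Products = @(
    @{ Guid = '{7775CD75-C89E-4520-B096-DCC216EBC37D}'; Packed = '57DC5777E98C02540B69CD2C61BE3CD7' },  # 2013
    @{ Guid = '{3FE28AA5-8140-47E4-A0D3-974F24831556}'; Packed = '5AA82EF304184E740A3D79F442385165' },  # 2012
    @{ Guid = '{CB1DA505-3D44-4474-8BE1-6D0B70A1E132}'; Packed = '505AD1BC44D34744B81ED6B0071A1E23' },  # 4.2 and 4.3
    @{ Guid = '{927D8F90-AC7D-495B-B696-702BDAD8ED7C}'; Packed = '09F8D729D7CAB5946B6907B2AD8DDEC7' }   # 4 and 4.1
)

# Service keys from the steps. The parent GFI keys are exported whole so that
# whichever EndPointSecurity 4 / 5 / 6 subkey exists is included.
$Keys = @(
    'HKLM\SYSTEM\CurrentControlSet\Services\EsecAgentSvc',
    'HKLM\SYSTEM\CurrentControlSet\Services\esecdrv',
    'HKLM\SYSTEM\CurrentControlSet\Services\esecdrv42',
    'HKLM\SYSTEM\CurrentControlSet\Services\esecdrv60',
    'HKLM\SOFTWARE\GFI',
    'HKLM\SOFTWARE\Wow6432Node\GFI'
)
foreach ($p in $Products) {
    $Keys += "HKLM\SOFTWARE\Classes\Installer\Products\$($p.Packed)"
    $Keys += "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$($p.Guid)"
    $Keys += "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$($p.Guid)"
}

# Export every key that exists; keys that are absent are skipped silently.
foreach ($key in $Keys) {
    $psPath = $key -replace '^HKLM\\', 'HKLM:\'
    if (-not (Test-Path -LiteralPath $psPath)) { continue }
    $out = Join-Path $BackupDir (($key -replace '[\\{} ]', '_') + '.reg')
    & reg.exe export $key $out /y | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Output "Backed up $key -> $out" }
    else { Write-Warning "Export failed for $key" }
}
```

The keys reported as backed up show which Appendix A entry applies to the machine, and each .reg file can be re-imported if a deletion needs to be reverted.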