EndPointSecurity | Removing agent manually

Answer

PROBLEM

  • The GFI EndPointSecurity agent cannot be removed from a remote machine when a removal is deployed from the GFI EndPointSecurity console.


ENVIRONMENT

  • GFI EndPointSecurity
  • All Supported Environments 


SOLUTION

IMPORTANT NOTICE

  • The GFI EndPointSecurity agent should be uninstalled by using the GFI EndPointSecurity Console.
  • This procedure should only be given as a last resort when the agent cannot be removed from the machine.
  • The proper way to troubleshoot issues related to agent deployment and uninstallation is to gather logesecservice.csv from the server, and the logs located in C:\WINDOWS\EndPointSecurity on the agent machine.
  • These log files will help you determine why the agent cannot be deployed or uninstalled so you can address the problem.
  • If in doubt, contact the EndPointSecurity Product Specialist in your region.
  • This procedure is for the use of GFI Technical Support and should only be given to individual customers when needed.
  • Do not post this procedure on forums, to lists, or anywhere else online.
  • Before carrying out the steps, read the procedure carefully in order to verify what you need to do depending on the operating system and version of the EndPointSecurity agent installed.
  • If you are not sure which agent version you have installed, check the registry keys and files listed in the steps to verify.
  • If you are still not sure, do not carry out the procedure and ask for assistance.
  • The procedure in this document applies to versions 4, 4.1, 4.2, 4.3, 2012, and 2013 only, and may not work with previous or newer versions.
  • Manually removing the GFI EndPointSecurity Agent requires deleting registry keys manually.
  • It is advised to take a backup of these keys before deleting them.

Microsoft Fix It

  • This tool from Microsoft will remove the agent in some cases and is easier than the other methods below.
  • To download the tool, click on the following link:

Steps

  1. Click on the green Run Now button on the site linked above
  2. Choose to Run the program, if prompted
  3. Click the Accept button. Microsoft Fix It will now scan the machine.
  4. Select Detect problems and let me select the fixes to apply
  5. Select Uninstalling
  6. Select EndPointSecurity Agent from the programs listed and click Next
  7. Select Yes, try uninstall
  8. Make sure all the Listed issues are checked and click Next
  9. You will get a result status notifying you that the process succeeded
  10. Select one of the feedback options and click Next
  11. Click the Close button
  12. Once this is complete, EndPointSecurity should have been removed from the system.


Windows XP / Server 2003

  1. Boot from Windows CD
  2. Choose REPAIR (R) and select the installation to be repaired
  3. Type the password for the local Administrator
  4. Enter the command depending on the agent version:
    • version 2013: DEL C:\WINDOWS\system32\drivers\esecdrv60.sys
    • version 4.2 / 2012: DEL C:\WINDOWS\system32\drivers\esecdrv42.sys
  5. Enter the command: exit
  6. Start Windows normally
  7. Delete the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Services\EsecAgentSvc
    • HKLM\SYSTEM\CurrentControlSet\Services\esecdrv
    • HKLM\SYSTEM\CurrentControlSet\Services\esecdrv42
    • HKLM\SYSTEM\CurrentControlSet\Services\esecdrv60
    • HKLM\SOFTWARE\GFI\EndPointSecurity 4 / 5 / 6
    • HKLM\SOFTWARE\Wow6432Node\GFI\EndPointSecurity4 / 5 / 6
  8. Restart the computer
  9. Delete the folder C:\Program Files\GFI\EndPointSecurity Agent
  10. Depending on the version of the agent, delete the registry keys as specified in Appendix A
  11. From the GFI EndPointSecurity Console, remove the agent by selecting the option ‘Delete computer(s) without uninstall’

Note 1: In step 4, if the agent installed is version 4 or 4.1, the driver is called esecdrv.sys
Note 2: In step 12, on x64 operating systems the GFI\EndPointSecurity registry key is located under HKLM\SOFTWARE\Wow6432Node\GFI

Windows 7 / Server 2008

  1. Boot from Windows CD
  2. Choose the Language / Time & Currency formats, and click ‘Next’
  3. Choose the ‘Repair your computer’ option
  4. Select ‘Use Recovery Tools that can help fix problems…’
  5. Choose the installation to be repaired and click ‘Next’
  6. Choose the Command Prompt option
  7. Enter the command: D:
  8. Enter the command depending on the agent version:
    • version 2013: DEL C:\WINDOWS\system32\drivers\esecdrv60.sys
    • version 4.2 / 2012: DEL C:\WINDOWS\system32\drivers\esecdrv42.sys
  9. Enter the command: exit
  10. Choose the option to restart the machine
  11. Start Windows normally
  12. Delete the following registry keys:
    • HKLM\SYSTEM\CurrentControlSet\Services\EsecAgentSvc
    • HKLM\SYSTEM\CurrentControlSet\Services\esecdrv
    • HKLM\SYSTEM\CurrentControlSet\Services\esecdrv42
    • HKLM\SYSTEM\CurrentControlSet\Services\esecdrv60
    • HKLM\SOFTWARE\GFI\EndPointSecurity4 / 5 / 6
  13. Restart the computer
  14. Delete the folder C:\Program Files (x86)\GFI\EndPointSecurity Agent
  15. Depending on the version of the agent, delete the registry keys as specified in Appendix A
  16. From the GFI EndPointSecurity Console, remove the agent by selecting the option ‘Delete computer(s) without uninstall’

Note 1: In steps 7 and 8, on Windows 7 the drive specified is that of the CD/DVD, on Windows 2008 the drive specified is that of the operating system
Note 2: In step 8, if the agent installed is version 4 or 4.1, the driver is called esecdrv.sys
Note 3: In step 12, on x64 operating systems the GFI\EndPointSecurity registry key is located under HKLM\SOFTWARE\Wow6432Node\GFI

Appendix A

GFI EndPointSecurity 2013

Keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\57DC5777E98C02540B69CD2C61BE3CD7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7775CD75-C89E-4520-B096-DCC216EBC37D}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{7775CD75-C89E-4520-B096-DCC216EBC37D}

GFI EndPointSecurity 2012 

Keys:

  • HKLM\SOFTWARE\Classes\Installer\Products\5AA82EF304184E740A3D79F442385165
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3FE28AA5-8140-47E4-A0D3-974F24831556}
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{3FE28AA5-8140-47E4-A0D3-974F24831556}

GFI EndPointSecurity 4.2 and 4.3

Builds: 20100625, 20100428, 20091109, 20091014
Keys:

  • HKLM\SOFTWARE\Classes\Installer\Products\505AD1BC44D34744B81ED6B0071A1E23
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB1DA505-3D44-4474-8BE1-6D0B70A1E132}
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{CB1DA505-3D44-4474-8BE1-6D0B70A1E132}

GFI EndPointSecurity 4 and 4.1

Builds: 20090508, 20090217, 20080215
Keys:

  • HKLM\SOFTWARE\Classes\Installer\Products\09F8D729D7CAB5946B6907B2AD8DDEC7
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{927D8F90-AC7D-495B-B696-702BDAD8ED7C}
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{927D8F90-AC7D-495B-B696-702BDAD8ED7C}

Note: On x64 operating systems, the Uninstall\{<GUID>} registry key is located under HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
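
The notice above advises confirming the installed agent version from the listed files and registry keys, and backing up the keys before deleting them. The PowerShell script below is an added example, not part of GFI's procedure or tooling: it reports which driver file and Appendix A Uninstall GUID are present, then exports every existing key from the procedure with reg.exe, deleting nothing. The Test-RegKey helper, the backup folder under %TEMP%, and exporting the whole HKLM\SOFTWARE\GFI key are assumptions; run it from an elevated 64-bit PowerShell session.

```powershell
# Added example: read-only inventory and registry backup. It deletes nothing.
$drivers = [ordered]@{   # driver file -> agent version (from the steps and notes)
    'esecdrv60.sys' = '2013'
    'esecdrv42.sys' = '4.2 / 2012'
    'esecdrv.sys'   = '4 / 4.1'
}
$products = @(           # Appendix A: version, Installer\Products subkey, Uninstall GUID
    @{ Version = '2013';      Product = '57DC5777E98C02540B69CD2C61BE3CD7'; Guid = '{7775CD75-C89E-4520-B096-DCC216EBC37D}' }
    @{ Version = '2012';      Product = '5AA82EF304184E740A3D79F442385165'; Guid = '{3FE28AA5-8140-47E4-A0D3-974F24831556}' }
    @{ Version = '4.2 / 4.3'; Product = '505AD1BC44D34744B81ED6B0071A1E23'; Guid = '{CB1DA505-3D44-4474-8BE1-6D0B70A1E132}' }
    @{ Version = '4 / 4.1';   Product = '09F8D729D7CAB5946B6907B2AD8DDEC7'; Guid = '{927D8F90-AC7D-495B-B696-702BDAD8ED7C}' }
)
$uninstall = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
function Test-RegKey([string]$Key) {   # hypothetical helper: reg.exe path -> provider path
    Test-Path -LiteralPath ($Key -replace '^HKLM\\', 'HKLM:\')
}

# 1. Identify the installed version from the driver file and the Uninstall GUID.
foreach ($d in $drivers.Keys) {
    if (Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\drivers\$d")) {
        "Driver $d present: agent version $($drivers[$d])"
    }
}
foreach ($p in $products) {
    $hit = $uninstall | Where-Object { Test-RegKey "HKLM\$_\$($p.Guid)" }
    if ($hit) { "Uninstall key $($p.Guid) present: agent version $($p.Version)" }
}

# 2. Build the list of keys the procedure deletes. The GFI vendor keys are exported
#    whole (assumption) so the exact EndPointSecurity subkey name is not guessed.
$keys = @('EsecAgentSvc', 'esecdrv', 'esecdrv42', 'esecdrv60' |
    ForEach-Object { "HKLM\SYSTEM\CurrentControlSet\Services\$_" })
$keys += 'HKLM\SOFTWARE\GFI', 'HKLM\SOFTWARE\Wow6432Node\GFI'
foreach ($p in $products) {
    $keys += "HKLM\SOFTWARE\Classes\Installer\Products\$($p.Product)"
    $keys += $uninstall | ForEach-Object { "HKLM\$_\$($p.Guid)" }
}

# 3. Export each key that exists to a numbered .reg file (backup folder is an assumption).
$backupDir = Join-Path $env:TEMP ('esec-regbackup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir | Out-Null
$n = 0
foreach ($k in $keys | Where-Object { Test-RegKey $_ }) {
    $n++
    $file = Join-Path $backupDir ('{0:d2}.reg' -f $n)
    & reg.exe export $k $file /y | Out-Null
    if ($LASTEXITCODE -eq 0) { "Backed up $k -> $file" } else { Write-Warning "Export failed: $k" }
}
```

If the driver file and the Uninstall GUID point to different versions, stop and ask for assistance as the notice instructs; copy the backup folder off the machine before continuing.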


CAUSES

  • One potential cause is that the machine has been removed from the domain to which GFI EndPointSecurity belongs, and/or has been relocated to a new network that can no longer communicate with the GFI EndPointSecurity console.
  1. Priyanka Bhotika