Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

looking for Tivoli remnants at bootup

Posted on 2003-03-09
16
Medium Priority
?
1,303 Views
Last Modified: 2013-12-21
I have a Win NT 4.0 machine that used to have Tivoli installed.  Tivoli was removed but on bootup it still looks for the files.

How can I permanently fix this?
0
Comment
Question by:AWP
  • 8
  • 4
  • 2
  • +1
16 Comments
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8101544
Hi!

Serch for tivoli in the registry and remove any registry keys that are left.

Also check autostart folder in the startmenu.

Regards
/Hans - Erik Skyttberg
0
 
LVL 2

Expert Comment

by:RooiValk
ID: 8102495
Have you double checked the the Tivoli services have been removed or are set to dissabled.  If you did the uninstall while Tivoli was running, you will find that services might not have been removed.  You should notice the Tivoli Endpoint service which starts the Tivoli utility monitoring utillity.  

The entries in the registry to look out for usually reference lfcd or lcfep and should be found under hkey_local_Machine\software\microsoft\windows\currentversion\run these are the apps that are started as the PC is logged on.
0
 
LVL 2

Expert Comment

by:RooiValk
ID: 8102547
PS...  The actual exe is lcfep.exe...
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 
LVL 7

Accepted Solution

by:
YarnoSG earned 750 total points
ID: 8103557
I wrote a script for this -   It is written to be run against the machine remotely, but can run against "localhost":

The following is a snippet of the writeup I did for it:
______________________________________________________
Tool: KILLTIVOLI
The script used by Steve to put an end to the Evil Empire of TIVOLI.  Will destroy everything TIVOLI related on an NT-based PC, leaving its breath fresh and minty.
Usage:

C:\>KillTivoli NodeName


The end user sees nothing, except possibly a faster, healthier PC.
Technical Gobbledy-Gook: (skip this section if you dont care how it works).  
This script utilizes the following utilities:  PSKILL to end Tivoli-Related Processes by name on the target node, SC to stop and then delete Tivoli-Related Services and Devices on the target, RD (System Command) to remove Tivoli-Related Directories, DEL (System Command) to remove isolated Individual Tivoli Files, ADDUSERS to take away the Tivoli created users, and REG to remove Tivoli related registry keys.  It flows in the following order:  Kill Tivoli Executables, Stop and Remove Tivoli Services/Devices, Remove Tivoli Files and Directories, Remove Tivoli Users, and Finally Remove Tivoli Registry Settings.   I very nearly named it DieTivoliDie, but that did not convey its function quite as well as KillTivoli.

I originally ran this script against a domain list gleaned from DOMAIN1 and DOMAIN2 (accidentally forgetting to remove the servers), as a subscript to the GRAB script (to get administrative rights, described in a later section).  After recovering from the political damage I caused myself, I improved my scripting processes a small eek to prevent that accident from ever happening again.

The script is kept around for in case you run into one of the machines that we missed during the initial mass execution of Tivoli I did in November of 2000
Where did it come from?
Steve is very proud to have written this script.  The removal of TIVOLI in the DOMAIN1/DOMAIN2 environment was completed (to about 98%) in approximately 6 hours, by a simple 200Mhz machine running a script; A lot better than the 3 weeks of manual, in person uninstalls that the SMS deployment plan called for, and a lot more cost effective.

____________________________________

the Script follows;  you will have to be sure to collect the files it depends on:

_____________________________
:: KillTivoli.CMD by Steven Yarnot
:: Last updated 05/09/2001
:: USES PSKILL.EXE FROM SYSINTERNALS.COM, ADDUSERS.EXE AND SC.EXE FROM THE NT RESOURCE KIT
:: THE FILE "KILLTIV.GRP" CONTAINS THE USER INFORMATION OF TIVOLI USER TO KILL IT.
::
:: Assume Admin connection, assume NT, this is a spinoff script
pskill \\%1 lcfd.exe
pskill \\%1 TRIP.exe
pskill \\%1 lcfep.exe
pskill \\%1 TIVNTSVC.exe

sc \\%1 stop TGRAB
sc \\%1 delete TGRAB
sc \\%1 stop LCFD
sc \\%1 delete LCFD
sc \\%1 stop "TME Agent"
sc \\%1 delete "TME Agent"
sc \\%1 stop TME10RC
sc \\%1 delete TME10RC
sc \\%1 stop TRIP
sc \\%1 delete TRIP
sc \\%1 stop KEYEX2
sc \\%1 delete KEYEX2
sc \\%1 stop MOUEX2
sc \\%1 delete MOUEX2
sc \\%1 CONFIG KBDCLASS start= system
sc \\%1 CONFIG KEYEX start= disabled
sc \\%1 CONFIG MOUCLASS start= system
sc \\%1 CONFIG MOUEX start= disabled


RD /s /q \\%1\C$\Tivoli
RD /s /q \\%1\C$\ETC\Tivoli
DEL \\%1\C$\etc\AGTMSG.CAT
DEL \\%1\C$\etc\LstAgt.bat
DEL \\%1\C$\etc\PCREMOTE.CFG
DEL \\%1\C$\etc\Tmeagent.cfg
RD \\%1\C$\ETC
DEL \\%1\C$\!tiv!.log
DEL \\%1\C$\!tivstart!.txt
RD /s /q \\%1\ADMIN$\Tivoli

ADDUSERS \\%1 /e .\copytotarget\killtiv.grp
reg delete "\\%1\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v lcfep /f
reg delete "\\%1\HKLM\SOFTWARE\Tivoli" /va /f



echo %1 >> killtivoli3.log
____________________________________________

killtiv.grp is for deleting the "user" accounts Tivoli leaves behind, and it contains:

____________________

[User]

tmersrvd,tmersrvd,,Tivoli Unprivileged Operations Account (required),,,,

[Global]

tmersrvd,

[Local]

Tivoli_Admin_Privileges,Tivoli Super Users should have these privileges,
__________________________

Hope this helps

-Steven Yarnot
http://yarnosg.home.insightbb.com

the Irony of this script is that I was the Tivoli administrator;  I could not wait to see the Tivoli environment die at my place of work--Vive la SMS!
0
 

Author Comment

by:AWP
ID: 8106895
It's looking for the icfep.exe file.  That's the error I'm getting.  I found the tivoli folder in the registry and deleted it.  I'm still getting the same message.
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8107161
Hi!

Then search for icefp.exe in registry and delete any referances to it.

Also check for it in any autostart folders.

Regards
/Hans - Erik Skyttberg
0
 

Author Comment

by:AWP
ID: 8107655
This unit used to be on a network.  When looking in the registry , control panel, there's a listing for "environment".  The valuename says "LOGONSERVER" and the data value is "\\SPR120500".  Is this safe to delete or does it need to be there for NT?
0
 

Author Comment

by:AWP
ID: 8107668
I've done a search in the registry and don't see any reference to the "icefp.exe" file.
0
 

Author Comment

by:AWP
ID: 8107718
In WINNT Diagnostics:

Tivoli Remote Control Service - RCSERV.EXE (in WINNT:) is STOPPED
Tivoli Endpoint (C:Program) is STOPPED

Tivoli Remote Control Keyboard Filter is RUNNING
Tivoli Remote Control Pointer Filer is RUNNING
Tivoli Remote Control Text Grabber is RUNNING

0
 

Author Comment

by:AWP
ID: 8107742
YarnoSG, How am I supposed to use this script?  I don't see it included, only portions of the code.
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8110881
It is just a batch file:  copy between the lines into notepad and save it as KillTivoli.CMD in your path

You can then run it using:
Prompt:>KillTivoli Localhost

You will need to be sure you have SC.EXE and Addusers.exe from the NT/2000 resource kit, and PSKill from SYSINTERNALS (Free).


the whole script is up there;  if your computer is looking for LCFEP, it is a service (Tivoli Endpoint/TME Agent:  not sure, it has been a few years)  the SC commands in the batch file will wipe that out/ alternatively, you can go to the services & devices control panel and turn off & disable those services/devices marked with Tivoli, though my script takes it a step further and deletes them and all their freinds too.

HTH

-Steve
0
 

Author Comment

by:AWP
ID: 8113408
I don't have sc.exe or addusers.exe.  I do not have the resource kit for NT/2000.  Maybe I can find them and download them.  Will I need to run them after killing Tivoli?  Or will I need them in case someone goes wrong?

Will I have to kill it every time I boot up or will it kill it permanently?
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8114313
it is a permanent kill, and much of the resource kits can be downloaded for free.  (http://www.microsoft.com/ntserver/nts/downloads/recommended/ntkit/default.asp and http://www.microsoft.com/windows2000/techinfo/reskit/default.asp)

However, in the absence of those files, you can use them as a guide for what needs to be done to completely remove Tivoli.

SC is a service controller, and controls both services and devices.  You will notice I stop then delete services.  Without SC you can Stop and then Disable these services/devices.  

The RDs and Dels are removing files and directories, and

ADDUSERS is used to DELETE the Tivoli User out of the local SAM.  All of these actions can be done manually.

HTH

-Steven Yarnot
http://yarnosg.home.insightbb.com
0
 

Author Comment

by:AWP
ID: 8114797
I ran the script.  I received several errors.

"The filename, directory name, or volume lable syntax is incorrect."

or

"The name specified is not recognized as an internal or external command, inoperable program or batch file."

What did I do wrong?
0
 
LVL 7

Expert Comment

by:YarnoSG
ID: 8118898
In order to run the script you NEED SC, REG, ADDUSERS in your path.  But without them you can manually do what the batch file does by hand:  

Use the control panel Devices and Services tools to stop and disable the "TIVOLI" things, the Tivoli Remote Control Service (service) , the Tivoli Endpoint(service)
Tivoli Remote Control Keyboard Filter (Device),Tivoli Remote Control Pointer Filter (Device), and Tivoli Remote Control Text Grabber (Device).  Stop them.  Disable them.  

Delete the Tivoli Directories and files identified by the script.

Go to the user control panel and delete the Tivoli User and the Tivoli Admin Group.  

Go to the registry and delete the HKLM\Software\Tivoli Key, and the LCEFP value from the(HKLM\SOTWARE\Microsoft\Windows\CurrentVersion\Run)key.

HTH
-Steven Yarnot

0
 

Author Comment

by:AWP
ID: 8166876
Where do I install SC, REG, ADDUSERS ? when I get the Resource CD?
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article on how to answer questions, earn points and become an expert.
The article covers five tools all IT professionals should know about, as they up productivity by a great deal!
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question