looking for Tivoli remnants at bootup

I have a Win NT 4.0 machine that used to have Tivoli installed.  Tivoli was removed but on bootup it still looks for the files.

How can I permanently fix this?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


Serch for tivoli in the registry and remove any registry keys that are left.

Also check autostart folder in the startmenu.

/Hans - Erik Skyttberg
Have you double checked the the Tivoli services have been removed or are set to dissabled.  If you did the uninstall while Tivoli was running, you will find that services might not have been removed.  You should notice the Tivoli Endpoint service which starts the Tivoli utility monitoring utillity.  

The entries in the registry to look out for usually reference lfcd or lcfep and should be found under hkey_local_Machine\software\microsoft\windows\currentversion\run these are the apps that are started as the PC is logged on.
PS...  The actual exe is lcfep.exe...
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

I wrote a script for this -   It is written to be run against the machine remotely, but can run against "localhost":

The following is a snippet of the writeup I did for it:
The script used by Steve to put an end to the Evil Empire of TIVOLI.  Will destroy everything TIVOLI related on an NT-based PC, leaving its breath fresh and minty.

C:\>KillTivoli NodeName

The end user sees nothing, except possibly a faster, healthier PC.
Technical Gobbledy-Gook: (skip this section if you dont care how it works).  
This script utilizes the following utilities:  PSKILL to end Tivoli-Related Processes by name on the target node, SC to stop and then delete Tivoli-Related Services and Devices on the target, RD (System Command) to remove Tivoli-Related Directories, DEL (System Command) to remove isolated Individual Tivoli Files, ADDUSERS to take away the Tivoli created users, and REG to remove Tivoli related registry keys.  It flows in the following order:  Kill Tivoli Executables, Stop and Remove Tivoli Services/Devices, Remove Tivoli Files and Directories, Remove Tivoli Users, and Finally Remove Tivoli Registry Settings.   I very nearly named it DieTivoliDie, but that did not convey its function quite as well as KillTivoli.

I originally ran this script against a domain list gleaned from DOMAIN1 and DOMAIN2 (accidentally forgetting to remove the servers), as a subscript to the GRAB script (to get administrative rights, described in a later section).  After recovering from the political damage I caused myself, I improved my scripting processes a small eek to prevent that accident from ever happening again.

The script is kept around for in case you run into one of the machines that we missed during the initial mass execution of Tivoli I did in November of 2000
Where did it come from?
Steve is very proud to have written this script.  The removal of TIVOLI in the DOMAIN1/DOMAIN2 environment was completed (to about 98%) in approximately 6 hours, by a simple 200Mhz machine running a script; A lot better than the 3 weeks of manual, in person uninstalls that the SMS deployment plan called for, and a lot more cost effective.


the Script follows;  you will have to be sure to collect the files it depends on:

:: KillTivoli.CMD by Steven Yarnot
:: Last updated 05/09/2001
:: Assume Admin connection, assume NT, this is a spinoff script
pskill \\%1 lcfd.exe
pskill \\%1 TRIP.exe
pskill \\%1 lcfep.exe
pskill \\%1 TIVNTSVC.exe

sc \\%1 stop TGRAB
sc \\%1 delete TGRAB
sc \\%1 stop LCFD
sc \\%1 delete LCFD
sc \\%1 stop "TME Agent"
sc \\%1 delete "TME Agent"
sc \\%1 stop TME10RC
sc \\%1 delete TME10RC
sc \\%1 stop TRIP
sc \\%1 delete TRIP
sc \\%1 stop KEYEX2
sc \\%1 delete KEYEX2
sc \\%1 stop MOUEX2
sc \\%1 delete MOUEX2
sc \\%1 CONFIG KBDCLASS start= system
sc \\%1 CONFIG KEYEX start= disabled
sc \\%1 CONFIG MOUCLASS start= system
sc \\%1 CONFIG MOUEX start= disabled

RD /s /q \\%1\C$\Tivoli
RD /s /q \\%1\C$\ETC\Tivoli
DEL \\%1\C$\etc\AGTMSG.CAT
DEL \\%1\C$\etc\LstAgt.bat
DEL \\%1\C$\etc\Tmeagent.cfg
RD \\%1\C$\ETC
DEL \\%1\C$\!tiv!.log
DEL \\%1\C$\!tivstart!.txt
RD /s /q \\%1\ADMIN$\Tivoli

ADDUSERS \\%1 /e .\copytotarget\killtiv.grp
reg delete "\\%1\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v lcfep /f
reg delete "\\%1\HKLM\SOFTWARE\Tivoli" /va /f

echo %1 >> killtivoli3.log

killtiv.grp is for deleting the "user" accounts Tivoli leaves behind, and it contains:



tmersrvd,tmersrvd,,Tivoli Unprivileged Operations Account (required),,,,




Tivoli_Admin_Privileges,Tivoli Super Users should have these privileges,

Hope this helps

-Steven Yarnot

the Irony of this script is that I was the Tivoli administrator;  I could not wait to see the Tivoli environment die at my place of work--Vive la SMS!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
AWPAuthor Commented:
It's looking for the icfep.exe file.  That's the error I'm getting.  I found the tivoli folder in the registry and deleted it.  I'm still getting the same message.

Then search for icefp.exe in registry and delete any referances to it.

Also check for it in any autostart folders.

/Hans - Erik Skyttberg
AWPAuthor Commented:
This unit used to be on a network.  When looking in the registry , control panel, there's a listing for "environment".  The valuename says "LOGONSERVER" and the data value is "\\SPR120500".  Is this safe to delete or does it need to be there for NT?
AWPAuthor Commented:
I've done a search in the registry and don't see any reference to the "icefp.exe" file.
AWPAuthor Commented:
In WINNT Diagnostics:

Tivoli Remote Control Service - RCSERV.EXE (in WINNT:) is STOPPED
Tivoli Endpoint (C:Program) is STOPPED

Tivoli Remote Control Keyboard Filter is RUNNING
Tivoli Remote Control Pointer Filer is RUNNING
Tivoli Remote Control Text Grabber is RUNNING

AWPAuthor Commented:
YarnoSG, How am I supposed to use this script?  I don't see it included, only portions of the code.
It is just a batch file:  copy between the lines into notepad and save it as KillTivoli.CMD in your path

You can then run it using:
Prompt:>KillTivoli Localhost

You will need to be sure you have SC.EXE and Addusers.exe from the NT/2000 resource kit, and PSKill from SYSINTERNALS (Free).

the whole script is up there;  if your computer is looking for LCFEP, it is a service (Tivoli Endpoint/TME Agent:  not sure, it has been a few years)  the SC commands in the batch file will wipe that out/ alternatively, you can go to the services & devices control panel and turn off & disable those services/devices marked with Tivoli, though my script takes it a step further and deletes them and all their freinds too.


AWPAuthor Commented:
I don't have sc.exe or addusers.exe.  I do not have the resource kit for NT/2000.  Maybe I can find them and download them.  Will I need to run them after killing Tivoli?  Or will I need them in case someone goes wrong?

Will I have to kill it every time I boot up or will it kill it permanently?
it is a permanent kill, and much of the resource kits can be downloaded for free.  (http://www.microsoft.com/ntserver/nts/downloads/recommended/ntkit/default.asp and http://www.microsoft.com/windows2000/techinfo/reskit/default.asp)

However, in the absence of those files, you can use them as a guide for what needs to be done to completely remove Tivoli.

SC is a service controller, and controls both services and devices.  You will notice I stop then delete services.  Without SC you can Stop and then Disable these services/devices.  

The RDs and Dels are removing files and directories, and

ADDUSERS is used to DELETE the Tivoli User out of the local SAM.  All of these actions can be done manually.


-Steven Yarnot
AWPAuthor Commented:
I ran the script.  I received several errors.

"The filename, directory name, or volume lable syntax is incorrect."


"The name specified is not recognized as an internal or external command, inoperable program or batch file."

What did I do wrong?
In order to run the script you NEED SC, REG, ADDUSERS in your path.  But without them you can manually do what the batch file does by hand:  

Use the control panel Devices and Services tools to stop and disable the "TIVOLI" things, the Tivoli Remote Control Service (service) , the Tivoli Endpoint(service)
Tivoli Remote Control Keyboard Filter (Device),Tivoli Remote Control Pointer Filter (Device), and Tivoli Remote Control Text Grabber (Device).  Stop them.  Disable them.  

Delete the Tivoli Directories and files identified by the script.

Go to the user control panel and delete the Tivoli User and the Tivoli Admin Group.  

Go to the registry and delete the HKLM\Software\Tivoli Key, and the LCEFP value from the(HKLM\SOTWARE\Microsoft\Windows\CurrentVersion\Run)key.

-Steven Yarnot

AWPAuthor Commented:
Where do I install SC, REG, ADDUSERS ? when I get the Resource CD?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.