  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2462

create script to do these changes

hello,

i have to manually remove trendmicro WFBS from 12 servers.  the beta install went..... eventful... and promptly killed all remote access to these servers.

we've since disabled the services for trendmicro so we could remote back in... now i need to manually remove it from all servers, so we can reinstall it

i don't know why trend apparently did not create a script already for this, or a program or something, but... let's make one.  i tried to write these in such a way to make it really easy for you to copy/paste into your script.  there are no spelling mistakes so don't correct anything that looks weird like pccnt or officescannt ... those are supposed to be double-n like that, etc.

anyway, here's a set of tasks i'd like to see if i can get scripted... batch file is fine, or whatever is easiest

stop these services:
tmpfw
tmproxy
euq_monitor
ntrtscan
ofcservicetmicrcscanservice

taskkill /IM thesetasksbelow /F:
pccntmon.exe
ntrtscan.exe
tmlisten.exe
pccnt.exe
tm_pfw.exe
cntaosmgr.exe
tmbmsrv.exe
tmproxy.exe
tmas_oe.exe.exe  (duplicated exe as per their documentation)
tmas_oe.exe  (threw this in there just because)
tmas_oemon.exe
ofcservice.exe
ofcaosmgr.exe

remove these registry keys and every sub object of them:
"hkcu\software\trendmicro"
"hkcu\software\trendmicro_volatile"
"hklm\software\trendmicro"
"hklm\software\trendmicro_volatile"
"hklm\software\microsoft\windows\currentversion\uninstall\officescannt"
"hklm\software\microsoft\windows\currentversion\uninstall\security server"
"hklm\system\currentcontrolset\services\ntrtscan"
"hklm\system\currentcontrolset\services\ofcaosmgr"
"hklm\system\currentcontrolset\services\ofcservice"
"hklm\system\currentcontrolset\services\tmactmon"
"hklm\system\currentcontrolset\services\tmbmserver"
"hklm\system\currentcontrolset\services\tmcfw"
"hklm\system\currentcontrolset\services\tmcomm"
"hklm\system\currentcontrolset\services\tmevtmgr"
"hklm\system\currentcontrolset\services\tm filter"
"hklm\system\currentcontrolset\services\tmlisten"
"hklm\system\currentcontrolset\services\tmpfw"
"hklm\system\currentcontrolset\services\tmprefilter"
"hklm\system\currentcontrolset\services\tmproxy"
"hklm\system\currentcontrolset\services\tmtdi"
"hklm\system\currentcontrolset\services\vsapint"

delete these objects which live here: hklm\...\run
"officescannt monitor"
"officescannt oe"

uninstall these HIDDEN non-plug and play devices (this is the tricky part):
tmactmon
tmcomm
tmevtmgr
"trend micro filter"
"trend micro prefilter"
"trend micro tdidriver"
"trend micro vsapi nt"

uninstall this driver from the local area connection:
"trend micro common firewall driver"

whack this directory with YES confirmation:
rd "c:\program files\trend micro" /s



Asked by: B H

1 Solution

sirbounty commented:
Getting late, so I'm fading here, but I think I have it all but the device removal (that is the tricky part :)...however, I believe if you grab Microsoft's devcon utility, you should be able to piece that last bit into the script (http://support.microsoft.com/kb/311272)

Not fully tested, but for those pieces I wasn't able to test or wasn't entirely comfortable with you performing a 'live' test, I left off the confirmation suppression parameter...
@echo off
setlocal enabledelayedexpansion
for %%a in (tmpfw tmproxy euq_monitor ntrtscan ofcservicetmicrcscanservice) do sc stop %%a
for %%a in (pccntmon.exe ntrtscan.exe tmlisten.exe pccnt.exe tm_pfw.exe cntaosmgr.exe tmbmsrv.exe tmproxy.exe tmas_oe.exe.exe tmas_oe.exe tmas_oemon.exe ofcservice.exe ofcaosmgr.exe) do taskkill /im %%a /f

reg delete hkcu\software\trendmicro /f
reg delete hkcu\software\trendmicro_volatile /f

REM Next line sends each key to a sub process
for %%a in ("hklm\software\trendmicro" "hklm\software\trendmicro_volatile" "hklm\software\microsoft\windows\currentversion\uninstall\officescannt" "hklm\software\microsoft\windows\currentversion\uninstall\security server") do call :process %%a

REM remove services from registry (suppressed)
for %%a in (ntrtscan ofcaosmgr ofcservice tmactmon tmbmserver tmcfw tmcomm tmevtmgr tmlisten tmpfw tmprefilter tmproxy tmtdi vsapint) do reg delete "hklm\system\currentcontrolset\services\%%a" /f
reg delete "hklm\system\currentcontrolset\services\tm filter" /f

REM Add /F to skip confirmation
for %%a in ("officescannt monitor" "officescannt oe") do reg delete hklm\software\microsoft\windows\currentversion\run /v %%a

REM uninstall this driver from the local area connection:
REM This 'should' be under HKLM\System\CurrentControlSet\Control\Network
REM The problem is, it's typically under a uniquely-named key, so it gets tricky to locate it...

Set KeyToFind="trend micro common firewall driver"
REM "delims=" keeps each output line whole; only lines ending in } (the GUID-named keys) are searched
for /f "delims=" %%k in ('reg query hklm\system\currentcontrolset\control\network') do (
  set keyName=%%k
  if [!keyName:~-1!]==[}] call :searchSubKeys !keyName!
)


echo Removing Program Files folder...
pause
REM Add /Q to skip confirmation
rd "c:\program files\trend micro" /s

goto DevRemoval

:process
set regKey=%1
REM Add /F to skip confirmation
reg delete %regKey%
goto :eof

:searchSubKeys
REM Walk the subkeys of the GUID key; errors for value lines that are not keys go to nul
for /f "delims=" %%b in ('reg query %keyName% 2^>nul') do (
  REM tokens=2,* puts REG_SZ in %%c and the full connection name, spaces included, in %%d
  for /f "tokens=2,*" %%c in ('reg query "%%b\Connection" /v Name 2^>nul') do (
    if /i ["%%d"]==[%KeyToFind%] (
      echo Found %KeyToFind%
      echo   Located at %%b
      REM Delete the matching connection key only, never the parent GUID key
      REM Add /F to skip confirmation
      reg delete "%%b"
    )
  )
)
goto :eof

:DevRemoval
REM uninstall these HIDDEN non-plug and play devices (this is the tricky part):
REM tmactmon
REM tmcomm
REM tmevtmgr
REM "trend micro filter"
REM "trend micro prefilter"
REM "trend micro tdidriver"
REM "trend micro vsapi nt"

B H (Author) commented:
Wow that is a lot more than I expected, very exquisite

Can't wait to test it out tomorrow and let you know :)

I thought I knew a thing or two about batch files... but this.... this is ridiculous.

A lot has been added to my bag of tricks after seeing your examples.

If I want to run one of those lines straight off the cmd line, just change %% to %, right?  You can do a lot more, faster, crafting things on the fly with loops. Wow.
sirbounty commented:
"If I want to run one of those lines straight off the cmd line, just change %% to % right?" - correct.

If you're testing on a live production server, please place pauses and such so to step through this one time first.  I did the best I could not having the same environment (though some of the registry keys I did recreate here).  If you need me to dig further into devcon for you, let me know.

~sirbounty
B H (Author) commented:
i don't have time for the devcon stuff so i can just manually right-click uninstall those no problem, i will be logging into the servers anyway to run the scripts and watch them

the script alone saves me like 15 minutes per server so well worth it :)
sirbounty commented:
But, how are you going to have a complete script? :^)

It's been a few years since I've used devcon, but I believe it uses hardware ID for the devices, so it would realistically take a while to work through it and get it working the way you need, particularly since I have no similar environment...

You mention though, that you would be logging on to the server - most of those items can all be launched remotely, fyi.
taskkill has a /s <system> parameter, as does sc <system>.  And your reg deletes can all be run using \\<system>\hklm...

So this could be tweaked a bit more to loop through a server list, though it still leaves the device drivers.

Good luck - and I hope you don't have to run this again!
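Picking up the remote-execution idea in the comment above, here is an added example (my wrapper, not sirbounty's script) that drives the same service-stop, process-kill and registry-delete steps against a list of servers instead of one box. It assumes a file servers.txt (one hostname per line) next to the script, that you hold admin rights on every host, that the Remote Registry service is running there (reg.exe needs it for \\server\HKLM paths) and that the C$ admin share is reachable. By default it only prints what it would do; pass /go to execute.

```batch
@echo off
setlocal
REM Added example, not from the thread's authors. Runs the cleanup steps
REM from the accepted script remotely over a server list.
REM Assumed: servers.txt beside the script, admin rights on each host,
REM Remote Registry running on each host, C$ admin share reachable.
REM Usage:  cleanup-remote.cmd        dry run, prints the commands only
REM         cleanup-remote.cmd /go    executes them

set "DRYRUN=echo [dry-run]"
if /i "%~1"=="/go" set "DRYRUN="

set "SERVICES=tmpfw tmproxy euq_monitor ntrtscan ofcservicetmicrcscanservice"
set "PROCS=pccntmon.exe ntrtscan.exe tmlisten.exe pccnt.exe tm_pfw.exe cntaosmgr.exe tmbmsrv.exe tmproxy.exe tmas_oe.exe.exe tmas_oe.exe tmas_oemon.exe ofcservice.exe ofcaosmgr.exe"
set "SVCKEYS=ntrtscan ofcaosmgr ofcservice tmactmon tmbmserver tmcfw tmcomm tmevtmgr tmlisten tmpfw tmprefilter tmproxy tmtdi vsapint"

for /f "usebackq delims=" %%s in ("servers.txt") do call :clean %%s
endlocal
goto :eof

:clean
set "SRV=%~1"
echo === %SRV% ===
REM Unreachable hosts are logged and skipped, not fatal. Note that some
REM Windows versions return 0 for "Destination host unreachable".
ping -n 1 -w 1000 %SRV% >nul 2>&1
if errorlevel 1 (
  echo   unreachable, skipping
  >>unreachable.txt echo %SRV%
  goto :eof
)

REM sc and taskkill both take the target machine as a parameter
for %%a in (%SERVICES%) do %DRYRUN% sc \\%SRV% stop %%a
for %%a in (%PROCS%) do %DRYRUN% taskkill /s %SRV% /im %%a /f

REM reg.exe accepts \\machine\HKLM\... (HKLM and HKU only, not HKCU)
for %%a in (%SVCKEYS%) do %DRYRUN% reg delete "\\%SRV%\hklm\system\currentcontrolset\services\%%a" /f
%DRYRUN% reg delete "\\%SRV%\hklm\system\currentcontrolset\services\tm filter" /f
for %%a in ("trendmicro" "trendmicro_volatile") do %DRYRUN% reg delete "\\%SRV%\hklm\software\%%~a" /f
for %%a in ("officescannt" "security server") do %DRYRUN% reg delete "\\%SRV%\hklm\software\microsoft\windows\currentversion\uninstall\%%~a" /f
for %%a in ("officescannt monitor" "officescannt oe") do %DRYRUN% reg delete "\\%SRV%\hklm\software\microsoft\windows\currentversion\run" /v "%%~a" /f

REM Program Files folder via the admin share
%DRYRUN% rd "\\%SRV%\c$\program files\trend micro" /s /q

REM HKCU keys cannot be opened remotely; do those on the box itself, and
REM the hidden devices still need devcon or a manual uninstall per server.
goto :eof
```

Run it once without /go and read the printed commands against the task list in the question before running it for real; the dry run also tells you which hosts are unreachable (unreachable.txt) so you can deal with those by hand.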
griff4345 commented:
I just wanted to add this comment:

The asker accurately posed his problem at 10:12 PM.

"sirbounty", by 11:31 PM, wrote and delivered a 64 line, comprehensive batch file, complete with annotations to the asker.

Now that is truly what I call dedication to the concept of community volunteer support.

Good on ya, sirbounty! That is awesome, indeed!

---GRIFF
sirbounty commented:
Sorry about that - I had to jump in the shower, otherwise it would have been sooner... ;^)
B H (Author) commented:
plus he's against me leaving it unfinished, by manually doing the hwid uninstalls :)

sirbounty you're fearsome :)

now if i can just get my sheep to stop logging in, i can actually do it
B H (Author) commented:
sorry for the delay

looks like it does most everything just have to remember to go get the devices by hand

line 3 in the script had this at the end:
rvice.exe ofcaosmgr.exe)) do taskkill /im %%a /f

i changed it to a single close paren and that let it keep going

for the most part though, that is great :)
B H (Author) commented:
very fast response and exactly as asked, thanks for the help
sirbounty commented:
Glad I could help.  Thanks for the grade! :^)
mybsa commented:
Great stuff - This might help someone going forward

:DevRemoval
REM uninstall these HIDDEN non-plug and play devices (this is the tricky part):
REM tmactmon ***Didn't see this listed on test machine WFBS 6 SP1***
REM tmcomm
REM tmevtmgr ***Didn't see this listed on test machine WFBS 6 SP1***
REM "trend micro filter"
REM "trend micro prefilter"
REM "trend micro tdidriver"
REM "trend micro vsapi nt"
 
REM Use devcon to set a hardware ID as the hidden non-pnp devices do not have one
devcon sethwid @ROOT\LEGACY_TMCOMM\0000 := TMCOMM
devcon sethwid @ROOT\LEGACY_TMFILTER\0000 := TMFILTER
devcon sethwid @ROOT\LEGACY_TMPREFILTER\0000 := TMPREFILTER
devcon sethwid @ROOT\LEGACY_TMTDI\0000 := TMTDI
devcon sethwid @ROOT\LEGACY_VSAPINT\0000 := VSAPINT

REM Remove the devices we just named
for %%a in ("TMCOMM" "TMFILTER" "TMPREFILTER" "TMTDI" "VSAPINT") do devcon remove %%a

REM Now we have to reboot to complete the uninstall of those devices
devcon reboot

D
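mybsa's devcon snippet above hard-codes the five devices that were present on the test machine and notes two that were not. As an added example (my code, not mybsa's or sirbounty's), here is a version that first checks which ROOT\LEGACY_ nodes actually exist, assigns hardware IDs only to those, removes them, and leaves the reboot to you. It assumes devcon.exe is on the PATH, that the devices show up as ROOT\LEGACY_<SERVICE>\0000 as in the post above, and that you run it elevated.

```batch
@echo off
setlocal enabledelayedexpansion
REM Added example, not mybsa's or sirbounty's code: only name and remove
REM the hidden legacy devices that actually exist on this box, so a machine
REM that never had tmactmon or tmevtmgr gets no failing sethwid/remove calls.
REM Assumptions: devcon.exe on PATH, devices present as
REM ROOT\LEGACY_<SERVICE>\0000 as in the post above, script run elevated.

set "LEGACY=TMACTMON TMCOMM TMEVTMGR TMFILTER TMPREFILTER TMTDI VSAPINT"
set "FOUND="

REM Pass 1: inventory. devcon find prints one line per matching instance,
REM so search its output instead of trusting the exit code.
for %%d in (%LEGACY%) do (
    devcon find "@ROOT\LEGACY_%%d\*" | findstr /l /i /c:"LEGACY_%%d" >nul
    if not errorlevel 1 (
        echo present: ROOT\LEGACY_%%d
        set "FOUND=!FOUND! %%d"
    ) else (
        echo absent:  ROOT\LEGACY_%%d, skipping
    )
)

if not defined FOUND (
    echo Nothing to remove.
    goto :eof
)

REM Pass 2: the legacy nodes carry no hardware ID, so assign one per device
REM and then remove by that ID, exactly as mybsa's snippet does.
for %%d in (%FOUND%) do (
    devcon sethwid "@ROOT\LEGACY_%%d\0000" := %%d
    devcon remove %%d
)

REM devcon remove returns 1 when the removal completes on the next boot.
REM The reboot is deliberately not issued here; schedule it yourself.
echo Removal queued. Reboot when convenient to finish it: shutdown /r /t 0
endlocal
```

Run the first pass on its own (comment out pass 2) on one server and compare the "present"/"absent" lines with what Device Manager shows with hidden devices enabled; if they agree, the second pass is safe to let loose on the rest.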
B H (Author) commented:
Absolutely :)  and I know you know what it's for haha
(Don't say it tho keep the googles out)
B H (Author) commented:
oh whoops i thought i was replying to a different scripting question, disregard that last question

in addition to this post here, i've recently found an official trendmicro dirty uninstaller from trend themselves - it's basically a batch file with all the changes above and then some

they have it on their public ftp server, but i've rehosted it for myself here:
www.thefocisgroup.com/helpdesk/tmuninstaller.zip

i found that even their uninstaller batch file crashes at first, saying you don't have admin rights when you really, really do... so i would just REM out that part of the batch file if it happens to you
