Solved

create script to do these changes

Posted on 2010-09-02
Last Modified: 2012-05-10
hello,

i have to manually remove trendmicro WFBS from 12 servers.  the beta install went..... eventful... and promptly killed all remote access to these servers.

we've since disabled the services for trendmicro so we could remote back in... now i need to manually remove it from all servers, so we can reinstall it

i don't know why trend apparently did not create a script already for this, or a program or something, but... let's make one.  i tried to write these in such a way to make it really easy for you to copy/paste into your script.  there are no spelling mistakes so don't correct anything that looks weird like pccnt or officescannt ... those are supposed to be double-n like that, etc.

anyway, here's a set of tasks i'd like to see if i can get scripted... batch file is fine, or whatever is easiest

stop these services:
tmpfw
tmproxy
euq_monitor
ntrtscan
ofcservicetmicrcscanservice

taskkill /IM thesetasksbelow /F:
pccntmon.exe
ntrtscan.exe
tmlisten.exe
pccnt.exe
tm_pfw.exe
cntaosmgr.exe
tmbmsrv.exe
tmproxy.exe
tmas_oe.exe.exe  (duplicated exe as per their documentation)
tmas_oe.exe  (threw this in there just because)
tmas_oemon.exe
ofcservice.exe
ofcaosmgr.exe

remove these registry keys and every sub object of them:
"hkcu\software\trendmicro"
"hkcu\software\trendmicro_volatile"
"hklm\software\trendmicro"
"hklm\software\trendmicro_volatile"
"hklm\software\microsoft\windows\currentversion\uninstall\officescannt"
"hklm\software\microsoft\windows\currentversion\uninstall\security server"
"hklm\system\currentcontrolset\services\ntrtscan"
"hklm\system\currentcontrolset\services\ofcaosmgr"
"hklm\system\currentcontrolset\services\ofcservice"
"hklm\system\currentcontrolset\services\tmactmon"
"hklm\system\currentcontrolset\services\tmbmserver"
"hklm\system\currentcontrolset\services\tmcfw"
"hklm\system\currentcontrolset\services\tmcomm"
"hklm\system\currentcontrolset\services\tmevtmgr"
"hklm\system\currentcontrolset\services\tm filter"
"hklm\system\currentcontrolset\services\tmlisten"
"hklm\system\currentcontrolset\services\tmpfw"
"hklm\system\currentcontrolset\services\tmprefilter"
"hklm\system\currentcontrolset\services\tmproxy"
"hklm\system\currentcontrolset\services\tmtdi"
"hklm\system\currentcontrolset\services\vsapint"

delete these objects which live here: hklm\...\run
"officescannt monitor"
"officescannt oe"

uninstall these HIDDEN non-plug and play devices (this is the tricky part):
tmactmon
tmcomm
tmevtmgr
"trend micro filter"
"trend micro prefilter"
"trend micro tdidriver"
"trend micro vsapi nt"

uninstall this driver from the local area connection:
"trend micro common firewall driver"

whack this directory with YES confirmation:
rd "c:\program files\trend micro" /s



Question by:B H
14 Comments
 
LVL 67

Accepted Solution

by:
sirbounty earned 500 total points
ID: 33593444
Getting late, so I'm fading here, but I think I have it all but the device removal (that is the tricky part :)...however, I believe if you grab Microsoft's devcon utility, you should be able to piece that last bit into the script (http://support.microsoft.com/kb/311272)

Not fully tested, but for those pieces I wasn't able to test or wasn't entirely comfortable with you performing a 'live' test, I left off the confirmation suppression parameter...
@echo off
setlocal enabledelayedexpansion
for %%a in (tmpfw tmproxy euq_monitor ntrtscan ofcservicetmicrcscanservice) do sc stop %%a
for %%a in (pccntmon.exe ntrtscan.exe tmlisten.exe pccnt.exe tm_pfw.exe cntaosmgr.exe tmbmsrv.exe tmproxy.exe tmas_oe.exe.exe tmas_oe.exe tmas_oemon.exe ofcservice.exe ofcaosmgr.exe)) do taskkill /im %%a /f

reg delete hkcu\software\trendmicro /f
reg delete hkcu\software\trendmicro_volatile /f

REM Next line sends each key to a sub process
for %%a in ("hklm\software\trendmicro" "hklm\software\trendmicro_volatile" "hklm\software\microsoft\windows\currentversion\uninstall\officescannt" "hklm\software\microsoft\windows\currentversion\uninstall\security server") do call :process %%a

REM remove services from registry (suppressed)
for %%a in (ntrtscan ofcaosmgr ofcservice tmactmon tmbmserver tmcfw tmcomm tmevtmgr tmlisten tmpfw tmprefilter tmproxy tmtdi vsapint) do reg delete "hklm\system\currentcontrolset\services\%%a" /f
reg delete "hklm\system\currentcontrolset\services\tm filter" /f

REM Add /F to skip confirmation
for %%a in ("officescannt monitor" "officescannt oe") do reg delete hklm\software\microsoft\windows\currentversion\run /v %%a

REM uninstall this driver from the local area connection:
REM This 'should' be under HKLM\System\CurrentControlSet\Control\Network
REM The problem is, it's typically under a uniquely-named key, so it gets tricky to locate it...

Set KeyToFind="trend micro common firewall driver"
for /f %%k in ('reg query hklm\system\currentcontrolset\control\network') do (
  REM use the loop variable %%k declared above
  set keyName=%%k
  if [!keyName:~-1!]==[}] call :searchSubKeys !keyName!
)


echo Removing Program Files folder...
pause
REM Add /Q to skip confirmation
rd "c:\program files\trend micro\" /s

goto DevRemoval

:process 
set regKey=%1
REM Add /F to skip confirmation
reg delete %regKey%
goto :eof

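:searchSubKeys
REM %keyName% is the class key set by the caller; %%b is each subkey under it
for /f %%b in ('reg query %keyName%') do (
  REM tokens=2* puts the whole Name value, spaces included, in %%d
  for /f "tokens=2*" %%c in ('reg query %%b\Connection /v Name 2^>nul') do (
    if /i ["%%d"]==[%KeyToFind%] (
      echo Found %KeyToFind%
      echo   Located at %%b
      REM Add /F to skip confirmation
      REM delete only the matching subkey, not the whole class key
      reg delete %%b
    )
  )
)
goto :eof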

:DevRemoval
REM uninstall these HIDDEN non-plug and play devices (this is the tricky part):
REM tmactmon
REM tmcomm
REM tmevtmgr
REM "trend micro filter"
REM "trend micro prefilter"
REM "trend micro tdidriver"
REM "trend micro vsapi nt"


0
 
LVL 24

Author Comment

by:B H
ID: 33593494
Wow that is a lot more than I expected, very exquisite

Can't wait to test it out tomorrow and let you know :)

I thought I knew a thing or two about batch files... but this.... this is ridiculous.  

A lot has been added to my bag of tricks after seeing your examples.

If I want to run one of those lines straight off the cmd line, just change %% to % right?  Can do a lot more faster crafting things on the fly with loops wow
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 33595535
"If I want to run one of those lines straight off the cmd line, just change %% to % right?" - correct.

If you're testing on a live production server, please place pauses and such so to step through this one time first.  I did the best I could not having the same environment (though some of the registry keys I did recreate here).  If you need me to dig further into devcon for you, let me know.

~sirbounty
0
 
LVL 24

Author Comment

by:B H
ID: 33595564
i don't have time for the devcon stuff so i can just manually right-click uninstall those no problem, i will be logging into the servers anyway to run the scripts and watch them

the script alone saves me like 15 minutes per server so well worth it :)
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 33595809
But, how are you going to have a complete script? :^)

It's been a few years since I've used devcon, but I believe it uses hardware ID for the devices, so it would realistically take a while to work through it and get it working the way you need, particularly since I have no similar environment...

You mention though, that you would be logging on to the server - most of those items can all be launched remotely, fyi.
taskkill has a /s <system> parameter, as does sc <system>.  And your reg deletes can all be run using \\<system>\hklm...

So this could be tweaked a bit more to loop through a server list, though it still leaves the device drivers.

Good luck - and I hope you don't have to run this again!
0
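The remote forms mentioned in the comment above (`sc \\<system>`, `reg ... \\<system>\hklm`), looped over a server list as a read-only audit that reports which of the question's services, registry keys and install directory remain on each host. This is an added example, not part of the original thread; `servers.txt` (one host name per line) and access to the `C$` admin share are assumptions.

```bat
@echo off
REM Added example: read-only audit of leftover WFBS artifacts on remote servers.
REM servers.txt is an assumed file name; nothing here deletes or stops anything.
setlocal enabledelayedexpansion
if not exist servers.txt (echo servers.txt not found & exit /b 1)

for /f "usebackq delims=" %%s in ("servers.txt") do (
  set left=0
  echo === %%s ===

  REM Services the question asked to stop: report any still running
  for %%a in (tmpfw tmproxy euq_monitor ntrtscan ofcservicetmicrcscanservice) do (
    sc \\%%s query %%a 2>nul | find /i "RUNNING" >nul && (
      echo   service still running: %%a
      set /a left+=1
    )
  )

  REM Service keys listed in the question: report any still present
  for %%a in (ntrtscan ofcaosmgr ofcservice tmactmon tmbmserver tmcfw tmcomm tmevtmgr "tm filter" tmlisten tmpfw tmprefilter tmproxy tmtdi vsapint) do (
    reg query "\\%%s\hklm\system\currentcontrolset\services\%%~a" >nul 2>&1 && (
      echo   registry key remains: services\%%~a
      set /a left+=1
    )
  )

  REM Product keys under HKLM\Software
  for %%a in (trendmicro trendmicro_volatile) do (
    reg query "\\%%s\hklm\software\%%a" >nul 2>&1 && (
      echo   registry key remains: software\%%a
      set /a left+=1
    )
  )

  REM Install directory, checked through the admin share
  if exist "\\%%s\c$\program files\trend micro\" (
    echo   directory remains: c:\program files\trend micro
    set /a left+=1
  )

  if !left! equ 0 (echo   clean) else (echo   !left! items left)
)
endlocal
```

Remote `reg query` only reaches HKLM and HKU, so the per-user `hkcu` keys and the hidden devices still have to be checked on each server itself.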
 
LVL 4

Expert Comment

by:griff4345
ID: 33601753
I just wanted to add this comment:

The asker accurately posed his problem at 10:12 PM.

"sirbounty", by 11:31 PM, wrote and delivered a 64 line, comprehensive batch file, complete with annotations to the asker.

Now that is truly what I call dedication to the concept of community volunteer support.

Good on ya, sirbounty! That is awesome, indeed!

---GRIFF
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 33602709
Sorry about that - I had to jump in the shower, otherwise it would have been sooner... ;^)
0

 
LVL 24

Author Comment

by:B H
ID: 33603294
plus he's against me leaving it unfinished, by manually doing the hwid uninstalls :)

sirbounty you're fearsome :)

now if i can just get my sheep to stop logging in, i can actually do it
0
 
LVL 24

Author Comment

by:B H
ID: 33623151
sorry for the delay

looks like it does most everything just have to remember to go get the devices by hand

line 3 in the script had this at the end:
rvice.exe ofcaosmgr.exe)) do taskkill /im %%a /f

i changed it to a single close paren and that let it keep going

for the most part though, that is great :)
0
 
LVL 24

Author Closing Comment

by:B H
ID: 33623152
very fast response and exactly as asked, thanks for the help
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 33623456
Glad I could help.  Thanks for the grade! :^)
0
 

Expert Comment

by:mybsa
ID: 34440802
Great stuff - This might help someone going forward

:DevRemoval
REM uninstall these HIDDEN non-plug and play devices (this is the tricky part):
REM tmactmon ***Didn't see this listed on test machine WFBS 6 SP1***
REM tmcomm
REM tmevtmgr ***Didn't see this listed on test machine WFBS 6 SP1***
REM "trend micro filter"
REM "trend micro prefilter"
REM "trend micro tdidriver"
REM "trend micro vsapi nt"
 
REM Use devcon to set a hardware ID as the hidden non-pnp devices do not have one
devcon sethwid @ROOT\LEGACY_TMCOMM\0000 := TMCOMM
devcon sethwid @ROOT\LEGACY_TMFILTER\0000 := TMFILTER
devcon sethwid @ROOT\LEGACY_TMPREFILTER\0000 := TMPREFILTER
devcon sethwid @ROOT\LEGACY_TMTDI\0000 := TMTDI
devcon sethwid @ROOT\LEGACY_VSAPINT\0000 := VSAPINT

REM Remove the devices we just named
for %%a in ("TMCOMM" "TMFILTER" "TMPREFILTER" "TMTDI" "VSAPINT") do devcon remove %%a

REM Now we have to reboot to complete the uninstall of those devices
devcon reboot

0
 
LVL 24

Author Comment

by:B H
ID: 34441593
Absolutely :)  and I know you know what it's for haha
(Don't say it tho keep the googles out)
0
 
LVL 24

Author Comment

by:B H
ID: 34441613
oh whoops i thought i was replying to a different scripting question, disregard that last question

in addition to this post here, i've recently found an official trendmicro dirty uninstaller from trend themselves - it's basically a batch file with all the changes above and then some

they have it on their public ftp server, but i've rehosted it for myself here:
www.thefocisgroup.com/helpdesk/tmuninstaller.zip

i found that even their uninstaller batch file crashes at first, saying you don't have admin rights when you really, really do... so i would just REM out that part of the batch file if it happens to you

0
