
Silent uninstall of password protected TrendMicro antivirus  


Marco Nuijens
(@manu)
Member Admin
Joined: 3 years ago
Posts: 50
28/02/2013 9:19 am  

Ever tried to silently uninstall the TrendMicro AntiVirus client when it's password protected? You probably could not find a suitable, free and total solution for your situation. It happened to me a while ago and I would like to share my experiences. I know it's possible to manage the installed clients through the TrendMicro server management console, but at the company where I implemented this solution they chose not to because of the limited bandwidth to certain company locations.

 Environment description:

  • Windows 2008 R2
  • Windows 7
  • SCCM 2007 R2
  • RES Workspace Manager 2011 SR2
  • App-V 4.6 SP1
  • TrendMicro v10.5+

The challenge:

Before installing the new version of the TrendMicro AV client the old client needs to be uninstalled. When I tried uninstalling the client with "msiexec.exe /x{guid} /qn /norestart" I noticed that the uninstallation failed. At that point I discovered that the uninstallation required a password. The uninstall will be part of an SCCM 2007 "Task Sequence" which will contain multiple software updates and one reboot at the end.

Requirements:

  • Workaround for the password protection
  • No Reboot until planned reboot
  • Silent Uninstall

Solution:

Searching the internet for a solution, I didn't find any working method to bypass the password protection and/or silently uninstall the AV client. It seemed that the only solution was to manage the clients through the TrendMicro AV Management Console. As mentioned earlier, this was not an option, so I needed to look for another solution. After some searching I came across the AUTOPCC.ini file on the TrendMicro management server, located in:

"X:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Autopcc.cfg"

Here I found the values -991334* (no password) and -0442* (silent uninstall).
I discovered that these parameters worked in combination with "ntrmv.exe" which is located in the following location on the client side:

"C:\Program Files\Trend Micro\OfficeScan Client"

(*) I've recently changed these parameters for security reasons. If you're not able to find these parameters in the location I mentioned, you are probably not authorized to uninstall the TrendMicro AV.

By using these parameters in combination with "ntrmv.exe" the uninstall ignores the password protection and uninstalls the TrendMicro client silently without rebooting.

I created a script for the uninstall. In this script I made sure that the installation of the new client does not start before the uninstall of the old client is completed. To achieve this I added a check in the script: it checks whether the "ntrmv.exe" process is still running and, if so, keeps checking until the process has stopped. Then the script finishes. Below is the code of the VBS script I created.

' Name : UnInstall-TrendMicro.vbs
' Description : Script for silently uninstalling TrendMicro client and bypass password protection.
' Created by: Marco Nuijens - Virtualizethis.net

Set WshShell = WScript.CreateObject("WScript.Shell")
set FSO = CreateObject("Scripting.FileSystemObject")
strApp = "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
strPara1 = "-980223"
strPara2 = "-331"

Dim myExit, return
myExit = 0

currentDirectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))

' Run UnInstall of TrendMicro
WshShell.run Chr(34) & strApp & Chr(34) & " " & Chr(34) & strPara1 & Chr(34) & " " & Chr(34) & strPara2 & Chr(34), 0, True

' Activate the loop until result is "myExit" = 1
Do Until myExit = 1
' Triggers the check on the active "ntrmv.exe" process
	CheckTrendMicro
Loop

SUB CheckTrendMicro()

myExit = 1
set service = GetObject ("winmgmts:")
' Check for active ntrmv.exe process.
for each Process in Service.InstancesOf ("Win32_Process")
	If Process.Name = "ntrmv.exe" then
			myExit = 0
			' wait for X time before checking for running process again.
			Wscript.sleep(60000)
	End if
NEXT
End SUB

Below is a version which checks whether it's an x86 or x64 installation:

' Name : UnInstall-TrendMicro.vbs
' Description : Script for silently uninstalling TrendMicro client and bypass password protection.
' Created by: Marco Nuijens - Virtualizethis.net

Set WshShell = WScript.CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")
strApp = "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
strPara1 = "-980223"
strPara2 = "-331"

' OSarchitecture() returns True on x64 (AMD64) and False on x86.
' 32-bit Windows has no "Program Files (x86)" folder, so that path applies to x64 only.
If OSarchitecture() Then
	strApp = "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrmv.exe"
Else
	strApp = "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
End If

Dim myExit, return
myExit = 0

currentDirectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))

' Run UnInstall of TrendMicro
WshShell.run Chr(34) & strApp & Chr(34) & " " & Chr(34) & strPara1 & Chr(34) & " " & Chr(34) & strPara2 & Chr(34), 0, True

' Activate the loop until result is "myExit" = 1
Do Until myExit = 1
	' Triggers the check on the active "ntrmv.exe" process
	CheckTrendMicro
Loop

SUB CheckTrendMicro()
	myExit = 1
	set service = GetObject ("winmgmts:")
	' Check for active ntrmv.exe process.
	for each Process in Service.InstancesOf ("Win32_Process")
		If Process.Name = "ntrmv.exe" then
			myExit = 0
			' wait for X time before checking for running process again.
			Wscript.sleep(60000)
		End if
	NEXT
End SUB

'Function to check if architecture is X86 or X64 (AMD64)
Function OSarchitecture()
	Const HKLM = &H80000002
	Dim strComputer, WshShell, sOSarch
	strComputer = "."
	Set WshShell = WScript.CreateObject("WScript.Shell")
	sOSarch = WshShell.RegRead("HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_ARCHITECTURE")
	If sOSarch = "x86" Then
		OSarchitecture = False
	End If
	If sOSarch = "AMD64" Then
		OSarchitecture = True
	End If
	Set WshShell = Nothing
End Function

After the uninstall I checked if there was anything left behind. Both the installation folder and the TrendMicro registry tree were completely deleted during the uninstall.

If you've got any comments or questions please post them below; if not, I hope this information was useful for you.
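
Seen from the monitoring side, the launch described in this post (ntrmv.exe started with two numeric switches, here from a script host) shows up in process-creation logging. The following is an added example, not part of the original post or of Trend Micro's tooling: it classifies constructed records whose field names are modelled on Sysmon Event ID 1; the `Host` field, the account names, the placeholder switch values and the approved-account list are assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Constructed sample records (not real logs). Field names follow Sysmon
# Event ID 1; the numeric switches are placeholders, not OfficeScan values.
NTRMV = r"C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe"
SAMPLE_EVENTS = [
    {"Host": "WS-014", "User": r"CORP\jdoe", "Image": NTRMV,
     "CommandLine": f'"{NTRMV}" "-000000" "-000"',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Host": "WS-020", "User": r"CORP\svc_deploy", "Image": NTRMV,
     "CommandLine": f'"{NTRMV}" "-000000" "-000"',
     "ParentImage": r"C:\Windows\System32\cscript.exe"},
    {"Host": "WS-031", "User": r"CORP\asmith", "Image": NTRMV,
     "CommandLine": f'"{NTRMV}"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Host": "WS-031", "User": r"CORP\asmith",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe /x{guid} /qn /norestart",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# A switch made only of digits, e.g. "-000000", not embedded in a longer token.
NUMERIC_SWITCH = re.compile(r"(?<![\w.])-\d{3,}(?![\w.])")

def classify(event, approved_users=frozenset()):
    """Return a finding for an ntrmv.exe launch, or None for other processes."""
    if basename(event["Image"]).lower() != "ntrmv.exe":
        return None
    switches = NUMERIC_SWITCH.findall(event["CommandLine"])
    if len(switches) < 2:
        severity = "info"        # no switch pair: password prompt still applies
    elif event["User"].lower() in approved_users:
        severity = "expected"    # planned removal by a deployment account
    else:
        severity = "high"        # AV removed silently outside change control
    return {"host": event["Host"], "user": event["User"], "severity": severity,
            "parent": basename(event["ParentImage"]).lower(),
            "switch_count": len(switches)}

def scan(events, approved_users=frozenset()):
    """Classify every record and keep only the ntrmv.exe findings."""
    approved = {u.lower() for u in approved_users}
    return [f for f in (classify(e, approved) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, {r"CORP\svc_deploy"}):
        print(finding)
```
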


Asen
(@Asen)
Guest
Joined: 7 years ago
Posts: 1
18/03/2013 4:37 pm  

I don't know why I didn't find the directory below on my computer.

X:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Autopcc.cfg


Marco Nuijens
(@manu)
Member Admin
Joined: 3 years ago
Posts: 50
19/03/2013 9:13 am  

Dear Asen,

That directory is located on the server where the TrendMicro management console is installed. And X stands for the drive letter where it's installed. Could also be "c" or "d" or any other drive letter. You cannot find it on the client computers.
You could try it with the same parameters I used, these should work. If not, you need to find the AUTOPCC.ini file as described in the blog post.

Greetz,

Marco Nuijens


Aaron
(@Aaron)
Guest
Joined: 6 years ago
Posts: 1
22/07/2013 4:50 pm  

Those command line options are the same for my installation. I'm thinking that they chose a "random" feeling number to prevent people from learning how to uninstall via commandline, without a password?

This find is impressive. Hands down one of the best odd finds I've seen in my 15 years of geekdom. Thanks for the post, I can't seem to find much information about OfficeScan on the Internet.


Marco Nuijens
(@manu)
Member Admin
Joined: 3 years ago
Posts: 50
22/07/2013 5:37 pm  

Hi Aaron,

Glad to be of help :). I found myself wondering the same thing too, why are they using the same numeric value in every installation. But it helped me and you and probably some more people. The reason I made the post is that I was looking for a suitable solution too but could not find a reasonable one.

Again glad to be of help and thanks for your comment 🙂 always nice to hear 🙂


Christine
(@Christine)
Guest
Joined: 6 years ago
Posts: 2
03/12/2013 6:21 pm  

When I ran the script it still brings up a prompt to enter the password. I am running Trend 10.6 and have the same requirements as the author of the post (to silently uninstall Trend that is password protected).


Christine
(@Christine)
Guest
Joined: 6 years ago
Posts: 2
03/12/2013 7:24 pm  

Disregard... The values for SilentInstall and No Password were different on my version. After modifying the parameters the script worked like a charm! I will be bundling this script with SEPprep since we are replacing Trend with Symantec's solution for my company. Now to get everything automated and I should be good. Thanks for posting this! It was so much help and very useful!


Marco Nuijens
(@manu)
Member Admin
Joined: 3 years ago
Posts: 50
03/12/2013 7:39 pm  

Hi Christine,

It could be that the values are not working for you. But to be honest I have changed the values a bit for security reasons of the company I worked for. So they could have been the same.

I will adjust the post so it's more clear for future readers that they will have to get the values themselves from the Autopcc.cfg file.

Thank you and glad to be of some help 🙂


Rich Watkins
(@Rich Watkins)
Guest
Joined: 6 years ago
Posts: 1
20/12/2013 6:05 pm  

Great job on this. Especially locating the values in the Autopcc.cfg. Worked fantastic. Thanks for sharing.


Kellan
(@Kellan)
Guest
Joined: 6 years ago
Posts: 2
17/01/2014 2:18 pm  

When I ran the script I got

Line 31
Char 1
Error The system cannot find the file specified
Code 80070002

Made sure you check the install directory. For mine it was "Client Server Security Agent" instead of "Office Scan Client"

I changed this in the script and ran it again but still get the same error. Any ideas what I'm doing wrong here?

BTW This script is EXACTLY what I have been looking for. Thank you for reviving this thread and posting. You have made my life so much easier as I have about 200 clients that I need to remove from various computers at a mine site. Some are above ground, some underground so this saves me having to remote into each one. THANK YOU THANK YOU.


Marco Nuijens
(@manu)
Member Admin
Joined: 3 years ago
Posts: 50
18/01/2014 6:16 pm  

Hi Kellan,

Glad to be of some help. I've noticed that lately the code blocks in my blog posts are ignoring the (back)slashes. I suggest changing the variable strApp into "C:\Program Files\Trend Micro\OfficeScan Client\ntrmv.exe", in your case to "C:\Program Files\Client Server Security Agent\ntrmv.exe".

Hopefully this will correct your issue if not please let me know. Sorry for the inconvenience, I'm working on a new site which will overcome these mistakes in the script blocks.

Kind regards


Kellan
(@Kellan)
Guest
Joined: 6 years ago
Posts: 2
18/01/2014 8:44 pm  

Marco,

Here is my script as it stands x's for my config numbers.

' Name : UnInstall-TrendMicro.vbs
' Description : Script for silently uninstalling TrendMicro client and bypass password protection.

Set WshShell = WScript.CreateObject("WScript.Shell")
set FSO = CreateObject("Scripting.FileSystemObject")
strApp = "C:Program FilesTrend MicroClient Server Security Agentntrmv.exe"
strPara1 = "-xxxxxx"
strPara2 = "-xxx"

Dim myExit, return
myExit = 0

currentDirectory = left(WScript.ScriptFullName,(Len(WScript.ScriptFullName))-(len(WScript.ScriptName)))

' Run UnInstall of TrendMicro
WshShell.run Chr(34) & strApp & Chr(34) & " " & Chr(34) & strPara1 & Chr(34) & " " & Chr(34) & strPara2 & Chr(34), 0, True

' Activate the loop until result is "myExit" = 1
Do Until myExit = 1
' Triggers the check on the active "ntrmv.exe" process
CheckTrendMicro
Loop

SUB CheckTrendMicro()

myExit = 1
set service = GetObject ("winmgmts:")
' Check for active ntrmv.exe process.
for each Process in Service.InstancesOf ("Win32_Process")
If Process.Name = "ntrmv.exe" then
myExit = 0
' wait for X time before checking for running process again.
Wscript.sleep(60000)
End if
NEXT
End SUB

Am I missing something?


Oussama
(@Oussama)
Guest
Joined: 5 years ago
Posts: 1
24/10/2014 5:47 pm  

What are
strPara1 = "-991334"
strPara2 = "-442"
used for?


Marco Nuijens
(@manu)
Member Admin
Joined: 3 years ago
Posts: 50
24/10/2014 6:14 pm  

Hi Oussama,

These are the parameters you have to change to your parameters found in the "X:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Autopcc.cfg" file on your management server of Trendmicro.

-991334 is the parameter for "no password" and -0442 is the parameter for "silent uninstall". Please note that you need to change these parameters for the values found in your "autopcc.cfg" file.

Kind regards,

Marco Nuijens


Rocko
(@Rocko)
Guest
Joined: 5 years ago
Posts: 1
07/01/2015 7:14 pm  

Hi, sorry, do you know the commands for SilentInstall? I tried changing the value in the same file, autopcc.ini, but in the login script the CMD window shows the process. I need a command, for example @echo off, so that it does not show this. Thanks.

