Hard-Removing Elastic Endpoint

Hey,

After an upgrade to 7.13 and the auto-removal of Kibana-builtin Fleet, I'm now cleaning up in order to re-install Elastic Agents.

On Windows Hosts, I'm not able to remove Elastic Endpoint.

  • Unenrolling the agent from Fleet didn't work
  • I tried elastic-agent uninstall, which removed the Agent but left the Elastic Endpoint (even after restart)
  • There is no stopping the service. It always says "Access Denied". I tried as BUILTIN\Administrator, and even as NT AUTHORITY\SYSTEM. You can't even alter the service's security descriptor using sc.exe and NT AUTHORITY\SYSTEM.

I mean, congratulations on the tamper protection :wink: but how do I get back control over my system now and properly remove Elastic Endpoint?

I was pointed to:

It works.

cd %TEMP%
copy "c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" elastic-endpoint.exe
.\elastic-endpoint.exe uninstall
del .\elastic-endpoint.exe