Impossible to uninstall Elastic Endpoint

Hello,
I've uninstalled the Elastic Agent on a Windows machine successfully; the uninstall command runs successfully, but the Elastic Endpoint folder is still present.

without success; it runs but the folder is still present.

  • Tried to reinstall the Elastic Agent, but it gives me the error

How can I definitively remove the folder C:\Program Files\Elastic\Endpoint?

Thanks in advance for the help.

Hi,

Run the following command to stop the Elastic Endpoint service:

sc stop "Elastic Endpoint"

Once the service is stopped, try to delete the folder again.

Regards

Hi,

I'm an Endpoint developer.

We don't even know what version is installed. However, it shouldn't matter when following the uninstall guide, unless it's a very recent Endpoint with Tamper Protection turned ON.

Could you send me a console log from executing:

cd %TEMP%
copy "c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" elastic-endpoint.exe
.\elastic-endpoint.exe version
.\elastic-endpoint.exe uninstall --log stdout --log-level trace
del .\elastic-endpoint.exe

Hi, thanks a lot for the help.
Here is the output of the commands:

Version

version: 8.9.1, compiled: Tue Aug 8 15:00:00 2023, branch: 8.9, commit: 1d13054232606508c9e4c0a53380f2e20158b9f9 

Unprotect command (.\elastic-endpoint.exe unprotect): no output received.

Uninstall command with trace (output too heavy; here is an extract, but all the output is pretty similar):

2024-03-14 09:29:42: info: Main.cpp:287 Executing uninstall
2024-03-14 09:29:42: debug: Service.cpp:817 PPL is supported. This process is unprotected. (TrustLevelSid: absent)
2024-03-14 09:29:42: error: Service.cpp:329 OpenServiceW(ElasticEndpointDriver) failed with error 1060
2024-03-14 09:29:42: trace: Service.cpp:330 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2024-03-14 09:29:42: trace: Service.cpp:389 Function returned error status (Failure in an external software component)
2024-03-14 09:29:42: trace: File.cpp:1060 Function returned error status (Failure in an external software component) because of system status (2/The system cannot find the file specified.)
2024-03-14 09:29:42: trace: File.cpp:1145 Function returned error status (Failure in an external software component)
2024-03-14 09:29:42: trace: File.cpp:244 Function returned error status (Failure in an external software component)
2024-03-14 09:29:42: trace: Util.cpp:2081 Function returned error status (Failure in an external software component)
2024-03-14 09:29:42: error: Service.cpp:178 OpenServiceW(ElasticEndpoint) failed with error 1060
2024-03-14 09:29:42: trace: Service.cpp:179 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2024-03-14 09:29:42: error: Util.cpp:1383 Endpoint service was unable to be deleted or scheduled for deletion.
2024-03-14 09:29:42: error: Service.cpp:178 OpenServiceW(ElasticEndpointDriver) failed with error 1060
2024-03-14 09:29:42: trace: Service.cpp:179 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2024-03-14 09:29:42: error: Util.cpp:1401 Endpoint driver service was unable to be deleted or scheduled for deletion.
2024-03-14 09:29:42: error: Service.cpp:329 OpenServiceW(ElasticELAMDriver) failed with error 1060
2024-03-14 09:29:42: trace: Service.cpp:330 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2024-03-14 09:29:42: trace: Service.cpp:389 Function returned error status (Failure in an external software component)
2024-03-14 09:29:42: error: Service.cpp:178 OpenServiceW(ElasticELAMDriver) failed with error 1060
2024-03-14 09:29:42: trace: Service.cpp:179 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2024-03-14 09:29:42: error: Util.cpp:1427 ELAM driver service was unable to be deleted or scheduled for deletion.
2024-03-14 09:29:42: trace: Util.cpp:396 Function returned error status (Failed to delete registry key)
2024-03-14 09:29:42: trace: Util.cpp:412 Function returned error status (Failed to delete registry key)
2024-03-14 09:29:42: debug: File.cpp:501 Removing [C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml]
2024-03-14 09:29:42: trace: File.cpp:508 Function returned error status (I/O error) because of system status (5/Access is denied.)
2024-03-14 09:29:42: info: File.cpp:528 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\elastic-endpoint.yaml
2024-03-14 09:29:42: debug: File.cpp:501 Removing [C:\Program Files\Elastic\Endpoint\SecurityProductInformation.ini]
2024-03-14 09:29:42: trace: File.cpp:508 Function returned error status (I/O error) because of system status (5/Access is denied.)
2024-03-14 09:31:22: info: File.cpp:528 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\NOTICE.txt
2024-03-14 09:31:22: trace: PlatformFile.cpp:1011 Function returned error status (Failure in an external software component)
2024-03-14 09:31:22: trace: PlatformFile.cpp:1009 Function returned error status (Invalid parameter)
2024-03-14 09:31:22: trace: PlatformFile.cpp:1009 Function returned error status (Invalid parameter)
2024-03-14 09:31:22: trace: File.cpp:703 Function returned error status (I/O error)
2024-03-14 09:31:22: trace: File.cpp:703 Function returned error status (I/O error)
2024-03-14 09:31:22: trace: Util.cpp:647 Function returned error status (Not found)
2024-03-14 09:31:22: trace: Util.cpp:836 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:606 Function returned error status (Invalid parameter)
2024-03-14 09:31:22: trace: PlatformFile.cpp:965 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:986 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:536 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:984 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:536 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:984 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:536 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:984 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:536 Function returned error status (Not found)
2024-03-14 09:31:22: trace: PlatformFile.cpp:984 Function returned error status (Not found)

I have the console log saved in a txt file; how can I share it? Is Pastebin OK?

Thanks again for the assistance.

Sincerely
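The trace log above is too long to post whole. As an added example (not part of this thread and not Elastic's own tooling), here is a small Python parser for the log format shown that condenses such a log into the Win32 status codes, missing services and stuck files a responder needs; the sample lines are copied from the excerpt above.

```python
import re
from collections import Counter

# Format of the elastic-endpoint trace log quoted in the post above:
#   "<date> <time>: <level>: <File.cpp>:<line> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>\w+): (?P<src>[\w.]+:\d+) (?P<msg>.*)$")
STATUS_RE = re.compile(r"system status \((?P<code>\d+)/(?P<text>[^)]*)\)")   # Win32 status
SERVICE_RE = re.compile(r"OpenServiceW\((?P<name>\w+)\) failed with error (?P<err>\d+)")
ATTR_RE = re.compile(r"failed to reset file attributes for (?P<path>.+)$")

def parse_line(line):
    """Return a dict for one log line (ts, level, src, msg, status) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    s = STATUS_RE.search(rec["msg"])
    rec["status"] = int(s.group("code")) if s else None
    return rec

def summarize(lines):
    """Condense a long trace log: Win32 status counts, services that could not
    be opened (1060 = ERROR_SERVICE_DOES_NOT_EXIST), and files whose attributes
    could not be reset (the 'Access is denied' case from the thread)."""
    status_counts, missing_services, stuck_files = Counter(), [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] is not None:
            status_counts[rec["status"]] += 1
        svc = SERVICE_RE.search(rec["msg"])
        if svc and svc.group("err") == "1060" and svc.group("name") not in missing_services:
            missing_services.append(svc.group("name"))
        att = ATTR_RE.search(rec["msg"])
        if att:
            stuck_files.append(att.group("path"))
    return {"status_counts": dict(status_counts),
            "missing_services": missing_services, "stuck_files": stuck_files}

# Sample input: lines copied from the trace excerpt in the post above.
SAMPLE = """\
2024-03-14 09:29:42: info: Main.cpp:287 Executing uninstall
2024-03-14 09:29:42: error: Service.cpp:329 OpenServiceW(ElasticEndpointDriver) failed with error 1060
2024-03-14 09:29:42: trace: Service.cpp:330 Function returned error status (Failure in an external software component) because of system status (1060/The specified service does not exist as an installed service.)
2024-03-14 09:29:42: error: Service.cpp:178 OpenServiceW(ElasticEndpoint) failed with error 1060
2024-03-14 09:29:42: trace: File.cpp:508 Function returned error status (I/O error) because of system status (5/Access is denied.)
2024-03-14 09:29:42: info: File.cpp:528 Attempted deletion failed, failed to reset file attributes for C:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.yaml
""".splitlines()
```

Run `summarize(open("uninstall.txt").read().splitlines())` on the full log to get the same summary for the whole file.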

I'll send you a PM with a URL where you can upload the log(s).

I'm not sure how your machine ended up in this state.

I would like to see the full log from the uninstall. In addition, I'd like to ask for the output of:

cmd /c sc query "ElasticEndpoint"

Could you download the Sysinternals utility https://live.sysinternals.com/accesschk64.exe and also provide me the output of this command:

accesschk64.exe -accepteula -l -v "c:\Program Files\Elastic\Endpoint"

Thanks

Hi,
This machine ended up in this state when I was migrating the agent to a new Elastic server installation; instead of uninstalling and reinstalling, I unenrolled it and enrolled it again into the new server installation.

The strange thing (I've only noticed it now) is that the service does not exist, even if I try to install it again: in fact, the sc query command gives "Service does not exist".

The problem is only on deleting the C:\Program Files\Elastic\Endpoint folder and the files inside it.

I've uploaded a zip with two files:

  • uninstall.txt -> the complete log of the uninstall command
  • accesschk.txt -> the accesschk64 output

Tell me if you need something else.

Thanks for the assistance.

Hi, it would be hard to troubleshoot this further. The accesschk log confirms that you're using the right elastic-endpoint.exe.

At this point the simplest solution would be to boot the machine from Linux (bootable CD or pendrive) to delete the entire Endpoint directory, bypassing Windows.

Hi,
Thanks for your analysis; since it is a Domain Controller (on a VM), it is not too easy to perform this solution.

Anyway, thanks again for your time; if there are no other alternatives to unlock this folder, I will try your solution in the next available maintenance window on the server.

Bye, have a good day!

Thanks for the patience. I'm glad to hear that you'll eventually be able to fix it.

We are already aware of this problem. The file system may remain in an inconsistent state due to a sudden power off, shutdown, etc. So far, the steps we have already tried here have otherwise been sufficient to recover from the situation. In this case, NTFS is corrupted in a unique way for which we would most likely have to develop a one-time recovery tool. Linux doesn't care about SACL/DACL security on NTFS, so it will let you remove it cleanly.

Sorry again for the trouble. We're working on a new version of the files protection which will use different mechanisms to achieve the same goal.

Have a nice day, and I hope you still like using Elastic Defend.