Impossible to uninstall Elastic Endpoint

Hello Hamid,

We've looked at the Kibana logs. You have 1 token out of 5 which cannot be decoded.

It's puzzling what has happened. You're running two Kibana instances; do both have an identical config, especially xpack.encryptedSavedObjects.encryptionKey? Or maybe the key was changed, and then the 4 additional tokens were added?

It's also possible that the key is fine but something happened to the AAD (Additional Authenticated Data) of the saved object.

Since Tamper Protection requires a Platinum or higher subscription, I suggest moving this to the official support channel, where you'll get our full attention. Trying to solve it in a spare minute is challenging.

Best

Hello Lesio,

Thank you so much for your support.

The issue is almost fixed. We raised a ticket with Elastic support and they provided us with artifacts that we used, and we managed to remove almost all of the endpoint. The only thing left is the service: we can still see Elastic Endpoint in the services, but disabled, and we will need to remove it to be able to install a new endpoint.

We used the command below to delete the service, but it did not work.

sc delete ElasticEndpoint

We already informed our support for that.

Thanks & Best Regards,

Hamid Allaoui

Then I've just seen your ticket, it was escalated to us.

I've already passed this on to support, but I may as well ask here directly since you seem to be online. Was the C:\Program Files\Elastic\Endpoint directory removed?

Anyway thanks for letting us know it's the same case.

Hi there.
I come from a brand new install of ES 9.
I was using the trial of 8 and then wanted to try the version 9 XDR / EDR features.
But the issue is that I forgot that the agents had the anti-tamper protection on.

On Linux and macOS it is doable to force the removal, so I had no issues, but on Windows it is a really big pain.

I tried everything, but nothing will adjust the ACLs on C:\Program Files\Elastic\Endpoint, so even as SYSTEM I couldn't delete the folder.
I have two Windows VMs where I'm testing it and both had the 8.x agent with tamper protection.

I was able to fully remove the folders, drivers and services on one of the workstations from safe mode and then in normal mode + psexec to get SYSTEM.

But after the install it seems that some ACLs are still there even if I tried to reset and adjust them with takeown or icacls.

Logs at start of agents:

01:07:37.048 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: info: InstallLib.cpp:623 Endpoint is not installed
01:07:37.049 elastic_agent [elastic_agent][info] after check if endpoint service is installed, err: 2025-04-28 23:07:37: info: InstallLib.cpp:623 Endpoint is not installed: exit status 1
01:07:37.049 elastic_agent [elastic_agent][info] failed check endpoint service: 2025-04-28 23:07:37: info: InstallLib.cpp:623 Endpoint is not installed: exit status 1, try install
01:07:37.066 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: info: Main.cpp:559 Upgrading existing installation (protected)
01:07:37.068 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: info: Artifacts.cpp:1153 Attempting to process existing artifacts manifest, channel stable
01:07:37.068 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: info: InstallLib.cpp:527 Attempting uninstall with preserved state for upgrade
01:07:37.068 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: debug: VaultLib.cpp:207 Vault initialized with existing seed file
01:07:37.071 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: debug: VaultLib.cpp:614 Successfully read vault key: config
01:07:37.071 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: info: InstallLib.cpp:1173 Skipping uninstall token validation as tamper protection is not enabled.
01:07:37.071 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: info: InstallLib.cpp:549 Failed to uninistall with preserved state, attempting full uninstall
01:07:37.071 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: debug: Service.cpp:814 PPL is supported. This process is unprotected. (TrustLevelSid: absent)
01:07:37.072 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: warning: Util.cpp:1482 Error encountered while unprotecting service for uninstall
01:07:37.072 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: warning: Service.cpp:82 Service ElasticEndpointDriver does not exist
01:07:37.072 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: error: Service.cpp:360 Failed acquiring service handle (ElasticEndpointDriver) with error: Not found and GLE: 1060
01:07:37.072 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: error: Service.cpp:234 DeleteService(ElasticEndpoint) failed with error 5
01:07:37.072 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: error: Util.cpp:1522 Unable to delete Endpoint service key after failing to delete service through SCM.
01:07:37.072 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: warning: Service.cpp:82 Service ElasticEndpointDriver does not exist
01:07:37.072 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: warning: Service.cpp:222 Unable to uninstall service ElasticEndpointDriver as it was not found
01:07:37.072 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: error: Util.cpp:1550 Endpoint driver service was unable to be deleted or scheduled for deletion.
01:07:37.076 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: warning: InstallLib.cpp:246 At least one resources was found to still be protected after Uninstall()
01:07:37.076 elastic_agent [elastic_agent][error] 2025-04-28 23:07:37: error: InstallLib.cpp:553 A resource unexpectedly remains protected after full Uninstall with no persisted state

I even uninstalled the ELAM driver so it won't block me, but still no luck.

I tried the trick with:

cd %TEMP%
copy "c:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" elastic-endpoint.exe
.\elastic-endpoint.exe version
.\elastic-endpoint.exe uninstall --log stdout --log-level trace
del .\elastic-endpoint.exe

But this was the output:

version: 8.17.4, compiled: Tue Mar 18 16:00:00 2025, branch: HEAD, commit: 8345b5c8635fc663766ada3b7c5c13f8aab43f07


2025-04-29 13:18:49: info: Main.cpp:273 Process machine 0x8664. Native machine 0x8664.
2025-04-29 13:18:49: info: Main.cpp:467 Executing uninstall
2025-04-29 13:18:49: trace: InstallLib.cpp:1146 Function returned error status (Invalid uninstall token)
2025-04-29 13:18:49: debug: VaultLib.cpp:207 Vault initialized with existing seed file
2025-04-29 13:18:49: trace: Mutex.cpp:1187 Function returned error status (Requested resource is not locked)
2025-04-29 13:18:49: trace: Mutex.cpp:1187 Function returned error status (Requested resource is not locked)
2025-04-29 13:18:49: debug: VaultLib.cpp:614 Successfully read vault key: config
2025-04-29 13:18:49: debug: ECSUtilities.cpp:447 Tamper protection enabled
2025-04-29 13:18:49: info: InstallLib.cpp:1162 Skipping uninstall token validation because system is running in Safe Mode.
2025-04-29 13:18:49: debug: Service.cpp:804 PPL is supported. This process is unprotected. (TrustLevelSid: absent)
2025-04-29 13:18:49: trace: Util.cpp:765 Function returned error status (Start failed)
2025-04-29 13:18:49: warning: Util.cpp:1482 Error encountered while unprotecting service for uninstall
2025-04-29 13:18:49: warning: Service.cpp:82 Service ElasticEndpointDriver does not exist
2025-04-29 13:18:49: error: Service.cpp:360 Failed acquiring service handle (ElasticEndpointDriver) with error: Not found and GLE: 1060
2025-04-29 13:18:49: trace: Service.cpp:412 Function returned error status (Not found)
2025-04-29 13:18:49: trace: File.cpp:1012 Function returned error status (Failure in an external software component) because of system status (2/The system cannot find the file specified.)
2025-04-29 13:18:49: trace: File.cpp:1096 Function returned error status (Failure in an external software component)
2025-04-29 13:18:49: trace: File.cpp:196 Function returned error status (Failure in an external software component)
2025-04-29 13:18:49: trace: Util.cpp:2238 Function returned error status (Failure in an external software component)
2025-04-29 13:18:49: error: Service.cpp:234 DeleteService(ElasticEndpoint) failed with error 5
2025-04-29 13:18:49: trace: Service.cpp:235 Function returned error status (Failure in an external software component) because of system status (5/Access is denied.)
2025-04-29 13:18:49: trace: RegistryApi.cpp:1001 Function returned error status (Failure in an external software component)
2025-04-29 13:18:49: error: Util.cpp:1522 Unable to delete Endpoint service key after failing to delete service through SCM.
2025-04-29 13:18:49: warning: Service.cpp:82 Service ElasticEndpointDriver does not exist
2025-04-29 13:18:49: trace: Service.cpp:220 Function returned error status (Not found)
2025-04-29 13:18:49: warning: Service.cpp:222 Unable to uninstall service ElasticEndpointDriver as it was not found
2025-04-29 13:18:49: error: Util.cpp:1550 Endpoint driver service was unable to be deleted or scheduled for deletion.
2025-04-29 13:18:49: trace: Util.cpp:396 Function returned error status (Failed to delete registry key)
2025-04-29 13:18:49: trace: Util.cpp:412 Function returned error status (Failed to delete registry key)
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\SecurityProductInformation.ini]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\SecurityProductInformation.ini
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-model]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-model
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-exceptionlist]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-exceptionlist
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-blocklist]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-blocklist
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\production-ransomware-v1-windows]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\production-ransomware-v1-windows
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-ransomware-v1-windows]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-ransomware-v1-windows
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\global-exceptionlist-windows]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\global-exceptionlist-windows
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\global-trustlist-windows-v1]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\global-trustlist-windows-v1
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\global-eventfilterlist-windows-v1]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\global-eventfilterlist-windows-v1
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\global-configuration-v1]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\global-configuration-v1
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\tamper-protection-config-v1]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\tamper-protection-config-v1
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-rules-windows-v1]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-rules-windows-v1
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\production-rules-windows-v1]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\production-rules-windows-v1
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\manifest.json]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\manifest.json
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\manifest.sig]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\manifest.sig
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\production-malware-signature-v1-windows]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\production-malware-signature-v1-windows
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-malware-signature-v1-windows]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-malware-signature-v1-windows
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-endpointpe-v4-exceptionlist]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-endpointpe-v4-exceptionlist
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-endpointpe-v4-blocklist]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-endpointpe-v4-blocklist
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-endpointpe-v4-model]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\diagnostic-endpointpe-v4-model
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\LICENSE.txt]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\LICENSE.txt
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\NOTICE.txt]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\NOTICE.txt
2025-04-29 13:18:50: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\SecurityProductInformation.ini]
2025-04-29 13:18:50: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:50: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\SecurityProductInformation.ini
2025-04-29 13:18:50: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe]
2025-04-29 13:18:50: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:50: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
2025-04-29 13:18:50: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-model]
2025-04-29 13:18:50: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:50: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-model
2025-04-29 13:18:50: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-exceptionlist]
2025-04-29 13:18:50: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:50: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\state\artifacts\global-artifacts\endpointpe-v4-exceptionlist

And these are the ACLs:

C:\Program Files\Elastic\Endpoint S-1-19-512-1536-1701601651-1953063712-8-17-4-0:(OI)(CI)(RX)
                                  NT AUTHORITY\SYSTEM:(F)
                                  NT SERVICE\TrustedInstaller:(CI)(F)
                                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                  BUILTIN\Administrators:(OI)(CI)(F)
                                  CREATOR OWNER:(OI)(CI)(IO)(F)
                                  S-1-19-512-1536:(OI)(CI)(RX)

So I tried from Linux to delete the Endpoint folder, but at restart I got the logs above, saying it couldn't install the service back.

And if I try to delete the service "ElasticEndpoint", even from safe mode, it gives "Access is denied". Any idea or tips?

I would avoid reinstalling the whole OS if possible, and next time I will pay more attention to backing up the uninstall token. Lesson learned.

If you need anything else, LMK, and thanks for the awesome product! <3
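As an added example (not Elastic's code and not from any poster in this thread), here is a small parser for the elastic-endpoint log format pasted above. It pulls out the facts a practitioner triages first: whether tamper protection was on, what the uninstall-token check decided, which services the SCM refused to delete and with which Win32 code, and which files stayed undeletable. The sample lines are constructed from the two shapes seen in this thread (elastic_agent-wrapped lines and bare elastic-endpoint.exe output).

```python
import re
from collections import Counter

# Constructed sample in the two shapes seen in this thread: lines wrapped by
# elastic_agent ("[elastic_agent][error] ...") and bare elastic-endpoint.exe output.
SAMPLE_LOG = r"""
[elastic_agent][error] 2025-04-28 23:07:37: error: Service.cpp:234 DeleteService(ElasticEndpoint) failed with error 5
2025-04-29 13:18:49: debug: ECSUtilities.cpp:447 Tamper protection enabled
2025-04-29 13:18:49: info: InstallLib.cpp:1162 Skipping uninstall token validation because system is running in Safe Mode.
2025-04-29 13:18:49: error: Service.cpp:360 Failed acquiring service handle (ElasticEndpointDriver) with error: Not found and GLE: 1060
2025-04-29 13:18:49: error: Service.cpp:234 DeleteService(ElasticEndpoint) failed with error 5
2025-04-29 13:18:49: trace: Service.cpp:235 Function returned error status (Failure in an external software component) because of system status (5/Access is denied.)
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe
2025-04-29 13:18:49: debug: File.cpp:453 Removing [C:\Program Files\Elastic\Endpoint\LICENSE.txt]
2025-04-29 13:18:49: trace: File.cpp:460 Function returned error status (I/O error) because of system status (5/Access is denied.)
2025-04-29 13:18:49: info: File.cpp:480 Attempted deletion failed, failed to reset file attributes for C:\Program Files\Elastic\Endpoint\LICENSE.txt
"""

# One log line: optional agent wrapper, timestamp, level, source file:line, message.
LINE_RE = re.compile(
    r"^(?:\[elastic_agent\]\[\w+\]\s+)?"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<level>\w+): "
    r"(?P<src>[\w.]+:\d+) "
    r"(?P<msg>.*)$"
)
# Win32 status codes the endpoint reports in trace lines, e.g. "(5/Access is denied.)".
STATUS_RE = re.compile(r"system status \((?P<code>\d+)/")
FILE_FAIL_RE = re.compile(r"failed to reset file attributes for (?P<path>.+)$")
SVC_DELETE_RE = re.compile(r"DeleteService\((?P<svc>\w+)\) failed with error (?P<code>\d+)")
SVC_HANDLE_RE = re.compile(r"Failed acquiring service handle \((?P<svc>\w+)\).*GLE: (?P<code>\d+)")


def parse_lines(text):
    """Return one dict (ts, level, src, msg) per recognised line; others are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Reduce parsed records to the facts that matter when an uninstall fails."""
    summary = {
        "tamper_protection": False,   # did the endpoint report tamper protection on?
        "token_check": None,          # what it said about uninstall token validation
        "service_errors": {},         # service name -> Win32 error code
        "undeletable_files": [],      # paths whose deletion failed, first-seen order
        "status_codes": Counter(),    # Win32 system status codes seen in trace lines
    }
    for rec in records:
        msg = rec["msg"]
        if msg == "Tamper protection enabled":
            summary["tamper_protection"] = True
        elif msg.startswith("Skipping uninstall token validation"):
            summary["token_check"] = msg
        elif (m := SVC_DELETE_RE.search(msg)) or (m := SVC_HANDLE_RE.search(msg)):
            summary["service_errors"][m.group("svc")] = int(m.group("code"))
        elif (m := FILE_FAIL_RE.search(msg)):
            path = m.group("path")
            if path not in summary["undeletable_files"]:
                summary["undeletable_files"].append(path)
        if (m := STATUS_RE.search(msg)):
            summary["status_codes"][int(m.group("code"))] += 1
    return summary


if __name__ == "__main__":
    s = summarize(parse_lines(SAMPLE_LOG))
    print("tamper protection:", s["tamper_protection"])
    print("token check:", s["token_check"])
    print("service errors:", s["service_errors"])
    print("status codes:", dict(s["status_codes"]))
    for path in s["undeletable_files"]:
        print("still protected:", path)
```

Feed it the full trace from a real run (`elastic-endpoint.exe uninstall --log stdout --log-level trace`) to see at a glance whether the blocker is the token check, the service deletion, or file ACLs.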

Just an update.

On a portable PC (the second workstation I mentioned) I was able to fully remove it with:

  • Use a Linux live OS (I used a system recovery one) to mount the NTFS drive:
    • Mount it: ntfs-3g /dev/sdx /mount/path -o permissions
    • Delete Elastic's folder (Endpoint, usually C:\Program Files\Elastic\Endpoint\)
    • Delete Elastic's drivers (Windows\System32\drivers\elastic-endpoint-driver.sys, C:\Windows\System32\drivers\ElasticElam.sys and C:\Windows\ELAMBKUP\ElasticElam.sys)
    • Use chntpw to edit the hive (search how, very easy: chntpw -e Windows\System32\config\SYSTEM), then cd ControlSet001\Services\, then rdel ElasticEndpoint, rdel ElasticEndpointDriver and rdel ElasticELAMDriver (Early Launch Anti-Malware driver)
      • For Windows Server, make sure to also clean ControlSet002, as it works as a Services backup in case of errors in ControlSet001

This should do when you have lost the Uninstall token, on Windows.

For linux just get root access, then:

  • rm -rf /opt/Elastic/Endpoint/

And you should be good to go.

For OSX / Mac it is just like getting root access on Linux, but you need to disable SIP with csrutil disable, and you MUST do it in recovery.

  • Get to recovery terminal (use google, it's a bit long to describe, very easy to find for your own device)
  • csrutil disable
  • reboot to normal

Once booted, unload the plists:

  • sudo launchctl unload /Library/LaunchDaemons/co.elastic.endpoint.plist
  • sudo launchctl unload /Library/LaunchDaemons/co.elastic.elastic-agent.plist

Also remember to remove the System extensions:

  • sudo systemextensionsctl list
  • sudo systemextensionsctl uninstall <TeamID> co.elastic.systemextension

And remove the permissions and login from Settings>General>Login Items

Delete Elastic's Path

  • sudo rm -rf /Library/Elastic/

Once done, remember to enable SIP again (csrutil enable in recovery) and reboot to the normal OS.

Those are the steps I tried and that worked.

Ivan,

Thanks for sharing the details of how you were able to do it. I was actually just writing a response that included using a Linux live OS with chntpw when I saw your post.

I'm glad you're able to resolve it, but one thing in particular caught my eye as something I haven't seen before:

2025-04-29 13:18:49: trace: Util.cpp:765 Function returned error status (Start failed)

I'll direct message you a link to upload with, but if you get a chance and you're willing to share, I'd love to look at any logs you might still have available.


Hi Ben

Thanks for the answer.

I fear that the "migration" from Elastic 8.x to 9.x could have broken something.

For example, on Mac, even after a full uninstall, it seems Elastic Agent 9.0 is unable to use osquery; it looks like it doesn't get installed on Mac.

But this is another issue so I will open another discussion in case.
Will still check on this agent, but sadly I've lost all old logs of the agent version 8.x, I only have the 9.0 ones if needed.

Thanks for the response !

Update for everyone:

  • I adjusted the guidelines for forced uninstall; now they should work out of the box that way, unless the workstation ACLs (Windows) are completely broken.
  • My case was exactly the previous point, where the Windows ACLs persisted for some reason, due to my own fault in how I tried to delete things.

Hope this will help anyone searching for "forced" ways to uninstall the endpoint, because with the Uninstall Token tamper protection, for me it didn't work even with the copy of elastic-endpoint.exe in %TEMP%.