Folder Delete After Uninstall

I am running an action script to uninstall Sophos and delete the folders in Program Files & Program Files (x86). Here is my action script, it’s failing with an exit code of 1605. Am I missing something simple here?

Completed //64-bit
Completed if {x64 of operating system}
Completed //SophosStopServices
Completed waithidden net stop "Sophos Anti-Virus"
Completed waithidden net stop "Sophos AutoUpdate Service"
Completed waithidden net stop "Sophos Agent"
Completed waithidden net stop "Sophos Anti-Virus status reporter"
Completed waithidden net stop "Sophos Message Router"
Completed waithidden net stop "Sophos Network Threat Protection"
Completed waithidden net stop "Sophos System Protection Service"
Completed waithidden net stop "Sophos Web Control Service"
Completed waithidden net stop "Sophos Web Intelligence Service"
Completed waithidden net stop "Sophos Web Intelligence Update"
Completed //Endpoint Defense
Completed dos echo "Endpoint Defense"
Completed if {exists folder "C:\Program Files\Sophos\Endpoint Defense"}
Completed waithidden "C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" /quiet
Completed endif
Completed //System Protection
Completed dos echo "System Protection"
Completed if {exists folder "C:\Program Files (x86)\Sophos\Sophos System Protection"}
Completed waithidden MsiExec.exe /X{{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /quiet /norestart
Completed endif
Completed //AutoUpdate
Completed dos echo "AutoUpdate"
Completed if {exists folder "C:\Program Files (x86)\Sophos\AutoUpdate"}
Completed waithidden MsiExec.exe /X{{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} /quiet /norestart
Completed endif
Completed //RemoteManagement
Completed dos echo "Remote Management"
Completed if {exists folder "C:\Program Files (x86)\Sophos\Remote Management System"}
Completed waithidden MsiExec.exe /X{{FED1005D-CBC8-45D5-A288-FFC7BB304121} /quiet /norestart
Completed endif
Completed //Anti Virus
Completed dos echo "Anti Virus"
Completed if {exists folder "C:\Program Files (x86)\Sophos\Sophos Anti-Virus"}
Completed waithidden MsiExec.exe /X{{65323B2D-83D4-470D-A209-D769DB30BBDB} /quiet /norestart
Completed endif
Completed //Network Threat
Completed dos echo "Network Threat"
Completed if {exists folder "C:\Program Files\Sophos\Sophos Network Threat Protection"}
Completed waithidden MsiExec.exe /X{{66967E5F-43E8-4402-87A4-04685EE5C2CB} /quiet /norestart
Completed endif
Completed //Delete Sophos Directory
Failed folder delete "C:\Program Files (x86)\Sophos"
folder delete "C:\Program Files\Sophos"
//dos rd "C:\Program Files\Sophos" /s /q
//dos rd "C:\Program Files (x86)\Sophos" /s /q

Edit: Just to clarify, the Completed portion of this is not in the action script, it’s the Execution detail showing where the script is failing.

Yep. 32-bit redirection strikes again, I think.

There’s a lot of gory detail in other postings here, but the short version is you probably need this at the start of your script

action uses wow64 redirection false

Thank you, I’ll edit and give it a shot. T

I’ve added to the beginning, but it’s still failing. Here’s my full script, did I put it in the wrong place?

//64-bit
action uses wow64 redirection false
if {x64 of operating system}

//SophosStopServices
waithidden net stop "Sophos Anti-Virus"
waithidden net stop "Sophos AutoUpdate Service"
waithidden net stop "Sophos Agent"
waithidden net stop "Sophos Anti-Virus status reporter"
waithidden net stop "Sophos Message Router"
waithidden net stop "Sophos Network Threat Protection"
waithidden net stop "Sophos System Protection Service"
waithidden net stop "Sophos Web Control Service"
waithidden net stop "Sophos Web Intelligence Service"
waithidden net stop "Sophos Web Intelligence Update"

//Endpoint Defense
dos echo "Endpoint Defense"
if {exists folder "C:\Program Files\Sophos\Endpoint Defense"}
waithidden "C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" /quiet
endif

//System Protection
dos echo "System Protection"
if {exists folder "C:\Program Files (x86)\Sophos\Sophos System Protection"}
waithidden MsiExec.exe /X{{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /quiet /norestart
endif

//AutoUpdate
dos echo "AutoUpdate"
if {exists folder "C:\Program Files (x86)\Sophos\AutoUpdate"}
waithidden MsiExec.exe /X{{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} /quiet /norestart
endif

//RemoteManagement
dos echo "Remote Management"
if {exists folder "C:\Program Files (x86)\Sophos\Remote Management System"}
waithidden MsiExec.exe /X{{FED1005D-CBC8-45D5-A288-FFC7BB304121} /quiet /norestart
endif

//Anti Virus
dos echo "Anti Virus"
if {exists folder "C:\Program Files (x86)\Sophos\Sophos Anti-Virus"}
waithidden MsiExec.exe /X{{65323B2D-83D4-470D-A209-D769DB30BBDB} /quiet /norestart
endif

//Network Threat
dos echo "Network Threat"
if {exists folder "C:\Program Files\Sophos\Sophos Network Threat Protection"}
waithidden MsiExec.exe /X{{66967E5F-43E8-4402-87A4-04685EE5C2CB} /quiet /norestart
endif

//Delete Sophos Directory
folder delete "C:\Program Files (x86)\Sophos"
folder delete "C:\Program Files\Sophos"

//dos rd "C:\Program Files\Sophos" /s /q
//dos rd "C:\Program Files (x86)\Sophos" /s /q

else

//32-bit

if {x32 of operating system}

//SophosStopServices
waithidden net stop "Sophos Anti-Virus"
waithidden net stop "Sophos AutoUpdate Service"
waithidden net stop "Sophos Agent"
waithidden net stop "Sophos Anti-Virus status reporter"
waithidden net stop "Sophos Message Router"
waithidden net stop "Sophos Network Threat Protection"
waithidden net stop "Sophos System Protection Service"
waithidden net stop "Sophos Web Control Service"
waithidden net stop "Sophos Web Intelligence Service"
waithidden net stop "Sophos Web Intelligence Update"

//Endpoint Defense
if {exists folder "C:\Program Files\Sophos\Endpoint Defense"}
waithidden "C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" /quiet
endif

//System Protection
if {exists folder "C:\Program Files\Sophos\Sophos System Protection"}
waithidden MsiExec.exe /X{{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /quiet /norestart
endif

//Anti Virus
if {exists folder "C:\Program Files\Sophos\Sophos Anti-Virus"}
waithidden MsiExec.exe /X{{65323B2D-83D4-470D-A209-D769DB30BBDB} /quiet /norestart
endif

//Network Threat
if {exists folder "C:\Program Files\Sophos\Sophos Network Threat Protection"}
waithidden MsiExec.exe /X{{66967E5F-43E8-4402-87A4-04685EE5C2CB} /quiet /norestart
endif

//Auto Update
if {exists folder "C:\Program Files\Sophos\AutoUpdate"}
waithidden MsiExec.exe /X{{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} /quiet /norestart
endif

//Remote Management
if {exists folder "C:\Program Files\Sophos\Remote Management System"}
waithidden MsiExec.exe /X{{FED1005D-CBC8-45D5-A288-FFC7BB304121} /quiet /norestart
endif

//Delete Sophos Directory
folder delete "C:\Program Files\Sophos"
folder delete "C:\Program Files (x86)\Sophos"

endif
endif

Hm. Going back to the first part, it all “thinks” it’s completed until it’s time to delete the folder.
Did all of the services actually get stopped, and did Sophos actually get uninstalled?
One reason for “folder delete” to fail is if there is a running process that still has a lock on the directory.

First if you are using C:\Program Files (x86) on a 64 bit system you don’t need to have the two sections as C:\Program Files will point there anyway on a 64 bit system without the redirection.

Does it show an error when the failure happens? Is there anything left in the directories that is still running etc?

Yes, the services are all stopped and Sophos is fully uninstalled.

The only error it’s showing is Exit Code 1605 - Failed.

In the X86 Folder, there is still a folder Sophos > Sophos Anti-Virus which is empty.

In the Program Files, there is Sophos > Endpoint Defense which has uninstall.exe.

edit: I pasted too much, just fixed it. (x86) should not be listed anymore.

AlanM brings up a good point. This is a case where 64-bit redirection is useful because “\Program Files” is automatically redirected to “\Program Files (x86)”. It looks like all of the service names, guids, and paths are the same except for the x86 redirection. So you should be able to collapse this script into

//SophosStopServices
waithidden net stop "Sophos Anti-Virus"
waithidden net stop "Sophos AutoUpdate Service"
waithidden net stop "Sophos Agent"
waithidden net stop "Sophos Anti-Virus status reporter"
waithidden net stop "Sophos Message Router"
waithidden net stop "Sophos Network Threat Protection"
waithidden net stop "Sophos System Protection Service"
waithidden net stop "Sophos Web Control Service"
waithidden net stop "Sophos Web Intelligence Service"
waithidden net stop "Sophos Web Intelligence Update"

//Endpoint Defense
dos echo "Endpoint Defense"
if {exists folder "C:\Program Files\Sophos\Endpoint Defense"}
waithidden "C:\Program Files\Sophos\Endpoint Defense\uninstall.exe" /quiet
endif

//System Protection
dos echo "System Protection"
if {exists folder "C:\Program Files\Sophos\Sophos System Protection"}
waithidden MsiExec.exe /X{{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6} /quiet /norestart
endif

//AutoUpdate
dos echo "AutoUpdate"
if {exists folder "C:\Program Files\Sophos\AutoUpdate"}
waithidden MsiExec.exe /X{{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54} /quiet /norestart
endif

//RemoteManagement
dos echo "Remote Management"
if {exists folder "C:\Program Files\Sophos\Remote Management System"}
waithidden MsiExec.exe /X{{FED1005D-CBC8-45D5-A288-FFC7BB304121} /quiet /norestart
endif

//Anti Virus
dos echo "Anti Virus"
if {exists folder "C:\Program Files\Sophos\Sophos Anti-Virus"}
waithidden MsiExec.exe /X{{65323B2D-83D4-470D-A209-D769DB30BBDB} /quiet /norestart
endif

//Network Threat
dos echo "Network Threat"
if {exists folder "C:\Program Files\Sophos\Sophos Network Threat Protection"}
waithidden MsiExec.exe /X{{66967E5F-43E8-4402-87A4-04685EE5C2CB} /quiet /norestart
endif

//Delete Sophos Directory
folder delete "C:\Program Files\Sophos"

I’d try using ‘handle’ from sysinternals (https://microsoft.com/sysinternals) to see which, if any, processes still have a lock on one of those directories.

See link for source: https://community.spiceworks.com/scripts/show/1601-sophos-9-5-10-removal-script?page=2

If I create a .bat file, can I run this via BigFix or is this not advised?

Jason,

Thank you for taking the time to edit this for me. I tested and am getting an exit code 2 and it’s failing on the following line:

Failed if {exists folder C:\Program Files\Sophos\Endpoint Defense}

Any ideas?

Unless that’s a copy/paste error, you’re going to need quotes around the folder name…

if {exists folder "C:\Program Files\Sophos\Endpoint Defense"}

Thanks Jason. After putting in the quotes, it did complete, however the programs didn’t uninstall. After checking the uninstall path the exists folder is pointing to C:\Program Files and the uninstaller needs to run from C:\Program Files (x86). Is there a way to add both Program Files and Program Files (x86) to the action? I believe this is why we had it broken out to begin with.

Edit: Another thought… I guess I could make two different scripts, one for 32-bit and one for 64-bit. Then change the relevance to match the bit version. This should work, right?

I honestly find that it’s easier to parameterize these kinds of things and just pull the information from the registry.

For example, Popcorn Time (some random software someone managed to install, catering to both 32- and 64-bit versions as well as potentially different uninstallers (uninstaller.exe and unins000.exe in this case, could be msiexec.exe, setup.exe, helper.exe, or some other random installer)):

// Define parameters
parameter "DisplayName"="popcorn time"
parameter "Publisher"="popcorn time"

//32-bit removal using unins000.exe
if {exists keys whose ((value "DisplayName" of it as string as lowercase contains (parameter "DisplayName") as lowercase) AND (value "Publisher" of it as string as lowercase contains (parameter "Publisher") as lowercase)) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of x32 registries}
waithidden {value "uninstallstring" of keys whose ((value "DisplayName" of it as string as lowercase contains (parameter "DisplayName") as lowercase) AND (value "Publisher" of it as string as lowercase contains (parameter "Publisher") as lowercase)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of x32 registries as string} /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
endif

//64-bit removal using uninstall.exe
if {exists keys whose ((value "DisplayName" of it as string as lowercase contains (parameter "DisplayName") as lowercase) AND (value "Publisher" of it as string as lowercase contains (parameter "Publisher") as lowercase)) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of x64 registries}
waithidden {value "uninstallstring" of keys whose ((value "DisplayName" of it as string as lowercase contains (parameter "DisplayName") as lowercase) AND (value "Publisher" of it as string as lowercase contains (parameter "Publisher") as lowercase)) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of x64 registries as string} /VERYSILENT /SUPPRESSMSGBOXES /NORESTART
endif

By gathering the uninstall keys using BigFix query first, you can determine what your exposure is and figure out which code to use rather than hardcoding the path and product code to use.

You can also add more parameters to the query, if you only wanted to uninstall certain versions of a product instead of just blanket removing anything that matches the name. Note that this approach may be easier, but also potentially more dangerous, as other products may contain the same names.

Again, using inspectors to pull the product names and uninstall keys might be a good idea to verify that what you are trying to remove actually exists. Once you have that information, you can then parameterize to your heart’s content.

Am I the only one who did a search for

1605 “windows installer”

and got a result of Product Doesn’t Exist?

I’m wondering whether you are reinstalling the product in your test environment whenever you run it again? The folder path existing doesn’t mean the product is still there.

If I’m way off: apologies. But when I see a 16xx error I typically look at why the MSI is complaining before assuming the issue is actionscript related.

I am not attempting to reinstall anything. I am trying to uninstall Sophos and also get the folder path in Program Files and Program Files (x86) to delete.

The programs are being removed, but the folder path is not. The folder path is what the relevance is based on so this is why I need it removed.

Yes I can see that. :)

My question was more about your lab environment and how you set it up to simulate what is in the field with Sophos already installed.

But like I said, I could be way off. And I’m OK with that, it happens. -Michelle

Sorry, I misread your previous reply. I have not been reinstalling to test it. I actually have several laptops we use for general purposes that I’ve been testing with that had Sophos installed. These are a combination of 32 and 64 bit and if something were to happen, it wouldn’t matter.

@FireFox9854 I have also been dealing with Sophos uninstallation headaches recently. From what I can tell you figured out already that some of Sophos’s apps are now x64 while others are still x32, which can cause some added complexity.

As far as being able to remove all Sophos related files and folders, with some versions of their apps I have not always been able to do that.

What I am always able to do is delete their registry keys and services, so any lingering files don’t do anything at least. So if you are ok with that, you could change your applicability relevance from looking at the folders to instead looking at the registry and services. For example, this is what I use:

exists keys whose (exists value "Publisher" whose (it as string as lowercase contains "sophos") of it) of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries) or exists services whose (display name of it as lowercase contains "sophos")
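
An added example, not written by any poster in this thread and not BigFix code: a read-only PowerShell inventory of what the two registry-based suggestions above look at, listing Uninstall entries from both registry views plus matching services before anything is removed. The function name `Get-UninstallEntry` is hypothetical; the product codes are the ones used in the action scripts in this thread.

```powershell
# Added example: read-only inventory; nothing is stopped, uninstalled or deleted.
function Get-UninstallEntry {
    param([Parameter(Mandatory)] [string] $Publisher)   # case-insensitive substring
    $path  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    # On a 32-bit OS a Registry64 request just returns the 32-bit view again.
    if ([Environment]::Is64BitOperatingSystem) {
        $views += [Microsoft.Win32.RegistryView]::Registry64
    }
    foreach ($view in $views) {
        # OpenBaseKey picks the view explicitly, whatever the bitness of the caller.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $root = $hklm.OpenSubKey($path)
            if ($null -eq $root) { continue }
            foreach ($name in $root.GetSubKeyNames()) {
                $key = $root.OpenSubKey($name)
                if ($null -eq $key) { continue }
                $pub = [string]$key.GetValue('Publisher')   # '' when the value is absent
                if ($pub.IndexOf($Publisher, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{
                        View            = $view
                        KeyName         = $name   # the product code for MSI installs
                        DisplayName     = [string]$key.GetValue('DisplayName')
                        UninstallString = [string]$key.GetValue('UninstallString')
                    }
                }
                $key.Close()
            }
        } finally { $hklm.Close() }
    }
}

$entries  = @(Get-UninstallEntry -Publisher 'sophos')
$services = @(Get-Service | Where-Object { $_.DisplayName -like '*sophos*' })
$entries  | Format-Table View, KeyName, DisplayName -AutoSize
$services | Format-Table Status, Name, DisplayName -AutoSize

# Product codes taken from the action scripts in this thread.
$codes = '{1093B57D-A613-47F3-90CF-0FD5C5DCFFE6}', '{AFBCA1B9-496C-4AE6-98AE-3EA1CFF65C54}',
         '{FED1005D-CBC8-45D5-A288-FFC7BB304121}', '{65323B2D-83D4-470D-A209-D769DB30BBDB}',
         '{66967E5F-43E8-4402-87A4-04685EE5C2CB}'
foreach ($code in $codes) {
    $hit = @($entries | Where-Object { $_.KeyName -eq $code })
    if ($hit.Count -gt 0) { '{0} registered ({1}): {2}' -f $code, $hit[0].View, $hit[0].DisplayName }
    else { "$code not found among the matched entries (msiexec /X returns 1605 for an unknown product)" }
}
```

Reviewing the `DisplayName` column before acting also shows whether the publisher substring is catching products other than the intended ones.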