Uninstalling Cylance

emmanuel.joseph 2022-06-29 12:56:39 UTC #1

Hello all,

I am trying to uninstall Cylance on our Workstations and it has been difficult. Below are the command i have tried but no result. It all failed and return Exit Code 1612 - msi file is not available in the Windows Installer cache. I still have cylance on machines, what can i do ? I need a fixlet or command that will remove all the presence of cylance

msiexec.exe /x{{2E64FC5C-9286-4A31-916B-0D8AE4B22954} /qn

msiexec /uninstall CylancePROTECT_x64.msi /qn /norestart

trn 2022-06-29 13:35:23 UTC #2

It may be just a case of 64/32 bit redirection - try action using wow64 redirection {not x64 of operating system}

If that doesn’t work you will need to go through the usual debug steps: try running the commands manually and see what happens. Do the affected machines show the product in Add/Remove Programs?, what is in the Uninstall registry key for the product?

emmanuel.joseph 2022-06-29 14:27:01 UTC #3

I am sure its not a case of 64/32 bit redirection. But I will try the wow redirection. I try running the command manually nothing happened. Yes! the affected machines show the product in Add/Remove programs.

This is what is in the uninstall registry key

MsiExec.exe /X{2E64FC5C-9286-4A31-916B-0D8AE4B22954}

baynes74 2022-06-29 14:34:10 UTC #4

Do you have access to the console for Cylance? Do you know if there is a Require Password to Uninstall Agent?Is Prevent Service Shutdown from Device active?

trn 2022-06-29 14:39:00 UTC #5

If the command doesn’t work manually then it probably isn’t redirection - in fact, it isn’t really a Bigfix thing at all.

The error (1612) suggests that housekeeping to create space has removed the installer, but @baynes74 makes some good points.

Did you run the command manually with or without the /qn? I would try again without /qn (or from Add/Remove programs) to see what error messages appear in the UI.

SLB 2022-06-29 14:44:12 UTC #6

I’ve had cases where an app can’t uninsall due to the msi having been removed (wasn’t due to manual cleanup of the Windows\Installer folder) and the way I managed to workaround it was to download the full MSI as part of the fixlet action then run the msiexec /x with the full path to the orginal MSI. Not ideal but helped avoid that somewhat tricky situation.

EDIT. And the MSI did vary depending of the version and patch level of the app the endpoint had. Woindering if you may have a spread of versions so the MSI you have may not work for all cases and you may beed MSI for each version in your environment?

emmanuel.joseph 2022-06-29 14:47:23 UTC #7

I stopped having access to the console yesterday. Before loosing access, I change to to a policy with no settings enabled and then change the self protection level from Local system to Local admin. My license for Cylance already expired.

emmanuel.joseph 2022-06-29 15:06:30 UTC #8

This was what i got using the commands without qn. Running the commands with qn shows no result. I got same result from add/remove programs

trn 2022-06-29 15:10:30 UTC #9

Hmmm.

Either the installer has been removed, or the product has been updated via the console or cloud (I know nothing about Cylance) and the installer referenced in the registry does not match the installed version.

JasonWalker 2022-06-29 15:10:48 UTC #10

This is a common issue to MSI packages. A quick Google for “Cylance Removal Tool” yielded quite a few results for me, but I’m not familiar with the software or any of the removal tools so I don’t want to post direct links here.

If you find and test a removal tool that works on one machine, we should be able to help you automate removing it on your systems through BigFix.

JasonWalker 2022-06-29 15:14:45 UTC #11

One other resource you might try is the Microsoft Fix-It Wizard for Windows Installer at http://support.microsoft.com/mats/Program_Install_and_Uninstall

emmanuel.joseph 2022-06-29 15:19:22 UTC #12

I think my solution will be deleting all the presence of Cylance from the registry and the C drive … After talking with Cylance support, I was told to disable Cylance services and then delete Cylance from this locations

Remove Cylance folders from C:\Program Files, %ProgramData%, and %AppData%\Local
Remove the Cylance driver from C:\Windows\system32\drivers and C:\Windows\system32\drvstore
Remove Cylance registry keys from HKLM\Software and HKLM\System\CurrentControlSet\services

You may also need to remove:

HKEY_CLASSES_ROOT\Installer\Products\C5CF46E2682913A419B6D0A84E2B9245
HKEY_CLASSES_ROOT\Installer\Products\D3D0C4A204C6F4843BBBD1487384BFF5

Comprehensive list:

C:\Program Files\Cylance
C:\ProgramData\Cylance
C:\Windows\System32\drivers\CyOpticsDrv.bak
C:\Windows\System32\drivers\CyOpticsDrv.sys
C:\Windows\System32\drivers\CyProtectDrv64.sys
C:\Windows\System32\drivers\CylanceDrv64.sys
C:\Windows\System32\drivers\CyDevFlt64.sys
C:\Windows\System32\DrvStore\CyOpticsDr_93D37CBD237A3B772B26BAC98F74A83C7DB67130
C:\Windows\System32\DrvStore\CyProtectD_35DEA6E5F703DD2A525FF0BF84B2520B9A03E8BC
HKEY_CLASSES_ROOT\Installer\Products\C5CF46E2682913A419B6D0A84E2B9245
KEY_CLASSES_ROOT\Installer\Products\D3D0C4A204C6F4843BBBD1487384BFF5
HKEY_LOCAL_MACHINE\SOFTWARE\Cylance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CyProtectDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CyOpticsDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CyOptics
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CylanceSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CyDevFlt64
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CylanceDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CyDevFlt

Also, search for any instances of Cylance in the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\

It worked doing all this but I need to be able to create action fixlet to delete all the presence of cylance in C: and registry. I created a fixlet to disable cylance service already.

emmanuel.joseph 2022-06-29 15:22:52 UTC #13

// Disable Cylance Service
if {exists key “CylanceSvc” whose (exists value “start” of it) of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services” of registry}
regset “[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CylanceSvc]” “start”=dword:00000004
endif true

This action to delete all the presence of cylance isnt working for me…

action uses wow64 redirection false

regdelete “[HKEY_CLASSES_ROOT\Installer\Products]” "C5CF46E2682913A419B6D0A84E2B9245"
regdelete “[HKEY_CLASSES_ROOT\Installer\Products]” "D3D0C4A204C6F4843BBBD1487384BFF5"
regdelete “[HKEY_LOCAL_MACHINE\SOFTWARE]” "Cylance"
regdelete “[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services]” "CyProtectDrv"
regdelete “[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services]” "CyOpticsDrv"
regdelete “[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services]” "CyOptics"
regdelete “[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services]” "CylanceSvc"
regdelete “[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services]” "CyDevFlt64"
regdelete “[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services]” "CylanceDrv"
regdelete “[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services]” "CyDevFlt"
delete “[C:\Program Files]” "Cylance"
delete “[C:\Windows\System32\drivers]” "CyOpticsDrv.bak"
delete “[C:\Windows\System32\drivers]” "CyOpticsDrv.sys"
delete “[C:\Windows\System32\drivers]” "CyProtectDrv64.sys"
delete “[C:\Windows\System32\drivers]” "CylanceDrv64.sys"
delete “[C:\Windows\System32\drivers]” "CyDevFlt64.sys"
delete “[C:\Windows\System32\DrvStore]” "CyOpticsDr_93D37CBD237A3B772B26BAC98F74A83C7DB67130"
delete “[C:\Windows\System32\DrvStore]” “CyProtectD_35DEA6E5F703DD2A525FF0BF84B2520B9A03E8BC”

trn 2022-06-29 15:29:53 UTC #14

Your syntax for the file system deletes is incorrect

Folder delete “C:\Program Files\Cylance"
delete “C:\Windows\System32\drivers\CyOpticsDrv.bak"

Edit: not sure why the formatting is so whacky, but I’m typing this on a phone

emmanuel.joseph 2022-06-29 15:40:06 UTC #15

This was what I came up with

Folder delete “C:\Program Files\Cylance"
delete “C:\Windows\System32\drivers\CyOpticsDrv.bak"
delete “C:\Windows\System32\drivers\CyOpticsDrv.sys"
delete “C:\Windows\System32\drivers\CyProtectDrv64.sys"
delete “C:\Windows\System32\drivers\CylanceDrv64.sys"
Folder delete “C:\Windows\System32\DrvStore\CyOpticsDr_93D37CBD237A3B772B26BAC98F74A83C7DB67130"
Folder delete “C:\Windows\System32\DrvStore\CyProtectD_35DEA6E5F703DD2A525FF0BF84B2520B9A03E8BC"

emmanuel.joseph 2022-06-29 20:19:52 UTC #16

Thanks this work for me. Please Is it possible to package the download and push through BigFix for mass uninstallation of Cylance ?

JasonWalker 2022-06-29 20:30:32 UTC #17

I’m not sure how to run the MS Troubleshooter silently, but it looks like there’s a set of PowerShell scripts embedded.

Your first step would be to identify whether there are command-line parameters you can use to automate whichever repair is working for you, but once you find that we can help you determine how to repeat it.

emmanuel.joseph 2022-06-29 20:47:19 UTC #19

I ran the troubleshooter I had downloaded, followed the instructions, selected the application I needed to uninstall, and that was it. It asks me to try my uninstall again even though it has already been done. I dont know how to get the command-line parameters

JasonWalker 2022-06-29 20:48:01 UTC #20

So I’m not clear, was the troubleshooter able to solve your problem or not?

emmanuel.joseph 2022-06-29 20:50:21 UTC #21

Yes it was able to solve my problem. I am asking how to package the troubleshooter for mass uninstallation using BigFix