Environment
- EDR Sensor: All Versions
- Microsoft Windows: All Supported Versions
Symptoms
- EDR is still present on the endpoint under Add/Remove programs in Control Panel and failed to uninstall in the previous attempt.
- Previous attempt resulted in sensor physically being present on machine but not checking in.
Cause
Corrupt Uninstall.
Resolution
- Boot in Safe Mode
- Open Registry and delete the following:
- HKEY_LOCAL_MACHINE\SOFTWARE\CarbonBlack\config
- HKEY_CLASSES_ROOT\Installer\Products\<Product Code of CarbonBlack Sensor>
- Since the 'Product Code' is uniquely assigned by Windows, the most efficient way of finding the 'Product Code' mentioned above would be:
- With the Registry open, right click HKEY_CLASSES_ROOT, then click 'Find'
- Type 'carbonblack sensor', then click 'Find Next'
- A result should be found in the relative path above.
- If there are no results, search for 'carbon black EDR'
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CarbonBlack
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\carbonblackk
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cbstream
- Open appwiz.cpl and select Cb Enterprise Response Sensor
- It will prompt, that the application is not present anymore and to which you can delete.
- Open services.msc and select Carbon Black Sensor
- It will prompt it does not exist, to delete this stale entry open cmd as admin and type the following.
- Reboot Machine.
Additional Notes
A recent 7.x sensor version had updated the information in the HKEY_CLASSES_ROOT\Installer\Products\<Product Code of CarbonBlack Sensor> location so that it is referred to as Vmware Carbon Black. Previous versions used carbonblack sensor. So both searches should be done.
Related Content