Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: Windows Sensor Uninstall Leaves Registry Keys Behind

EDR: Windows Sensor Uninstall Leaves Registry Keys Behind

Environment

  • EDR Windows Sensor: All Verisons
  • Microsoft Windows: All Supported Versions

Symptoms

After running the uninst.exe file to remove the Windows sensor, there are registry key files that remain, such as: 
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Cb Enterprise Response Sensor

Cause

This happens when using the C:\Windows\CarbonBlack\uninst.exe to uninstall instead of the Add/Remove Programs feature of the Windows OS.

Resolution

This is a known issue with the uninst.exe tool and is being worked on by Carbon Black Product Management. There are two options to resolve this:
  1. Remove the sensor using the built-in Windows Add/Remove Programs
  2. Use the uninst.exe tool, then clean up the registry keys manually if desired.

Additional Notes

  • The leftover registry keys are harmless and will cause no issues if left alone.

Labels (1)
Was this article helpful? Yes No
0% helpful (0/1)
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
2861
Contributors