Some users may have issues creating a community account See more here.

sasikumar_r
Intrepid explorer

How to delete the services created by Agent less inventory scan

Hi ,

Agentless inventory(Zero foot print) scan has created 4 services(screenshot attached), anybody know how to remove those services from the devices. Is there any option to remove the services automatically by any policy from beacon server.

 

Thank you

Sasi

5 Replies
JohnSorensenDK
Moderator Moderator
Moderator

@sasikumar_r 

Does the customer have a deployment technology in place to manage the devices and as such to remove the footprint left behind, e.g. Microsoft SCCM?

If that's the case it would be quite easy to "deploy" a services removal job to delete these "left overs"...

Thanks,

Hi @JohnSorensenDK ,

Thank you for your reply!  Do you have steps\script available to remove the services? i could see the jobs created which get created donot have a unique name. attached screenshot for your reference.

 

Thank you

Sasi

0 Kudos

@sasikumar_r 

You didn't mention whether you've got SCCM implemented but if you do a Google search using 'sccm example remove registry keys' as keywords provides a number of useful hits.

You can also use PowerShell to remotely remove registry keys, again Google search using 'powershell script to remove registry keys' as keywords provides good examples.

Services are placed in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry leaf...

A reboot will be needed to make them visually disappear from the Services list after they're deleted...

Thanks,

0 Kudos

Hi @JohnSorensenDK ,

Customer use SCCM and they can try with powershell as well. on internet i could see we have to use service\display name to delete the service  but as i mentioned service name which is getting created are not unique it starts with mgs- and rest is filled with numbers(example mgs-[12345678}. so it is bit hard  to identify the managesoft service that needs to be deleted. However i have tried with wildcard like below to identify & remove the service. It is yet to be tested. if you have any other better solution it would be very helpful.

Get-WmiObject win32_service | ?{$_.displayname -like '*mgs-*' -And $_.pathname -like '*sambeacon*'} | ForEach-object{ cmd /c  sc stop $_.Name}

Get-WmiObject win32_service | ?{$_.displayname -like '*mgs-*' -And $_.pathname -like '*sambeacon*'} | ForEach-object{ cmd /c  sc delete $_.Name}

 

Thank you

Sasi

0 Kudos

@sasikumar_r 

To stop the service remotely the following PowerShell syntax seems to be working for me (replace <device name>  with a device to which you have remote admin access rights (but you can begin with localhost)):

Get-WMIObject Win32_Service -ComputerName <device name> | Where-Object{$_.Name -like 'mgs*'} | ForEach-object{ cmd /c  sc stop $_.Name}

and obviously the delete syntax would be:

Get-WMIObject Win32_Service -ComputerName <device name> | Where-Object{$_.Name -like 'mgs*'} | ForEach-object{ cmd /c  sc delete $_.Name}

Please be careful in testing that these commands don't delete other services that you don't want to delete from the environment, i.e. I would be run commands to list the services returned first...

Thanks,

0 Kudos