A new Flexera Community experience is coming on November 18th, click here for more information.
This article explains what "Uninstall" evidence is and how it's detected.
Applications that have "Uninstall" evidence type are detected from the "Uninstall" registry keys under Windows (what populates "add/remove programs"), but they are not MSIs (applications installed by the other installer technologies than MSI).
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
"Uninstall" can indicate either it is installed or it has been removed (inappropriately) and the Windows registry key still remains in the system.
Dec 13, 2018 05:55 AM - edited Apr 14, 2020 08:59 PM
Hi,
What about linux raw evidence showing "Uninstall"? Where it is coming from?
Br
Jan
@jan_milkovic: Can you let us know where you are seeing "Uninstall" evidence types for a Linux inventory device?
Hi @kclausen,
I can see it under Evidence tab of Inventory device.
Database should be uninstalled on this device but still showing up.
Br
Jan
I do not have a definitive answer. It is possible that this could be "Oracle Universal Installer" evidence, but I am not sure. I recommend you submit a Support case for further research.
Looking at the contents of the actual NDI file generated by the agent would also provide more details.
Kirk
Software evidence from SCCM that is labeled 'uninstall' can actually be MSI evidence, FNMS doesn't make that distinction for SCCM evidence data. The registry key where MSI data is stored is HKEY_CLASSES_ROOT\Installer\Products
Based on the comment '"Uninstall" can indicate either it is installed or it has been removed (inappropriately) and the Windows registry key still remains in the system. ' what is the easiest way to verify which it is?
@kathy_allen - it is hard to provide a definite recipe for identifying whether arbitrary software has been removed while leaving the "Uninstall" registry data on the system, as it will highly depend on the nature of exactly what was removed. For example, if the software was "removed" by deleting files you would need to check whether the installed files for the software still exist. If the software was "removed" by deleting (say) Windows services, then you would have to check the services. Of course, you're likely in a situation that you don't know what to be looking for because you don't know what you don't know - so you would need to treat it as a exploratory/discovery exercise.
We have seen this in our environment in cases where we installed FNMS agent by a GPO and later utilised the target upgrades in FNMS.
Looking into the details of evidences it shows the uninstall evidence of the previous version.
I saw some issue that has been resolved in FNMS 2019R2.2 Cloud, related?
IOJ-1925874 2 Inventory Beacon Inventory beacon uninstall leaves behind some binaries
@ChrisG Is it best practice to not use any uninstall evidence for application recognition or usage?
@kathy_allen - quite the opposite. On the Windows Platform, the Installer Evidence coming from the Uninstall / Add Remove registry entries is much more reliable than File Evidence. When applications are removed, the Add Remove evidence is almost always deleted, whereas is many cases the same removal leaves behind EXE files, which would then be picked up by inventory tools. Recognition based on EXE Evidence, therefore, has a good chance of reporting false positives.
Hi,
i just wanted to know what files does Agent read on Linux system as installer evidence.
we are having issue with oracle products, even it has been uninstalled, its showing as installed.
Thanks and Regards
Bibek yadav
Does this still stand from 2020? Requested removal of application and getting "Uninstall Evidence" as only evidence on devices. Does this still mean the application could be uninstalled incorrectly and there may be junk left in the registry?
Shelby Day
@shelby_day - The information in this article is still an accurate description of the most common source of installer evidence on Windows devices that would cause an installer evidence rule of type "Uninstall" to be created when it is imported (if it is not already matched by an existing rule).
With that said, if you see an installer evidence rule with a type of "Uninstall" reported then there is not necessarily an exact way to know exactly what registry or other details were found on a computer that have been matched by that rule. The actual related data found on a device could depend on many things - including the tool used to gather inventory, and the particular evidence/software in question.
@ChrisG Hello does it exist a history log on devices where I can find all the different agent releases installation that has be done?
Thank you for your help
@didiercottereau - if there is any history that shows this then you would see it on the History tab when viewing an inventory device.
(In the future, I would suggest posting questions which don't directly relate to a clarification/correction of a KB article in the FlexNet Manager forum rather than as a comment on an article. That will help to have each question handled as a separate thread and discussion.)