What is "Uninstall" evidence?


Summary

This article explains what "Uninstall" evidence is and how it's detected.

Synopsis

Applications that have the "Uninstall" evidence type are detected from the "Uninstall" registry keys under Windows (the keys that populate "Add/Remove Programs"), but they are not MSIs; that is, they were installed by an installer technology other than MSI.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall


"Uninstall" evidence can indicate either that the application is installed, or that it has been removed (inappropriately) and the Windows registry key still remains on the system.
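One way to list the non-MSI entries under the two keys above and flag those whose recorded install folder is gone, as an added example that is not part of the original article or the product's own code. It assumes that a `WindowsInstaller` value of 1 marks an MSI-managed entry and treats a missing `InstallLocation` folder only as a hint that the key was left behind; the function name is hypothetical.

```powershell
# Added example: enumerate non-MSI "Uninstall" registry entries (read-only) and
# flag entries whose recorded install folder is missing (possible leftover key).
$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Hypothetical helper name; it only reads the registry and the file system.
function Get-NonMsiUninstallEntry {
    param([string[]]$Roots = $uninstallRoots)

    foreach ($root in $Roots) {
        # WOW6432Node does not exist on 32-bit Windows
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p -or -not $p.DisplayName) { continue }   # no display name, nothing to report
            if ($p.WindowsInstaller -eq 1) { continue }          # assumption: 1 marks an MSI entry

            # Heuristic (assumption): an InstallLocation that no longer exists
            # suggests the files were removed while the key stayed behind.
            $location = $p.InstallLocation
            $status = if ([string]::IsNullOrWhiteSpace($location)) {
                'Unknown (no InstallLocation recorded)'
            } elseif (Test-Path -LiteralPath $location.Trim('"')) {
                'Install folder present'
            } else {
                'Install folder missing: possible leftover key'
            }

            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                Publisher       = $p.Publisher
                InstallLocation = $location
                Status          = $status
                RegistryKey     = $key.Name
            }
        }
    }
}

Get-NonMsiUninstallEntry | Sort-Object Status, DisplayName | Format-Table -AutoSize -Wrap
```

Entries reported as "Unknown" record no install folder, so they have to be checked by other means, such as the software's files or services.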

Comments

Hi,

What about Linux raw evidence showing "Uninstall"? Where is it coming from?

Br

Jan

@jan_milkovic:  Can you let us know where you are seeing "Uninstall" evidence types for a Linux inventory device?

Hi @kclausen,

I can see it under the Evidence tab of the Inventory device.

The database should be uninstalled on this device but is still showing up.


Br

Jan

I do not have a definitive answer.  It is possible that this could be "Oracle Universal Installer" evidence, but I am not sure.  I recommend you submit a Support case for further research.

Looking at the contents of the actual NDI file generated by the agent would also provide more details.

Kirk

Software evidence from SCCM that is labeled 'uninstall' can actually be MSI evidence; FNMS doesn't make that distinction for SCCM evidence data. The registry key where MSI data is stored is HKEY_CLASSES_ROOT\Installer\Products.

Based on the comment '"Uninstall" can indicate either it is installed or it has been removed (inappropriately) and the Windows registry key still remains in the system. ' what is the easiest way to verify which it is?

@kathy_allen - it is hard to provide a definite recipe for identifying whether arbitrary software has been removed while leaving the "Uninstall" registry data on the system, as it will highly depend on the nature of exactly what was removed. For example, if the software was "removed" by deleting files, you would need to check whether the installed files for the software still exist. If the software was "removed" by deleting (say) Windows services, then you would have to check the services. Of course, you're likely in a situation where you don't know what to be looking for because you don't know what you don't know - so you would need to treat it as an exploratory/discovery exercise.

We have seen this in our environment in cases where we installed FNMS agent by a GPO and later utilised the target upgrades in FNMS.

Looking into the details of the evidence, it shows the uninstall evidence of the previous version.


I saw some issue that has been resolved in FNMS 2019R2.2 Cloud, related?

IOJ-1925874 2 Inventory Beacon Inventory beacon uninstall leaves behind some binaries

 

@ChrisG Is it best practice to not use any uninstall evidence for application recognition or usage?

@kathy_allen - quite the opposite. On the Windows platform, the Installer Evidence coming from the Uninstall / Add Remove registry entries is much more reliable than File Evidence. When applications are removed, the Add Remove evidence is almost always deleted, whereas in many cases the same removal leaves behind EXE files, which would then be picked up by inventory tools. Recognition based on EXE Evidence, therefore, has a good chance of reporting false positives.

Hi,

I just wanted to know what files the agent reads on a Linux system as installer evidence.

We are having an issue with Oracle products: even though it has been uninstalled, it's showing as installed.

Thanks and Regards

Bibek yadav

Version history
Revision #: 4 of 4
Last update: Apr 14, 2020 08:59 PM