Uninstalling Problem Applications using Powershell
In my last story, we went over winnowing through a Nessus scan to determine which apps you might want to patch. But what if the final finding isn’t “Lets update Java” but rather, “Why do we need JRE installed at all? Let’s delete it across the domain”
How can you do this for free, without buying a full software inventory and management system. Say, with nothing but Powershell? In years past, I would have used WMIC and cmd files, but Powershell is much faster and much more flexible. Let’s start by listing the apps on a workstation. If you don’t have a software inventory solution, Powershell can get the job done with just a bit of scripting (note that this is does not show the entire list of members in $apps - it's a pretty long list)
Next, let’s get the info we need to delete an app – the App name, version and “IdentifyingNumber” (the application’s GUID):
OK – now let’s just pick the apps we want to remove:
That’s all the basic information we need to delete an app, let’s put it together. The $classkey variable shown is the string needed to “fully qualify” the application to delete – let’s just look at the first app in the list:
(note the escaping to make the quote characters around the values)
Then, to uninstall our target application, for each instance, we want to execute:
If $killit.ReturnValue is non-zero, the uninstall was not successful – a value of 1603 for instance means you don’t have rights to uninstall the apps, retry as local admin (or domain admin)
So, putting it all together, let’s delete a target app remotely in a typical company. We start by getting domain admin credentials (remember that you need admin rights to delete an app)
Next, get your list of servers into an object. Maybe you got that computer list from working through your Nessus report, or maybe output from your software inventory system:
Or maybe we’ll pull the target station list right out of AD. If you take this approach, maybe you just want the non-servers:
Whatever method you used to get your list, MANUALLY CHECK IT AND EDIT IT FIRST, before you proceed:
Not the most elegant piece of code, and certainly not the fastest, but it’ll get the job done. That "write-host" line especially would benefit from me making that an array of results, which would allow you at the end you to list out the full results, but then also just the failed results for instance. For me, using write-host is almost always a last resort - there's always a better option. The point was to keep things simple here though, not get to perfection - come to think of it, that's the point of most scripts we write.
Note again that this script as written can be very dangerous! We're running through a list of hosts, saying "if an application name has this string in it, delete it immediately". If you pick the wrong string (say "advanced" or "microsoft"), you could match a lot more than you intend to! Given that this script is going to UNINSTALL apps across your domain, and maybe reboot machines along the way, you likely will not want this in one mondo – automagic script anyway. Dumping things out, checking output along the way and testing step by step is definitely the way to go. Running your version of this against a few test stations first is also a really good practice.
This might sound like a lot of manual Posershell steps, when there's a script right there - but it’s still way faster than having to recover an app after you’ve had a script like this run through your domain. And needless to say, it's also way faster than uninstalling apps from stations one-by-one using just your keyboard and RDP!
If you’ve got a neat trick for uninstalling apps, or better yet, if you’ve got a more elegant Powershell approach for this, by all means, please share in our comment section!
===============
Rob VandenBrink
Compugen
References:
http://blogs.technet.com/b/heyscriptingguy/archive/2011/12/14/use-powershell-to-find-and-uninstall-software.aspx
https://isc.sans.edu/forums/diary/Nessus+and+Powershell+is+like+Chocolate+and+Peanut+Butter/20431/
Comments
I eventually rewrote the script to use reg.exe instead and look for the identifiers. Never did get around to powershell-ize-ing it...
Anonymous
Dec 10th 2015
8 years ago
$clsid = gwmi win32_product -computername "computername" | where {$_ -match "Java"}
foreach($cls in $clsid) {$cls.uninstall()}
The computername is contained in the returned $clsid
Anonymous
Dec 10th 2015
8 years ago
To do this first set the registry keys:
//Generate registry key to create admin shares
regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters]" "AutoShareWks"=dword:00000001
//Set Remote Registry service to start automatically
regset "[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteRegistry]" "Start"=dword:00000002
Then ensure the Server ("Lanmanserver") service is restarted (no reboot required which means you can enable this using remote registry or script)
then you can call on hosts using \\$_\c$\program files\etc..
I usually set a location for a list of computers as you mentioned and then when calling on the list, \\$_ inserts each line of computer here. This may require the ForeachObject in this case? I havn't tested your uninstall script with my listed syntax yet
Anonymous
Dec 10th 2015
8 years ago
http://gregramsey.net/2012/02/20/win32_product-is-evil/
Anonymous
Dec 10th 2015
8 years ago
Anyway, formatting that long string:
One way to simplify the formatting is to use $(sub.expressions).
$classkey = "IdentifyingNumber=`"$($apps2go[0].IdentifyingNumber)`",Name=`"$($apps2go[0].Name)`",Version=`"$($apps2go[0].Version)`""
makes it easier to read as there are less double quotes and concatenation.
I prefer this way in complex strings. It is using the format operator (with works just fin with single quoted strings) to split the variables from the string. Makes the stricture of the string very easy to read.
$classkey = 'IdentifyingNumber="{0}",Name="{1}",Version="{2}"' -f $apps2go[0].IdentifyingNumber, $apps2go[0].Name, $apps2go[0].Version
Anonymous
Dec 10th 2015
8 years ago
Works great along with replacing Java with Flash/Reader/etc as needed.
--Matt
write-host "Uninstalling all/any versions of Java"
$product = Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "Java*"}
if ($product -ne $null ) {
$ProductDetails = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "Java*" } | Select Name, Version
"Found $ProductDetails "
"Attempting to Uninstall"
$product.Uninstall()
}
Else {"No Java Versions Found "}
Anonymous
Dec 20th 2015
8 years ago