Remove Forefront Client Security by force

I was recently trying to upgrade the antivirus software on some servers from Forefront Client Security to System Center Endpoint Protection 2012 R2. On most servers it worked fine. However, on a few I was unable to remove some of the FCS components due to missing .msi files. This was because somebody (not me!) had been deleting the contents of the C:\Windows\Installer folder, probably to save disk space.

This meant that the uninstall command was failing, as Windows Installer couldn’t find the right .msi file. This in turn meant I was unable to install SCEP, as its installer checks to see that all previous versions have gone before it’ll install.

There is a very faffy way of fixing missing MSIs where you have to track down the correct version of the .msi via the Microsoft Update Catalogue and/or a WSUS server, but it was too fiddly and I didn’t have time. Thus, I wrote a script to manually uninstall the old FCS stuff (or at least, enough of it that SCEP will install and be happy).

The script will continue on errors, and you will get errors as some of the stuff only relates to 32-bit OS, and some only to 64-bit. Plus you might have already been able to remove some of the FCS components properly via Windows Installer.

Here’s the script. Save it as a .cmd file and run it as administrator.

@echo off
echo Stop services
net stop MOM
net stop FCSAM
net stop FcsSas

echo Delete services
sc delete MOM
sc delete FCSAM
sc delete FcsSas

echo Kill GUI
tskill msascui /a

echo Delete files
rd /s /q "C:\Program Files\Microsoft Forefront"
rd /s /q "C:\Program Files (x86)\Microsoft Forefront"

echo Remove registry keys
echo ...MOM
rem 64-bit
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{F692770D-0E27-4D3F-8386-F04C6F434040}" /f
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft Operations Manager\2.0" /f
rem 32-bit
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F692770D-0E27-4D3F-8386-F04C6F434040}" /f
rem both
reg delete "HKLM\SOFTWARE\Classes\Installer\Products\D077296F72E0F3D438680FC4F6340404" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D077296F72E0F3D438680FC4F6340404" /f

echo ...SAS
rem 64-bit
reg delete "HKLM\SOFTWARE\Classes\Installer\Products\E4EB3435742B0D148BD1E4C755649001" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E4EB3435742B0D148BD1E4C755649001" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5343BE4E-B247-41D0-B81D-4E7C55460910}" /f
rem 32-bit
reg delete "HKLM\SOFTWARE\Classes\Installer\Products\838A5BA2CAD95F54E82C10D9DD4C4B6F" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\838A5BA2CAD95F54E82C10D9DD4C4B6F" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6}" /f

echo ...FCS
rem 64-bit
reg delete "HKLM\SOFTWARE\Classes\Installer\Products\EE98922AA7EA8F240A0CC999FC6B44BF" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\EE98922AA7EA8F240A0CC999FC6B44BF" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A22989EE-AE7A-42F8-A0C0-9C99CFB644FB}" /f
rem 32-bit
reg delete "HKLM\SOFTWARE\Classes\Installer\Products\FF0CF4D4791FF10448E21E811F2D46E7" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\FF0CF4D4791FF10448E21E811F2D46E7" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4D4FC0FF-F197-401F-842E-E118F1D2647E}" /f
rem both
reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Microsoft Forefront" /f
reg delete "HKLM\SOFTWARE\Microsoft\Microsoft Forefront" /f

echo Done.
pause

Use with care.
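
The 32-character key names under Installer\Products in the script are the same product codes as the Uninstall GUIDs, stored in Windows Installer's packed form. The following Python sketch is an added example, not part of the original post: it converts between the two forms so each pair can be checked before anything is deleted, or worked out for a different build. The function names are illustrative, and it only does string work and never touches the registry.

```python
import re

_GUID = re.compile(r"\{?([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})"
                   r"-([0-9A-F]{4})-([0-9A-F]{12})\}?", re.I)

def _swap_pairs(s):  # "8386" -> "3868": swap the two hex digits of each byte
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))

def pack_guid(product_code):
    """Uninstall-key GUID -> 32-character name used under Installer Products."""
    m = _GUID.fullmatch(product_code.strip())
    if not m:
        raise ValueError("not a GUID: %r" % product_code)
    a, b, c, d, e = (g.upper() for g in m.groups())
    # First three groups are reversed whole; the last two are swapped per byte.
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)

def unpack_guid(packed):
    """Inverse of pack_guid: recover the braced GUID from a packed key name."""
    p = packed.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", p):
        raise ValueError("not a packed GUID: %r" % packed)
    return "{%s-%s-%s-%s-%s}" % (p[:8][::-1], p[8:12][::-1], p[12:16][::-1],
                                 _swap_pairs(p[16:20]), _swap_pairs(p[20:]))

def installer_keys(product_code):
    """Per-product key locations of the kind the script deletes."""
    packed = pack_guid(product_code)
    guid = unpack_guid(packed)  # normalised: upper case, with braces
    cv = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
    return [cv + "\\Uninstall\\" + guid,
            cv.replace("SOFTWARE", r"SOFTWARE\Wow6432Node") + "\\Uninstall\\" + guid,
            "HKLM\\SOFTWARE\\Classes\\Installer\\Products\\" + packed,
            cv + "\\Installer\\UserData\\S-1-5-18\\Products\\" + packed]

# (Uninstall GUID, packed key name) pairs copied from the script above.
PAGE_PAIRS = [
    ("{F692770D-0E27-4D3F-8386-F04C6F434040}", "D077296F72E0F3D438680FC4F6340404"),
    ("{5343BE4E-B247-41D0-B81D-4E7C55460910}", "E4EB3435742B0D148BD1E4C755649001"),
    ("{2AB5A838-9DAC-45F5-8EC2-019DDDC4B4F6}", "838A5BA2CAD95F54E82C10D9DD4C4B6F"),
    ("{A22989EE-AE7A-42F8-A0C0-9C99CFB644FB}", "EE98922AA7EA8F240A0CC999FC6B44BF"),
    ("{4D4FC0FF-F197-401F-842E-E118F1D2647E}", "FF0CF4D4791FF10448E21E811F2D46E7"),
]

def mismatches(pairs=PAGE_PAIRS):
    return [(g, p) for g, p in pairs if pack_guid(g) != p or unpack_guid(p) != g]

if __name__ == "__main__":
    print(mismatches() or "all pairs in the script are consistent")
```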


One Response to Remove Forefront Client Security by force

  1. Alex Rocha says:

    Great script.
    After spending hours of testing all my FCS install and update files, searching the web, and contacting Microsoft, this just saved me some more hours.
    And I can personally guarantee that in my case no one deleted files from the C:\Windows\Installer folder. I am the only one that installs and manages the server in question (I doubt my boss would do something like work :) ), and space was never an issue in this server.

    Thank you and great work.
