Manually uninstall the Azure ATP sensor
Can you grab the deployment logs before you close the error window?
Also, you might be able to clean things up with this tool:
It has been known to help in similar situations before.
What exact version of AATP sensor is it?
Thanks Eli!
Your suggestion did help and it got me going in the right path.
This ended up being relatively straightforward, so here are the steps I took if anybody has this in the future.
1. On the domain controller where the ATP Sensor had failed, I searched the registry for "Azure Advanced" (without the quotes), and deleted all keys and subkeys where this was found. I just made sure it was referencing the sensor. There were several keys that needed to be deleted from HKCR and HKLM. Just to be sure to be sure....make a backup of the registry before you delete the keys.
2. I deleted the folder C:\Program Files\Azure Advanced Threat Protection Sensor
3. Manually re-installing the sensor worked and it is reporting as expected in the portal.
Note: I had to manually delete the old (failed) sensor entry from the portal.
Hopefully this will help someone else out.
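The registry search and backup from step 1, as an added example that is not part of the original post and is not Microsoft tooling. It only lists and exports matching keys and deletes nothing; the function name `Find-SensorRegistryKey` and the backup folder under `%TEMP%` are assumptions made for the illustration.

```powershell
# Added example: list and back up registry keys that mention the sensor. Deletes nothing.
# Run elevated on the affected domain controller. Names below are illustrative.
function Find-SensorRegistryKey {
    param(
        [string[]]$Root = @('Registry::HKEY_LOCAL_MACHINE', 'Registry::HKEY_CLASSES_ROOT'),
        [string]$Needle = 'Azure Advanced'   # search string quoted in the post
    )
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            $hit = $key.Name -like "*$Needle*"
            if (-not $hit) {
                # Also check value names and value data, as a regedit "Find" would.
                foreach ($name in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($name)
                    if ($name -like "*$Needle*" -or $data -like "*$Needle*") { $hit = $true; break }
                }
            }
            if ($hit) { $key.Name }
        }
    }
}

# Keep only the top-most matching keys: exporting a parent already covers its subkeys.
$top = @()
foreach ($k in (Find-SensorRegistryKey | Sort-Object -Unique)) {
    $covered = $top | Where-Object { $k.StartsWith($_ + '\', [StringComparison]::OrdinalIgnoreCase) }
    if (-not $covered) { $top += $k }
}

# Export each key to its own .reg file (assumed backup location: a folder under %TEMP%).
$backupDir = Join-Path $env:TEMP ('AatpRegBackup_{0:yyyyMMdd_HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $backupDir | Out-Null
$n = 0
$report = foreach ($k in $top) {
    $n++
    $file = Join-Path $backupDir ('key_{0:D4}.reg' -f $n)
    & reg.exe export $k $file /y | Out-Null
    [pscustomobject]@{ Key = $k; Backup = $file; Exported = ($LASTEXITCODE -eq 0) }
}
$report | Export-Csv -Path (Join-Path $backupDir 'index.csv') -NoTypeInformation
$report | Format-List
```

HKEY_CLASSES_ROOT is a merged view that includes HKLM\SOFTWARE\Classes, so some keys are listed under both roots. Review `index.csv` and confirm each key really refers to the sensor before removing anything by hand.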
- csmmajors, Jun 06, 2024, Copper Contributor
I was able to complete the uninstall doing this as well, but first I had to navigate to C:\Program Files\Azure Advanced Threat Protection Sensor\2.235.17900.47908 - and go back to the add and remove programs and uninstall, this was done after a reboot and restoring the Azure Advanced Threat protection folder from Recycle Bin.
One other thing I found out from Eli's earlier post is you can find your version of the Tri Sensor in the logs located: C:\Users\*username*\AppData\Local\Temp under the Microsoft.Tri.Sensor. Log
- ranblv, Aug 25, 2022, Copper Contributor
This was very helpful thank you.
- Givilleneuve, Sep 16, 2020, Copper Contributor
- EliOfek, Aug 29, 2018, Microsoft
Can you share the failing call stack from the deployment log?
I wonder if I can change the code to auto recover from this situation.
The call stack might help me do that.
- Ken Brown, Feb 23, 2021, Copper Contributor
I had the same issue happen to me today. Windows 2012r2. I think the server restarted during the install. However there is not a log folder that was created.
Can't uninstall (says not installed). Trying to reinstall it says setup is already running. I'll try removing the registry keys and try the install again.
- EliOfek, Feb 24, 2021, Microsoft
Ken Brown "already running" means you have another deployment process running.
Maybe you did not close the uninstall attempt or did not wait enough time for it to exit?
I would restart the machine to make sure it's clean from running deployments and try to install again to see what happens...
- Noel Fairclough, Sep 21, 2018, Brass Contributor
Hi Eli,
I've actually had the same issue occur now on a separate domain controller. It looks like when the ATP Sensor went to self update, it broke itself during the install process. And again the same result - it reports as not responding in the portal. On the Domain Controller, there is no ATP service listed in services.msc, and the sensor is unable to be uninstalled (because it doesn't exist) and it's unable to be reinstalled because it thinks it already is.
I have some more information this time. It appears to have happened on August 29th (a while ago I know - I only just got around to doing a better look into it). I can see the following events in the application log.
Event ID 1040 (MSI Installer)
Beginning a Windows Installer transaction: C:\ProgramData\Package Cache\{D3EE6325-F634-4C55-9AA8-A197DB7781A4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi. Client Process Id: 5644.
Event ID 10000 (RestartManager)
Starting session 0 - 2018-08-29T04:54:37.351639000Z.
Event ID 1026 (.NET Runtime)
Application: rundll32.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: exception code c0000005, exception address 00007FFE6D3034D2
Stack:
Event ID 1000 (Application Error)
Faulting application name: rundll32.exe_MSIE9AD.tmp, version: 6.3.9600.17415, time stamp: 0x54504eb8
Faulting module name: MSIE9AD.tmp, version: 2.43.5215.24283, time stamp: 0x590746fd
Exception code: 0xc0000005
Fault offset: 0x00000000000034d2
Faulting process id: 0xbdc
Faulting application start time: 0x01d43f5463b51c8a
Faulting application path: C:\Windows\system32\rundll32.exe
Faulting module path: C:\Windows\Installer\MSIE9AD.tmp
Report Id: addfe5ab-ab47-11e8-810b-000d3ad01b38
Faulting package full name:
Faulting package-relative application ID:
Event ID 11707 (MSIINSTALLER)
Product: Azure Advanced Threat Protection Sensor -- Installation completed successfully.
Event ID 1033 (MSIINSTALLER)
Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.
Event ID 1042 (MSIINSTALLER)
Ending a Windows Installer transaction: C:\ProgramData\Package Cache\{D3EE6325-F634-4C55-9AA8-A197DB7781A4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi. Client Process Id: 5644.
Event ID 10001 (RestartManager)
Ending session 0 started 2018-08-29T04:54:37.351639000Z.
So it's at this point the installation has failed - but actually finishes with a success code. It looks as though this is another instance that will need to be manually cleaned up and then reinstalled.
I'm not sure if it makes any difference - but in the ATP portal I can see the failed sensor as last reporting v2.43.5215. On the DC under C:\Program Files\Azure Advanced Threat Protection - I can see v2.47.544.8863 and 2.48.5521.36675
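The event sequence in the post above (an MSI transaction that logs a rundll32.exe crash but still ends with status 0) can be detected by correlating the same event IDs. This is an added example, not part of the original post and not Microsoft tooling; `Find-SilentMsiFailure` and `New-SampleEvent` are hypothetical names, and the sample events are constructed, with messages abridged from the thread and made-up timestamps.

```powershell
# Added example: flag MSI transactions that report success although an installer
# helper (rundll32.exe) crashed between the begin (1040) and end (1042) events.
function Find-SilentMsiFailure {
    param([object[]]$Events, [string]$Product = 'Azure Advanced Threat Protection Sensor')
    $tx = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ($e.Id) {
            1040 { $tx = @{ Start = $e.TimeCreated; Crashes = 0; Status = $null } }
            { $_ -in 1000, 1026 } {
                if ($tx -and $e.Message -match 'rundll32\.exe') { $tx.Crashes++ }
            }
            1033 {
                if ($tx -and $e.Message -like "*$Product*" -and
                    $e.Message -match 'error status: (\d+)') { $tx.Status = [int]$Matches[1] }
            }
            1042 {
                if ($tx -and $tx.Status -eq 0 -and $tx.Crashes -gt 0) {
                    [pscustomobject]@{ StartTime = $tx.Start; EndTime = $e.TimeCreated
                                       ReportedStatus = $tx.Status; CrashEvents = $tx.Crashes }
                }
                $tx = $null
            }
        }
    }
}

# Constructed sample events. On a real DC, pass this instead:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1040, 1042, 1033, 1000, 1026 }
$t0 = [datetime]'2018-08-29 04:54:30'
function New-SampleEvent($Offset, $Id, $Message) {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds($Offset); Id = $Id; Message = $Message }
}
$sample = @(
    New-SampleEvent 0  1040 'Beginning a Windows Installer transaction: Microsoft.Tri.Sensor.Deployment.Package.msi. Client Process Id: 5644.'
    New-SampleEvent 7  1026 'Application: rundll32.exe. The process was terminated due to an unhandled exception. exception code c0000005'
    New-SampleEvent 8  1000 'Faulting application name: rundll32.exe_MSIE9AD.tmp. Exception code: 0xc0000005'
    New-SampleEvent 20 1033 'Product Name: Azure Advanced Threat Protection Sensor. Installation success or error status: 0.'
    New-SampleEvent 21 1042 'Ending a Windows Installer transaction: Microsoft.Tri.Sensor.Deployment.Package.msi. Client Process Id: 5644.'
)
Find-SilentMsiFailure -Events $sample | Format-List
```

On the sample data this returns one finding with `ReportedStatus` 0 and `CrashEvents` 2, since event IDs 1026 and 1000 both record the same rundll32.exe fault.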
- EliOfek, Sep 21, 2018, Microsoft
I had a similar issue with another customer back then. The new sensor will know how to handle this case better, but if you are still stuck with the old version, the only way to uninstall it is to copy the binary exe from another sensor, and register the service manually so the uninstall can find it. (The new code should not fail if it does not find it.)
sc create AATPSensor binPath= "C:\Program Files\Azure Advanced Threat Protection Sensor\XXXXXX\Microsoft.Tri.Sensor.exe"
where XXXXXX is the exact number of the version we try to uninstall, for example: 2.39.5033.27241
Once you have that, you can try to uninstall again (don't need to actually run the service).
Let me know how it goes.