Forum Discussion

durairaj1991
Copper Contributor
Jul 07, 2024

Older versions of Teams are still appearing in the registry for other user profiles and are being flagged as vulnerable in 365 Defender


Hello,


I wanted to update you on the issues we are facing after cleaning Classic Teams. Older versions of Teams are still appearing in the registry for other user profiles and are being flagged as vulnerable in 365 Defender, specifically in the HKEY_USERS registry path for other users.


For example, as evidence from the Defender portal, here are some entries indicating software issues:

- Endpoint Name: TestPC

  - Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user1\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user2\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams

  - HKEY_USERS\user3\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams


We attempted to remove the registry entries from other user profiles to clean up the Classic Teams presence by using the following commands:

```powershell
# Load the other user's hive from disk, then test for the Classic Teams uninstall key in it
reg load "hku\$user" "C:\Users\$user\NTUSER.DAT"
Test-Path -Path "Registry::HKEY_USERS\$user\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"
```


For checking the registry presence, we used the detection and remediation method in Intune for cleaning Classic Teams. I ran the detection script on only three PCs for testing.


Surprisingly, we received a warning from Sentinel about "User and group membership reconnaissance (SAMR) on one endpoint," indicating a potential security incident involving suspicious SAMR (Security Account Manager Remote) queries. This was detected for admin accounts, DC, and also for an account belonging to someone who left the organization five years ago (ABC Admin).


I would appreciate your guidance on the best practices for detecting and removing Classic Teams leftovers in the registry for other user profiles.


Best Practice:

- How to detect and remove Classic Teams registry entries for other user profiles in the system.

- Is the best method to load the other user's hive into the registry and remove the Classic Teams registry entries from there?


Reference Links:

- [Older versions of Teams showing in user profiles](https://answers.microsoft.com/en-us/msteams/forum/all/older-versions-of-teams-showing-in-user-profiles/2bc7563c-ccc9-4afc-b522-337acff9d20e?page=1)

- [Remove old user profiles on Microsoft Teams (Reddit)](https://www.reddit.com/r/PowerShell/comments/1bvjner/remove_old_user_profiles_on_microsoft_teams/)
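A detection/remediation script of the kind the question asks for, added here as an example; it is not part of the original post and not Microsoft's Classic Teams cleanup guidance. It assumes an elevated context (SYSTEM under Intune, or an admin PowerShell), enumerates profiles through Win32_UserProfile instead of the folder names under C:\Users, and treats the hives of logged-on users, which are already mounted under HKU\<SID>, differently from the on-disk NTUSER.DAT of other profiles. It keys everything off SIDs and never translates a SID to an account name, so it makes no directory lookups. The `-Remediate` switch is this example's own convention; the uninstall key path is the one named in the post.

```powershell
# Added example (not from the original post): detect, and with -Remediate remove,
# the per-user Classic Teams uninstall key across all profiles on the machine.
# Assumes it runs elevated: SYSTEM under Intune, or an admin PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate   # off = detection only (Intune detection script); on = remove the keys
)

$TeamsKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams'
$findings = [System.Collections.Generic.List[object]]::new()

# Win32_UserProfile yields the SID and profile path of every real profile,
# including ones whose folder name no longer matches the account name.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -and (Test-Path (Join-Path $_.LocalPath 'NTUSER.DAT')) }

foreach ($p in $profiles) {
    $sid      = $p.SID
    $ntuser   = Join-Path $p.LocalPath 'NTUSER.DAT'
    $weLoaded = $false

    # A hive that is already mounted (user logged on) appears under HKU\<SID> and
    # cannot be loaded a second time, so only on-disk hives are mounted here, under
    # their own SID so that the key path is identical in both cases.
    if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
        $null = & reg.exe load "HKU\$sid" $ntuser 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not load hive for $($p.LocalPath) (reg exit $LASTEXITCODE); skipping"
            continue
        }
        $weLoaded = $true
    }

    try {
        $keyPath = "Registry::HKEY_USERS\$sid\$TeamsKey"
        if (Test-Path $keyPath) {
            $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
            $finding = [pscustomobject]@{
                Profile         = $p.LocalPath
                SID             = $sid
                DisplayVersion  = $props.DisplayVersion      # the version the scanner reports as vulnerable
                UninstallString = $props.UninstallString
                Removed         = $false
            }
            if ($Remediate) {
                Remove-Item -Path $keyPath -Recurse -Force
                $finding.Removed = -not (Test-Path $keyPath)
            }
            $findings.Add($finding)
        }
    }
    finally {
        if ($weLoaded) {
            # Release PowerShell's open registry handles first; otherwise reg unload
            # fails with "access denied" and the hive stays mounted.
            [GC]::Collect()
            [GC]::WaitForPendingFinalizers()
            $null = & reg.exe unload "HKU\$sid" 2>&1
            if ($LASTEXITCODE -ne 0) { Write-Warning "reg unload failed for $sid (exit $LASTEXITCODE)" }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No per-user Classic Teams uninstall entries found.'
} else {
    $findings | Format-Table -AutoSize | Out-String | Write-Output
}

# Intune detection convention: exit 1 = non-compliant (remediation required), exit 0 = compliant.
# After -Remediate, anything that could not be removed still counts as non-compliant.
$remaining = @($findings | Where-Object { -not $_.Removed }).Count
if ($remaining -gt 0) { exit 1 }
exit 0
```

Intune runs detection and remediation scripts without arguments, so upload this once unchanged as the detection script and once with the parameter line changed to `[switch]$Remediate = $true` as the remediation script. For a logged-on user the key is removed from the live hive and takes effect immediately; for the others the change is written back to NTUSER.DAT when the hive is unloaded, which is why the unload result is checked. The script deliberately touches only the uninstall key that the scanner flags; the program files under each profile's AppData\Local\Microsoft\Teams and the machine-wide installer are a separate cleanup.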



  •
    durairaj1991
    Copper Contributor


    ```powershell
    # Script that I used for Detection

    # Function to check a loaded hive for the Classic Teams uninstall key
    function Test-TeamsRegistry {
        param (
            [string]$hiveName
        )

        $registryPaths = @(
            "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"
        )

        foreach ($path in $registryPaths) {
            $fullPath = "Registry::HKEY_USERS\$hiveName\$path"
            if (Test-Path -Path $fullPath) {
                return $true
            }
        }

        return $false
    }

    # Get all user profiles except the admin profiles and the Public/Default profiles
    $userProfiles = Get-ChildItem 'C:\Users' | Where-Object {
        $_.PSIsContainer -and
        $_.Name -notin @('ITAdmin', 'zzzadmin', 'yyyadmin', 'xxxadmin', 'Public') -and
        $_.Name -notlike 'Default*'
    }

    $registryCheck = $false

    foreach ($userProfile in $userProfiles) {
        $userName = $userProfile.Name
        $ntUserDatPath = Join-Path $userProfile.FullName 'NTUSER.DAT'

        if (-not (Test-Path -Path $ntUserDatPath)) {
            Write-Host "NTUSER.DAT not found for user: $userName`n" -ForegroundColor Red
            continue
        }

        $hiveName = "TEMP_HIVE_$userName"

        # reg.exe is an external command, so try/catch never sees its failures;
        # check $LASTEXITCODE instead. A hive that is in use (user logged on) fails to load,
        # and testing the key afterwards would give a false "No Teams" result.
        reg load "HKU\$hiveName" "$ntUserDatPath" 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Host "Failed to load hive for '$userName' (reg exit code $LASTEXITCODE); skipping`n" -ForegroundColor Red
            continue
        }
        Write-Host "Loaded hive for $userName" -ForegroundColor Green

        try {
            if (Test-TeamsRegistry -hiveName $hiveName) {
                Write-Host "Teams installation found for user: $userName" -ForegroundColor Green
                $registryCheck = $true
            } else {
                Write-Host "No Teams installation found for user: $userName" -ForegroundColor Yellow
            }
        } finally {
            # Release PowerShell's registry handles first, otherwise reg unload fails with access denied
            [GC]::Collect()
            [GC]::WaitForPendingFinalizers()
            reg unload "HKU\$hiveName" 2>&1 | Out-Null
            Write-Host "Unloaded hive for $userName`n" -ForegroundColor Green
        }
    }

    # Get Teams installation paths
    $TeamsClassic = Get-ChildItem -Path "C:\Users\*\AppData\Local\Microsoft\Teams\current" -Filter "Teams.exe" -ErrorAction SilentlyContinue
    $TeamsPersonal = Get-AppxPackage -Name MicrosoftTeams -AllUsers
    $TeamsNew = Get-ChildItem "C:\Program Files\WindowsApps" -Filter "MSTeams_*" -ErrorAction SilentlyContinue

    # Check if Classic Teams is installed from registry (machine-wide)
    $ClassicTeamsRegistry = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Teams" -ErrorAction SilentlyContinue

    # Check if Classic Teams is installed from registry for the current user
    $ClassicTeamsRegistry_CurrentUser = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams" -ErrorAction SilentlyContinue

    # Check if the Teams registry path exists for the current user
    $ClassicTeamsRegistry_CurrentUserExists = Test-Path -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Teams"

    # Output values of the registry checks
    Write-Host "ClassicTeamsRegistry: $ClassicTeamsRegistry" -ForegroundColor Yellow
    Write-Host "ClassicTeamsRegistry_CurrentUser: $ClassicTeamsRegistry_CurrentUser" -ForegroundColor Yellow
    Write-Host "ClassicTeamsRegistry_CurrentUserExists: $ClassicTeamsRegistry_CurrentUserExists" -ForegroundColor Yellow

    # Output values of the Teams installation paths
    Write-Host "`nTeamsClassic: $TeamsClassic" -ForegroundColor Yellow
    Write-Host "TeamsPersonal: $TeamsPersonal" -ForegroundColor Yellow
    Write-Host "TeamsNew: $TeamsNew" -ForegroundColor Yellow

    # Determine result based on detection checks
    $newTeamsOnly = (-not $TeamsClassic) -and (-not $TeamsPersonal) -and $TeamsNew -and
        (-not $registryCheck) -and (-not $ClassicTeamsRegistry) -and
        (-not $ClassicTeamsRegistry_CurrentUser) -and (-not $ClassicTeamsRegistry_CurrentUserExists)

    if ($newTeamsOnly) {
        Write-Host "`nClassic and Personal Teams not found, ClassicTeamsRegistry not found, and no Teams registry path for the current user.`nNew Teams only!" -ForegroundColor Yellow
    } else {
        Write-Host "`nClassic or Personal Teams found, or a ClassicTeamsRegistry entry found." -ForegroundColor Yellow
    }

    Write-Host "`nDetection script completed."

    # Intune detection convention: exit 0 = compliant, exit 1 = remediation required
    if ($newTeamsOnly) { exit 0 } else { exit 1 }
    ```


  •
    kcelmer
    Copper Contributor

    durairaj1991 


    I'm having the same problem. I can't find Classic Teams installed on any of our endpoints, but Sentinel One keeps reporting CVEs from it on them all. Was there ever a fix? 

    •
      IS_Osayi
      Copper Contributor

      kcelmer 

      I have a script that detects and cleans Teams Classic from the endpoint.

      You can test this on a few of your endpoints to see if it works for you.

      Remember to open PowerShell with admin privileges.


      ```powershell
      # Get all user profiles on the machine (excluding special/system profiles).
      # Get-CimInstance replaces the deprecated Get-WmiObject.
      $users = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { $_.Special -eq $false }

      # Classic Teams keeps its files open while running; stop it so the folders can be deleted
      Get-Process -Name Teams -ErrorAction SilentlyContinue | Stop-Process -Force

      foreach ($user in $users) {
          $sid = $user.SID
          $profilePath = $user.LocalPath
          $ntUserDatPath = "$profilePath\NTUSER.DAT"
          $teamsLocalAppDataPath = "$profilePath\AppData\Local\Microsoft\Teams"

          Write-Host "Processing user profile: $profilePath (SID: $sid)"

          # Remove Teams data folder from LocalAppData for each user
          if (Test-Path $teamsLocalAppDataPath) {
              Write-Host "Removing Teams application data from $teamsLocalAppDataPath"
              Remove-Item -Path $teamsLocalAppDataPath -Recurse -Force
          } else {
              Write-Host "Teams data folder not found for user: $profilePath"
          }

          # Check if NTUSER.DAT file exists for the user profile (for registry cleanup)
          if (-not (Test-Path $ntUserDatPath)) {
              Write-Host "NTUSER.DAT not found for user profile: $profilePath, skipping..."
              continue
          }

          # A logged-on user's hive is already mounted at HKU\<SID>; loading it again fails
          # ("being used by another process"), so only load hives that are not mounted,
          # and remember which ones this script loaded so that only those get unloaded.
          $hiveLoadedHere = $false
          if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
              reg load "hku\$sid" "$ntUserDatPath" | Out-Null
              if ($LASTEXITCODE -ne 0) {
                  Write-Host "Could not load hive for $profilePath (reg exit code $LASTEXITCODE), skipping..."
                  continue
              }
              $hiveLoadedHere = $true
          }

          try {
              # Set the path to the Teams uninstall registry key for the loaded hive
              $uninstallKey = "Registry::HKEY_USERS\$sid\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teams"

              # Check if the Teams uninstall registry key exists
              if (Test-Path -Path $uninstallKey) {
                  Write-Host "Removing Teams uninstall registry entry for user: $profilePath"
                  Remove-Item -Path $uninstallKey -Recurse -Force
              } else {
                  Write-Host "No Teams uninstall entry found for user: $profilePath"
              }
          } finally {
              if ($hiveLoadedHere) {
                  # Release PowerShell's registry handles first, otherwise reg unload reports access denied
                  [GC]::Collect()
                  [GC]::WaitForPendingFinalizers()
                  reg unload "hku\$sid" | Out-Null
              }
          }
      }

      # Remove Teams from the machine-wide installed applications.
      # Win32_Product is avoided on purpose: enumerating it triggers a consistency check
      # (and possible repair) of every MSI package on the machine. The Uninstall keys carry
      # the same information, and for MSI products the key name is the ProductCode GUID.
      Write-Host "Uninstalling Teams Classic from the machine..."
      $uninstallRoots = @(
          'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
      )
      $apps = Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
          Get-ItemProperty |
          Where-Object { $_.DisplayName -like "*Microsoft Teams*" -and $_.PSChildName -match '^\{[0-9A-Fa-f-]+\}$' }

      if ($apps) {
          foreach ($app in $apps) {
              Write-Host "Uninstalling $($app.DisplayName) ($($app.PSChildName))"
              $proc = Start-Process -FilePath msiexec.exe -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait -PassThru
              Write-Host "msiexec exit code: $($proc.ExitCode)"
          }
          Write-Host "Teams Classic uninstalled from the machine."
      } else {
          Write-Host "Teams Classic is not installed at the machine-wide level."
      }

      Write-Host "Teams Classic cleanup complete for all users."
      ```
