Manually uninstall the Azure ATP sensor
Hi Eli,
I've actually had the same issue occur now on a separate domain controller. It looks like when the ATP Sensor went to self update, it broke itself during the install process. And again the same result - it reports as not responding in the portal. On the Domain Controller, there is no ATP service listed in services.msc, and the sensor is unable to be uninstalled (because it doesn't exist) and it's unable to be reinstalled because it thinks it already is.
I have some more information this time. It appears to have happened on August 29th (a while ago I know - I only just got around to doing a better look into it). I can see the following events in the application log.
Event ID 1040 (MSI Installer)
Beginning a Windows Installer transaction: C:\ProgramData\Package Cache\{D3EE6325-F634-4C55-9AA8-A197DB7781A4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi. Client Process Id: 5644.
Event ID 10000 (RestartManager)
Starting session 0 - 2018-08-29T04:54:37.351639000Z.
Event ID 1026 (.NET Runtime)
Application: rundll32.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: exception code c0000005, exception address 00007FFE6D3034D2
Stack:
Event ID 1000 (Application Error)
Faulting application name: rundll32.exe_MSIE9AD.tmp, version: 6.3.9600.17415, time stamp: 0x54504eb8
Faulting module name: MSIE9AD.tmp, version: 2.43.5215.24283, time stamp: 0x590746fd
Exception code: 0xc0000005
Fault offset: 0x00000000000034d2
Faulting process id: 0xbdc
Faulting application start time: 0x01d43f5463b51c8a
Faulting application path: C:\Windows\system32\rundll32.exe
Faulting module path: C:\Windows\Installer\MSIE9AD.tmp
Report Id: addfe5ab-ab47-11e8-810b-000d3ad01b38
Faulting package full name:
Faulting package-relative application ID:
Event ID 11707 (MSIINSTALLER)
Product: Azure Advanced Threat Protection Sensor -- Installation completed successfully.
Event ID 1033 (MSIINSTALLER)
Windows Installer installed the product. Product Name: Azure Advanced Threat Protection Sensor. Product Version: 2.0.0.0. Product Language: 1033. Manufacturer: Microsoft Corporation. Installation success or error status: 0.
Event ID 1042 (MSIINSTALLER)
Ending a Windows Installer transaction: C:\ProgramData\Package Cache\{D3EE6325-F634-4C55-9AA8-A197DB7781A4}v2.0.0.0\Microsoft.Tri.Sensor.Deployment.Package.msi. Client Process Id: 5644.
Event ID 10001 (RestartManager)
Ending session 0 started 2018-08-29T04:54:37.351639000Z.
So it's at this point the installation has failed - but actually finishes with a success code. It looks as though this is another instance that will need to be manually cleaned up and then reinstalled.
I'm not sure if it makes any difference - but in the ATP portal I can see the failed sensor as last reporting v2.43.5215. On the DC under C:\Program Files\Azure Advanced Threat Protection - I can see v2.47.544.8863 and 2.48.5521.36675
I had a similar issue with another customer back then. The new sensor will know how to handle this case better, but if you are still stuck with the old version, the only way to uninstall it is to copy the binary exe from another sensor and register the service manually so the uninstall can find it (the new code should not fail if it does not find it).
sc create AATPSensor binPath= "C:\Program Files\Azure Advanced Threat Protection Sensor\XXXXXX\Microsoft.Tri.Sensor.exe"
where XXXXXX is the exact number of the version we try to uninstall, for example: 2.39.5033.27241
Once you have that, you can try to uninstall again (don't need to actually run the service).
Let me know how it goes.
- Abigaille, May 02, 2023, Copper Contributor
EliOfek This worked for me. I had to run that command with the old version and then copy another folder in C:\Program Files\Azure Advanced Threat Protection Sensor (there were newer version folders in there) and rename the folder to the old version number then I was able to fully uninstall and reinstall the sensor.
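The checks and the registration step described in the replies above, combined into one script. This is an added example, not code from the thread or from Microsoft; the parameter names and the dry-run default are assumptions, and it calls sc.exe by its full name because in Windows PowerShell "sc" is an alias for Set-Content.

```powershell
# Added example, not from the thread. Run elevated on the affected domain controller.
param(
    # Version the uninstaller expects (the XXXXXX in the reply), e.g. 2.39.5033.27241
    [Parameter(Mandatory = $true)] [string] $Version,
    # Install root as written in the reply; adjust if yours differs
    [string] $Root = 'C:\Program Files\Azure Advanced Threat Protection Sensor',
    # Hypothetical switch: without it the script only reports what it would run
    [switch] $Register
)

$serviceName = 'AATPSensor'   # service name from the reply's sc create command
$binary = Join-Path (Join-Path $Root $Version) 'Microsoft.Tri.Sensor.exe'

# 1. The workaround applies only when the service entry is really missing.
if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) {
    Write-Warning "$serviceName is already registered; no manual registration needed."
    return
}

# 2. List the version folders on disk so a version mismatch is visible.
if (Test-Path -LiteralPath $Root) {
    Get-ChildItem -LiteralPath $Root -Directory |
        Select-Object Name, LastWriteTime | Format-Table -AutoSize | Out-Host
}

# 3. The binary must exist under the exact version folder being uninstalled.
if (-not (Test-Path -LiteralPath $binary -PathType Leaf)) {
    Write-Warning "Not found: $binary"
    Write-Warning 'Copy the sensor folder from a working sensor and name it after that version first.'
    return
}

# 4. Register the service (it does not need to be started), then rerun the uninstall.
if (-not $Register) {
    Write-Host "Dry run. Would execute: sc.exe create $serviceName binPath= `"$binary`""
    return
}
& sc.exe create $serviceName binPath= $binary
if ($LASTEXITCODE -ne 0) {
    Write-Warning "sc.exe exited with code $LASTEXITCODE; service was not created."
    return
}
Get-Service -Name $serviceName | Select-Object Name, Status
```

Run it once without -Register to review the folder listing and the command, then again with -Register before retrying the uninstall.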
- woodrum335, Aug 05, 2019, Copper Contributor
I ran into a similar issue today on a 2008 R2 DC (I know...). It was listed in programs and features list that it wasn't installed, but the installer wouldn't let me run. Found 2 entries in the registry with "Azure Advanced" that were related to this, removed them, and then the installer went through. Experienced an issue with the installer not being able to find msvcr120_clr0400.dll as well. I installed the .Net Framework 2013 redistributables and then had to re-install .Net 4.7 and finally it's all good.
Also... any idea why the 2019 DC's are reporting an error that NetBIOS over 137 isn't working properly? The 2008 R2's, 2012's, and 2016's are all "healthy" in the console, but I've noticed 3 different 2019 DC's (with Windows Firewall disabled) are reporting an error.
Thanks.
- Dennis_Peabody, Jul 29, 2019, Copper Contributor
This fixed it up for me. Many thanks.