This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TechnoJock
Explorer
‎2021-03-30 11:45 AM
Jump to solution

Uninstall Check Point Endpoint Security without Uninstall Password

I found a conversation very similar to my situation.

In this case - there was no registry entry for HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security and adding two entries allowed the default password to be used to uninstall this software.

I'm trying to remove the software - without knowing the uninstall password - but when I check my registry I have a bunch of entries under:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\Endpoint Security

There are UninstPwdHash & UninstPwdSalt entries along with others.

I added the suggested UninstPwdSaltDA & UninstPwdHashDA with values of 0 but I am still receiving the error of invalid password.

I'm hoping someone can help me in that I see that I can either:

  • Remove these existing values & hope the new DA values will be in effect
  • Update these existing values to 0
  • Remove the newly added DA entries - change the existing to add DA suffix to their name and set their value to 0

I'm afraid if I mess something up too bad then I may not be able to get back into my machine.

Any/all help is welcome.

 

1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2021-04-01 06:26 AM
Jump to solution

I see the following solution possibilities, but they all require access to an EPS Server, the first two to the EPS that also deployed your agent.

- if your EPS client is connected to the Server and an E84.30 client or above, configure uninstall by Push Operation > Add > Agent Settings > Uninstall Client. This is pushed to the client and you will see the status in EPS.

- if your EPS client is connected to the Server, simply change the uninstall password in Common Client policy in the Policies tab (sk61168), client will update the registry values and uninstall is possible

- if not, deploy a new client with known uninstall password to another machine and copy the 2 UninstPwdHash & UninstPwdSalt entries from it to your registry. Now you should be able to uninstall using sk118233. This does not need the original EPS Server at all, so you could also do a eval lab deployment.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

11 Replies
PhoneBoy
Admin
Admin
‎2021-03-30 07:47 PM
Jump to solution

I recommend engaging with the TAC on this.

0 Kudos
(2)
Luiz_
Collaborator
‎2021-03-31 05:17 PM
Jump to solution

You already followed this sk right? 

0 Kudos
TechnoJock
Explorer
‎2021-04-01 05:03 AM
In response to Luiz_
Jump to solution

Yes - the solution assumes I have the uninstall password - which I do not. In fact, this is where I started before I added the two entries with DA suffixes. Thanks.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-04-01 06:26 AM
Jump to solution

I see the following solution possibilities, but they all require access to an EPS Server, the first two to the EPS that also deployed your agent.

- if your EPS client is connected to the Server and an E84.30 client or above, configure uninstall by Push Operation > Add > Agent Settings > Uninstall Client. This is pushed to the client and you will see the status in EPS.

- if your EPS client is connected to the Server, simply change the uninstall password in Common Client policy in the Policies tab (sk61168), client will update the registry values and uninstall is possible

- if not, deploy a new client with known uninstall password to another machine and copy the 2 UninstPwdHash & UninstPwdSalt entries from it to your registry. Now you should be able to uninstall using sk118233. This does not need the original EPS Server at all, so you could also do a eval lab deployment.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
gfassauer
Explorer
‎2021-04-28 02:36 AM
In response to G_W_Albrecht
Jump to solution

Hello,

I'm in a similar situation as TechnoJock: my uninstall password does not work.

I already created a new uninstall password and pushed this out to the clients. I consider that this was successesful as I can see that the new policy is shown on the client. But even with this new password it does not work.

@G_W_Albrecht: you mentioned in your last post that there is a possibility to push out a client uninstall task. But I don't have this option available in my console. Can you maybe specify with version of the management server/console is necessary to have this option?

We are in the process of re-deploying > 100 windows clients. Due to the COVID situation these clients are spread across Europe and the removing the CheckPoint client is one of the major obstacles in this process.

Unfortunately Management decided not to continue with CheckPoint so I don't have the possibility to open a TAC case.

So any help is much apreciated.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-05-26 02:42 AM
In response to gfassauer
Jump to solution

Better use method three (changing Win Registry values to set uninstall password) using your deployment tools - because you would have to upgrade SMS/EPSS and all clients to a version enabling push uninstall, which is rather hard to do...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Joost_CP
Explorer
‎2021-05-26 12:17 AM
In response to G_W_Albrecht
Jump to solution

I  evaluated the endpoint security solution, changed and deployed a custom uninstall password but did not remember or write down what I changed it to. I did not have access to the harmony portal anymore because our evaluation was over. Whoops. I did not want to reinstall my laptop.

I succeeded in uninstalling my endpoint security by using your 3rd option, copying the hash and salt from client with default password. 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-05-26 02:37 AM
In response to Joost_CP
Jump to solution

Yes, that is a good workaround in such a case ! I do appreciate Kudos 😎 btw.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
erikc_soda
Explorer
‎2022-04-19 06:00 AM
In response to Joost_CP
Jump to solution

Are you able to post the default keys?  I have 3 clients left over that I am trying to uninstall and having the exact same issue as you. (wish I had copied key from one of my other machines, if i had only known)  They are using some legacy software and will be a real PITA to try and reformat and reload.

mmorales7456789
Explorer
‎2023-05-19 01:07 PM
In response to Joost_CP
Jump to solution

Hi, do you have this values? "the hash and salt from client with default password" can you share with me this?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-05-19 03:16 PM
In response to mmorales7456789
Jump to solution

You might try: https://support.checkpoint.com/results/sk/sk173647 
The other option is to contact the TAC, who may be able to assist here: https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events