Getting Data In

Universal Forwarder can't be uninstalled by another user

jan_wohlers
Path Finder

Dear Splunkys,

I installed the Universal Forwarder on 3 different machines in the same domain testwise (all windows 2008 r2). A few days later my collegue tried to uninstall them but he couldn't find the uninstaller in the control center. As I tried to uninstall the software I found the uninstaller in control center -> Programs & ...

Is this normal? Both of us are Serveradmins with exactly the same priviledges (both accounts were created at the same time). There should be a way, that also other server admins could uninstall this piece of software. Otherwise we have to create a special "install software account".

Are there any other facing this problem?

regards

Jan

Tags (1)
1 Solution

abonuccelli_spl
Splunk Employee
Splunk Employee

I've written this batch script, did the trick for me.
Running the command pointed by UninstallString REG_SZ in registry would just show "This action is only valid for products that are currently installed."
So the trick is to rerun the Installer then stop and remove service then grab that UninstallString command and launch it.
If you have 100s of UF to uninstall might become a bit trick so here is the batch script customUFUninstall.bat:

rem First argument is full path to the installer name (must be same used during previous installation)
rem Second argument is full existing installation path (where it is currently installed and needs to be removed)
sc stop SplunkForwarder
sc delete SplunkForwarder
call MsiExec /i %1 AGREETOLICENSE=Yes INSTALLDIR=%2 LAUNCHSPLUNK=0 /quiet
reg query HKLM\Software\Microsoft /t REG_SZ /s /f %2% | findstr InstallProperties > temp.txt
set /p splunkKey=<temp.txt
reg query %splunkKey% /s | findstr UninstallString > temp.txt
for /F "tokens=3,4* delims= " %%i in (temp.txt) do %%i %%j
del temp.txt
echo Uninstall Complete

Istructions:

  1. Login to the host where the UF is installed using Administrator account
  2. Create a folder Y:\myscript 

  3. Drop the attached customUFUninstall.bat script in Y:\myscript 

  4. Copy the same binary (e.g. splunkforwarder-4.3.6-153775-x64-release.msi) used to install existing UF forwarder installation to Y:\myscript 

  5. Locate full path to existing installation which has to be removed (e.g. H:\Programs\Splunk\Splunk_Universal_Forwarder_436) 

  6. CD to Y:\myscript and launch the command below: 
customUFUninstall.bat 
e.g. 
customUFIUninstall.bat splunkforwarder-4.3.6-153775-x64-release.msi H:\Programs\Splunk\Splunk_Universal_Forwarder_436 

  7. Click 'Yes' or 'OK' at any window.

View solution in original post

abonuccelli_spl
Splunk Employee
Splunk Employee

I've written this batch script, did the trick for me.
Running the command pointed by UninstallString REG_SZ in registry would just show "This action is only valid for products that are currently installed."
So the trick is to rerun the Installer then stop and remove service then grab that UninstallString command and launch it.
If you have 100s of UF to uninstall might become a bit trick so here is the batch script customUFUninstall.bat:

rem First argument is full path to the installer name (must be same used during previous installation)
rem Second argument is full existing installation path (where it is currently installed and needs to be removed)
sc stop SplunkForwarder
sc delete SplunkForwarder
call MsiExec /i %1 AGREETOLICENSE=Yes INSTALLDIR=%2 LAUNCHSPLUNK=0 /quiet
reg query HKLM\Software\Microsoft /t REG_SZ /s /f %2% | findstr InstallProperties > temp.txt
set /p splunkKey=<temp.txt
reg query %splunkKey% /s | findstr UninstallString > temp.txt
for /F "tokens=3,4* delims= " %%i in (temp.txt) do %%i %%j
del temp.txt
echo Uninstall Complete

Istructions:

  1. Login to the host where the UF is installed using Administrator account
  2. Create a folder Y:\myscript 

  3. Drop the attached customUFUninstall.bat script in Y:\myscript 

  4. Copy the same binary (e.g. splunkforwarder-4.3.6-153775-x64-release.msi) used to install existing UF forwarder installation to Y:\myscript 

  5. Locate full path to existing installation which has to be removed (e.g. H:\Programs\Splunk\Splunk_Universal_Forwarder_436) 

  6. CD to Y:\myscript and launch the command below: 
customUFUninstall.bat 
e.g. 
customUFIUninstall.bat splunkforwarder-4.3.6-153775-x64-release.msi H:\Programs\Splunk\Splunk_Universal_Forwarder_436 

  7. Click 'Yes' or 'OK' at any window.

rgcurry
Contributor

I have not seen this on Win2K8 but I have seen it with other apps on older versions of Windows. A few years ago, I had a co-worker tell me he could not remove an app from one of our servers (Win2k) but when I logged onto the server, it was listed. We were in the same domain group and defined as admins on the server. Go figure. We never did figure out why this happened.

Did you check the registry to see if there was any thing odd about the application's definitions?

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...