Remotely Uninstall ESET Antivirus with PowerShell
Recently, one of the companies that I provide support for switched from using ESET to a new antivirus vendor. The problem is that all of their servers had both ESET File Security and the ESET Remote Administrator Agent installed which needed to be uninstalled before installing the new antivirus agent.
I determined that the following commands could be used to uninstall the applications.
1#Uninstall Eset Remote Administrator Agent
2sc.exe delete eraagentsvc
3msiexec.exe /qn /x {41F12F70-5FA9-43F5-94F4-53B54EB4EEC4}
4
5#Uninstall Eset File Security
6msiexec.exe /qn /x {22ED011A-E075-4D3D-AE41-E00F4372470A}
Running msiexec.exe /?
shows the available options.
Based on this information, it appears that /x
is to uninstall and /qn
is for no user input. The
uninstall of ESET File Security using the previous commands that I provided cause the system to
reboot automatically. There appears to be a switch for msiexec.exe
to suppress the reboot, but
it's not something that I tried since the removal process does indeed require a restart.
I initially wrapped those commands inside of the Invoke-Command cmdlet to remotely remove those two applications, but the problem that I ran into is the remoting session didn't wait long enough for the uninstall to complete before ending the session.
The solution was to use
Get-Process
inside of Invoke-Command
with the Wait
parameter to allow the uninstall to complete before the
remoting session ended.
1#Uninstall Eset - Warning: This will reboot the server when complete
2Invoke-Command -ComputerName Server01, Server02, Server03 {
3
4 #Uninstall Eset Remote Administrator Agent
5 Start-Process 'sc.exe' -ArgumentList 'delete eraagentsvc' -Wait
6 Start-Process 'msiexec.exe' -ArgumentList '/qn /x {41F12F70-5FA9-43F5-94F4-53B54EB4EEC4}' -Wait
7
8 #Uninstall Eset File Security
9 Start-Process 'msiexec.exe' -ArgumentList '/qn /x {22ED011A-E075-4D3D-AE41-E00F4372470A}' -Wait
10
11} -Credential (Get-Credential)
You could use Get-Content to read from a list of server names in a text file or Get-ADComputer to read server names from Active Directory.
You could also query the event logs of those remote servers to verify that the applications were indeed uninstalled.
1Invoke-Command -ComputerName Server01, Server02, Server03 {
2 Get-WinEvent -FilterHashtable @{LogName = 'Application'; ID = '1034'; ProviderName = 'MsiInstaller'; StartTime = (Get-Date).AddDays(-1)}
3} -Credential (Get-Credential)
While
Get-WinEvent
has a ComputerName
parameter, it's much more likely that it will be blocked by a firewall on your
network or that the necessary ports to use it won't be open on the server that you're querying.
You'll avoid these problems by wrapping it inside of Invoke-Command
instead. This also allows all
of the remote systems to be queried at once (up to 32 at once by default) instead of one at a time.
µ