-
Notifications
You must be signed in to change notification settings - Fork 8
/
Remove-UniversalForwarder-BrokenMSI.ps1
134 lines (111 loc) · 4.69 KB
/
Remove-UniversalForwarder-BrokenMSI.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
<#
.Synopsis
Removes Splunk UniversalForwarder from host without windows installer assitance.
.DESCRIPTION
For use only in cases where MSI package install/uninstall routines fail.
.NOTES
Use at your own risk as last resort.
#>
$OrigVerbosePreference = $VerbosePreference
$OrigDebugPreference = $DebugPreference
$VerbosePreference = "Continue"
$DebugPreference = "SilentlyContinue"
########################################
### FUNCTIONS
########################################
function remove-installer-packagekeys {
param ($ProductCode)
if (!(test-path HKCR:)) { New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT }
$Key = "HKCR:\Installer\Products\$($ProductCode)"
if (test-path $Key) {
write-verbose "found installer key: $($Key), removing it."
get-item $Key | Remove-Item -Recurse
}
$Key = "HKCR:\Installer\Features\$($ProductCode)"
if (test-path $Key) {
write-verbose "found feature key: $($Key), removing it."
get-item $Key | Remove-Item -Recurse
}
$keys = Get-ChildItem "HKCR:\Installer\UpgradeCodes"
foreach ($Key in $Keys) {
if ($Key.Property -eq $ProductCode) {
Write-verbose "found upgrade key $($Key), removing it."
$Key | Remove-Item -Recurse
}
}
} # remove-regkey-hkcr
########################################
### MAIN
########################################
### IF SERVICE IS RUNNING, STOP IT
$ServiceName = "SplunkForwarder"
$Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($Service) {
Write-Verbose "$($ServiceName) service is running, stopping it."
$Service | Stop-Service -Force
}
### IF SERVICE IS REGISTERED, DELETE IT
$Service = Get-WmiObject -Class Win32_Service -Filter "Name='$($ServiceName)'"
if ($Service) {
Write-Verbose "$($ServiceName) service is present, deleting it."
[void] $service.delete()
}
### IF INSTALLATION DIRECTORY IS PRESENT, REMOVE IT
$InstallDir = "C:\Program Files\SplunkUniversalForwarder"
if (Test-Path -Path $InstallDir) {
Write-Verbose "Found $($InstallDir), removing it."
Remove-Item -Path $InstallDir -Recurse
}
### IF DRIVERS ARE PRESENT, REMOVE THEM
$SearchFor = "Splunk"
$results = @()
$keys = Get-ChildItem "HKLM:\System\CurrentControlSet\Services"
foreach ($Key in $Keys) {
$obj = New-Object psobject
Add-Member -InputObject $obj -MemberType NoteProperty -Name DisplayName -Value $Key.GetValue("DisplayName")
Add-Member -InputObject $obj -MemberType NoteProperty -Name Description -Value $Key.GetValue("Description")
Add-Member -InputObject $obj -MemberType NoteProperty -Name Path -Value $Key.PSPath
$results += $obj
}
$results = $results | where {(($_.DisplayName -match $SearchFor) -or ($_.Description -match $SearchFor))}
foreach ($result in $results) {
Write-Verbose "Found $($result.DisplayName) driver, removing."
$result | Remove-Item -Recurse
}
### IF UNINSTALL KEY IS PRESENT, REMOVE IT
$results = @()
$SearchFor = "UniversalForwarder"
$keys = Get-ChildItem HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
foreach ($Key in $Keys) {
$obj = New-Object psobject
Add-Member -InputObject $obj -MemberType NoteProperty -Name GUID -Value $Key.pschildname
Add-Member -InputObject $obj -MemberType NoteProperty -Name DisplayName -Value $Key.GetValue("DisplayName")
Add-Member -InputObject $obj -MemberType NoteProperty -Name DisplayVersion -Value $Key.GetValue("DisplayVersion")
Add-Member -InputObject $obj -MemberType NoteProperty -Name Path -Value $Key.PSPath
$results += $obj
}
$results = $results | where {$_.DisplayName -match $SearchFor}
foreach ($result in $results) {
Write-Verbose "Found $($result.DisplayName) uninstall key, removing."
$result | Remove-Item -Recurse
}
### IF PRODUCT KEY IS PRESENT, REMOVE IT
if (!(test-path HKCR:)) { New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT }
$results = @()
$SearchFor = "UniversalForwarder"
$keys = Get-ChildItem HKCR:\Installer\Products
foreach ($Key in $Keys) {
$obj = New-Object psobject
Add-Member -InputObject $obj -MemberType NoteProperty -Name Name -Value $Key.PSChildName
Add-Member -InputObject $obj -MemberType NoteProperty -Name ProductName -Value $Key.GetValue("ProductName")
$results += $obj
}
$results = $results | where {$_.ProductName -match $SearchFor}
foreach ($result in $results) {
$ProductCode = $Result.Name
Write-Verbose "Found ProductCode $($ProductCode) for $($SearchFor) product, removing installer references."
remove-installer-packagekeys -ProductCode $ProductCode
}
### SET LOGGING LEVELS BACK TO ORIGINAL STATE
$VerbosePreference = $OrigVerbosePreference
$DebugPreference = $OrigDebugPreference