
Unable to uninstall Endpoint Agent - keeps telling me I need to restart the computer

I am trying to uninstall Sophos Endpoint Agent from a Server 2008 R2 computer. Tamper Protection is off. I have tried stopping all Sophos services first. I have logged into the server as both the Administrator and the user that installed the Endpoint Agent.

When I try to uninstall I get this message: The computer must be restarted before Sophos Endpoint Agent can be uninstalled.

I have tried restarting the server but it does not clear the message. I need to move the agent to a different server.

Thanks,

Sally



  • The installer and the uninstaller both check for the presence of the registry value PendingFileRenameOperations under:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

    If this exists it will show the message you see.

    It should be that on start-up of the computer, the Windows Session Manager checks for this key, and then carries out the rename or deletion and logs failures to \windows\pfro.log.

    If you check out the values in the registry key you can see if they are related to Sophos.

    2 lines together is a rename pair.  A line and then an empty line is a delete.  See https://docs.microsoft.com/en-us/sysinternals/downloads/movefile for more info.

    Regards,

    Jak
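
The value layout described in the reply above (two lines together are a rename pair, a line followed by an empty line is a delete) can be decoded read-only with PowerShell. This is an added example, not part of the original thread and not Sophos tooling; the function name `ConvertFrom-PendingFileRename` and the second sample pair are constructed for illustration.

```powershell
# Added example: decode PendingFileRenameOperations (REG_MULTI_SZ) into
# rename/delete operations. Read-only; nothing is modified.
# Written to run on PowerShell 2.0 (Server 2008 R2), so no [pscustomobject].
function ConvertFrom-PendingFileRename {
    param([string[]]$Entries)

    for ($i = 0; $i -lt $Entries.Length; $i += 2) {
        $source = $Entries[$i]
        # Second line of the pair; missing or empty means "delete at boot".
        $dest = if ($i + 1 -lt $Entries.Length) { $Entries[$i + 1] } else { '' }

        # Strip the NT object-path prefix \??\ (and the leading "!" that
        # marks a replace-existing rename) so the paths read normally.
        $srcPath = $source -replace '^\\\?\?\\', ''
        $dstPath = $dest   -replace '^!?\\\?\?\\', ''

        $action = if ($dest) { 'Rename' } else { 'Delete' }

        New-Object PSObject -Property @{
            Action      = $action
            Source      = $srcPath
            Destination = $dstPath
            Sophos      = ($srcPath -like '*\Sophos\*')
        } | Select-Object Action, Source, Destination, Sophos
    }
}

# Constructed sample data. The first pair uses the path quoted in this thread;
# the second pair is a made-up rename added to show the other case.
$sample = @(
    '\??\C:\ProgramData\Sophos\Web Intelligence\del81CC.tmp', '',
    '\??\C:\Windows\Temp\example.new', '!\??\C:\Windows\System32\example.dll'
)
ConvertFrom-PendingFileRename $sample | Format-Table -AutoSize

# Same decoding against the live value on the server, if it exists.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$live = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($live) {
    ConvertFrom-PendingFileRename $live | Format-Table -AutoSize
} else {
    'PendingFileRenameOperations is not present.'
}
```

The `Sophos` column shows at a glance whether each pending operation belongs to the product being uninstalled or to something else that queued a change for the next boot.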

     

  • Hi,

    Thanks for your response. The computer has the registry entry and the value refers to Sophos (\??\C:\ProgramData\Sophos\Web Intelligence\del81CC.tmp). I then went to the pfro.log and see 13 entries - all except one are delete operations. However, I'm not clear about what my next step should be (I read your link). Can I delete the registry entry in order to remove Sophos from this server?

    Thanks,

    Sally

  • Hi Again,

    I downloaded the pendmoves file and ran it. It came up with one file (ProgramData\Sophos\Web Intelligence\delC071.tmp), so I tried to delete the file. Well it won't delete as the file is open in a remote procedure call. I stopped all the Sophos services but it didn't help. What next?

    Thanks,

    Sally