I am trying to uninstall Sophos Endpoint Agent from a Server 2008 R2 computer. Tamper Protection is off. I have tried stopping all Sophos services first. I have logged into the server as both the Administrator and the user that installed the Endpoint Agent.
When I try to uninstall I get this message: The computer must be restarted before Sophos Endpoint Agent can be uninstalled.
I have tried restarting the server but it does not clear the message. I need to move the agent to a different server.
The installer and the uninstaller both check for the presence of the registry value PendingFileRenameOperations under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
If this exists it will show the message you see.
It should be that on start-up of the computer, the Windows Session Manager checks for this key, and then carries out the rename or deletion and logs failures to \windows\pfro.log.
If you check out the values in the registry key you can see if they are related to Sophos.
2 lines together is a rename pair. A line and then an empty line is a delete. See https://docs.microsoft.com/en-us/sysinternals/downloads/movefile for more info.
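The pair layout described in the reply above can be decoded with a short read-only PowerShell script; this is an added example, not part of the original post. The function name `ConvertFrom-PendingFileRename` and the `C:\Temp` paths in the sample are hypothetical, and the `Sophos` column is just a name match on the source path.

```powershell
# Added example (not from the thread): decode PendingFileRenameOperations
# into rename/delete entries. Read-only; nothing in the registry is changed.
function ConvertFrom-PendingFileRename {
    param([string[]]$Entries)
    # Entries come in (source, target) pairs. An empty target means the
    # source is deleted at next boot; otherwise it is renamed to the target.
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $source = $Entries[$i]
        # A trailing empty string may be missing from the array: treat as delete.
        $target = ''
        if ($i + 1 -lt $Entries.Count) { $target = $Entries[$i + 1] }
        if ([string]::IsNullOrEmpty($source)) { continue }

        $operation = 'Delete'
        if ($target) { $operation = 'Rename' }

        New-Object PSObject -Property @{
            Operation = $operation
            # Strip the NT object-manager prefix \??\ for readability.
            Source    = $source -replace '^\\\?\?\\', ''
            # A leading "!" on the target means "replace an existing file".
            Target    = $target -replace '^!?\\\?\?\\', ''
            Sophos    = [bool]($source -match 'Sophos')
        } | Select-Object Operation, Source, Target, Sophos
    }
}

# Constructed sample: the first pair uses the path quoted in this thread,
# the second pair uses hypothetical paths to show a rename.
$sample = @(
    '\??\C:\ProgramData\Sophos\Web Intelligence\del81CC.tmp', '',
    '\??\C:\Temp\new.dll', '!\??\C:\Temp\old.dll'
)
ConvertFrom-PendingFileRename $sample | Format-Table -AutoSize

# Live value on the machine being checked.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
if ($prop) {
    ConvertFrom-PendingFileRename $prop.PendingFileRenameOperations | Format-Table -AutoSize
} else {
    'PendingFileRenameOperations is not present.'
}
```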
In reply to jak:
Thanks for your response. The computer has the registry entry and the value refers to Sophos (\??\C:\ProgramData\Sophos\Web Intelligence\del81CC.tmp). I then went to the pfro.log and see 13 entries - all except one are delete operations. However, I'm not clear about what my next step should be (I read your link). Can I delete the registry entry in order to remove Sophos from this server?
In reply to Sophos User2223:
I downloaded the pendmoves file and ran it. It came up with one file (ProgramData\Sophos\Web Intelligence\delC071.tmp), so I tried to delete the file. Well it won't delete as the file is open in a remote procedure call. I stopped all the Sophos services but it didn't help. What next?