Can't uninstall Sysmon 15.5 - access denied

chivaz 1 Reputation point
2024-09-09T20:23:32.8766667+00:00

Hello,

I've tried multiple suggestions of other posts, nothing worked. When I try to uninstall sysmon using the same installer used to install it, I get:

Stopping the service failed:
The system cannot find the file specified
DeleteService failed:
Access is denied.
Removing service files.

I did run:

cmd.exe /c "Sysmon64 -u force 2>&1"

cmd /c "net stop Sysmon64 2>&1"

cmd /c "net stop sysmondrv 2>&1"

Remove-Item -Path "C:\Windows\Sysmon64.exe" -Force

Remove-Item -Path "C:\Windows\SysmonDrv.sys" -Force

Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv" -Recurse -Force

Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64" -Recurse -Force

fltmc unload SysmonDrv

cmd /c "sc delete sysmon64"

cmd /c "sc delete sysmondrv"

And rebooted and tried again. Same issue.

My question is very simple: how can Sysmon be removed, and why is it so difficult for an administrator account to remove it?


1 answer

  1. Daisy Zhou 25,061 Reputation points Microsoft Vendor
    2024-09-11T07:53:16.9733333+00:00

    Hello chivaz,

    Thank you for posting in Q&A forum.

    This issue can occur due to insufficient permissions or other security settings. Here are some steps you can try to resolve this:

    First

    Use PsExec to Gain Higher Privileges: Sysmon installs its service with high integrity and might resist being stopped or uninstalled by processes with a lower integrity level, even when run as an administrator. You can use Sysinternals PsExec to run commands with NT AUTHORITY\SYSTEM privileges. Here's how:

    1. Download PsExec from the Sysinternals website: PsExec - Sysinternals | Microsoft Learn, https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    2. Open Command Prompt as Administrator.
    3. Run the following command to start a new command line with NT AUTHORITY\SYSTEM privileges:

       psexec -accepteula -i -s cmd.exe

    4. In the new command line window, try uninstalling Sysmon again:

       sysmon -u

    Second

    Delete Sysmon Registry Entries: If the above method doesn't work, you can try deleting the Sysmon registry entries manually:

    1. Open Registry Editor (regedit) as Administrator.
    2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ and delete the Sysmon entries.
    3. Reboot your server and check if Sysmon is uninstalled.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

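The two procedures on this page (the question's manual cleanup of the service, driver, files and registry keys, and the answer's suggestion to run the uninstall as NT AUTHORITY\SYSTEM through PsExec) can be chained into one script that also tells you what is still registered afterwards, instead of guessing from the uninstaller's error text. The script below is an added example; it is not code from the question author, the answerer, or Sysinternals. It assumes psexec.exe is on PATH (or is passed with -PsExec), that Sysmon was installed under the default names Sysmon64 and SysmonDrv, and that the binary sits at the path the question used; the audit part is read-only and deletes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original question or answer).
# Assumptions: psexec.exe on PATH, default Sysmon64/SysmonDrv names, binary at
# C:\Windows\Sysmon64.exe as in the question. Adjust the parameters otherwise.
param(
    [string]$PsExec    = 'psexec.exe',
    [string]$SysmonExe = 'C:\Windows\Sysmon64.exe'
)

function Invoke-SysmonUninstallAsSystem {
    param([string]$PsExec, [string]$SysmonExe)
    # -s runs the child process as SYSTEM (the answer's suggestion); -accepteula
    # stops PsExec from blocking on the licence dialog when run unattended.
    # "-u force" is the uninstall switch the question used.
    $proc = Start-Process -FilePath $PsExec `
        -ArgumentList @('-accepteula', '-s', $SysmonExe, '-u', 'force') `
        -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

function Get-SysmonLeftovers {
    # One probe per artifact the question's cleanup list touched. Each scriptblock
    # returns something truthy only while the artifact still exists.
    $probes = [ordered]@{
        'Win32 service Sysmon64'        = { Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue }
        'Kernel driver SysmonDrv'       = { Get-CimInstance Win32_SystemDriver -Filter "Name='SysmonDrv'" }
        'Loaded minifilter SysmonDrv'   = { (& fltmc.exe filters 2>$null) -match '^SysmonDrv\b' }
        'File C:\Windows\Sysmon64.exe'  = { Test-Path 'C:\Windows\Sysmon64.exe' }
        'File C:\Windows\SysmonDrv.sys' = { Test-Path 'C:\Windows\SysmonDrv.sys' }
        'Registry Services\Sysmon64'    = { Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Sysmon64' }
        'Registry Services\SysmonDrv'   = { Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv' }
    }
    foreach ($name in $probes.Keys) {
        $result = & $probes[$name]
        [pscustomobject]@{
            Artifact = $name
            Present  = [bool]$result   # empty output / $null / $false -> $false
        }
    }
}

if (Test-Path $SysmonExe) {
    $code = Invoke-SysmonUninstallAsSystem -PsExec $PsExec -SysmonExe $SysmonExe
    Write-Host "Uninstall run as SYSTEM returned exit code $code"
} else {
    Write-Host "No Sysmon binary at $SysmonExe; skipping the uninstall and auditing leftovers only"
}

$left = Get-SysmonLeftovers
$left | Format-Table -AutoSize
if ($left.Present -contains $true) {
    Write-Warning 'Sysmon artifacts remain; review the table above before retrying or rebooting.'
}
```

Run it from an elevated PowerShell prompt, reboot if the driver or service rows are still marked Present, then run it again: a service that Windows has only marked for deletion keeps its registry key until the restart, so the second pass is what confirms the host is actually clean. The audit also gives you a record of which artifact resisted removal, which is more useful for a follow-up question or ticket than "Access is denied" alone.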
