Sysmon - Uninstall

Summary

This script checks if Sysmon is installed and removes it using the built in uninstall switch.

Sample Run

Dependencies

Solution - Sysmon Solution

Task Creation

Script Details

Step 1

Navigate to Automation ➞ Tasks
step1

Step 2

Create a new Script Editor style task by choosing the Script Editor option from the Add dropdown menu
step2

The New Script page will appear on clicking the Script Editor button:
step3

Step 3

Fill in the following details in the Description section:

Name: Sysmon - Uninstall
Description: This script checks if Sysmon is installed and removes it using the built in uninstall switch.
Category: Application

Script Editor

Click the Add Row button in the Script Editor section to start creating the script
AddRow

A blank function will appear:
BlankFunction

Row 1 Function: `PowerShell Script`

Search and select the PowerShell Script function.

PowerShell Function Selected

The following function will pop up on the screen:
PowerShell Function Example

Paste in the following PowerShell script and set the Expected time of script execution in seconds to 600 seconds. Click the Save button.

<#
.SYNOPSIS
Uninstalls Sysmon from the system.

.DESCRIPTION
This script checks if Sysmon is installed and removes it using the built-in uninstall switch.

#>


    Write-Output "Checking for Sysmon service..."

    $sysmonService = Get-Service -Name "Sysmon64","Sysmon" -ErrorAction SilentlyContinue

    if ($sysmonService) {
        Write-Output "Sysmon detected. Attempting uninstall..."

        # Try Sysmon64 first, fallback to Sysmon
        if (((Get-CimInstance Win32_OperatingSystem).OSArchitecture) -match '64') {
            $sysmonExePaths = @(
                "$env:SystemRoot\System32\Sysmon64.exe",
                "$env:SystemRoot\Sysmon64.exe"
            )
        }else {
               $sysmonExePaths = @(
                "$env:SystemRoot\System32\Sysmon.exe",
                "$env:SystemRoot\Sysmon.exe"  
            )
        }

        $found = $false

        foreach ($path in $sysmonExePaths) {
            if (Test-Path $path) {
                Write-Output "Using: $path"
                & $path -u force
                $found = $true
                break
            }
        }

        if (-not $found) {
            Write-Warning "Sysmon executable not found. Attempting service removal..."

            sc.exe stop Sysmon | Out-Null
            sc.exe delete Sysmon | Out-Null
            sc.exe stop Sysmon64 | Out-Null
            sc.exe delete Sysmon64 | Out-Null
        }
    }
    else {
        Write-Output "Sysmon is not installed."
    }

Row 2 Function: Script Log

Add a new row by clicking the Add Row button.
Add Row

A blank function will appear.

Search and select the Script Log function.
Script Log Search

In the script log message, simply type %output% and click the Save button.
Script Log Save

Save Task

Click the Save button at the top-right corner of the screen to save the script.
SaveButton

Completed Task

Output

Script Logs

Changelog

2026-03-26

Initial version of the document

Summary​

Sample Run​

Dependencies​

Task Creation​

Script Details​

Step 1​

Step 2​

Step 3​

Script Editor​

Row 1 Function: PowerShell Script​

Row 2 Function: Script Log​

Save Task​

Completed Task​

Output​

Changelog​

2026-03-26​