Remove-SentinelOne
Overview
This script is designed to uninstall the SentinelOne agent from a Windows system. If Anti-Tamper is enabled, a passphrase must be provided.
Requirements
- PowerShell v5 or higher
- Administrative privileges are required for execution
Process
- Environment Setup:
  - Configures PowerShell preferences to suppress progress output.
  - Ensures secure communication protocols are enabled.
  - Bootstraps the NuGet package provider and sets the PowerShell Gallery repository as trusted.
  - Installs or updates the Strapper module and sets up the environment.

- Locate SentinelOne Agent:
  - Dynamically searches for the SentinelOne agent installation directory under C:\Program Files\SentinelOne\.
  - Selects the most recently created directory matching the name "Sentinel Agent."

- Verify Uninstall File:
  - Checks if the uninstall.exe file exists in the SentinelOne agent directory.
  - Logs an error and exits if the file is not found.

- Construct Uninstall Command:
  - Builds the uninstall command with default arguments for silent and non-restarting uninstallation.
  - If a passphrase is provided, it is included in the uninstall command.
  - If no passphrase is provided, the script assumes Anti-Tamper protection is disabled and proceeds without it.

- Execute Uninstallation:
  - Runs the uninstall.exe file with the constructed arguments.
  - Waits for the uninstallation process to complete.

- Post-Uninstallation Verification:
  - Checks if the SentinelOne agent directory or uninstall.exe file still exists after the uninstallation process.
  - Logs success if the agent is successfully removed.
  - Logs an error if the directory or file still exists.

- Error Handling:
  - Catches and logs any exceptions that occur during the process.
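
The locate, verify and post-uninstallation checks described above can be run on their own as a read-only audit before and after the script. The following is an added example, not code from Remove-SentinelOne.ps1; the function name `Get-SentinelAgentState`, its `-Root` parameter and the assumption that agent folder names begin with "Sentinel Agent" are hypothetical.

```powershell
# Added example (not part of Remove-SentinelOne.ps1): read-only state check.
# Function and parameter names are hypothetical.
function Get-SentinelAgentState {
    [CmdletBinding()]
    param(
        # Root path taken from the Process section of this page.
        [string]$Root = 'C:\Program Files\SentinelOne'
    )

    $state = [ordered]@{
        AgentDirectory   = $null    # newest "Sentinel Agent*" directory, if any
        UninstallerPath  = $null    # uninstall.exe inside that directory, if present
        OlderDirectories = @()      # leftover directories from earlier versions
        Installed        = $false   # true while any agent directory remains
    }

    if (Test-Path -LiteralPath $Root -PathType Container) {
        # Assumption: agent folders are named "Sentinel Agent" plus an optional suffix.
        # Several can coexist after upgrades, so pick the most recently created one.
        $dirs = @(Get-ChildItem -LiteralPath $Root -Directory |
            Where-Object { $_.Name -like 'Sentinel Agent*' } |
            Sort-Object -Property CreationTime -Descending)

        if ($dirs.Count -gt 0) {
            $state.Installed        = $true
            $state.AgentDirectory   = $dirs[0].FullName
            $state.OlderDirectories = @($dirs | Select-Object -Skip 1 |
                ForEach-Object { $_.FullName })

            $exe = Join-Path -Path $dirs[0].FullName -ChildPath 'uninstall.exe'
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $state.UninstallerPath = $exe
            }
        }
    }

    [pscustomobject]$state
}

# Run before the uninstall to confirm uninstall.exe is present, and again
# afterwards: Installed should be False once the agent directory is gone.
Get-SentinelAgentState | Format-List
```

A result with Installed set to True and an empty UninstallerPath corresponds to the case where the script logs an error and exits because uninstall.exe was not found.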
 
Payload Usage
Uninstalls the SentinelOne agent using the provided passphrase. This is required if Anti-Tamper protection is enabled.
.\Remove-SentinelOne.ps1 -PassPhrase "YourPassphraseHere"
Attempts to uninstall the SentinelOne agent without a passphrase. This assumes that Anti-Tamper protection is disabled. If Anti-Tamper protection is enabled, the uninstallation will fail.
.\Remove-SentinelOne.ps1
Parameters
| Parameter | Alias | Required | Default | Type | Description | 
|---|---|---|---|---|---|
| -PassPhrase | | False | | String | Passphrase for disabling anti-tampering |
Output
- .\Remove-SentinelOne-log.txt
- .\Remove-SentinelOne-error.txt