IBM Support

IBM Security Guardium Windows STAP uninstallation using Registry

Troubleshooting


Problem

IBM Security Guardium STAP is grayed out in Add/Remove Programs, and uninstallation from the command line does not work.

Symptom

Removal of IBM Guardium STAP is grayed out in Programs and Features, and running the following command also does not remove the STAP:

setup.exe" /s /z" --host=g10.guardium.com --remove=true

Diagnosing The Problem

Warning!

The steps below require in-depth knowledge of the Windows operating system. Do not attempt them unless the normal uninstall methods for Windows S-TAP have all failed. It is recommended that an administrator who knows the server assists.

Run the command below to check whether the STAP and the kernel drivers are running:

sc query Guardium_STAP


Note: for v10 there is a "Guardium Resource Monitor" service that should be handled in the same way as the S-TAP.


For v10:

driverquery | findstr "GUARDIUM wfp NpPrc NtTdi"

 


Example:

 

C:\Users\>driverquery | findstr "GUARDIUM wfp NpPrc NtTdi"

Correlator IBM Security Guardium Kernel 4/13/2017 11:40:47 AM
drvtrc IBM Security Guardium Kernel 4/13/2017 11:40:46 AM
FsMonitor IBM Security Guardium File System 4/13/2017 11:40:50 AM
mfewfpk McAfee Inc. mfewfpk Kernel 7/12/2016 5:38:40 PM
NmpMonitor IBM Security Guardium Kernel 4/13/2017 11:40:51 AM
NmpProxy IBM Security Guardium Kernel 4/13/2017 11:40:48 AM
WfpMonitor IBM Security Guardium Kernel 4/13/2017 11:40:55 AM

 

For v9:

driverquery | findstr "Guardium Lhmon NpProxy Nptrc NtTdi"


For each driver found by driverquery, run sc query to check whether it is running or stopped:

sc query wfpMonitor

If the kernel drivers are running, you must stop them before cleaning the registry. If all the drivers show a stopped state, you can proceed to clean the registry.

Resolving The Problem

1. Stop the kernel drivers and the Guardium service by running the command below for each driver and service found running.

Important Note: Only stop the Guardium-related drivers and services.

Example:

net stop wfpMonitor

 


Run the command below to verify that the driver is stopped:

sc query wfpMonitor

 



2. Once all the drivers are stopped, run the script below in PowerShell to remove the entries from the registry:

Guardium_ForceUninstall_0.zip
 

To remove the Guardium Resource Monitor service, add the following command to the attached script above, or run it on the server:

  remove-item 'HKLM:\System\CurrentControlSet\Services\Guardium Resource Monitor'  

3. Reboot the server

4. After the server reboots, perform the steps below. They are required to delete stale records; otherwise, when you try to install STAP, you will be asked to upgrade from the existing version.

i) At the Run prompt, enter regedit.exe

ii) Go to the location below:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

iii) Search for IBM InfoSphere Guardium STAP by navigating through the GUID folders, and delete the folder.

iv) Perform the same for other Guardium services such as GIM, Resource Monitor, etc.

5. After performing the above steps, reboot again. After the reboot you should be able to install a new STAP.
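
The state checks in "Diagnosing The Problem" and the registry search in step 4 can be done with a read-only PowerShell audit. The script below is an added example, not the attached Guardium_ForceUninstall script and not IBM's code; it deletes nothing. The driver names are copied from the v10 sample output above, and matching on the text "Guardium" is an assumption, so entries named differently (for example GIM) may still need a manual search.

```powershell
# Read-only audit: lists Guardium drivers, services and Uninstall entries. Deletes nothing.
# Driver names are taken from the v10 sample driverquery output on this page.
$driverNames = 'Correlator', 'drvtrc', 'FsMonitor', 'NmpMonitor', 'NmpProxy', 'WfpMonitor'

# Kernel and file-system drivers. Filtering on the Guardium display name (or the names
# above) excludes unrelated matches such as the McAfee mfewfpk driver in the sample output.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.DisplayName -like '*Guardium*' -or $_.Name -in $driverNames } |
    Select-Object @{n='Kind';e={'Driver'}}, Name, DisplayName, State

# Win32 services: Guardium_STAP and, on v10, "Guardium Resource Monitor".
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like '*Guardium*' -or $_.DisplayName -like '*Guardium*' } |
    Select-Object @{n='Kind';e={'Service'}}, Name, DisplayName, State

$components = @($drivers) + @($services)
$components | Sort-Object Kind, Name | Format-Table -AutoSize

# Anything not in the Stopped state must be stopped before the registry cleanup.
$running = @($components | Where-Object { $_.State -ne 'Stopped' })
if ($running.Count -gt 0) {
    Write-Warning "Not stopped: $($running.Name -join ', '). Stop these before the registry cleanup."
} else {
    Write-Output 'No Guardium driver or service is running.'
}

# Step 4: find stale Uninstall entries by DisplayName instead of opening each GUID key.
$uninstallRoot = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$stale = Get-ChildItem -Path $uninstallRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if ($props.DisplayName -like '*Guardium*') {
        [pscustomobject]@{
            Key            = $_.PSChildName
            DisplayName    = $props.DisplayName
            DisplayVersion = $props.DisplayVersion
        }
    }
}

if ($stale) {
    $stale | Format-Table -AutoSize
} else {
    Write-Output "No Guardium entries under $uninstallRoot."
}
```

Run it from an elevated PowerShell prompt before step 1 and again after the reboot in step 3; the second run should list no running components, and any keys it prints are the ones to review in step 4.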

Business Unit: IBM Software w/o TPS
Product: IBM Security Guardium
Component: Guardium S-TAP
Platform: Windows
Version: 10.0; 10.0.1; 10.1; 10.1.2; 10.1.3; 10.1.4; 10.5; 9.1; 9.5
Edition: All Editions
Line of Business: Security Software

Document Information

Modified date:
04 September 2019

UID

swg22005313