I've removed Windows Defender from Server 2016, since it is turned off by Symantec and it was causing extended patching restart times. Problem is, it is showing removed in Server Manager and with PowerShell, but there are still a lot of files in the file system and registry entries, which Rapid 7 is showing the system is vulnerable. When I try to manually delete the files and registry keys, they are currently locked by System. Which process is locking the ability to delete files that shouldn't even be present? And since the app is removed, as you can tell, the version left behind is not getting updated, and therefore shows lots of vulnerabilities.
C:\Program Files\Windows Defender\Platform\4.18.1904.1-0 (all files were removed from the root Defender folder here, just Platform remains)
C:\ProgramData\Microsoft\Windows Defender
HKLM\SOFTWARE\Microsoft\Windows Defender\ (all registry keys appear to be left after the removal. Rapid 7 is seeing InstallLocation REG_SZ key with the path to ProgramData)
I know the program is removed, and therefore, my systems are not susceptible to the vulnerabilities Rapid 7 are showing, but I'm concerned that I cannot completely remove these files and keys. Any pointers would be appreciated.
Thanks,
Joe
Which process is locking the ability to delete files
This tool may help to that end.
--please don't forget to Accept as answer if the reply is helpful--
@Joe IT
Hi,
You can't uninstall the Windows Security app, you can just disable the interface with these instructions.
Hope above information can help you.
Thanks for the responses, but I'm not seeing any instruction???
Thanks,
Joe
That doesn't answer my question. First off, this is Server 2016 1607. Second, Security / Windows Defender shows the app has been installed from the server, which is good. However, C:\ProgramData\Microsoft\Windows Defender\ exists, as well as HKLM\Software\Microsoft\Windows Defender and all of its subkeys still exist. Under C:\ProgramData\Microsoft\Windows Defender\, Platform contains two old versions of Defender. These are detected as vulnerability.
I guess the best I can do is, after removal of the "feature", I have to manually delete C:\ProgramData\Microsoft\Windows Defender\platform and HKLM\Software\Microsoft\Windows Defender\ InstallLocation & BackupLocation keys. Everything else cannot be deleted as they are locked by System.
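
A read-only inventory of the remnants named in this thread, as an added example that is not part of any post above. It lists the leftover `Platform` version folders and the `InstallLocation` / `BackupLocation` values a scanner can key on, so the same check can be rerun after cleanup. The folder paths and value names are taken from the posts; the function name `Get-DefenderRemnant` is hypothetical.

```powershell
# Added example: read-only inventory of leftover Defender artifacts.
# Nothing is deleted or modified. Paths and value names come from the thread.
$folders = @(
    'C:\Program Files\Windows Defender',
    'C:\ProgramData\Microsoft\Windows Defender'
)
$regKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'

function Get-DefenderRemnant {   # hypothetical helper name
    param([string[]]$Folder, [string]$RegistryKey)

    foreach ($f in $Folder) {
        $platform = Join-Path $f 'Platform'
        if (Test-Path -LiteralPath $platform) {
            # Each subfolder of Platform is one leftover engine version
            Get-ChildItem -LiteralPath $platform -Directory -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ Type = 'PlatformVersion'; Location = $_.FullName; Value = $_.Name }
                }
        }
        elseif (Test-Path -LiteralPath $f) {
            [pscustomobject]@{ Type = 'Folder'; Location = $f; Value = '(no Platform subfolder)' }
        }
    }

    if (Test-Path -LiteralPath $RegistryKey) {
        $props = Get-ItemProperty -LiteralPath $RegistryKey -ErrorAction SilentlyContinue
        foreach ($name in 'InstallLocation', 'BackupLocation') {
            if ($props.PSObject.Properties.Name -contains $name) {
                $target = $props.$name
                # Report whether the path the registry value points at still exists
                $onDisk = [bool]($target -and (Test-Path -LiteralPath $target))
                [pscustomobject]@{
                    Type     = "Registry:$name"
                    Location = $RegistryKey
                    Value    = '{0} (exists on disk: {1})' -f $target, $onDisk
                }
            }
        }
    }
}

Get-DefenderRemnant -Folder $folders -RegistryKey $regKey | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session; empty output means none of the listed folders or values are present.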