Sysmon 11.10 - force uninstall causes system reboot

Question

We were having severe memory issues on multiple production servers running version 11.10. These systems are running Server 2016. We have since halted Sysmon use and were trying to move to a newer version, 12.03. When we attempted the uninstall on one of the servers, we were presented with the following:

Aborting uninstall: Sysmon service named Sysmon64 is not installed, but Sysmon driver named SysmonDrv is.
Make sure you name the Sysmon binary to match the name used for installation.
Use '-u force' to force an uninstall of the driver and manifest.

When we used the force option, it caused the server to abruptly restart. Due to the type of system, we cannot have this happen.

We found this TechNet article: https://social.technet.microsoft.com/Forums/en-US/46ebb057-4b5e-448e-99a4-df661ec5be53/sysmon-problem-with-sysmon-removal?forum=miscutils

In this article, the user mariora_ shares the following to assist with manual Sysmon removal:

Always remember that Services and drivers can be stopped/started using Net Stop/Net STart
Net stop sysmon
net stop sysmondrv
del c:\windows\sysmon.exe
del c:\windows\sysmondrv.sys
reg delete HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv /f
reg delete HKLM\SYSTEM\CurrentControlSet\Services\Sysmon /f

Are these steps still accurate and/or are there any other steps we can take to remedy the situation?

Thanks in advance!

Answer 1

This looks good, you could also delete the contents of C:\Sysmon, but it's not essential.

Answer 2

Yes, they are still valid..

HTH
-mario

Answer 3

Thank you both, I will work on trying these steps and hopefully will get 12.03 installed and running.