000033607 - How to uninstall/reinstall RSA ECAT agents remotely for Troubleshooting issues

Document created by RSA Customer Support Employee on Aug 2, 2016Last modified by RSA Customer Support Employee on May 31, 2017
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000033607
Applies ToRSA Product Set: ECAT, NetWitness Endpoint
RSA Version/Condition: 4.x
Platform: Windows Server 2012 R2
IssueDue to issues such as a hung agent, incorrect version information in the UI, or general troubleshooting problems, the ECAT agent may need to be removed from a target client. The challenge with this is that the agent machine may not allow for an RDP or other remote session to the device. In this scenario, it is useful to have a means to remotely run commands against the target machine to try and remove the ECAT agent from the machine remotely to avoid disruption to other users at the time.
Resolution

UNINSTALLING AGENTS REMOTELY


To uninstall a single agent:
1. Install psexec from the Microsoft sysinternals tools
2. Run the following command. It is not necessary to use the -u or -p flags if the current user has administrative priveleges on the target machine. It is more reliable generally to use an IP address for the connection to the remote machine than a hostname but either is possible. You will see an error code 0 if the update is successful.

>psexec \\<insert_ip_address> -u <username> -p <password> cmd /c msiexec /q /x {63AC4523-5F19-42F0-BC43-97C8B5373589}

cmd exited on 192.168.0.2 with error code 0.

To uninstall multiple agents:

>psexec @textfile.txt -u <username> -p <password> cmd /c msiexec /q /x {63AC4523-5F19-42F0-BC43-97C8B5373589}


Note: You must create a text file in the current directory with a list of IP addresses which is passed into the list of agents. Be aware of the username requirements for updating multiple agents before running this command, as otherwise it may feel to update some or all of the agents.


 

INSTALLING AGENTS REMOTELY


To install a single agent:
1. Ensure you have installed psexec and it is in the current directory (or else System32 folder) and place the ECAT agent installer package in the same directory (this avoids needing to specify an exact path to the package file when running the command).
2. Run the following command to upload the file in your current directory to the remote system:


>psexec \\<insert_ip_address> -u <username> -p <password> -c <packagefile>



To install multiple agents at once:


>psexec @textfile.txt -u <username> -p <password> -c <packagefile>


Note: You must create a text file in the current directory with a list of IP addresses which is passed into the list of agents. Be aware of the username requirements for updating multiple agents before running this command, as otherwise it may feel to update some or all of the agents.


It is useful to check and verify with the sc command the status of the agent service following the update: sc //IP_address query "service_name


NotesThis article should be updated once a similar method is available for Mac and Linux agents.

Attachments

    Outcomes