FCS Install and Uninstall Script Tips

Dec 5, 2007 at 1:46 AM
This post provides some information and tips around the sample FCS scripts supplied with the Service Kit. Hopefully it will help you configure them for your specific requirements. First remember that these are sample scripts. They were not designed nor were they intended to be comprehensive fully operational scripts. In every instance where I have used them, it has been necessary to modify them to fit the client’s particular situation. However, I have never had an instance where the processes in these scripts could not be modified to remove existing AV products.

General Information

The scripts were designed to be run as silent installation script using a software distribution system like SMS. They are written in a self documenting style, in other words the object and variable names were chosen to make the code easy to read and understand.

Common Framework

All the scripts begin by defining the same set of constants and creating the same three system objects. These objects are common to all the subroutines called by the Main Routine. This means that you can combine the functionality of these scripts into a single script just by adding the subroutines in. For example you can take the Install FCS Client script and append AV and Spyware removal subroutines to create a script that uninstalls old AV and Spyware products and installs and configures the new FCS client. The existing code show these options as:
* Call FCS_InstallXPSP2Hotfix
* Call UninstallMcAfee, Trend, Symantec, Sophos, eTrust...
* Call UninstallAntiSpywareProducts
* Call InstallFCSAgents
Where “Call UninstallMcAfee, Trend, Symantec, Sophos, eTrust...” is the name of the appropriate vendor uninstall script (e.g., Call UninstallMcAfeeAV)
Important Note About Script Configuration
While there are a number of constants, variables and objects common to all the scripts, some subroutine have installation specific constants. Make sure to review the constants and variables defined in the subroutines to ensure they have been set properly.

Local Execution

The scripts are designed to be executed locally on the client and assume all required resources are in the local directory or executable via the system PATH variable. They could be configured to execute on a remote system by changing the ThisComputer constant from "." to the name of a remote system. This may also require adding a user name and password to the system object creations.

Debug Option

While the scripts are designed to run silently (display no messages) a debug option is included to assist with interactive testing and troubleshooting. The second code line in each script defines the debug variable (bDEBUG) and sets it to False. By setting this value to True the scripts will generate a series of status and progress messages to assist with troubleshooting.
It is important to note, that debugging code makes the scripts larger and slower to execute. Once the scripts have been tested and verified, the debugging code should be removed from the scripts as part of the production deployment.

Error Handling

Error handling is minimized to keep the code base simple and small. If an error is generated the code will resume execution on the next line. In some instances it may be advantageous to add error checking to detect failures and generate notifications and/or log events.

Logging Messaging

Some of the uninstall scripts log informational events to the application event log. For example,
WshShell.LogEvent 4, "Uninstalled McAfee AV Framework"
However, the log is not an indication of the success or failure of the uninstall, it is merely shows that an uninstall was attempted.

Install Subroutines

The package contains two install subroutines: InstallFCSAgents in the FCS-SampleScript Install FCS Client script and FCSInstallXPSP2Hotfix_ in the FCS-SampleScript-XPSP2 HotFix Install script.
InstallFCSAgents installs the FCS and MOM agents on the client and triggers a signature update. It will also install a set of FCS policies on the machine if the system hasn’t receive them via GPO.
Important Note: This subroutine contain one constant that must be configured for your specific environment. The constant CollectionServerName must be set to the name of the collection server this client will use.
FCS_InstallXPSP2Hotfix checks for a prerequisite XPSP2 Hotfix (KB914882) and installs it if it is missing. This script does not require any configuration

Uninstall Scripts

The package contains a number of uninstall scripts for various vendor AV products as well as a consolidated script to uninstall Spyware/Adware products. All these scripts take one of three possible actions.
1) Calls the uninstall string stored in the SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall registry key. This process looks up the display name string (e.g., “CA eTrust Antivirus”) and invokes the string contained in the UninstallString value.
2) Uses MSIEXE to uninstall the product based on the GUID (e.g. MSIEXE /X{C6F5B6CF-609C-428E-876F-CA83176C021B})
3) Calls the vendors uninstall process

For newer products the first option usually works fine. Option two covers vendors that use MSI but bypass the standard installation process so their products do not show up in the uninstall registry key. The third option covers vendor proprietary installation processes (i.e., do not use MSI) to call vendor specific uninstall scripts. Whenever possible use option 1; it is implemented in the RegBasedUninstall subroutine.
Important Note: This subroutine take one input parameter which must be configured in the uninstall routine. The value is the Display Name of the product as it appears in the uninstall registry key (e.g., “CA eTrust Antivirus”). Scripts that use this option will usually have a constant defined with this value. For example in the CA eTrust script the constant eTrustDisplayName is set to the display name, "CA eTrust Antivirus". However some scripts have the string hard coded into the call statement. For example, the McAfee script contains this line: Call RegBasedUninstall("McAfee VirusScan")
Warning! This routine uses the in string InStr() function to locate the input value in the registry display name. It does not do a direct match. Since all enterprise versions of McAfee contain "McAfee VirusScan" in the display name this routine will find and uninstall multiple versions of the AV client.

However passing a poorly formed parameter to this routine could have some very bad unintended consequences. For example, if you pass the letter “a” to this routine it will uninstall every product on the system with an "a" in the display name!
Tip: Before you uninstall an AV product it is highly recommended that you stop any of the services and dependent services this product uses. (See the McAfee script for examples of this)

The UninstallAntiSpywareProducts subroutine is essentially the same as the RegbasedUninstall except checks are made for a number of different display name strings. Depending on the version of the product if may be necessary to alter the display name value in the code line
- If InStr(DisplayName, "Spybot - Search & Destroy") > 0 Then
or create a new section for uninstalling the new version or product. In some instances it may be necessary to use option 2 or option 3 type actions to uninstall these products if they do not contain uninstall registry values.


To test and configure the scripts I’d suggest running them interactively using cscript on a test system that has the software you want to remove installed. First using Regedit to find the DisplayName value of the product you want to uninstall. Second find the DisplayName constant or hardcoded value in the script and set it to match the value in the registry. For example: Const eTrustDisplayName = "CA eTrust Antivirus". Then run the script and see if the product get uninstalled successfully.
Tip: Successfully means the product gets uninstalled without any interaction with the user and no reboot. It should be the software distribution system that controls the reboot not the product uninstall routine.
Some products are more difficult to uninstall than others, for example McAfee has a McAfeeFramework service that needs to be stopped before the AV product can be removed. The current script uses a MSI ExecQuery to get the service object and dependencies and stop them but it could just as easily be done with calls to the SC.EXE utility. For example: WshShell.Run "sc.exe stop McAfeeFramework”


It’s virtually impossible to write a script that is going to cover every possible system configuration. There are any number of situations and/or system configurations that could cause the scripts to fail including:
• WMI configurations
• Permissions of the account running the script
• Version of the software being removed
• Etc.
Adding some code to display the error when the script fails can help troubleshoot the issue.