
How to uninstall/reinstall RSA ECAT agents remotely for Troubleshooting issues

Issue

An ECAT agent may need to be removed from a target client because of issues such as an unavailable agent, incorrect version information in the UI, or general troubleshooting problems. The challenge is that the agent machine may not allow RDP or other remote sessions to the device. In this scenario, it is useful to be able to run commands against the target machine remotely and remove the ECAT agent without disrupting other users at the time.


Resolution

UNINSTALLING AGENTS REMOTELY

To uninstall a single agent:
  1. Install psexec from the Microsoft Sysinternals tools.
  2. Run the following command. The -u and -p flags are not necessary if the current user has administrative privileges on the target machine. Connecting to the remote machine by IP address is generally more reliable than by hostname, but either is possible. You will see an error code 0 if the update is successful.
>psexec \\<insert_ip_address> -u <username> -p <password> cmd /c msiexec /q /x {63AC4523-5F19-42F0-BC43-97C8B5373589}


cmd exited on 192.168.0.2 with error code 0.

To uninstall multiple agents:
>psexec @textfile.txt -u <username> -p <password> cmd /c msiexec /q /x {63AC4523-5F19-42F0-BC43-97C8B5373589}

Note: You must create a text file in the current directory containing the list of agent IP addresses; this file is passed to psexec as the list of agents. Be aware of the username requirements for updating multiple agents before running this command; otherwise, it may fail to update some or all of the agents.


INSTALLING AGENTS REMOTELY

To install a single agent:
1. Ensure psexec is installed and is in the current directory (or in the System32 folder), and place the ECAT agent installer package in the same directory. This avoids needing to specify an exact path to the package file when running the command.
2. Run the following command to upload the file in your current directory to the remote system:
>psexec \\<insert_ip_address> -u <username> -p <password> -c <packagefile>

To install multiple agents at once:
>psexec @textfile.txt -u <username> -p <password> -c <packagefile>

Note: You must create a text file in the current directory containing the list of agent IP addresses; this file is passed to psexec as the list of agents. Be aware of the username requirements for updating multiple agents before running this command; otherwise, it may fail to update some or all of the agents.

It is useful to verify the status of the agent service with the sc command following the update:
>sc \\IP_address query "service_name"
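
The multi-agent uninstall and the sc check above, combined into one per-host run so that a failure on one machine is not lost in the output for the rest. This is an added example, not part of the original KB article. Assumptions: the current user has administrative rights on the targets (so -u and -p are omitted), psexec has already been run once on this workstation, `<service_name>` is a placeholder for the agent service name, and a clean uninstall leaves that service unregistered.

```powershell
# Added example, not part of the original KB: per-host uninstall with result capture.
param(
    [string]$HostList    = '.\textfile.txt',  # one IP address per line, as in the KB
    [string]$ServiceName = '<service_name>',  # placeholder: the KB does not name the agent service
    [string]$ProductCode = '{63AC4523-5F19-42F0-BC43-97C8B5373589}'  # from the KB commands
)

# msiexec exit codes worth telling apart; anything else is reported as a raw code.
$MsiCodes = @{
    0    = 'uninstalled'
    1605 = 'product not installed'
    1618 = 'another installation in progress'
    3010 = 'uninstalled, reboot required'
}

$results = foreach ($line in Get-Content -Path $HostList) {
    $ip = $line.Trim()
    if (-not $ip) { continue }   # skip blank lines

    # No -u/-p: assumes the current user is an administrator on the target,
    # so no password appears on the command line or in shell history.
    & psexec.exe "\\$ip" cmd /c msiexec /q /x $ProductCode 2>$null | Out-Null
    $msiExit = $LASTEXITCODE     # exit code PsExec reports for the remote cmd

    # sc.exe, not 'sc', which Windows PowerShell aliases to Set-Content.
    $scOut  = & sc.exe "\\$ip" query $ServiceName 2>$null
    $scExit = $LASTEXITCODE
    $state  = $scOut | Select-String -Pattern 'STATE' | Select-Object -First 1

    $result  = if ($MsiCodes.ContainsKey($msiExit)) { $MsiCodes[$msiExit] } else { "failed (code $msiExit)" }
    # 1060 = ERROR_SERVICE_DOES_NOT_EXIST; assumed to be the state after a clean uninstall.
    $service = if ($scExit -eq 1060) { 'service not present' } elseif ($state) { $state.Line.Trim() } else { "sc.exe exit code $scExit" }

    [pscustomobject]@{ Target = $ip; Exit = $msiExit; Result = $result; Service = $service }
}

$results | Format-Table -AutoSize

# Hosts that still need attention: the uninstall did not succeed or the service is still registered.
$results | Where-Object { ($_.Exit -notin 0, 3010) -or ($_.Service -ne 'service not present') }
```

Exit codes outside the table are typically Win32 errors from psexec itself (for example, a connection or logon failure) and are reported as the raw code.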


Notes

Additional Information:
The utility "psexec" was developed by Mark Russinovich of Sysinternals (now part of Microsoft).
This KB article was prepared to demonstrate a specific use case with the RSA NW Endpoint product.
More details on the use of this tool can be found at the link below.

https://adamtheautomator.com/psexec-ultimate-guide/



This article should be updated once a similar method is available for Mac and Linux agents.

Product Details

RSA Product Set: ECAT, NetWitness Endpoint
RSA Version/Condition: 4.x
Platform: Windows Server 2012 R2

Summary

It is sometimes necessary to remotely install/uninstall ECAT agents to try and resolve issues without having direct access to the machine in question.

