azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sync: auto-sync from HOWARD-HOME at 2026-06-02 17:51:53

Browse Source 
Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-02 17:51:53
This commit is contained in:
Howard Enos
2026-06-02 17:52:00 -07:00
parent 3d613b58a2
commit 35b227ec8e
4 changed files with 375 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

258
clients/lonestar-electrical/scripts/Remove-Sophos-Offline-PE.ps1 Normal file
View File

@@ -0,0 +1,258 @@
<#
.SYNOPSIS
Offline (WinPE / WinRE) neutralization of Sophos Endpoint tamper protection
so that SophosZap can complete removal after a single reboot.
.DESCRIPTION
Inherited-MSP Sophos installs with NO Sophos Central access cannot be removed
from inside Windows: tamper protection is enforced by a boot-start kernel
driver (SophosED.sys / SophosEL.sys), and SophosZap refuses to run while the
registry flag SEDEnabled = 1.
Run this from a PowerShell prompt in WinPE / WinRE (NOT normal Windows),
pointed at the OFFLINE Windows volume. It performs every edit needed so that
after ONE reboot, SophosZap --confirm runs cleanly:
1. Renames Sophos*.sys driver files -> .old (cannot load at boot)
2. Sets the "Sophos Endpoint Defense" service Start = 4 (Disabled)
3. Clears the tamper flags SEDEnabled = 0 and IgnoreSAV = 0
It asks for the Windows drive letter, proves the volume is really Windows
(not the ~600 MB recovery partition), shows you the current values before
changing anything, and confirms at every destructive step.
.NOTES
Origin : Built from the Lone Star Electrical LS-1 removal, 2026-06-02.
Run from : WinPE / WinRE -> Command Prompt -> powershell (or a PE with PS).
Requires : the target Windows volume must be UNLOCKED. If BitLocker is on,
System32\config\SYSTEM is unreadable -- unlock with the recovery
key first (manage-bde -unlock X: -RecoveryPassword <key>), or
confirm BitLocker OFF from normal Windows before booting to PE.
AFTER this script:
a. Remove the PE USB.
b. Reboot into normal Windows.
c. Run: SophosZap.exe --confirm (pass 1 -- bulk removal)
d. Reboot when it says "reboot and re-execute".
e. Run: SophosZap.exe --confirm (pass 2 -- finishes the job)
f. Verify: no Sophos services, drivers, folders, or Add/Remove entries;
Windows Defender real-time protection ON.
#>
[CmdletBinding()]
param()
$ErrorActionPreference = 'Stop'
$HiveMount = 'HKLM\OFFSYS' # temporary mount point for the offline SYSTEM hive
function Write-Head([string]$t) { Write-Host ""; Write-Host "==== $t ====" -ForegroundColor Cyan }
function Write-Ok ([string]$t) { Write-Host " [OK] $t" -ForegroundColor Green }
function Write-Warn([string]$t) { Write-Host " [WARN] $t" -ForegroundColor Yellow }
function Write-Err ([string]$t) { Write-Host " [ERROR] $t" -ForegroundColor Red }
function Confirm-Step([string]$Message) {
$ans = Read-Host "$Message [y/N]"
return ($ans.Trim() -match '^(y|yes)$')
}
Write-Host @"
============================================================
Sophos Offline Removal (PE) - tamper-protection neutralizer
============================================================
This edits an OFFLINE Windows volume. Make sure you are in
WinPE/WinRE, NOT the live Windows you want to clean.
"@ -ForegroundColor White
try {
# ---------------------------------------------------------------------------
# 1. Identify and validate the Windows drive letter
# ---------------------------------------------------------------------------
Write-Head "Step 1 - Identify the offline Windows volume"
Write-Host "Volumes visible in this PE session:"
Get-Volume -ErrorAction SilentlyContinue |
Where-Object DriveLetter |
Select-Object DriveLetter, FileSystemLabel,
@{n='Size(GB)';e={[math]::Round($_.Size/1GB,1)}},
@{n='Free(GB)';e={[math]::Round($_.SizeRemaining/1GB,1)}} |
Format-Table -AutoSize | Out-String | Write-Host
$drive = $null
do {
$entry = (Read-Host "Enter the Windows drive letter as shown HERE in PE (e.g. C, D, E)").Trim().TrimEnd(':')
if ($entry -notmatch '^[A-Za-z]$') { Write-Warn "Enter a single letter."; continue }
$win = "${entry}:\Windows"
$hive = "${entry}:\Windows\System32\config\SYSTEM"
if (-not (Test-Path $win)) { Write-Warn "$win not found -- that is not the Windows volume."; continue }
if (-not (Test-Path $hive)) { Write-Warn "$hive not found -- volume locked by BitLocker? Unlock it first."; continue }
$drive = $entry.ToUpper()
} while (-not $drive)
# Prove it is the real OS volume, not the recovery partition
Write-Host ""
Write-Host "Evidence that ${drive}: is the real Windows volume:"
foreach ($p in 'Windows','Windows\System32','Windows\System32\config','Users','Program Files') {
$present = Test-Path "${drive}:\$p"
"{0,-28} {1}" -f $p, $(if ($present) {'present'} else {'MISSING'}) | Write-Host
}
Write-Host ""
if (-not (Confirm-Step "Is ${drive}: definitely the Windows install you want to clean?")) {
Write-Err "Aborted by user. No changes made."; return
}
$driversDir = "${drive}:\Windows\System32\drivers"
$systemHive = "${drive}:\Windows\System32\config\SYSTEM"
# ---------------------------------------------------------------------------
# 2. Find Sophos kernel driver files
# ---------------------------------------------------------------------------
Write-Head "Step 2 - Sophos driver files on disk"
$sophosDrivers = @(Get-ChildItem $driversDir -Filter 'Sophos*.sys' -ErrorAction SilentlyContinue)
if ($sophosDrivers.Count -eq 0) {
Write-Warn "No Sophos*.sys driver files found (already removed, or different names)."
} else {
$sophosDrivers | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize | Out-String | Write-Host
}
# Note: *.man files are ETW manifests, not drivers -- SophosZap removes them. Ignore here.
# ---------------------------------------------------------------------------
# 3. Load the offline SYSTEM hive and resolve the active ControlSet
# ---------------------------------------------------------------------------
Write-Head "Step 3 - Load the offline registry hive"
# Clean up a stale mount from a previous aborted run, if any.
reg unload $HiveMount 2>$null | Out-Null
$loaded = $false
try {
& reg load $HiveMount $systemHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit $LASTEXITCODE). Is the hive in use / volume locked?" }
$loaded = $true
Write-Ok "Loaded $systemHive as $HiveMount"
# Offline hives have ControlSet001/002 + Select\Current -- NOT CurrentControlSet.
$controlSet = 'ControlSet001'
$sel = & reg query "$HiveMount\Select" /v Current 2>$null
if ($sel -match 'Current\s+REG_DWORD\s+0x([0-9a-fA-F]+)') {
$controlSet = "ControlSet{0:D3}" -f [Convert]::ToInt32($matches[1], 16)
}
Write-Ok "Active control set: $controlSet"
$svcKey = "$HiveMount\$controlSet\Services\Sophos Endpoint Defense"
$tpKey = "$svcKey\TamperProtection\Config"
# -----------------------------------------------------------------------
# 4. Show current values BEFORE changing anything
# -----------------------------------------------------------------------
Write-Head "Step 4 - Current Sophos tamper state (offline hive)"
$svcExists = $false
& reg query $svcKey 2>$null | Out-Null
if ($LASTEXITCODE -eq 0) {
$svcExists = $true
Write-Host "Service 'Sophos Endpoint Defense' -> Start:"
& reg query $svcKey /v Start 2>$null | Where-Object { $_ -match 'Start' } | Write-Host
Write-Host "TamperProtection flags:"
& reg query $tpKey /v SEDEnabled 2>$null | Where-Object { $_ -match 'SEDEnabled' } | Write-Host
& reg query $tpKey /v IgnoreSAV 2>$null | Where-Object { $_ -match 'IgnoreSAV' } | Write-Host
} else {
Write-Warn "Service key 'Sophos Endpoint Defense' not found under $controlSet (already removed?)."
}
Write-Host ""
Write-Host "Planned changes:" -ForegroundColor White
Write-Host " - rename $($sophosDrivers.Count) Sophos*.sys driver file(s) to .old"
Write-Host " - set service 'Sophos Endpoint Defense' Start = 4 (Disabled)"
Write-Host " - set SEDEnabled = 0 and IgnoreSAV = 0"
Write-Host ""
if (-not (Confirm-Step "Apply these changes to ${drive}: now?")) {
Write-Err "Aborted by user before changes. Unloading hive, no edits made."
return
}
# -----------------------------------------------------------------------
# 5. Apply registry edits (hive still loaded)
# -----------------------------------------------------------------------
Write-Head "Step 5 - Apply registry edits"
if ($svcExists) {
& reg add $svcKey /v Start /t REG_DWORD /d 4 /f | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Ok "Service Start set to 4 (Disabled)" } else { Write-Err "Failed to set Start" }
& reg add $tpKey /v SEDEnabled /t REG_DWORD /d 0 /f | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Ok "SEDEnabled set to 0" } else { Write-Warn "Could not set SEDEnabled (key may not exist on this version)" }
& reg add $tpKey /v IgnoreSAV /t REG_DWORD /d 0 /f | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Ok "IgnoreSAV set to 0" } else { Write-Warn "Could not set IgnoreSAV" }
Write-Host ""
Write-Host "Read-back after edit:"
& reg query $svcKey /v Start 2>$null | Where-Object { $_ -match 'Start' } | Write-Host
& reg query $tpKey /v SEDEnabled 2>$null | Where-Object { $_ -match 'SEDEnabled' } | Write-Host
} else {
Write-Warn "No SED service key to edit -- skipping registry changes."
}
}
finally {
if ($loaded) {
[gc]::Collect(); Start-Sleep -Milliseconds 300
& reg unload $HiveMount 2>$null | Out-Null
if ($LASTEXITCODE -eq 0) { Write-Ok "Unloaded offline hive ($HiveMount)" }
else { Write-Warn "reg unload reported a non-zero exit -- if it stayed mounted, close regedit/handles and run: reg unload $HiveMount" }
}
}
# ---------------------------------------------------------------------------
# 6. Rename the driver files (after the hive is unloaded)
# ---------------------------------------------------------------------------
Write-Head "Step 6 - Rename Sophos driver files"
if ($sophosDrivers.Count -gt 0) {
if (Confirm-Step "Rename $($sophosDrivers.Count) Sophos*.sys file(s) to .old so they cannot load?") {
foreach ($f in $sophosDrivers) {
$target = "$($f.FullName).old"
try {
if (Test-Path $target) { Remove-Item $target -Force }
Rename-Item -LiteralPath $f.FullName -NewName "$($f.Name).old" -Force
Write-Ok "Renamed $($f.Name) -> $($f.Name).old"
} catch {
Write-Err "Could not rename $($f.Name): $($_.Exception.Message)"
}
}
} else {
Write-Warn "Skipped driver rename (service Start=4 alone should still stop it loading)."
}
} else {
Write-Host " (nothing to rename)"
}
# ---------------------------------------------------------------------------
# 7. Next steps
# ---------------------------------------------------------------------------
Write-Head "DONE - offline edits complete"
Write-Host @"
Next, in NORMAL Windows (not PE):
1. Remove the PE USB so the box boots to Windows.
2. Reboot into Windows.
3. Run: SophosZap.exe --confirm (pass 1)
4. Reboot when it reports 'reboot and re-execute'.
5. Run: SophosZap.exe --confirm (pass 2)
6. Verify clean:
Get-Service *sophos* -> nothing
dir C:\Windows\System32\drivers\Sophos* -> nothing (or only *.old)
'C:\Program Files\Sophos','C:\ProgramData\Sophos' -> gone
Get-MpComputerStatus -> RealTimeProtectionEnabled = True
If SophosZap still says 'tamper protection on', the SEDEnabled flag did not
clear -- re-check HKLM\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\
TamperProtection\Config\SEDEnabled in live Windows and set it to 0.
"@ -ForegroundColor White
}
catch {
Write-Host ""
Write-Err "Script stopped on an error:"
Write-Host " $($_.Exception.Message)" -ForegroundColor Red
if ($_.InvocationInfo) { Write-Host " at line $($_.InvocationInfo.ScriptLineNumber): $($_.InvocationInfo.Line.Trim())" -ForegroundColor DarkGray }
# Best-effort: make sure we never leave the offline hive mounted after a crash.
reg unload $HiveMount 2>$null | Out-Null
}
finally {
Write-Host ""
[void](Read-Host "Press Enter to close this window")
}

73
clients/lonestar-electrical/session-logs/2026-06-02-session.md
View File

@@ -115,3 +115,76 @@ Separately, a `/sync` exposed a fleet repo-coordination problem: the `.claude/sk
- Mike's deletion commit: `c759f04` "chore(memory): re-apply consolidation deletions + lift additive-only constraint".
- HEAD after sync: `dd414c4`.
- Full LS-1/LS-2 offline procedure: `clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md`.
---
## Update: 17:39 PT — Sophos removal COMPLETE (LS-1 + LS-2) + Unraid ticket
## User
- **User:** Howard Enos (howard)
- **Machine:** Howard-Home
- **Role:** tech
### Session Summary
Completed the long-pending Sophos Endpoint removal on both Lone Star Norris workstations (LS-1 and LS-2), then created/closed the Syncro ticket for the earlier Unraid boot-USB replacement. Both removal jobs were driven remotely through GuruRMM once each machine was back in Windows.
LS-1 was resumed from the offline-PE prep done earlier (driver renamed, BitLocker confirmed off). The blocker turned out to be more than the kernel driver: SophosZap refuses to run while the registry flag `HKLM\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled = 1`. Because the SophosED tamper driver was not loaded this boot (renamed offline), the flag could be cleared live as SYSTEM (`SEDEnabled=0`). SophosZap v1.9.158.0 then ran two passes (with a reboot between) via RMM and reported clean — no Sophos services, drivers, folders, or Add/Remove entries; Windows Defender real-time protection active.
LS-2 was done via the manual offline (WinRE) procedure since it was offline in RMM at the start. Howard loaded the offline SYSTEM hive and set the SED service `Start=4` + `SEDEnabled=0`, then renamed the Sophos driver files. On reboot the machine dropped into Automatic Repair. The `SrtTrail.txt` root cause was explicit: "Boot critical file C:\WINDOWS\system32\DRIVERS\SophosEL.sys is corrupt" — i.e. missing because it was renamed. `SophosEL.sys` is the **Sophos ELAM** (Early Launch Anti-Malware) driver: `Start=0` (Boot), `ErrorControl=3` (Critical), so its absence aborts boot. Recovery: booted back to PE and renamed `SophosEL.sys.old` back to `SophosEL.sys`; the machine then booted.
Once LS-2 was back in Windows, an RMM read of the service config showed the earlier offline edits had actually landed correctly: `Select\Current = 0x1` (ControlSet001 IS active), the SED tamper driver service (`Sophos Endpoint Defense`, SophosED.sys) was already `Start=4`, and `SEDEnabled` was 0 — so tamper protection was already neutralized. SophosZap then ran two passes via RMM (with a verified-safe reboot between — `SophosEL.sys` confirmed present on disk and no pending Sophos file-renames before rebooting) and reported clean. Defender active on LS-2.
Billing: created/closed two Syncro tickets against the Lone Star prepaid block (customer 33809612). #32347 (Sophos removal LS-1+LS-2): 2.0h in-shop, invoiced $0.00, block 17.0 -> 15.0, Closed. #32372 (Unraid boot-USB replacement, documenting the earlier 2026-06-02 server fix): 1.5h in-shop, invoiced $0.00, block 15.0 -> 13.5, Closed.
### Key Decisions
- Cleared `SEDEnabled=0` (the SophosZap tamper gate) rather than only relying on the driver rename — the registry flag, not the driver presence, is what SophosZap checks.
- LS-2: after the boot failure, did NOT re-rename the boot-critical `SophosEL.sys`. Restored it and relied on the (already-correct) SED service `Start=4` + `SEDEnabled=0` to neutralize tamper, letting SophosZap remove the ELAM driver itself the boot-safe way.
- Verified `SophosEL.sys` present + no pending Sophos file-renames BEFORE the pass-2 reboot on LS-2, to avoid repeating the boot failure.
- Drove both machines via GuruRMM (read service config, set registry, run SophosZap, reboot) rather than hands-on once each was in Windows.
### Problems Encountered
- **LS-2 boot failure (Automatic Repair).** Root cause (SrtTrail.txt): boot-critical `SophosEL.sys` (Sophos ELAM, Start=0/ErrorControl=3) was renamed and thus "corrupt"/missing. Resolved by booting to PE and renaming `SophosEL.sys.old` back to `SophosEL.sys`.
- **SophosZap blocked by tamper flag, not driver.** First LS-1 run errored "SophosZap does not run with tamper protection on" with the driver already renamed — the `SEDEnabled=1` registry flag was the gate. Resolved by setting `SEDEnabled=0`.
- **Offline ControlSet correctness.** The offline edit used `ControlSet001`; this only worked because `Select\Current=0x1`. Documented that the active control set must be read from `HKLM\OFFSYS\Select\Current` before editing; `CurrentControlSet` does not exist in an offline hive.
- **PE PowerShell script closed on error.** The first-draft `Remove-Sophos-Offline-PE.ps1` exited (window closed) on an unhandled error. Hardened with a top-level try/catch + guaranteed `Read-Host` pause; abandoned in favor of the manual walkthrough for this job.
### Configuration Changes
- LS-1, LS-2: Sophos Endpoint Protection fully removed (services, drivers, `C:\Program Files\Sophos`, `C:\Program Files (x86)\Sophos`, `C:\ProgramData\Sophos`, Add/Remove entries, catalogs, certs). Windows Defender now the active AV on both.
- LS-2 registry (offline, ControlSet001): `Sophos Endpoint Defense` service `Start=4`; `...\TamperProtection\Config\SEDEnabled=0`, `IgnoreSAV=0`.
- Created `clients/lonestar-electrical/scripts/Remove-Sophos-Offline-PE.ps1` (offline PE removal helper; hardened error handling).
### Credentials & Secrets
- None created or changed. (Lone Star Unraid root password still not vaulted — pre-existing TODO.)
### Infrastructure & Servers
- **LS-1** GuruRMM agent id `6b9617fa-5c77-40e1-8b64-a1545e730895` (windows).
- **LS-2** GuruRMM agent id `97fe5582-aa3d-4132-94a6-f4c8582bca31` (windows).
- Sophos drivers (LS-2): `SophosED.sys` (2,561,552 B) = "Sophos Endpoint Defense" tamper driver, Type 2, ended at Start=4; `SophosEL.sys` (28,616 B) = "Sophos ELAM", Type 1, Start=0/ErrorControl=3 (BOOT-CRITICAL).
- SophosZap: v1.9.158.0; log at `C:\WINDOWS\SystemTemp\SophosZap log.txt`; staged to `C:\Windows\Temp\SophosZap.exe` for pass 2.
### Commands & Outputs
- Tamper gate (per SophosZap log): `Value 'SEDEnabled' ... is set to 1. Tamper-protected by SED. ERROR: SophosZap does not run with tamper protection on`.
- Clear it (live, SYSTEM): `reg add "HKLM\SYSTEM\CurrentControlSet\services\Sophos Endpoint Defense\TamperProtection\Config" /v SEDEnabled /t REG_DWORD /d 0 /f`.
- Offline (PE): `reg load HKLM\OFFSYS X:\Windows\System32\config\SYSTEM` -> edit under `HKLM\OFFSYS\ControlSet001\Services\...` -> `reg unload HKLM\OFFSYS`. Active set from `reg query HKLM\OFFSYS\Select /v Current`.
- LS-2 boot root cause: `Boot critical file C:\WINDOWS\system32\DRIVERS\SophosEL.sys is corrupt` (SrtTrail.txt). Fix: `ren X:\Windows\System32\drivers\SophosEL.sys.old SophosEL.sys`.
- Removal run: `SophosZap.exe --confirm` x2 (reboot between); final outcome `error flag: 0`, services/drivers/folders NONE, Defender RTP True.
### Pending / Incomplete Tasks
- Vault the Lone Star Unraid root password + document the server (hostname, IP, Unraid 7.1.4, license type) in the wiki — still open.
- Keep the old failing Unraid USB stick as backup until the new stick is confirmed stable, then retire.
- Optional: delete leftover `SophosEL.sys.old` on LS-2 if any remained (cleanup attempted in pass 2).
### Reference Information
- Syncro: #32347 (Sophos removal, id 111423954, invoice 1650552617) and #32372 (Unraid USB, id 112022651, invoice 1650552739) — both Closed, prepaid, customer 33809612. Block now 13.5 hrs.
- RMM API base `http://172.16.3.30:3001`.
- PE removal script: `clients/lonestar-electrical/scripts/Remove-Sophos-Offline-PE.ps1`.
- Offline procedure reference: `clients/lonestar-electrical/session-logs/2026-05-29-sophos-removal.md`.