wiki: compile lonestar-electrical (full) + reconstruct Sophos removal log

Reconstructs the 2026-05-28/29 Sophos removal work on LS-1/LS-2 that was
never saved to a session log (survived only in a gitignored temp draft +
coord message). Adds the kernel-driver tamper-protection removal pattern
and WinRE completion steps; refreshes live Syncro data (17.0 prepaid hrs).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-01 18:01:07 -07:00
parent c8f0006d25
commit 5bba410450
3 changed files with 104 additions and 12 deletions


@@ -0,0 +1,84 @@
# Lone Star Electrical — Sophos Endpoint Removal (LS-1 / LS-2)
**Date:** 2026-05-28 / 2026-05-29
**Client:** Lone Star Electrical Systems LLC (Syncro customer `33809612`)
**Machines:** LS-1, LS-2 (Windows 11, Norris site)
**Status:** IN PROGRESS — offline (WinRE) completion step still required on both machines
> Reconstructed and committed 2026-06-01. The original work (~May 28-29) was never saved
> to a session log; details survived only in a gitignored temp draft
> (`.claude/tmp/ollama_prompt.txt`) and coord message `8a5cb25c`. This log closes that gap.
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
---
## Situation
Two newly added Win11 machines (LS-1, LS-2) at the Norris site arrived from the **previous MSP**
with **Sophos Endpoint Protection** installed, managed via **Sophos Central in the previous MSP's
account**. We have **no Central access** — so no remote uninstall and no way to disable tamper
protection from the management plane.
Tamper protection is enforced by the **`SophosED.sys` kernel boot driver** (`Start` type = `0`,
loads before `smss.exe`). This is the root blocker for every standard removal path.
**LS-2 presenting symptom:** mouse clicks unresponsive on the desktop until Ctrl+Alt+Del, and
Start-menu right-click dead. **Root cause:** Sophos shell extensions + the Datto Cloud Continuity
`/pop` startup entry competing during logon.
---
## Work performed (both machines unless noted)
- Enrolled LS-1 and LS-2 in **GuruRMM** for remote management
- Removed the **Datto Cloud Continuity** startup registry entry (LS-2)
- Registered **ScreenConnect + GuruRMM agent for Safe Mode** (`SafeBoot\Network` registry keys) on
both, so the agents survive a Safe Mode boot
- Sophos removal attempts — **all blocked by tamper / kernel protection:**
- `SophosZap` — blocked by tamper protection (TP check)
- `SophosUninstall.exe` — partially ran, removed most user-mode components
- `PendingFileRenameOperations` delete — failed (`SophosED.sys` loads before `smss.exe`)
- `sc config` — blocked by kernel callback
- ACL reset — blocked at kernel level
- Disabled MCS Agent/Client; removed SntpService registration
- Booted both machines to **WinRE** in preparation for offline driver removal
---
## Current state
`SophosED.sys` kernel boot driver is **still present and active** on both machines. Most user-mode
Sophos services are removed from LS-2. Completion requires the offline WinRE step below.
---
## Follow-up: WinRE completion steps (run on EACH machine)
1. WinRE -> Troubleshoot -> Advanced Options -> Command Prompt
2. Find the real Windows drive (NOT the ~600MB recovery partition):
`dir C:\ & dir D:\ & dir E:\`
3. Substitute the actual Windows drive letter (shown as `D:` below) and run:
- `del /f D:\Windows\System32\drivers\SophosED.sys`
- `reg load HKLM\TEMPSYS D:\Windows\System32\config\SYSTEM`
- `reg add "HKLM\TEMPSYS\CurrentControlSet\services\Sophos Endpoint Defense" /v Start /t REG_DWORD /d 4 /f`
- `reg unload HKLM\TEMPSYS`
- `exit`
4. Reboot normally — `SophosED.sys` gone, SED service `Start=4` (disabled), tamper protection no
longer loads.
5. From Downloads, run `SophosZap.exe --confirm` — the TP check now passes, so it clears the
remaining registry entries.
**Tooling staged:** Ventoy USB flashed to `E:`, helper scripts at `claudetools-data/scripts/`.
---
## Billing / client notes
- Prepaid hour block. Live-check remaining hours via `GET /customers/33809612` before logging time.
- A Syncro ticket was drafted ("Sophos Endpoint Removal - LS-1 and LS-2") — **verify it actually
exists** before logging against it.
- Handed off to Howard via coord message `689cfb7c` (2026-06-01).
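Review bot: the offline registry edit in step 3 of the WinRE follow-up targets the wrong path: `reg add "HKLM\TEMPSYS\CurrentControlSet\services\Sophos Endpoint Defense" /v Start /t REG_DWORD /d 4 /f` assumes a `CurrentControlSet` key, but that key is a symbolic link the kernel creates at boot and it does not exist in a SYSTEM hive loaded with `reg load`, so the command will create a new, unused `CurrentControlSet` subtree and leave the real `ControlSet00N\services\Sophos Endpoint Defense` entry unchanged (step 4's "SED service `Start=4`" would then not hold). The doc should say to read `HKLM\TEMPSYS\Select` (value `Current`) and point the `reg add` at that `ControlSet00N` path, and to confirm with `reg query` before `reg unload`. Related: step 2 probes `E:\` as a candidate Windows volume while the tooling note says the Ventoy USB is flashed to `E:`; since WinRE assigns drive letters differently from a normal boot, the instruction should identify the Windows volume by the presence of `\Windows\System32\config\SYSTEM` rather than by letter.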