Reconstructs the 2026-05-28/29 Sophos removal work on LS-1/LS-2 that was never saved to a session log (survived only in a gitignored temp draft + coord message). Adds the kernel-driver tamper-protection removal pattern and WinRE completion steps; refreshes live Syncro data (17.0 prepaid hrs). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Lone Star Electrical — Sophos Endpoint Removal (LS-1 / LS-2)
Date: 2026-05-28 / 2026-05-29
Client: Lone Star Electrical Systems LLC (Syncro customer 33809612)
Machines: LS-1, LS-2 (Windows 11, Norris site)
Status: IN PROGRESS — offline (WinRE) completion step still required on both machines
Reconstructed and committed 2026-06-01. The original work (~May 28-29) was never saved to a session log; details survived only in a gitignored temp draft (`.claude/tmp/ollama_prompt.txt`) and coord message `8a5cb25c`. This log closes that gap.
User
- User: Mike Swanson (mike)
- Machine: GURU-5070
- Role: admin
Situation
Two newly added Win11 machines (LS-1, LS-2) at the Norris site arrived from the previous MSP with Sophos Endpoint Protection installed, managed via Sophos Central in the previous MSP's account. We have no Central access — so no remote uninstall and no way to disable tamper protection from the management plane.
Tamper protection is enforced by the `SophosED.sys` kernel boot driver (Start type = 0, loads before `smss.exe`). This is the root blocker for every standard removal path.
LS-2 presenting symptom: mouse clicks unresponsive on the desktop until Ctrl+Alt+Del, and Start-menu right-click dead. Root cause: Sophos shell extensions + the Datto Cloud Continuity `/pop` startup entry competing during logon.
Work performed (both machines unless noted)
- Enrolled LS-1 and LS-2 in GuruRMM for remote management
- Removed the Datto Cloud Continuity startup registry entry (LS-2)
- Registered ScreenConnect + GuruRMM agent for Safe Mode (`SafeBoot\Network` registry keys) on both, so the agents survive a Safe Mode boot
- Sophos removal attempts — all blocked by tamper / kernel protection:
  - `SophosZap` — blocked by tamper protection (TP check)
  - `SophosUninstall.exe` — partially ran, removed most user-mode components
  - `PendingFileRenameOperations` delete — failed (`SophosED.sys` loads before `smss.exe`)
  - `sc config` — blocked by kernel callback
  - ACL reset — blocked at kernel level
- Disabled MCS Agent/Client; removed SntpService registration
- Booted both machines to WinRE in preparation for offline driver removal
Current state
`SophosED.sys` kernel boot driver is still present and active on both machines. Most user-mode Sophos services are removed from LS-2. Completion requires the offline WinRE step below.
Follow-up: WinRE completion steps (run on EACH machine)
- WinRE -> Troubleshoot -> Advanced Options -> Command Prompt
- Find the real Windows drive (NOT the ~600MB recovery partition): `dir C:\ & dir D:\ & dir E:\`
- Substitute the actual Windows drive letter (shown as `D:` below) and run:

  ```
  del /f D:\Windows\System32\drivers\SophosED.sys
  reg load HKLM\TEMPSYS D:\Windows\System32\config\SYSTEM
  reg add "HKLM\TEMPSYS\CurrentControlSet\services\Sophos Endpoint Defense" /v Start /t REG_DWORD /d 4 /f
  reg unload HKLM\TEMPSYS
  exit
  ```

- Reboot normally — `SophosED.sys` gone, SED service `Start=4` (disabled), tamper protection no longer loads.
- From Downloads, run `SophosZap.exe --confirm` — the TP check now passes, so it clears the remaining registry entries.
Tooling staged: Ventoy USB flashed to E:, helper scripts at claudetools-data/scripts/.
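Post-reboot verification of the state the log expects after the WinRE step, added here as an example (not part of the original log or the client's tooling). It is read-only, assumes an elevated PowerShell after a normal boot, and uses only the driver path and service key named above; the `RemainingSophosServices` count is a constructed extra check for whatever SophosZap leaves behind.

```powershell
# Verify the expected end state on one LS machine: driver file gone, SED service
# disabled (or its key already cleared by SophosZap), driver not loaded.
# Paths/key names come from the log above; nothing here modifies the system.
$driver = "$env:SystemRoot\System32\drivers\SophosED.sys"
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense"

$results = [ordered]@{}

# 1. The boot driver file must be absent.
$results['DriverFileAbsent'] = -not (Test-Path -LiteralPath $driver)

# 2. Service Start must be 4 (disabled); the key itself may be gone after SophosZap.
if (Test-Path -LiteralPath $svcKey) {
    $start = (Get-ItemProperty -LiteralPath $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    $results['ServiceStart']     = $start
    $results['ServiceDisabled']  = ($start -eq 4)
} else {
    $results['ServiceStart']     = 'key removed'
    $results['ServiceDisabled']  = $true
}

# 3. The driver must not be running in the live kernel (match on image path,
#    since the service name differs from the file name).
$loaded = Get-CimInstance Win32_SystemDriver |
          Where-Object { $_.PathName -like '*SophosED.sys*' -and $_.State -eq 'Running' }
$results['DriverNotRunning'] = ($null -eq $loaded)

# 4. Leftover Sophos services (constructed extra check; expect 0 once SophosZap has run).
$results['RemainingSophosServices'] = @(Get-Service |
    Where-Object { $_.Name -like 'Sophos*' -or $_.DisplayName -like 'Sophos*' }).Count

[pscustomobject]$results | Format-List

$ok = $results.DriverFileAbsent -and $results.ServiceDisabled -and $results.DriverNotRunning
if ($ok) { Write-Host "$env:COMPUTERNAME: SophosED removal verified" }
else     { Write-Warning "$env:COMPUTERNAME: removal incomplete, see fields above" }
```

Run it on LS-1 and LS-2 before logging the ticket as complete; a `DriverFileAbsent` of False means the WinRE step hit the recovery partition rather than the Windows drive.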
Billing / client notes
- Prepaid hour block. Live-check remaining hours via `GET /customers/33809612` before logging time.
- A Syncro ticket was drafted ("Sophos Endpoint Removal - LS-1 and LS-2") — verify it actually exists before logging against it.
- Handed off to Howard via coord message `689cfb7c` (2026-06-01).