Uninstalling Sysmon and Wazuh Agent

This article explains how to properly remove the Sysmon (or Sysmon64) service and the Wazuh Agent from a Windows system using the SOCFortress uninstall script.

🧾 Overview

The PowerShell script automates cleanup by:

  • Stopping and uninstalling any Sysmon/Sysmon64 services
  • Uninstalling the Wazuh Agent MSI package
  • Deleting any leftover directories
  • Running entirely unattended from an elevated PowerShell session

Important: You must run this script from an elevated PowerShell prompt (Run as Administrator).

📦 Download the Script

The uninstall script is hosted in the official SOCFortress GitHub repository:

https://raw.githubusercontent.com/socfortress/Wazuh-Rules/refs/heads/main/prexisting_sysmon_wazuh_uninstall.ps1

⚙️ Steps to Execute

  1. Open PowerShell as Administrator:
    Press Start, type PowerShell, right-click it, and choose Run as Administrator.
  2. Download the script:
    Run the following command:
    Invoke-WebRequest -Uri "https://raw.githubusercontent.com/socfortress/Wazuh-Rules/refs/heads/main/prexisting_sysmon_wazuh_uninstall.ps1" -OutFile "$env:TEMP\prexisting_sysmon_wazuh_uninstall.ps1"
  3. Run the uninstall script:
    PowerShell -ExecutionPolicy Bypass -File "$env:TEMP\prexisting_sysmon_wazuh_uninstall.ps1"

    Optionally, you can include the -Transcript switch to generate a log file in %TEMP%:

    PowerShell -ExecutionPolicy Bypass -File "$env:TEMP\prexisting_sysmon_wazuh_uninstall.ps1" -Transcript
  4. Wait for completion:
    The script will:
    • Identify and uninstall Sysmon or Sysmon64 using -u force
    • Remove the Wazuh Agent via MSI uninstall
    • Delete any remaining folders (e.g., C:\Program Files (x86)\ossec-agent)

✅ Expected Output

You should see green success messages such as:

Sysmon removed cleanly (exit code 0)
Wazuh Agent removed cleanly.
✅ Cleanup completed successfully.

🧩 Troubleshooting

  • If you receive the message "This script must be run from an elevated prompt", close PowerShell and re-open it with Run as Administrator.
  • If the Wazuh Agent directory persists after the script finishes, you can manually delete C:\Program Files (x86)\ossec-agent.
  • If you ran with -Transcript, review %TEMP%\sysmon_uninstall_*.log for detailed logs of what the script did.
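As an added example (this is not the SOCFortress uninstall script and not part of the original article), the following PowerShell wrapper carries out steps 2 and 3 above from an elevation-checked session, records the SHA256 of the script it is about to execute, runs it with -Transcript, and then performs the checks the Troubleshooting section describes: that the Sysmon/Sysmon64 and Wazuh services are gone, that the ossec-agent directory has been removed, and that no Wazuh entry remains in the installed-programs registry keys. The service names WazuhSvc and SysmonDrv are assumptions not stated on the page; adjust them if your deployment differs.

```powershell
# Added example, not the SOCFortress script itself: run the documented uninstall
# procedure and verify the result afterwards.
# Assumed names (not from the article): Wazuh agent service "WazuhSvc",
# Sysmon driver service "SysmonDrv".

$ScriptUrl  = "https://raw.githubusercontent.com/socfortress/Wazuh-Rules/refs/heads/main/prexisting_sysmon_wazuh_uninstall.ps1"
$ScriptPath = Join-Path $env:TEMP "prexisting_sysmon_wazuh_uninstall.ps1"
$AgentDir   = "C:\Program Files (x86)\ossec-agent"

# 1. Refuse to continue unless this session is elevated (the script enforces the same rule).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "This wrapper must be run from an elevated PowerShell prompt (Run as Administrator)."
}

# 2. Download the script and record exactly what will be executed.
Invoke-WebRequest -Uri $ScriptUrl -OutFile $ScriptPath -UseBasicParsing
$hash = (Get-FileHash -Path $ScriptPath -Algorithm SHA256).Hash
Write-Host "Downloaded $ScriptPath (SHA256: $hash)"

# 3. Run the uninstall script with a transcript for later review.
& PowerShell.exe -ExecutionPolicy Bypass -File $ScriptPath -Transcript
Write-Host "Uninstall script exited with code $LASTEXITCODE"

# 4. Verify the cleanup. Every check below should report 'absent'.
$services = @("Sysmon", "Sysmon64", "SysmonDrv", "WazuhSvc")   # SysmonDrv/WazuhSvc are assumed names
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { Write-Warning "Service '$name' still present (status: $($svc.Status))" }
    else      { Write-Host    "Service '$name': absent" }
}

if (Test-Path $AgentDir) { Write-Warning "Directory still present: $AgentDir" }
else                     { Write-Host    "Directory absent: $AgentDir" }

# An MSI uninstall that did not complete leaves its entry under these keys.
$uninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*"
)
$leftover = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "Wazuh*" }
if ($leftover) { Write-Warning "Wazuh entry still registered in installed programs: $($leftover.DisplayName)" }
else           { Write-Host    "No Wazuh entry in installed programs" }

# Point at the most recent transcript the script wrote to %TEMP% (per the article's naming).
Get-ChildItem -Path $env:TEMP -Filter "sysmon_uninstall_*.log" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName
```

Save the block as a .ps1 and run it from an elevated prompt exactly as in step 3. The hash line is there so the value can be kept with the transcript; a script fetched over the network should be recorded before it is executed with ExecutionPolicy Bypass.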

🔒 Security Note

This script makes no changes outside of Sysmon and Wazuh components. It should only be executed on hosts where these agents were intentionally deployed.

© SOCFortress — Open Source Security Operations