@xtrasimplicity
Last active May 21, 2024 05:46
Carbon Black Cloud Sensor - Agent removal
$ErrorActionPreference = "Stop" # This prevents the registry key from being removed if it couldn't be backed up.
$name = "Carbon Black Cloud Sensor"
$cbProducts = Get-ChildItem "Registry::HKEY_CLASSES_ROOT\Installer\Products" | Where-Object { $_.GetValue('ProductName') -imatch $name }
$regBackups = New-Object System.Collections.ArrayList

# Reads $file as text and returns its UTF-8 bytes as a Base64 string.
function Base64-Encode($file) {
    $fileContent = Get-Content -Path $file -Raw
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($fileContent))
}

foreach ($cbProduct in $cbProducts) {
    Write-Host "Found $($cbProduct.GetValue('ProductName')) in $($cbProduct)"

    # One uniquely named .reg file per matching product key.
    $backupFilename = (($cbProduct.Name | Split-Path -Leaf) + "_backup_$(New-Guid).reg")
    $regKeyBackupFileParentFolder = Join-Path $pwd -ChildPath "action1_registry_key_backups"
    mkdir -Path $regKeyBackupFileParentFolder -Force | Out-Null
    $regKeyBackupFile = Join-Path -Path $regKeyBackupFileParentFolder -ChildPath $backupFilename

    Write-Host "Backing up key to $($regKeyBackupFile)..."
    reg export "$($cbProduct)" $regKeyBackupFile
    # reg.exe is a native command, so $ErrorActionPreference does not catch its failures; check the exit code.
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for $($cbProduct) (exit code $LASTEXITCODE)" }

    $regContentBase64 = Base64-Encode $regKeyBackupFile # We base64 encode this so that we keep the correct formatting etc, when decoding from Base64.
    [void]$regBackups.Add($regContentBase64) # [void] keeps the returned index out of the output.

    # Write-Host "Removing the registry key..."
    # Remove-Item -Path "Registry::$($cbProduct)" -Force -Recurse
}

Write-Host "Base64-encoded Registry backups can be found below:"
foreach ($regBackup in $regBackups) {
    Write-Host $regBackup
    Write-Host ""
}
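
The script above only prints the backups as Base64. The following is an added example, not part of the gist, showing one way to turn a printed line back into a .reg file and validate it before import. The function name `Restore-RegBackup` and its parameters are hypothetical, and it assumes the input is a single Base64 line copied from the script's output.

```powershell
# Added example, not part of the gist. Function and parameter names are hypothetical.
function Restore-RegBackup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Base64,   # one Base64 line copied from the script's output
        [string] $OutFile = (Join-Path $pwd "restored_$(New-Guid).reg")
    )

    # The backup script encoded the file's text as UTF-8, so decode it the same way.
    try {
        $bytes = [Convert]::FromBase64String($Base64.Trim())
    } catch {
        throw "Input is not valid Base64 (was the line truncated or wrapped when copied?)."
    }
    $text = [Text.Encoding]::UTF8.GetString($bytes)

    # Accept only a .reg export whose keys all sit under Installer\Products,
    # so a wrong or tampered paste cannot write elsewhere in the registry.
    $lines = $text -split "`r?`n"
    if ($lines[0].Trim() -ne 'Windows Registry Editor Version 5.00') {
        throw "Decoded data does not start with the .reg file header."
    }
    $keys = @(foreach ($line in $lines) { if ($line -match '^\[(.+)\]$') { $Matches[1] } })
    if ($keys.Count -eq 0) { throw "No registry keys found in the decoded data." }
    $outside = @($keys | Where-Object { $_ -notlike 'HKEY_CLASSES_ROOT\Installer\Products\*' })
    if ($outside.Count -gt 0) {
        throw "Refusing to import keys outside Installer\Products: $($outside -join ', ')"
    }

    # reg.exe exports UTF-16LE with a BOM; write the restored file the same way.
    Set-Content -Path $OutFile -Value $text -Encoding Unicode -NoNewline

    if ($PSCmdlet.ShouldProcess(($keys -join ', '), 'reg import')) {
        reg import $OutFile
        if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit code $LASTEXITCODE)" }
    }
    $OutFile   # path of the restored .reg file
}

# Usage: Restore-RegBackup -Base64 '<paste one line here>' -WhatIf   # decode and validate only
```

With `-WhatIf` the function decodes, validates and writes the .reg file but skips the import, which lets you inspect the file first.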