Removing ghost installs

From WolfTech
Jump to navigation Jump to search

Notes:

  • Always delete from the left-hand side (the registry keys), not the right-hand side (the values, strings, etc)
  • If you're not sure, DON'T DELETE IT
  • Make sure you remove the ghost or program from Add/Remove before you edit the registry

  • Remove the ghost from Add/Remove Programs
    • You could also use the Windows Installer Cleanup Utility if Add/Remove does not work.
  • Open regedit
  • Navigate to HKEY_CLASSES_ROOT\Installer\Products
    • Expand Products and scroll through the list of keys under it. Keep an eye on the "ProductName" value on the right until you find the program you want to remove. Once you find it, delete its key from the list.


EXAMPLE:

I want to remove WinSCP from my machine. I scroll through and find it as HKEY_CLASSES_ROOT\Installer\Products\0DB7031DE3F217D43A9A34AF9D6B157F. I then delete HKEY_CLASSES_ROOT\Installer\Products\0DB7031DE3F217D43A9A34AF9D6B157F


  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt
    • Expand AppMgmt and scroll through the list like you did before. The values "Deployment Name" and "GPO Name" will tell you what programs they are. When you find the one you want, first double-click on "GPO Name" and copy the value data to the clipboard. Hit Cancel, then delete the key from under AppMgmt.


EXAMPLE:

Continuing, I search for WinSCP under AppMgmt and find it as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\{4594bfb5-d165-41a1-9f60-190bcc8fb474}. I first copy the value data from its GPO Name, which is FW-NCSU-Martin Prikryl-WinSCP-4.0.3-20070808. Then I delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\{4594bfb5-d165-41a1-9f60-190bcc8fb474}


  • Search for remaining keys
    • Hit CTRL+F to bring up the Find window, and paste in the GPO Name that you copied from the previous step. Now just search through the rest of the registry for any remaining instances of that GPO Name, and if you find one, delete the key that the value is for.
    • Keys that you usually find stuff under are:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Shadow
      • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List


EXAMPLE:

To finish, I bring up the Find window and paste in FW-NCSU-Martin Prikryl-WinSCP-4.0.3-20070808, then I start searching. If I find a value that matches that GPO name, I delete the key it is for. I use F3 to keep searching until I hit the end of the registry.


  • Once you hit the end of the registry, close regedit, gpupdate, then restart the machine