
How can I block LabTech from installing & another question?


Part of our network uses Avast Managed Workplace (good stuff), and part of it is partially managed by an IT vendor using Labtech (pushing out Eset).  There are several workstations that we DO NOT WANT Labtech software on.  Our vendor tells us that the only way to exclude these workstations is to give them the computer name and IP address.  Is this true?  It is an issue because we don't want to have to static IP every computer, and they change IP addresses and names frequently.  Is there a way to block it at the computer level or server level for these workstations where we don't want this software installed? 

Also, does someone have a link for a thorough Labtech uninstall (Labtech, ScreenConnect, WeOnlyDo, version of vnc and whatever else it installs)?  I have tried the CWAutomate Agent Executioner script, but I swear the next day the software was back (could have been user error though).  

Thank you for your help!


I was actually about to link the Executioner script. I haven't seen it fail before, so I'm curious what's going on. You probably know this already, but the magic behind the executioner script works like this.

If Automate is installed, then it will uninstall it and remove the folders and reg keys associated with it.
Then it recreates those same folders and reg keys with no information in them.
Finally it restricts the permissions of those folders/keys so that not even SYSTEM has the authority to read/write/delete them.

What really seems like a head scratcher in your case is the fact that it runs as a scheduled task, so even if by some miracle it was able to auto-install again, the next time that task runs (hourly I believe) it will go through the same process again. It doesn't make sense at all that they would keep coming back. When you notice them in CWA are they showing as online or offline? Online would make zero sense, but if they were showing as offline then it's possible that you have an extremely robust installation script that keeps fighting against the executioner script creating an endless loop of mutilation and restoration.

 

First step I would take is hopping on one of the problematic machines where the executioner script isn't working and check to see if the scheduled task is on and running. The task is called 'CWAutoMaintenance.' If that's not on the machine, then the script did not run correctly on the machine.


Thank you for your reply.  I am going to try it on another machine.  Before I ran it, I ran a handy little utility, installedpackageview, that showed what Labtech installed (see below).  So after running the program, I went into the registry to see which keys remained (most of them were there).  So I deleted them manually, but could delete the LabTech key (even with domain admin credentials).  But I understand now that the software blocks that key from being tampered with (and I tried!).  How did you do that?

Anyway, like I mentioned, maybe I didn't run things in the right order.  I downloaded a generic uninstaller from the internet, and then ran your program.  I'll try it on another one and let you know.  

Also, do you know if the only way for the LabTech partner to exclude computers is for us to give them the computer name and IP address?  Makes me crazy(er).

Thanks! 

ID                                Type      Path                                                       Registry Time
02C9212940606F89D84B9CB6FF4DD30B  Filename  C:\WINDOWS\LTSvc\Interfaces.dll                            1/7/2019 8:55:43 AM
0C018815D3778FCEB20C0ADC755F7AAC  Registry  HKLM\SOFTWARE\Software\LabTech\Service\ServerPassword      1/7/2019 8:55:43 AM
0E3B959BB88671F4ABBAF9E8EDC64A3C  Registry  HKLM\SOFTWARE\Software\LabTech\Service\BasePath            1/7/2019 8:55:44 AM
0FD9B10DCBE2C21439B360C451330B7F  Filename  C:\WINDOWS\LTSvc\LTSVC.exe.config                          1/7/2019 8:55:44 AM
23F50AA03D2AF6B4AA953D01E314B852  Registry  HKLM\SOFTWARE\Software\LabTech\Service\TrayPort            1/7/2019 8:55:45 AM
4040406370149634B8C8883951B73252  Registry  HKLM\SOFTWARE\Software\LabTech\Service\FullSystemFunction  1/7/2019 8:55:46 AM
473B295C66832A54CB2DA97C56EEB97E  Registry  HKLM\SOFTWARE\Software\LabTech\UUID                        1/7/2019 8:55:47 AM
55916DA8E7AD5C84096C938E58B67753  Filename  C:\WINDOWS\LTSvc\LTTray.exe.config                         1/7/2019 8:55:47 AM
6551A6A3223A42145A8DBEC276546CBE  Filename  C:\                                                        1/7/2019 8:55:48 AM
66E827B89F91CA79D30354A24E0EAF58  Filename  C:\WINDOWS\LTSvc\LTTray.exe                                1/7/2019 8:55:48 AM
79CA03B1F97BD9BB1271CF8A53D2B560  Filename  C:\WINDOWS\LTSvc\LabTeCh.ico                               1/7/2019 8:55:49 AM
81AF359D0D8A56741BAFB64E89A63A46  Filename  C:\                                                        1/7/2019 8:55:50 AM
B455A89A0B71C33488DAFC4180C139A0  Filename  C:\WINDOWS\LTSvc\LTSvcMon.exe                              1/7/2019 8:55:52 AM
CF848E4CB21F8A410E41B77A2E46FA85  Registry  HKLM\SOFTWARE\Software\LabTech\Service\Server Address      1/7/2019 8:55:54 AM
DA9A3F3A41516144A86556CFB521A82E  Filename  C:\WINDOWS\LTSvc\LTSvcMon.exe.config                       1/7/2019 8:55:54 AM
DAA106851640BF949B10F74B459C9FCC  Registry  HKLM\SOFTWARE\Software\LabTech\Service\VNCServiceName      1/7/2019 8:55:54 AM
DD1C4366D971A459C2A075D7DD8BEF26  Filename  C:\WINDOWS\LTSvc\LTSVC.exe                                 1/7/2019 8:55:54 AM
E167A30CF58B8B944BDA71A5E87BF41E  Registry  HKLM\SOFTWARE\Software\LabTech\Service\Template            1/7/2019 8:55:55 AM
ED44F809C12C28B3E933B9020D3B093A  Registry  HKLM\SOFTWARE\Software\LabTech\Service\ProductCode         1/7/2019 8:55:55 AM
EEA49E539F7DBD8E33453098C484EFC8  Registry  HKLM\SOFTWARE\Software\LabTech\Service\LocationID          1/7/2019 8:55:55 AM

 


The thing about needing the name/IP would be based on how they are deploying.  Depending on their deployment method, they may need that information to prevent the install. (When we deploy we do it via a GPO, so if we adjusted the GPO to exclude a machine it would not get the agent... But that's just how we do it.)

The Agent Executioner makes it harder but not impossible to reinstall the agent. However the first time it is run it only installs the task, it doesn't take action to remove or cripple until the task is called (after a reboot). So if you uninstalled the agent and then ran the script but didn't restart, it's completely possible for the agent to get back on there. Once you reboot however it should lock down.

Automate (Labtech) doesn't lock the LabTech registry key. If you can't remove it, either a running program has it open, or the Agent Executioner has done its work.
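
Added example, not part of the thread and not the Agent Executioner script itself: a read-only PowerShell check for the state the replies above describe (the 'CWAutoMaintenance' task registered, agent services gone, the agent folder and key present with SYSTEM locked out). The registry path HKLM:\SOFTWARE\LabTech and the service names LTService and LTSvcMon are assumptions, not taken from the thread.

```powershell
# Read-only audit; run from an elevated PowerShell prompt on the workstation.
# Nothing here changes the system. Values marked "assumed" are not from the thread.
$taskName  = 'CWAutoMaintenance'            # task name given in the thread
$agentDir  = Join-Path $env:windir 'LTSvc'  # folder shown in the posted listing
$agentKey  = 'HKLM:\SOFTWARE\LabTech'       # assumed location of the agent key
$services  = 'LTService', 'LTSvcMon'        # assumed agent service names
$systemSid = 'S-1-5-18'                     # well-known SID of LocalSystem

function Get-LockState {
    param([string]$Path)
    try {
        if (-not (Test-Path -LiteralPath $Path -ErrorAction Stop)) { return 'absent' }
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
        # Request rules keyed by SID so the comparison works on localized Windows.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    } catch {
        # An object that cannot even be read is consistent with the lock-down described above.
        return "unreadable: $($_.Exception.Message)"
    }
    $sys   = @($rules | Where-Object { $_.IdentityReference.Value -eq $systemSid })
    $deny  = @($sys | Where-Object { $_.AccessControlType -eq 'Deny' }).Count -gt 0
    $allow = @($sys | Where-Object { $_.AccessControlType -eq 'Allow' }).Count -gt 0
    if ($deny -or -not $allow) { 'present, SYSTEM has no direct access (locked)' }
    else { 'present, SYSTEM still has an Allow entry (not locked)' }
}

$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
$info = if ($task) { $task | Get-ScheduledTaskInfo }
$svc  = @(Get-Service -Name $services -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    TaskPresent   = [bool]$task
    TaskState     = if ($task) { $task.State } else { 'n/a' }
    TaskLastRun   = if ($info) { $info.LastRunTime } else { 'n/a' }
    AgentServices = if ($svc.Count) { ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ' } else { 'none' }
    AgentFolder   = Get-LockState $agentDir
    AgentRegistry = Get-LockState $agentKey
}
```

A machine where TaskPresent is False, or where the folder and key still show an Allow entry for SYSTEM, matches the "ran the script but didn't restart" case described above.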


Thank you very much for your reply and explanation.  It all makes sense to me now.  I have one more quick question.  We were told that computers could not be excluded by MAC address, but I read a post back from 2017 saying this, "You can block their mac addresses from signing up once deleted by adding them into a comma delimited list in the registry key on the LabTech Server: HKEY_LOCAL_MACHINE\SOFTWARE\LabTech\Global\MacBlackList".  Is this statement still applicable today? 

Again, I really appreciate your kind responses to my questions.  


It is true, but their statement is true also.

The MACBlackList will prevent the server from accepting your computer as an agent. It will do nothing to stop the software from being installed (although it would never "do" anything, it would continue to attempt to register).

You can do things like use the AgentExecutioner script which makes installing impossible, but it wouldn't stop them from trying. The only way (based on how it sounds like they are deploying agents) to prevent your machines from being targeted would be if they are at known IPs, or in a known range of IPs. Depending on the balance of managed/unmanaged, perhaps you could use DHCP reservations for one group and so they can either target or exclude the reserved IPs. Certainly it's best when you can work together instead of resorting to steps that break management tools.


If they're using the Network Probe push to deploy, as opposed to, say, a GPO, they can ignore the MAC addresses of the machines to prevent probe-based installation of agent software. Just a thought.
