google / grr

GRR Rapid Response: remote live forensics for incident response

Home Page: https://grr-doc.readthedocs.io/

Uninstall flow not working

alexgumo7 opened this issue · comments

Environment

  • How did you install GRR? N/A
  • What GRR version are you running?: 3.4.2.4
  • What operating system does the GRR server run on? N/A
  • What operating system does the affected GRR client run on, if applicable? Windows 10

Describe the issue
I have tried to kill the GRR process and remove the persistence on a client by using the administrative flows Kill and Uninstall (with the kill flag). When executed, the client crashes, but after that the connection is still active.
Is this a known problem? Or maybe there is a prerequisite for these flows to work that I am not aware of?

I'm assuming that the installation is not using Fleetspeak (the next-generation, experimental communication framework, which can be enabled at install time).

TL;DR: A restart of the client machine is necessary.

The GRR installation installs a Windows service. The service runs the nanny / the GRR monitor. The nanny starts the GRR agent and monitors it. If the agent crashes, the monitor restarts it.

My understanding is that the Uninstall flow disables the Windows Service, but doesn't actively stop it. So it won't get automatically started at the next boot.

The Kill flow kills the client, but it will be respawned automatically by the nanny.

This clarifies why it wasn't working. However, in most cases the machines cannot be restarted. Is there another approach to kill and stop the service without restarting?

There is functionality to execute arbitrary Python code on the client:

https://grr-doc.readthedocs.io/en/latest/investigating-with-grr/pushing-code.html#deploying-arbitrary-python-code

So it would be possible to upload and then execute the following snippet:

import subprocess

# Ask the Service Control Manager to stop the nanny service.
# "GRR Monitor" is the default service name (config option Nanny.service_name).
subprocess.check_call(["sc", "stop", "GRR Monitor"])

However, I'm not completely sure if this will work, since it would stop the service from within GRR itself.

Note that the actual service name ("GRR Monitor" in the above example) can be customized using the config and might differ in your installation. The respective config variable is Nanny.service_name.

Actually, I think the python snippet might be worth a try.

I've tried ExecutePythonHack and it's working. The procedure would be the following:

  • Launch flow Uninstall to disable the service.
  • Launch ExecutePythonHack with the snippet provided previously to stop the service.

However, I would suggest changing the description of the Uninstall flow, as it says that it stops the service when it actually does not do that.

Thanks!
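The two-step procedure above (Uninstall to disable the service, ExecutePythonHack to stop it), written out as one Python snippet together with the verification a practitioner would want afterwards. This is an added example; it is not code from the issue or from GRR itself. It assumes the default service name "GRR Monitor" (Nanny.service_name) and that sc.exe is on the PATH, and the sc query outputs embedded for the offline check are constructed samples in the format sc.exe prints.

```python
"""Disable and stop the GRR nanny service on a Windows host.

Added example for the procedure discussed in this issue; not part of GRR.
Assumes the default Nanny.service_name "GRR Monitor" and sc.exe on PATH.
"""
import re
import subprocess
import time

DEFAULT_SERVICE = "GRR Monitor"  # assumption: default Nanny.service_name

# `sc query` prints a line such as "        STATE              : 4  RUNNING".
_STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)", re.MULTILINE)

# Constructed samples of `sc query "GRR Monitor"` output (not captured output).
SAMPLE_RUNNING = (
    "SERVICE_NAME: GRR Monitor\n"
    "        TYPE               : 10  WIN32_OWN_PROCESS\n"
    "        STATE              : 4  RUNNING\n"
    "                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)\n"
    "        WIN32_EXIT_CODE    : 0  (0x0)\n"
    "        SERVICE_EXIT_CODE  : 0  (0x0)\n"
    "        CHECKPOINT         : 0x0\n"
    "        WAIT_HINT          : 0x0\n"
)
SAMPLE_STOP_PENDING = SAMPLE_RUNNING.replace("4  RUNNING", "3  STOP_PENDING")
SAMPLE_STOPPED = SAMPLE_RUNNING.replace("4  RUNNING", "1  STOPPED")


def _run(argv):
    """Default runner: execute sc.exe and return its stdout as text."""
    return subprocess.check_output(argv, text=True)


def parse_sc_query(output: str) -> str:
    """Return the state word (RUNNING, STOPPED, STOP_PENDING, ...) from sc query output."""
    m = _STATE_RE.search(output)
    if not m:
        raise ValueError("no STATE line in sc query output")
    return m.group(1)


def sc_commands(service: str) -> list:
    """argv lists in the order they must run: disable autostart, then stop.

    The stop comes last on purpose: when run through ExecutePythonHack it
    kills the nanny, and with it the agent executing this snippet, so no
    statement placed after it would ever run.
    """
    return [
        # sc.exe needs "start=" and "disabled" as two separate arguments.
        ["sc", "config", service, "start=", "disabled"],
        ["sc", "stop", service],
    ]


def disable_and_stop(service: str = DEFAULT_SERVICE, run=_run) -> str:
    """Disable and stop the service; return the state observed before stopping.

    `run` is injectable so the logic can be exercised without sc.exe.
    """
    try:
        state = parse_sc_query(run(["sc", "query", service]))
    except subprocess.CalledProcessError as e:
        # sc.exe exits with 1060 when no such service exists.
        raise RuntimeError(f"service {service!r} not found (sc exit {e.returncode})")
    for argv in sc_commands(service):
        run(argv)
    return state


def wait_until_stopped(service: str = DEFAULT_SERVICE, run=_run,
                       attempts: int = 10, delay: float = 1.0) -> bool:
    """Poll `sc query` until the service reports STOPPED.

    Run this from an administrative shell on the host, not via GRR: the
    agent that would execute it is gone once the nanny stops.
    """
    for _ in range(attempts):
        if parse_sc_query(run(["sc", "query", service])) == "STOPPED":
            return True
        time.sleep(delay)
    return False


if __name__ == "__main__":
    print("state before stop:", disable_and_stop())
```

The snippet deliberately never verifies its own result: stopping the service tears down the process running it, so confirmation has to come from outside GRR, either `wait_until_stopped()` from an elevated shell on the host or the client ceasing to check in on the GRR server.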

I agree that the description should be adapted, I'll make the respective change.