This works rather well with the .EXE installer:
installer.exe --dont_fail_on_config_preserving_failures -t "site-token-in-quotes" /qn
Do make sure the site token is in quotes.
The hidden NTFS “System Volume Information” (SVI) folders on Windows machines can build up and up and up in size. I’ve seen instances ranging from 20G to hundreds of gigabytes, and every time this occurs, the overall system slows down, and often slows down a whole lot. SpaceSniffer is my favorite method of identifying this situation, but there are many. The only preventative I have been able to identify so far is here.
But here we are discussing cleanup. If you have SentinelOne (S1) installed on this machine, you need to know that S1 considers deletion of volume shadows to be very bad actor behavior. This is because it is often a way that cryptolockers and others delete last-known-good checkpoints. S1 will not let you clear SVI unless you disable it first, and it will complain very loudly if you try. Instructions for disabling S1 are at the end of this article. There may well be other security tools which will behave similarly and need similar interaction beforehand.
wmic shadowcopy delete /nointeractive
vssadmin delete shadows /all
diskshadow
delete shadows all
Any of these can take a while, especially if SVI is big, e.g., more than 20-30 gigabytes. It can get huge occasionally, hundreds of gigabytes. I recently saw 1,022 shadow copies deleted (the first and third methods tell you the count) from one server.
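Why a security tool reacts to these commands, seen from the defender's side: the sketch below is an added example, not part of the original post and not SentinelOne's logic. It matches the shadow-copy commands named on this page in process command lines and separates runs inside an approved maintenance window from everything else. The events, host names, user names and the window table are constructed for illustration.

```python
import re
from datetime import datetime

# Command-line patterns for the shadow-copy commands shown on this page.
RULES = [
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("diskshadow started", re.compile(r"\bdiskshadow(\.exe)?\b", re.I)),
]

# Constructed sample events (not real telemetry): time, host, user, command line.
SAMPLE_EVENTS = [
    ("2024-05-01T02:10:00", "FS01", "CORP\\admin1", "vssadmin delete shadows /all"),
    ("2024-05-01T02:12:00", "FS01", "CORP\\admin1", "diskshadow"),
    ("2024-05-03T14:31:00", "WS17", "CORP\\jdoe",
     "cmd.exe /c WMIC.exe shadowcopy delete /nointeractive"),
    ("2024-05-03T14:32:00", "WS17", "CORP\\jdoe", "vssadmin list shadows"),
    ("2024-05-03T14:33:00", "WS17", "CORP\\jdoe",
     "VSSADMIN  Resize ShadowStorage /For=C: /On=C: /MaxSize=10%"),
]

# Hypothetical change-control record: host -> approved maintenance window.
APPROVED_WINDOWS = {"FS01": ("2024-05-01T02:00:00", "2024-05-01T04:00:00")}

def in_window(host, when, windows):
    """True if 'when' falls inside the approved window for 'host'."""
    if host not in windows:
        return False
    start, end = (datetime.fromisoformat(t) for t in windows[host])
    return start <= when <= end

def scan(events, windows):
    """Return (time, host, user, rule, status) for every matching event."""
    findings = []
    for ts, host, user, cmdline in events:
        when = datetime.fromisoformat(ts)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                status = "approved" if in_window(host, when, windows) else "alert"
                findings.append((ts, host, user, name, status))
                break  # one finding per event is enough
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, APPROVED_WINDOWS):
        print(*finding, sep=" | ")
```

The read-only `vssadmin list shadows` call is not flagged, and a bare `diskshadow` launch is reported because its `delete shadows all` is typed inside the tool and never appears on the command line.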
Special cases do occur. Here are steps which can help a lot.
vssadmin resize shadowstorage
for the relevant drive(s) (try /? for syntax…), first to 10%, then back to whatever it was. Sometimes Windows will do a lot of steady cleanup for you, sometimes over hours of time. You’ll see it by watching File Explorer.
cd "C:\Program Files\SentinelOne\Sentinel*"
.\sentinelctl.exe unload -slam -k "<passphrase>"
Then, and only then, will the cleanup commands above work.
.\sentinelctl.exe load -slam
If you should need to reenable S1 and your command prompt is not where you need it, here’s a paste:
cd "C:\Program Files\SentinelOne\Sentinel*"
.\sentinelctl.exe load -slam
For a long time the standard was to contact your S1 support and receive a removal tool. I don’t know if this always works, but it did for one corrupt agent:
SentinelOneInstaller_windows_64bit_v22_2_4_558.exe --clean_only --dont_preserve_config_dir --dont_preserve_agent_uid -t xyzpdqxyzpdq
where xyzpdqxyzpdq is the site token (much longer of course). Not entirely sure the -t xyzpdqxyzpdq is needed.