Add VMware binary discovery and removal tools#2
Open
jamepark4 wants to merge 1 commit into
Open
Conversation
jamepark4
requested review from
YanVugenfirer,
kostyanf14 and
vrozenfe
as code owners
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a comprehensive toolkit for removing VMware Tools remnants from Windows VMs after v2v migration, including scripts for service management, driver removal, registry cleanup, and binary file deletion. The code review highlights several critical improvements to ensure robustness, portability, and safety. Key feedback includes fixing registry parsing in the binary discovery script, using well-known SIDs instead of localized group names to support non-English Windows installations, replacing the slow and unsafe Win32_Product WMI query with the Windows Installer COM object, and addressing potential command injection vulnerabilities by utilizing delayed expansion for path variables.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Author
|
Based on feedback, converting to draft and re-testing with recommended updates. |
jamepark4
force-pushed
the
feature/binary-removal
branch
9 times, most recently
from
0a12b46 to
e952898
Compare
kostyanf14
reviewed
Jun 9, 2026
| } | ||
|
|
||
| # System32\drivers - using WHITELIST approach (CompanyName verification) | ||
| # Scan for both vm* and vsock* patterns (vsock.sys is VMware vSockets driver) |
Member
There was a problem hiding this comment.
One comment about vsock.
Windows does not support AF_VSOCK out of the box. So, the driver needs to register AF_VSOCK and map it to a user-mode driver (UMD).
Due to this, you can not just remove the UMD file; Windows will still think that AF_VSOCK exists. This will cause an issue with virtio-sock. So, for the VMware vSockets driver, we must: unregister AF_VSOCK and only then remove the UMD.
Author
There was a problem hiding this comment.
Thanks for highlighting this, my current procedure has been:
- Stop VMware services (services/remove_vmware_services.bat)
- Discovery relevant VMware binaries (binaries/discover_vmware_binares.ps1)
- Remove drivers (drivers/remove_vmware_driver_packages.bat)
- Reboot to unload drivers
- Remove the discovered vmware binares (binaries/remove_vmware_binaries.ps1) Any locked binary during this process will be schedule for deletion at next reboot.
- Clean the registry (reg/remvoe_vmware_registry.bat)
- Reboot
- Clean up any remaining protected files (binaries/cleanup_protected_files.ps1)
- Remove any lingering ghost devices (binaries/remove_ghost_devices.ps1)
I will confirm if what I'm doing in step 3 is enough to ensure unregister AF_VSOCK before progressing to the binary removal.
Member
There was a problem hiding this comment.
Can be not be enough, because UMD registration can be done independently of driver installation. Need to check. You can use virtio-sock test application to enumerate all installed socket providers and check.
jamepark4
force-pushed
the
feature/binary-removal
branch
2 times, most recently
from
36e35a3 to
0135e36
Compare
jamepark4
added a commit
to jamepark4/vmwremover
that referenced
this pull request
Jun 12, 2026
Implements a complete 9-step procedure for removing VMware Tools from Windows VMs after v2v migration to KVM/virtio. Addresses critical vSockets conflict, driver cleanup, and empty directory removal. - **discover_vmware_binaries.ps1**: Cryptographic signature verification - Authenticode signature checking (VMware CA validation) - Metadata fallback for WHQL-signed drivers - Scans Program Files, System32, drivers, and ProgramData - 14× faster than batch version (no process spawning) - **remove_vmware_binaries.ps1**: Native MoveFileEx integration - Immediate deletion with automatic reboot scheduling for locked files - Path safety validation prevents system directory accidents - FileRepository orphan cleanup after driver unload - Empty directory removal per customer requirements - **uninstall_vmware_msi.ps1**: Proper MSI uninstall via Windows Installer - Uses official VMware uninstaller for clean removal - Removes files, services, drivers, and registry properly **Problem**: VMware vSockets and virtio-vsock both use AF_VSOCK (40). Windows allows only one provider per address family. If VMware vSockets remains, virtio-vsock fails to register. Simple `netsh winsock remove provider` silently fails. **Solution**: Three-phase cleanup in remove_vmware_registry.bat 1. Delete Services\vsock from ALL ControlSets (not just CurrentControlSet) 2. Delete WinSock2 registry entries from ALL ControlSets 3. Run `netsh winsock reset` to rebuild catalog from cleaned registry 4. Reboot to finalize (network stack reload) - **delete_vsock_all_controlsets.ps1**: Remove vsock service entries - **delete_winsock_registry.ps1**: Remove vSockets from all ControlSets - **cleanup_winsock_after_registry.ps1**: Winsock catalog reset with fallback - **remove_vmware_registry.bat**: Orchestrates cleanup + hardcoded key removal - **remove_vmware_driver_packages.bat**: Enhanced with FileRepository awareness - NOTE: FileRepository cleanup moved to step 6 (after driver unload) - Drivers must be unloaded before directories can be removed - **remove_ghost_devices.ps1**: Remove hidden VMware devices - OS version detection (auto-removal requires Win10 2004+/Server 2022+) - Graceful degradation for older Windows (manual removal guidance) - **verify_complete_removal.ps1**: 14-check comprehensive verification - Services, driver store, binaries (Program Files, System32, drivers) - DriverStore FileRepository and DRVSTORE vsock entries - Registry (VMware, WOW6432Node, Services, Windows Installer) - Winsock catalog (VMware vSockets removed, virtio-vsock available) - Ghost devices with OS version awareness - Directory existence checks (not just file checks) - **test_socket_providers.ps1**: Winsock provider verification - **1_investigate_before_registry_cleanup.ps1**: Baseline capture - **2_investigate_after_cleanup_before_reboot.ps1**: Post-cleanup verification - **3_investigate_after_reboot.ps1**: Identify what reappeared ``` 1. binaries\uninstall_vmware_msi.ps1 → Proper MSI uninstall 2. services\remove_vmware_services.bat → Stop/delete services 3. binaries\discover_vmware_binaries.ps1 → Catalog all files 4. drivers\remove_vmware_driver_packages.bat → Remove from driver store 5. REBOOT virtio-win#1 → Unload kernel drivers 6. binaries\remove_vmware_binaries.ps1 → Delete files + cleanup 7. reg\remove_vmware_registry.bat → Registry + Winsock reset 8. REBOOT virtio-win#2 → Complete file deletion + finalize Winsock 9. drivers\remove_ghost_devices.ps1 → Remove hidden devices ``` **Why Two Reboots?** - REBOOT virtio-win#1: Unloads kernel drivers so files can be deleted - REBOOT virtio-win#2: Completes locked file deletion + finalizes Winsock catalog reset - Primary: Check certificate Subject for O=VMware - Secondary: Check file VersionInfo.CompanyName for "VMware" - Handles WHQL-signed VMware drivers (signed by Microsoft but made by VMware) - Prevents false positives: vmic*.dll, vmbus*.dll (Hyper-V, not VMware) Windows maintains multiple ControlSets (001, 002, etc.) for boot recovery. Cleaning only CurrentControlSet leaves VMware entries in backup sets, which can be restored during system recovery or boot failures. Must clean ALL. - Rejects paths containing: Windows, System32, SysWOW64, Program Files (root) - Length validation (minimum 20 chars for safety) - Prevents accidental `C:\Windows` deletion All items from minimum_customer_cleanup_actions addressed: - ✅ MSI uninstall, services (stop/disable/delete) - ✅ Kernel drivers (System32\drivers\vm*.sys, vsock.sys) - ✅ Driver packages (pnputil + FileRepository + DRVSTORE cleanup) - ✅ Registry (VMware Inc., WOW6432Node, Services, Installer keys) - ✅ Directories (Program Files, Common Files, ProgramData - including empty) - ✅ System32/SysWOW64 binaries (vm3ddevapi64.dll, vmGuestLib.dll, etc.) - ✅ Ghost devices (with OS version awareness) - ✅ GISvc (Guest Introspection Service) - **Removed**: cleanup_protected_files.ps1 (redundant - discover now scans ProgramData) - **File extension change**: .bat → .ps1 for discovery/removal (run via `powershell -ExecutionPolicy Bypass -File`) - **Execution order**: Now 9 steps (was 11) - cleanup_protected_files removed Validated on: - Windows Server 2019 (ghost device auto-removal not supported - expected) - Windows Server 2025 (all 14 verification checks passing) Signed-off-by: James Parker <[email protected]> Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
jamepark4
force-pushed
the
feature/binary-removal
branch
from
0135e36 to
d9c08c9
Compare
jamepark4
added a commit
to jamepark4/vmwremover
that referenced
this pull request
Jun 12, 2026
Implements a complete 9-step procedure for removing VMware Tools from Windows VMs after v2v migration to KVM/virtio. Addresses critical vSockets conflict, driver cleanup, and empty directory removal. - **discover_vmware_binaries.ps1**: Cryptographic signature verification - Authenticode signature checking (VMware CA validation) - Metadata fallback for WHQL-signed drivers - Scans Program Files, System32, drivers, and ProgramData - 14× faster than batch version (no process spawning) - **remove_vmware_binaries.ps1**: Native MoveFileEx integration - Immediate deletion with automatic reboot scheduling for locked files - Path safety validation prevents system directory accidents - FileRepository orphan cleanup after driver unload - Empty directory removal per customer requirements - **uninstall_vmware_msi.ps1**: Proper MSI uninstall via Windows Installer - Uses official VMware uninstaller for clean removal - Removes files, services, drivers, and registry properly **Problem**: VMware vSockets and virtio-vsock both use AF_VSOCK (40). Windows allows only one provider per address family. If VMware vSockets remains, virtio-vsock fails to register. Simple `netsh winsock remove provider` silently fails. **Solution**: Three-phase cleanup in remove_vmware_registry.bat 1. Delete Services\vsock from ALL ControlSets (not just CurrentControlSet) 2. Delete WinSock2 registry entries from ALL ControlSets 3. Run `netsh winsock reset` to rebuild catalog from cleaned registry 4. Reboot to finalize (network stack reload) - **delete_vsock_all_controlsets.ps1**: Remove vsock service entries - **delete_winsock_registry.ps1**: Remove vSockets from all ControlSets - **cleanup_winsock_after_registry.ps1**: Winsock catalog reset with fallback - **remove_vmware_registry.bat**: Orchestrates cleanup + hardcoded key removal - **remove_vmware_driver_packages.bat**: Enhanced with FileRepository awareness - NOTE: FileRepository cleanup moved to step 6 (after driver unload) - Drivers must be unloaded before directories can be removed - **remove_ghost_devices.ps1**: Remove hidden VMware devices - OS version detection (auto-removal requires Win10 2004+/Server 2022+) - Graceful degradation for older Windows (manual removal guidance) - **verify_complete_removal.ps1**: 14-check comprehensive verification - Services, driver store, binaries (Program Files, System32, drivers) - DriverStore FileRepository and DRVSTORE vsock entries - Registry (VMware, WOW6432Node, Services, Windows Installer) - Winsock catalog (VMware vSockets removed, virtio-vsock available) - Ghost devices with OS version awareness - Directory existence checks (not just file checks) - **test_socket_providers.ps1**: Winsock provider verification - **1_investigate_before_registry_cleanup.ps1**: Baseline capture - **2_investigate_after_cleanup_before_reboot.ps1**: Post-cleanup verification - **3_investigate_after_reboot.ps1**: Identify what reappeared ``` 1. binaries\uninstall_vmware_msi.ps1 → Proper MSI uninstall 2. services\remove_vmware_services.bat → Stop/delete services 3. binaries\discover_vmware_binaries.ps1 → Catalog all files 4. drivers\remove_vmware_driver_packages.bat → Remove from driver store 5. REBOOT virtio-win#1 → Unload kernel drivers 6. binaries\remove_vmware_binaries.ps1 → Delete files + cleanup 7. reg\remove_vmware_registry.bat → Registry + Winsock reset 8. REBOOT virtio-win#2 → Complete file deletion + finalize Winsock 9. drivers\remove_ghost_devices.ps1 → Remove hidden devices ``` **Why Two Reboots?** - REBOOT virtio-win#1: Unloads kernel drivers so files can be deleted - REBOOT virtio-win#2: Completes locked file deletion + finalizes Winsock catalog reset - Primary: Check certificate Subject for O=VMware - Secondary: Check file VersionInfo.CompanyName for "VMware" - Handles WHQL-signed VMware drivers (signed by Microsoft but made by VMware) - Prevents false positives: vmic*.dll, vmbus*.dll (Hyper-V, not VMware) Windows maintains multiple ControlSets (001, 002, etc.) for boot recovery. Cleaning only CurrentControlSet leaves VMware entries in backup sets, which can be restored during system recovery or boot failures. Must clean ALL. - Rejects paths containing: Windows, System32, SysWOW64, Program Files (root) - Length validation (minimum 20 chars for safety) - Prevents accidental `C:\Windows` deletion All items from minimum_customer_cleanup_actions addressed: - ✅ MSI uninstall, services (stop/disable/delete) - ✅ Kernel drivers (System32\drivers\vm*.sys, vsock.sys) - ✅ Driver packages (pnputil + FileRepository + DRVSTORE cleanup) - ✅ Registry (VMware Inc., WOW6432Node, Services, Installer keys) - ✅ Directories (Program Files, Common Files, ProgramData - including empty) - ✅ System32/SysWOW64 binaries (vm3ddevapi64.dll, vmGuestLib.dll, etc.) - ✅ Ghost devices (with OS version awareness) - ✅ GISvc (Guest Introspection Service) - **Removed**: cleanup_protected_files.ps1 (redundant - discover now scans ProgramData) - **File extension change**: .bat → .ps1 for discovery/removal (run via `powershell -ExecutionPolicy Bypass -File`) - **Execution order**: Now 9 steps (was 11) - cleanup_protected_files removed Validated on: - Windows Server 2019 (ghost device auto-removal not supported - expected) - Windows Server 2025 (all 14 verification checks passing) Signed-off-by: James Parker <[email protected]> Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
jamepark4
force-pushed
the
feature/binary-removal
branch
from
d9c08c9 to
f8c4f80
Compare
jamepark4
added a commit
to jamepark4/vmwremover
that referenced
this pull request
Jun 15, 2026
Implements a complete 9-step procedure for removing VMware Tools from Windows VMs after v2v migration to KVM/virtio. Addresses critical vSockets conflict, driver cleanup, and empty directory removal. ## Core Improvements ### Binary Discovery & Removal (PowerShell Migration) - **discover_vmware_binaries.ps1**: Cryptographic signature verification - Authenticode signature checking (VMware CA validation) - Metadata fallback for WHQL-signed drivers - Scans Program Files, System32, drivers, and ProgramData - 14× faster than batch version (no process spawning) - **remove_vmware_binaries.ps1**: Native MoveFileEx integration - Immediate deletion with automatic reboot scheduling for locked files - Path safety validation prevents system directory accidents - FileRepository orphan cleanup after driver unload - Empty directory removal per customer requirements - **uninstall_vmware_msi.ps1**: Proper MSI uninstall via Windows Installer - Uses official VMware uninstaller for clean removal - Removes files, services, drivers, and registry properly ### Critical Fix: VMware vSockets Conflict **Problem**: VMware vSockets and virtio-vsock both use AF_VSOCK (40). Windows allows only one provider per address family. If VMware vSockets remains, virtio-vsock fails to register. Simple `netsh winsock remove provider` silently fails. **Solution**: Three-phase cleanup in remove_vmware_registry.bat 1. Delete Services\vsock from ALL ControlSets (not just CurrentControlSet) 2. Delete WinSock2 registry entries from ALL ControlSets 3. Run `netsh winsock reset` to rebuild catalog from cleaned registry 4. Reboot to finalize (network stack reload) ### Registry Cleanup (Modular PowerShell) - **delete_vsock_all_controlsets.ps1**: Remove vsock service entries - **delete_winsock_registry.ps1**: Remove vSockets from all ControlSets - **cleanup_winsock_after_registry.ps1**: Winsock catalog reset with fallback - **remove_vmware_registry.bat**: Orchestrates cleanup + hardcoded key removal ### Driver Management - **remove_vmware_driver_packages.bat**: Enhanced with FileRepository awareness - NOTE: FileRepository cleanup moved to step 6 (after driver unload) - Drivers must be unloaded before directories can be removed - **remove_ghost_devices.ps1**: Remove hidden VMware devices - OS version detection (auto-removal requires Win10 2004+/Server 2022+) - Graceful degradation for older Windows (manual removal guidance) ### Verification & Debugging - **verify_complete_removal.ps1**: 14-check comprehensive verification - Services, driver store, binaries (Program Files, System32, drivers) - DriverStore FileRepository and DRVSTORE vsock entries - Registry (VMware, WOW6432Node, Services, Windows Installer) - Winsock catalog (VMware vSockets removed, virtio-vsock available) - Ghost devices with OS version awareness - Directory existence checks (not just file checks) - **test_socket_providers.ps1**: Winsock provider verification - **1_investigate_before_registry_cleanup.ps1**: Baseline capture - **2_investigate_after_cleanup_before_reboot.ps1**: Post-cleanup verification - **3_investigate_after_reboot.ps1**: Identify what reappeared ## Execution Order (9 Steps, 2 Reboots) ``` 1. binaries\uninstall_vmware_msi.ps1 → Proper MSI uninstall 2. services\remove_vmware_services.bat → Stop/delete services 3. binaries\discover_vmware_binaries.ps1 → Catalog all files 4. drivers\remove_vmware_driver_packages.bat → Remove from driver store 5. REBOOT virtio-win#1 → Unload kernel drivers 6. binaries\remove_vmware_binaries.ps1 → Delete files + cleanup 7. reg\remove_vmware_registry.bat → Registry + Winsock reset 8. REBOOT virtio-win#2 → Complete file deletion + finalize Winsock 9. drivers\remove_ghost_devices.ps1 → Remove hidden devices ``` **Why Two Reboots?** - REBOOT virtio-win#1: Unloads kernel drivers so files can be deleted - REBOOT virtio-win#2: Completes locked file deletion + finalizes Winsock catalog reset ## Key Technical Details ### Authenticode Verification (Anti-Hyper-V False Positives) - Primary: Check certificate Subject for O=VMware - Secondary: Check file VersionInfo.CompanyName for "VMware" - Handles WHQL-signed VMware drivers (signed by Microsoft but made by VMware) - Prevents false positives: vmic*.dll, vmbus*.dll (Hyper-V, not VMware) ### ControlSet Cleanup Rationale Windows maintains multiple ControlSets (001, 002, etc.) for boot recovery. Cleaning only CurrentControlSet leaves VMware entries in backup sets, which can be restored during system recovery or boot failures. Must clean ALL. ### Path Safety (Prevent Accidents) - Rejects paths containing: Windows, System32, SysWOW64, Program Files (root) - Length validation (minimum 20 chars for safety) - Prevents accidental `C:\Windows` deletion ## Customer Requirements Coverage All items from minimum_customer_cleanup_actions addressed: - ✅ MSI uninstall, services (stop/disable/delete) - ✅ Kernel drivers (System32\drivers\vm*.sys, vsock.sys) - ✅ Driver packages (pnputil + FileRepository + DRVSTORE cleanup) - ✅ Registry (VMware Inc., WOW6432Node, Services, Installer keys) - ✅ Directories (Program Files, Common Files, ProgramData - including empty) - ✅ System32/SysWOW64 binaries (vm3ddevapi64.dll, vmGuestLib.dll, etc.) - ✅ Ghost devices (with OS version awareness) - ✅ GISvc (Guest Introspection Service) ## Breaking Changes - **Removed**: cleanup_protected_files.ps1 (redundant - discover now scans ProgramData) - **File extension change**: .bat → .ps1 for discovery/removal (run via `powershell -ExecutionPolicy Bypass -File`) - **Execution order**: Now 9 steps (was 11) - cleanup_protected_files removed ## Testing Validated on: - Windows Server 2019 (ghost device auto-removal not supported - expected) - Windows Server 2025 (all 14 verification checks passing) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
jamepark4
force-pushed
the
feature/binary-removal
branch
from
f8c4f80 to
4f45cc6
Compare
jamepark4
added a commit
to jamepark4/vmwremover
that referenced
this pull request
Jun 15, 2026
Implements a complete 9-step procedure for removing VMware Tools from Windows VMs after v2v migration to KVM/virtio. Addresses critical vSockets conflict, driver cleanup, and empty directory removal. ## Core Improvements ### Binary Discovery & Removal (PowerShell Migration) - **discover_vmware_binaries.ps1**: Cryptographic signature verification - Authenticode signature checking (VMware CA validation) - Metadata fallback for WHQL-signed drivers - Scans Program Files, System32, drivers, and ProgramData - 14× faster than batch version (no process spawning) - **remove_vmware_binaries.ps1**: Native MoveFileEx integration - Immediate deletion with automatic reboot scheduling for locked files - Path safety validation prevents system directory accidents - FileRepository orphan cleanup after driver unload - Empty directory removal per customer requirements - **uninstall_vmware_msi.ps1**: Proper MSI uninstall via Windows Installer - Uses official VMware uninstaller for clean removal - Removes files, services, drivers, and registry properly ### Critical Fix: VMware vSockets Conflict **Problem**: VMware vSockets and virtio-vsock both use AF_VSOCK (40). Windows allows only one provider per address family. If VMware vSockets remains, virtio-vsock fails to register. Simple `netsh winsock remove provider` silently fails. **Solution**: Three-phase cleanup in remove_vmware_registry.bat 1. Delete Services\vsock from ALL ControlSets (not just CurrentControlSet) 2. Delete WinSock2 registry entries from ALL ControlSets 3. Run `netsh winsock reset` to rebuild catalog from cleaned registry 4. Reboot to finalize (network stack reload) ### Registry Cleanup (Modular PowerShell) - **delete_vsock_all_controlsets.ps1**: Remove vsock service entries - **delete_winsock_registry.ps1**: Remove vSockets from all ControlSets - **cleanup_winsock_after_registry.ps1**: Winsock catalog reset with fallback - **remove_vmware_registry.bat**: Orchestrates cleanup + hardcoded key removal ### Driver Management - **remove_vmware_driver_packages.bat**: Enhanced with FileRepository awareness - NOTE: FileRepository cleanup moved to step 6 (after driver unload) - Drivers must be unloaded before directories can be removed - **remove_ghost_devices.ps1**: Remove hidden VMware devices - OS version detection (auto-removal requires Win10 2004+/Server 2022+) - Graceful degradation for older Windows (manual removal guidance) ### Verification & Debugging - **verify_complete_removal.ps1**: 14-check comprehensive verification - Services, driver store, binaries (Program Files, System32, drivers) - DriverStore FileRepository and DRVSTORE vsock entries - Registry (VMware, WOW6432Node, Services, Windows Installer) - Winsock catalog (VMware vSockets removed, virtio-vsock available) - Ghost devices with OS version awareness - Directory existence checks (not just file checks) - **test_socket_providers.ps1**: Winsock provider verification - **1_investigate_before_registry_cleanup.ps1**: Baseline capture - **2_investigate_after_cleanup_before_reboot.ps1**: Post-cleanup verification - **3_investigate_after_reboot.ps1**: Identify what reappeared ## Execution Order (9 Steps, 2 Reboots) ``` 1. binaries\uninstall_vmware_msi.ps1 → Proper MSI uninstall 2. services\remove_vmware_services.bat → Stop/delete services 3. binaries\discover_vmware_binaries.ps1 → Catalog all files 4. drivers\remove_vmware_driver_packages.bat → Remove from driver store 5. REBOOT virtio-win#1 → Unload kernel drivers 6. binaries\remove_vmware_binaries.ps1 → Delete files + cleanup 7. reg\remove_vmware_registry.bat → Registry + Winsock reset 8. REBOOT virtio-win#2 → Complete file deletion + finalize Winsock 9. drivers\remove_ghost_devices.ps1 → Remove hidden devices ``` **Why Two Reboots?** - REBOOT virtio-win#1: Unloads kernel drivers so files can be deleted - REBOOT virtio-win#2: Completes locked file deletion + finalizes Winsock catalog reset ## Key Technical Details ### Authenticode Verification (Anti-Hyper-V False Positives) - Primary: Check certificate Subject for O=VMware - Secondary: Check file VersionInfo.CompanyName for "VMware" - Handles WHQL-signed VMware drivers (signed by Microsoft but made by VMware) - Prevents false positives: vmic*.dll, vmbus*.dll (Hyper-V, not VMware) ### ControlSet Cleanup Rationale Windows maintains multiple ControlSets (001, 002, etc.) for boot recovery. Cleaning only CurrentControlSet leaves VMware entries in backup sets, which can be restored during system recovery or boot failures. Must clean ALL. ### Path Safety (Prevent Accidents) - Rejects paths containing: Windows, System32, SysWOW64, Program Files (root) - Length validation (minimum 20 chars for safety) - Prevents accidental `C:\Windows` deletion ## Customer Requirements Coverage All items from minimum_customer_cleanup_actions addressed: - ✅ MSI uninstall, services (stop/disable/delete) - ✅ Kernel drivers (System32\drivers\vm*.sys, vsock.sys) - ✅ Driver packages (pnputil + FileRepository + DRVSTORE cleanup) - ✅ Registry (VMware Inc., WOW6432Node, Services, Installer keys) - ✅ Directories (Program Files, Common Files, ProgramData - including empty) - ✅ System32/SysWOW64 binaries (vm3ddevapi64.dll, vmGuestLib.dll, etc.) - ✅ Ghost devices (with OS version awareness) - ✅ GISvc (Guest Introspection Service) ## Breaking Changes - **Removed**: cleanup_protected_files.ps1 (redundant - discover now scans ProgramData) - **File extension change**: .bat → .ps1 for discovery/removal (run via `powershell -ExecutionPolicy Bypass -File`) - **Execution order**: Now 9 steps (was 11) - cleanup_protected_files removed ## Testing Validated on: - Windows Server 2019 (ghost device auto-removal not supported - expected) - Windows Server 2025 (all 14 verification checks passing) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
jamepark4
force-pushed
the
feature/binary-removal
branch
from
4f45cc6 to
d315f8f
Compare
jamepark4
added a commit
to jamepark4/vmwremover
that referenced
this pull request
Jun 15, 2026
Implements a complete 9-step procedure for removing VMware Tools from Windows VMs after v2v migration to KVM/virtio. Addresses critical vSockets conflict, driver cleanup, and empty directory removal. ## Core Improvements ### Binary Discovery & Removal (PowerShell Migration) - **discover_vmware_binaries.ps1**: Cryptographic signature verification - Authenticode signature checking (VMware CA validation) - Metadata fallback for WHQL-signed drivers - Scans Program Files, System32, drivers, and ProgramData - 14× faster than batch version (no process spawning) - **remove_vmware_binaries.ps1**: Native MoveFileEx integration - Immediate deletion with automatic reboot scheduling for locked files - Path safety validation prevents system directory accidents - FileRepository orphan cleanup after driver unload - Empty directory removal per customer requirements - **uninstall_vmware_msi.ps1**: Proper MSI uninstall via Windows Installer - Uses official VMware uninstaller for clean removal - Removes files, services, drivers, and registry properly ### Critical Fix: VMware vSockets Conflict **Problem**: VMware vSockets and virtio-vsock both use AF_VSOCK (40). Windows allows only one provider per address family. If VMware vSockets remains, virtio-vsock fails to register. Simple `netsh winsock remove provider` silently fails. **Solution**: Three-phase cleanup in remove_vmware_registry.bat 1. Delete Services\vsock from ALL ControlSets (not just CurrentControlSet) 2. Delete WinSock2 registry entries from ALL ControlSets 3. Run `netsh winsock reset` to rebuild catalog from cleaned registry 4. Reboot to finalize (network stack reload) ### Registry Cleanup (Modular PowerShell) - **delete_vsock_all_controlsets.ps1**: Remove vsock service entries - **delete_winsock_registry.ps1**: Remove vSockets from all ControlSets - **cleanup_winsock_after_registry.ps1**: Winsock catalog reset with fallback - **remove_vmware_registry.bat**: Orchestrates cleanup + hardcoded key removal ### Driver Management - **remove_vmware_driver_packages.bat**: Enhanced with FileRepository awareness - NOTE: FileRepository cleanup moved to step 6 (after driver unload) - Drivers must be unloaded before directories can be removed - **remove_ghost_devices.ps1**: Remove hidden VMware devices - OS version detection (auto-removal requires Win10 2004+/Server 2022+) - Graceful degradation for older Windows (manual removal guidance) ### Verification & Debugging - **verify_complete_removal.ps1**: 14-check comprehensive verification - Services, driver store, binaries (Program Files, System32, drivers) - DriverStore FileRepository and DRVSTORE vsock entries - Registry (VMware, WOW6432Node, Services, Windows Installer) - Winsock catalog (VMware vSockets removed, virtio-vsock available) - Ghost devices with OS version awareness - Directory existence checks (not just file checks) - **test_socket_providers.ps1**: Winsock provider verification - **1_investigate_before_registry_cleanup.ps1**: Baseline capture - **2_investigate_after_cleanup_before_reboot.ps1**: Post-cleanup verification - **3_investigate_after_reboot.ps1**: Identify what reappeared ## Execution Order (9 Steps, 2 Reboots) ``` 1. binaries\uninstall_vmware_msi.ps1 → Proper MSI uninstall 2. services\remove_vmware_services.bat → Stop/delete services 3. binaries\discover_vmware_binaries.ps1 → Catalog all files 4. drivers\remove_vmware_driver_packages.bat → Remove from driver store 5. REBOOT virtio-win#1 → Unload kernel drivers 6. binaries\remove_vmware_binaries.ps1 → Delete files + cleanup 7. reg\remove_vmware_registry.bat → Registry + Winsock reset 8. REBOOT virtio-win#2 → Complete file deletion + finalize Winsock 9. drivers\remove_ghost_devices.ps1 → Remove hidden devices ``` **Why Two Reboots?** - REBOOT virtio-win#1: Unloads kernel drivers so files can be deleted - REBOOT virtio-win#2: Completes locked file deletion + finalizes Winsock catalog reset ## Key Technical Details ### Authenticode Verification (Anti-Hyper-V False Positives) - Primary: Check certificate Subject for O=VMware - Secondary: Check file VersionInfo.CompanyName for "VMware" - Handles WHQL-signed VMware drivers (signed by Microsoft but made by VMware) - Prevents false positives: vmic*.dll, vmbus*.dll (Hyper-V, not VMware) ### ControlSet Cleanup Rationale Windows maintains multiple ControlSets (001, 002, etc.) for boot recovery. Cleaning only CurrentControlSet leaves VMware entries in backup sets, which can be restored during system recovery or boot failures. Must clean ALL. ### Path Safety (Prevent Accidents) - Rejects paths containing: Windows, System32, SysWOW64, Program Files (root) - Length validation (minimum 20 chars for safety) - Prevents accidental `C:\Windows` deletion ## Customer Requirements Coverage All items from minimum_customer_cleanup_actions addressed: - ✅ MSI uninstall, services (stop/disable/delete) - ✅ Kernel drivers (System32\drivers\vm*.sys, vsock.sys) - ✅ Driver packages (pnputil + FileRepository + DRVSTORE cleanup) - ✅ Registry (VMware Inc., WOW6432Node, Services, Installer keys) - ✅ Directories (Program Files, Common Files, ProgramData - including empty) - ✅ System32/SysWOW64 binaries (vm3ddevapi64.dll, vmGuestLib.dll, etc.) - ✅ Ghost devices (with OS version awareness) - ✅ GISvc (Guest Introspection Service) ## Breaking Changes - **Removed**: cleanup_protected_files.ps1 (redundant - discover now scans ProgramData) - **File extension change**: .bat → .ps1 for discovery/removal (run via `powershell -ExecutionPolicy Bypass -File`) - **Execution order**: Now 9 steps (was 11) - cleanup_protected_files removed ## Testing Validated on: - Windows Server 2019 (ghost device auto-removal not supported - expected) - Windows Server 2025 (all 14 verification checks passing) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
jamepark4
force-pushed
the
feature/binary-removal
branch
from
d315f8f to
c082cd8
Compare
Implements a complete 9-step procedure for removing VMware Tools from Windows VMs after v2v migration to KVM/virtio. Addresses critical vSockets conflict, driver cleanup, and empty directory removal. ## Core Improvements ### Binary Discovery & Removal (PowerShell Migration) - **discover_vmware_binaries.ps1**: Cryptographic signature verification - Authenticode signature checking (VMware CA validation) - Metadata fallback for WHQL-signed drivers - Scans Program Files, System32, drivers, and ProgramData - 14× faster than batch version (no process spawning) - **remove_vmware_binaries.ps1**: Native MoveFileEx integration - Immediate deletion with automatic reboot scheduling for locked files - Path safety validation prevents system directory accidents - FileRepository orphan cleanup after driver unload - Empty directory removal per customer requirements - **uninstall_vmware_msi.ps1**: Proper MSI uninstall via Windows Installer - Uses official VMware uninstaller for clean removal - Removes files, services, drivers, and registry properly ### Critical Fix: VMware vSockets Conflict **Problem**: VMware vSockets and virtio-vsock both use AF_VSOCK (40). Windows allows only one provider per address family. If VMware vSockets remains, virtio-vsock fails to register. Simple `netsh winsock remove provider` silently fails. **Solution**: Three-phase cleanup in remove_vmware_registry.bat 1. Delete Services\vsock from ALL ControlSets (not just CurrentControlSet) 2. Delete WinSock2 registry entries from ALL ControlSets 3. Run `netsh winsock reset` to rebuild catalog from cleaned registry 4. Reboot to finalize (network stack reload) ### Registry Cleanup (Modular PowerShell) - **delete_vsock_all_controlsets.ps1**: Remove vsock service entries - **delete_winsock_registry.ps1**: Remove vSockets from all ControlSets - **cleanup_winsock_after_registry.ps1**: Winsock catalog reset with fallback - **remove_vmware_registry.bat**: Orchestrates cleanup + hardcoded key removal ### Driver Management - **remove_vmware_driver_packages.bat**: Enhanced with FileRepository awareness - NOTE: FileRepository cleanup moved to step 6 (after driver unload) - Drivers must be unloaded before directories can be removed - **remove_ghost_devices.ps1**: Remove hidden VMware devices - OS version detection (auto-removal requires Win10 2004+/Server 2022+) - Graceful degradation for older Windows (manual removal guidance) ### Verification & Debugging - **verify_complete_removal.ps1**: 14-check comprehensive verification - Services, driver store, binaries (Program Files, System32, drivers) - DriverStore FileRepository and DRVSTORE vsock entries - Registry (VMware, WOW6432Node, Services, Windows Installer) - Winsock catalog (VMware vSockets removed, virtio-vsock available) - Ghost devices with OS version awareness - Directory existence checks (not just file checks) - **test_socket_providers.ps1**: Winsock provider verification - **1_investigate_before_registry_cleanup.ps1**: Baseline capture - **2_investigate_after_cleanup_before_reboot.ps1**: Post-cleanup verification - **3_investigate_after_reboot.ps1**: Identify what reappeared ## Execution Order (9 Steps, 2 Reboots) ``` 1. binaries\uninstall_vmware_msi.ps1 → Proper MSI uninstall 2. services\remove_vmware_services.bat → Stop/delete services 3. binaries\discover_vmware_binaries.ps1 → Catalog all files 4. drivers\remove_vmware_driver_packages.bat → Remove from driver store 5. REBOOT virtio-win#1 → Unload kernel drivers 6. binaries\remove_vmware_binaries.ps1 → Delete files + cleanup 7. reg\remove_vmware_registry.bat → Registry + Winsock reset 8. REBOOT virtio-win#2 → Complete file deletion + finalize Winsock 9. drivers\remove_ghost_devices.ps1 → Remove hidden devices ``` **Why Two Reboots?** - REBOOT virtio-win#1: Unloads kernel drivers so files can be deleted - REBOOT virtio-win#2: Completes locked file deletion + finalizes Winsock catalog reset ## Key Technical Details ### Authenticode Verification (Anti-Hyper-V False Positives) - Primary: Check certificate Subject for O=VMware - Secondary: Check file VersionInfo.CompanyName for "VMware" - Handles WHQL-signed VMware drivers (signed by Microsoft but made by VMware) - Prevents false positives: vmic*.dll, vmbus*.dll (Hyper-V, not VMware) ### ControlSet Cleanup Rationale Windows maintains multiple ControlSets (001, 002, etc.) for boot recovery. Cleaning only CurrentControlSet leaves VMware entries in backup sets, which can be restored during system recovery or boot failures. Must clean ALL. ### Path Safety (Prevent Accidents) - Rejects paths containing: Windows, System32, SysWOW64, Program Files (root) - Length validation (minimum 20 chars for safety) - Prevents accidental `C:\Windows` deletion ## Customer Requirements Coverage All items from minimum_customer_cleanup_actions addressed: - ✅ MSI uninstall, services (stop/disable/delete) - ✅ Kernel drivers (System32\drivers\vm*.sys, vsock.sys) - ✅ Driver packages (pnputil + FileRepository + DRVSTORE cleanup) - ✅ Registry (VMware Inc., WOW6432Node, Services, Installer keys) - ✅ Directories (Program Files, Common Files, ProgramData - including empty) - ✅ System32/SysWOW64 binaries (vm3ddevapi64.dll, vmGuestLib.dll, etc.) - ✅ Ghost devices (with OS version awareness) - ✅ GISvc (Guest Introspection Service) ## Breaking Changes - **Removed**: cleanup_protected_files.ps1 (redundant - discover now scans ProgramData) - **File extension change**: .bat → .ps1 for discovery/removal (run via `powershell -ExecutionPolicy Bypass -File`) - **Execution order**: Now 9 steps (was 11) - cleanup_protected_files removed ## Testing Validated on: - Windows Server 2019 (ghost device auto-removal not supported - expected) - Windows Server 2025 (all 14 verification checks passing) Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
jamepark4
force-pushed
the
feature/binary-removal
branch
from
c082cd8 to
77c3356
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Complete VMware Tools removal toolkit with comprehensive cleanup
Implements a complete 9-step procedure for removing VMware Tools from
Windows VMs after v2v migration to KVM/virtio. Addresses critical
vSockets conflict, driver cleanup, and empty directory removal.
discover_vmware_binaries.ps1: Cryptographic signature verification
remove_vmware_binaries.ps1: Native MoveFileEx integration
uninstall_vmware_msi.ps1: Proper MSI uninstall via Windows Installer
Problem: VMware vSockets and virtio-vsock both use AF_VSOCK (40).
Windows allows only one provider per address family. If VMware vSockets
remains, virtio-vsock fails to register. Simple
netsh winsock remove providersilently fails.Solution: Three-phase cleanup in remove_vmware_registry.bat
netsh winsock resetto rebuild catalog from cleaned registryAssociated scripts:
Why Two Reboots?
Identifying binaries to remove
Windows maintains multiple ControlSets (001, 002, etc.) for boot recovery.
Cleaning only CurrentControlSet leaves VMware entries in backup sets, which
can be restored during system recovery or boot failures. Must clean ALL.
C:\WindowsdeletionAll items from minimum_customer_cleanup_actions addressed:
Validated on:
Signed-off-by: James Parker [email protected]
Co-Authored-By: Claude Sonnet 4.5 [email protected]