Uninstall-EventProviders.ps1
<#
.SYNOPSIS
Uninstalls ETW providers given a valid manifest xml file.
.DESCRIPTION
Uninstalls ETW providers as defined in a valid manifest xml file.
This script needs to be run as admin as the providers are uninstalled system wide.
If the script is called in a non-elevated session, wevtutil will be run as admin.
Note that in this case the output of wevtutil is hidden and user input is required!
.PARAMETER ManifestFile
The path to the manifest file to uninstall.
#>
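param (
    # Path to the ETW manifest to uninstall; validation rejects anything that is not an existing file.
    [Parameter(Mandatory=$true)]
    [ValidateScript({
        if( -Not ($_ | Test-Path -PathType Leaf) ){
            throw "Manifest file not found"
        }
        return $true
    })]
    [System.IO.FileInfo]
    $ManifestFile
)

# Resolve wevtutil.exe from the system directory instead of by bare name.
# The non-elevated branch launches it with -Verb RunAs, so a bare name would let
# whatever the shell's search order finds first run with administrator rights.
$WevtutilPath = Join-Path ([Environment]::GetFolderPath('System')) 'wevtutil.exe'

# True when the current token is a member of the built-in Administrators role.
$IsElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if(!$IsElevated) {
    Write-Warning "The script is called in a non-elevated session. The output of wevtutil will be hidden and user input is required!"
}

# Make path absolute. Kept in a plain string so the [System.IO.FileInfo]
# constraint on $ManifestFile does not convert it back.
$ManifestPath = (Resolve-Path -Path $ManifestFile).Path

Write-Host "Uninstalling $ManifestPath..."
if (!$IsElevated) {
    # Start-Process joins -ArgumentList entries with spaces and does no quoting,
    # so the manifest path is quoted explicitly; otherwise a path containing a
    # space is split and the elevated wevtutil receives different arguments than
    # intended. Windows file names cannot contain '"', so plain quoting suffices.
    $Process = Start-Process -FilePath $WevtutilPath -ArgumentList 'uninstall-manifest', "`"$ManifestPath`"" -Verb RunAs -Wait -PassThru
    $ExitCode = $Process.ExitCode
} else {
    & $WevtutilPath uninstall-manifest $ManifestPath
    $ExitCode = $LASTEXITCODE
}

# The elevated child's output is not visible to this session, so surface a
# failure through the exit code. The null check covers the case where the exit
# code of the elevated process cannot be read back.
if ($null -ne $ExitCode -and $ExitCode -ne 0) {
    Write-Warning "wevtutil exited with code $ExitCode"
}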