How To Uninstall Microsoft Advanced Threat Analytics Gateway From Windows Server Core? #ATA


Updated on December 30, 2020


Introduction

A while ago, I wrote a step by step guide on how to install and evaluate Microsoft Advanced Threat Analytics (ATA).

In summary, Microsoft Advanced Threat Analytics (ATA) is a security product that helps to protect an enterprise network from advanced forms of cyberattack. ATA gathers information from Windows logs and uses deep packet inspection techniques to evaluate trends in network traffic to and from domain controllers and the behavior of users, devices, and resources. This way, ATA can detect suspicious activity generated by the various phases of an attack and generate alerts that specify the type of attack that might be in progress and the systems that are involved.

You can learn more about Microsoft Advanced Threat Analytics here.

The ATA product is divided into the following components:

  • ATA Center is the focal point of the ATA product and requires a dedicated server known as the ATA Center. This computer receives the information gathered from your domain controllers and is where the threat analysis occurs.

The ATA product also supports two types of gateways, as follows:

  • ATA Gateway runs on a standalone server and gathers information from domain controllers using port mirroring and event forwarding.
  • ATA Lightweight Gateway runs on a domain controller itself and gathers information locally.

Both gateway types perform many of the same functions. A standalone ATA Gateway can service multiple domain controllers, up to a maximum of 50,000 packets per second of domain controller traffic. An ATA Lightweight Gateway, however, services only the domain controller on which it is installed, and supports up to 10,000 packets per second.

Situation

To harden your domain controllers further, it is recommended to run them on Windows Server Core whenever possible, since the smaller footprint leaves less to patch and attack.

In my environment, I have AD installed on Windows Server Core and I am leveraging the ATA Lightweight Gateway. The ATA architecture looks something like this:

[Figure: ATA architecture with the Lightweight Gateway running on the Server Core domain controller]

As the network started growing, I decided to move the ATA Gateway to a dedicated server instead of using the Lightweight approach.

The new ATA architecture looks something like this:

[Figure: new ATA architecture with a dedicated ATA Gateway server collecting from the domain controllers]

In this scenario, I need to uninstall the ATA Lightweight Gateway from the domain controller. Since the domain controller runs Windows Server Core, there is no Programs and Features applet (appwiz.cpl) to uninstall the program from.

Uninstall ATA Lightweight Gateway

To list the installed applications on Windows Server Core, you can run the following PowerShell command:

Get-WmiObject Win32_Product | Format-List

Be aware that querying Win32_Product is slow and not side-effect free: the WMI provider runs a Windows Installer consistency check on every registered MSI product and may trigger a repair (visible as MsiInstaller events in the Application log). It also only lists MSI packages, so products installed by a setup bootstrapper may not show up under their own name. On a domain controller, the Registry query shown next is the safer way to find the entry.

[Screenshot: Get-WmiObject Win32_Product output]

Installed applications are also registered in the Registry. 32-bit installers, including the ATA Gateway setup used in this post, register under the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

64-bit installers register under the same path without the Wow6432Node component (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall), so check both keys if an application does not show up where you expect it.

You can open the Registry Editor on Windows Server Core by running the “regedit” or “regedt32.exe” command (both launch the same editor). In this example, we will use PowerShell instead.

Open Windows PowerShell as Administrator and run the following command:

Get-ChildItem -Path Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -Recurse | Get-ItemProperty | Where-Object {$_.DisplayName -eq "Microsoft Advanced Threat Analytics Gateway"} | Select DisplayVersion, InstallDate, DisplayName, UninstallString, QuietUninstallString, PSPath, PSParentPath

This command uses the Get-ChildItem cmdlet to enumerate the subkeys under the Uninstall key of the HKEY_LOCAL_MACHINE hive, one subkey per registered application. It pipes them to the Get-ItemProperty cmdlet to read each subkey's values in a readable form, then to the Where-Object cmdlet, which keeps only the entry whose DisplayName is “Microsoft Advanced Threat Analytics Gateway”, and finally to Select-Object to display the properties relevant to uninstalling it.

[Screenshot: registry query output showing DisplayVersion, InstallDate, DisplayName, UninstallString, QuietUninstallString and PSPath]

Note the two key properties in the screenshot above: “UninstallString” launches the interactive uninstall wizard, while “QuietUninstallString” removes the product without prompting.

To uninstall the ATA Gateway, copy the value of “UninstallString” or “QuietUninstallString”, paste it into an elevated command prompt and press Enter.

In this example, I will use the interactive UninstallString:

"C:\ProgramData\Package Cache\{1073abb4-4e39-4b2b-b0bf-e98331eb0941}\Microsoft ATA Gateway Setup.exe"  /uninstall

[Screenshot: running the UninstallString in an elevated command prompt]

As shown below, the Microsoft Advanced Threat Analytics uninstall wizard launches. Click Uninstall.

[Screenshot: Microsoft Advanced Threat Analytics uninstall wizard]

Wait a couple of seconds for the ATA Gateway uninstallation to complete. Click Finish and then reboot the machine.

[Screenshot: ATA Gateway uninstallation completed successfully]
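The whole procedure above (find the entry without Win32_Product, pick the uninstall string, run it, verify) can be scripted so it is repeatable across several Server Core domain controllers. The following PowerShell is an added example written for this post, not code from the original article or from Microsoft. It assumes that the ATA Gateway entry lives under one of the two Uninstall keys (32-bit or 64-bit), that “Microsoft ATA Gateway Setup.exe” is a setup bootstrapper accepting the usual /uninstall /quiet /norestart /log switches, and that the gateway's Windows service is named ATAGateway; adjust those if your build differs.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Assumptions (adjust as needed):
#  - the ATA Gateway uninstall entry lives under one of the two Uninstall keys below;
#  - "Microsoft ATA Gateway Setup.exe" is a bootstrapper accepting
#    /uninstall /quiet /norestart /log <file>;
#  - the gateway's Windows service is named "ATAGateway".

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'             # 64-bit installers
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' # 32-bit installers
)

function Get-InstalledApplication {
    # Reads the Add/Remove Programs entries from the registry. Unlike
    # Get-WmiObject Win32_Product this is fast and has no side effects
    # (Win32_Product runs an MSI consistency check on every product).
    [CmdletBinding()]
    param([string]$DisplayName = '*')

    foreach ($key in $UninstallKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        Get-ChildItem -Path $key | Get-ItemProperty |
            Where-Object { $_.DisplayName -and $_.DisplayName -like $DisplayName } |
            Select-Object DisplayName, DisplayVersion, InstallDate, Publisher,
                          UninstallString, QuietUninstallString,
                          @{ Name = 'RegistryKey'; Expression = { $_.PSPath -replace '^.*::' } }
    }
}

function Split-CommandLine {
    # Turns '"C:\path with spaces\setup.exe" /uninstall' into an executable path
    # plus its argument string, so Start-Process can run it without cmd.exe.
    param([Parameter(Mandatory)][string]$CommandLine)

    if ($CommandLine -match '^\s*"([^"]+)"\s*(.*)$') {
        $filePath, $arguments = $Matches[1], $Matches[2]
    } else {
        $parts = $CommandLine.Trim() -split '\s+', 2
        $filePath  = $parts[0]
        $arguments = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    [pscustomobject]@{ FilePath = $filePath; Arguments = $arguments }
}

function Uninstall-InstalledApplication {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [switch]$Quiet,
        [string]$LogPath = (Join-Path $env:TEMP ('uninstall-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date)))
    )

    $apps = @(Get-InstalledApplication -DisplayName $DisplayName)
    if ($apps.Count -eq 0) { throw "No installed application matches '$DisplayName'." }
    if ($apps.Count -gt 1) {
        throw "'$DisplayName' matches $($apps.Count) entries, be more specific: $($apps.DisplayName -join '; ')"
    }
    $app = $apps[0]

    # Prefer the vendor's QuietUninstallString; otherwise add the silent switches ourselves.
    $command = if ($Quiet -and $app.QuietUninstallString) { $app.QuietUninstallString } else { $app.UninstallString }
    if (-not $command) { throw "'$($app.DisplayName)' has no UninstallString in the registry." }

    $cmd = Split-CommandLine -CommandLine $command
    if (-not (Test-Path -LiteralPath $cmd.FilePath)) { throw "Uninstaller not found: $($cmd.FilePath)" }
    $arguments = $cmd.Arguments
    if ($Quiet -and $arguments -notmatch '/quiet') { $arguments += ' /quiet /norestart' }
    $arguments += " /log `"$LogPath`""   # assumed bootstrapper switch; keeps evidence of what ran

    if (-not $PSCmdlet.ShouldProcess("$($app.DisplayName) $($app.DisplayVersion)", "Run `"$($cmd.FilePath)`" $arguments")) { return }

    $proc = Start-Process -FilePath $cmd.FilePath -ArgumentList $arguments -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "Uninstalled $($app.DisplayName). Log: $LogPath" }
        3010    { Write-Warning "Uninstalled $($app.DisplayName); a reboot is required. Log: $LogPath" }  # ERROR_SUCCESS_REBOOT_REQUIRED
        default { throw "Uninstaller exited with code $($proc.ExitCode). See $LogPath" }
    }

    # Verify the result rather than trusting the exit code alone.
    if (Get-InstalledApplication -DisplayName $app.DisplayName) {
        Write-Warning "Registry entry for $($app.DisplayName) is still present."
    }
    $svc = Get-Service -Name 'ATAGateway' -ErrorAction SilentlyContinue   # assumed service name
    if ($svc) { Write-Warning "Service '$($svc.Name)' is still registered (status: $($svc.Status))." }
}

# Usage, from an elevated PowerShell on the Server Core domain controller:
#   Get-InstalledApplication -DisplayName '*Advanced Threat Analytics*'
#   Uninstall-InstalledApplication -DisplayName 'Microsoft Advanced Threat Analytics Gateway' -WhatIf
#   Uninstall-InstalledApplication -DisplayName 'Microsoft Advanced Threat Analytics Gateway' -Quiet
```

Run it with -WhatIf first to see exactly which executable and switches would be launched; the script refuses to act when the name pattern matches more than one entry, so a loose wildcard cannot remove the wrong product. The post-run checks matter on a domain controller: a lingering service registration or uninstall entry is a sign the bootstrapper left parts behind, and the log path is what you will want when that happens.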

Hope this helps!

Until next time…

Cheers,
Charbel Nemnom
