You dont have javascript enabled! Please enable it! How To Uninstall Microsoft Advanced Threat Analytics Gateway From Windows Server Core? #ATA - CHARBEL NEMNOM - MVP | MCT | CCSP | CISM - Cloud & CyberSecurity

How To Uninstall Microsoft Advanced Threat Analytics Gateway From Windows Server Core? #ATA

3 Min. Read

Microsoft Advanced Threat Analytics (ATA) is a security product that helps to protect an enterprise network from advanced forms of cyberattack.

In this article, we will show you how to uninstall Microsoft Advanced Threat Analytics Gateway From Windows Server Core.


A while ago, I wrote a step-by-step guide on how to install and evaluate Microsoft Advanced Threat Analytics (ATA).

Microsoft Advanced Threat Analytics or ATA gathers information from Windows logs and uses deep packet inspection techniques to evaluate trends in network traffic to and from domain controllers and the behavior of users, devices, and resources. This way, ATA can detect suspicious activity generated by the various phases of an attack and generate alerts that specify the type of attack that might be in progress and the systems that are involved.

You can learn more about Microsoft Advanced Threat Analytics here.

The ATA product is divided into the following components:

  • ATA Center is the focal point of the ATA product and requires a dedicated server known as the ATA Center. This computer is the receiver of the information gathered from your domain controllers, and the place
    where the threat analysis occurs.

The ATA product also supports two types of gateways, as follows:

  • ATA Gateway runs on a standalone server and gathers information from domain controllers using port mirroring and event forwarding.
  • ATA Lightweight Gateway runs on a domain controller itself and gathers information locally.

Both gateway types perform many of the same functions. The standalone ATA Gateway can service multiple domain controllers, up to a maximum of 50,000 packets per second of domain controller traffic. However, the ATA Lightweight Gateways service only the domain controllers on which they are installed, and support up to 10,000 packets per second.


To increase your domain controllers’ security further, it’s recommended to use Windows Server Core when possible.

In my environment, I have AD installed on Windows Server Core and I am leveraging the ATA Lightweight Gateway. The ATA architecture looks something like this:


As the network started growing, I decided to move the ATA Gateway to a dedicated server instead of using the Lightweight approach.

The new ATA architecture looks something like this:


In this scenario, I need to uninstall the ATA Lightweight Gateway service from the domain controller. And since I am using Windows Server Core, we don’t have a Programs and Features applet (appwiz.cpl) to uninstall the program.

Uninstall ATA Lightweight Gateway

To check the list of installed applications on Windows Server Core, you can run the following PowerShell command:

Get-WmiObject Win32_Product | Format-List


By default, you can see the list of installed applications in the Registry located under the following path:


You can open the Registry in Windows Server Core by running the “regedit” or “regedt32.exe” command. In this example, we will use PowerShell.

Open Windows PowerShell as Administrator and run the following command:

Get-ChildItem -Path Registry::HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -Recurse `
 | Get-ItemProperty | Where-Object {$_.DisplayName -eq "Microsoft Advanced Threat Analytics Gateway"} `
 | Select DisplayVersion, InstallDate, DisplayName, UninstallString, QuietUninstallString, PSPath, PSParentPath

This command uses the Get-ChildItem cmdlet to show all items directly within Windows PowerShell drive HKLM:, which corresponds to the HKEY_LOCAL_MACHINE registry hive. It pipes the output to the Get-ItemProperty cmdlet to view the registry entries in a more readable form. Then, it pipes the results to the Where-Object cmdlet, which filters the Windows PowerShell-related properties and displays only “Microsoft Advanced Threat Analytics Gateway” details.


Note the key properties “UninstallString” and “QuietUninstallString“ in the screenshot above.

To uninstall the ATA Gateway, you need to copy the value of “UninstallString” or “QuietUninstallString“, run it in an elevated command prompt and then press Enter.

In this example, I will use uninstall option.

"C:\ProgramData\Package Cache\{1073abb4-4e39-4b2b-b0bf-e98331eb0941}\Microsoft ATA Gateway Setup.exe" /uninstall


As you can see below, Microsoft Advanced Threat Analytics Uninstall wizard will launch. Click Uninstall.


Wait a couple of seconds and the ATA gateway uninstallation will complete successfully. Click Finish and then reboot your machine.


I hope this helps!

Until next time…

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

Photo of author
About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.

Install System Center Data Protection Manager Agent on Windows Server Core #SCDPM #DPM

How To Enable Virtual TPM (vTPM) in Windows Server 2016 Hyper-V VM? #HyperV #WS2016


Let us know what you think, or ask a question...