Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
SECRET//NOFORN
9. (U) Removal
(S) Uninstalling Elsa varies by mode and essentially mirrors the installation process. The
following sections describe each mode individually.
9.1 (S) SvcHost Mode Uninstall
(S) To uninstall Elsa in SvcHost mode you must (1) stop the service, (2) unregister it and
(3) clean up the Elsa dll and log file.
1) Stop the service, substituting the service name you chose during patching
(this can also be done using the services.msc panel):
> net stop wmidx
2) Silently unregister the service using the RegSvr32 utility:
> RegSvr32 /u /s ELSA.DLL
3) Remove the dll and log files.
9.2 (S) DllHost/Task Scheduler Mode Uninstall
(S) To uninstall Elsa in DllHost mode you must (1) stop the running task, (2) unregister it
and (3) clean up the Elsa dll and log file.
1) Stop the task:
> schtasks /end /tn "Test Daily Trigger"
2) Rename the uninstall script to <dll name without '.dll'
extension>.uninstall.vbs and place it in the same directory as the Elsa dll.
3) Silently unregister the service using the RegSvr32 utility:
> RegSvr32 /u /s C:\ELSA.DLL
4) Remove the dll and log files. The uninstall script should have disappeared.
5) Verify that the task is no longer in the scheduler:
> schtasks /query /tn "Test Daily Trigger"
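
For detection, the service, task and DLL names in sections 9.1 and 9.2 are operator-chosen, so the stable signal is the sequence: a service stop or task end followed shortly by a silent RegSvr32 unregister on the same host. The following is an added example, not part of the manual; the event tuples, the 10-minute window and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (time, host, command line); not real telemetry.
EVENTS = [
    ("2024-01-05T10:00:02", "ws01", "net stop wmidx"),
    ("2024-01-05T10:00:09", "ws01", "RegSvr32 /u /s ELSA.DLL"),
    ("2024-01-05T11:14:00", "ws02", 'schtasks /end /tn "Test Daily Trigger"'),
    ("2024-01-05T11:15:30", "ws02", r"regsvr32.exe /s /u C:\ELSA.DLL"),
    ("2024-01-05T12:00:00", "ws03", "net stop spooler"),
    ("2024-01-05T13:00:00", "ws04", r"regsvr32 /s C:\app\codec.dll"),  # registers, no /u
    ("2024-01-05T15:00:00", "ws03", r"regsvr32 /u /s C:\old.dll"),  # hours after the stop
]

def runs(exe, cmd):
    """True if cmd invokes exe, allowing a directory prefix and an .exe suffix."""
    return re.match(rf"\s*(?:\S*\\)?{exe}(?:\.exe)?\s", cmd, re.I) is not None

def classify(cmd):
    """Return (kind, detail) for the command shapes in sections 9.1 and 9.2, else None."""
    if runs("net1?", cmd):
        m = re.search(r'\sstop\s+"?([^"]+?)"?\s*$', cmd, re.I)
        return ("svc_stop", m.group(1)) if m else None
    if runs("schtasks", cmd) and re.search(r"(?<!\S)/end(?!\S)", cmd, re.I):
        m = re.search(r'(?<!\S)/tn\s+("[^"]+"|\S+)', cmd, re.I)
        return ("task_end", m.group(1).strip('"') if m else "?")
    if runs("regsvr32", cmd):
        switches = {s.lower() for s in re.findall(r"(?<!\S)[/-]([a-z])(?!\S)", cmd, re.I)}
        dll = re.search(r'(\S+\.dll)"?\s*$', cmd, re.I)
        if {"u", "s"} <= switches and dll:  # silent (/s) unregistration (/u) of a DLL
            return ("silent_unreg", dll.group(1))
    return None

def find_teardowns(events, window=timedelta(minutes=10)):
    """Pair a service stop or task end with a silent unregister on the same host."""
    pending, hits = {}, []
    for ts, host, cmd in sorted(events):  # ISO timestamps sort chronologically
        hit = classify(cmd)
        if hit is None:
            continue
        (kind, detail), when = hit, datetime.fromisoformat(ts)
        if kind != "silent_unreg":
            pending[host] = (when, kind, detail)
        elif host in pending and when - pending[host][0] <= window:
            _, stop_kind, name = pending.pop(host)
            mode = "SvcHost" if stop_kind == "svc_stop" else "DllHost/Task Scheduler"
            hits.append((host, mode, name, detail))
    return hits

print(find_teardowns(EVENTS))
```

Legitimate software maintenance can produce the same pairing, so a hit is a lead to triage against the DLL's path and signer, not a verdict.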
9.3 (S) RunDll32 Mode Uninstall
(S) Simply kill the rundll32 process that loaded Elsa:
1) Find which rundll32 process is running Elsa:
> tasklist /m Elsa.dll