Manually uninstalling Deep Freeze workstation through ubcdlive

microzee

I was given a computer that came installed with a deepfreeze workstation program.

The password was not known, so deep freeze can not be uninstalled the traditional way. I am determined to uninstall it manually so none of the files are lost.

The workstation was from a licensed enterprise deepfreeze console. If you don't know much about deepfreeze it can be found here:

System Restore Software for Enterprise: Deep Freeze Enterprise

I installed a trial version of enterprise and created my own workstation executable on another computer. I then installed the workstation executable on a virtual machine and traced the install using revo uninstaller.

I read the trace and wrote down all of the files and registry items that looked important.

Then I booted the computer using ubcd live beta found here:

https://www.ultimatebootcd.com/ubcdlive.html

The reason for using this is it comes with a built in gui registry editor.


Here is the list of important looking files that it installs:

C:/
Persi0.sys
Persi0.dsk
Soft~on.dsk

Program Files (x86)/
Faronics (whole folder)

System32/Drivers/
DeepFrz.sys
DfDiskLo.sys
DFFilter.sys
FarDisk.sys
FarSpace.sys

Windows/SysWOW64/
DFC.exe

I can delete all of those just fine. But then the mouse and keyboard are frozen on the computer screen.

On to the important looking registry entries:

HKLM/system/currentcontrolset/control/class:

They are also created in all of the currentcontrolsets e.g. currentcontrolset001 and 003. Still a little confused as to why.

Starting with:
4D36E967: this is the Disk Drives class
4D36E96B: this is Keyboard class
4D36E96F: this is Mouse class
71A27CDD: this is Storage Volumes class


In the Disk Drives class, it adds LowerFilters with a multi_sz of DfDiskLo. It modifies the already existing UpperFilters by appending DeepFrz to the beginning.

In the Keyboard it modifies the already existing UpperFilters by appending DeepFrz to the beginning.

In the Mouse class it modifies the already existing UpperFilters by appending DeepFrz to the beginning.

In the Storage Volumes class, it adds UpperFilters with a multi_sz of DeepFrz and FarSpace.

Those are the main registry entries that I believe do all of the dirty work. Some more though that are still important:

system/currentcontrolset/control/services:

DeepFrz
DfDiskLo
DFFilter
FarDisk
Farspace


What I did next was delete all of the upperfilters and lower filters, and add them back with their default windows values. Then windows would say starting windows, never load the logo and give me a bsod.


What now? The registry was what I thought would fix it. I created a backup of the registry by copying system in system32/config so I could restore it.

Here I've attached the workstation file so you can try tracing it as well.

https://drive.google.com/file/d/0B_u6weYp5wTCQTFuS0pCOUc4a1U/view?usp=sharing
 

Yes, but deep freeze is disabled if you boot the computer with something other than windows. I am booting it with a debian linux based live cd, which boots the computer with deep freeze disabled. Now I just need to figure out which files are the right files to delete, which I believe I have already achieved. It's the registry class stuff that I need help with.

Thank you for your input, but that answer is not possible without the access to the original enterprise console (which I don't have).

If someone could take the same steps I took, and look at the trace, maybe I'm missing something.

You can trace it using a trial of revo uninstaller. Just make sure you install it on a vm so you don't freeze your own machine.
 

My experience with Deep Freeze tells me it's bullet proof. Your best option is to ask for an installer from the console that originally installed Deep Freeze on the machine. That's the best way to remove it.
If you specified, I missed it; Is the machine "frozen" or "thawed" ??
 

it's thawed, if I boot with something other than windows :P
I can change any file I want and it will stick when I start windows.

But when the machine boots windows, it's of course in its frozen state. Unless I delete all the deep freeze files. Then deep freeze is off of the computer but the mouse and keyboard are frozen because of the registry things I can't figure out how to fix.
 

Something doesn't sound right. It's incredibly irresponsible of someone to sell, or give away, a computer with protection like Deep Freeze installed, without wiping the hard drive first.

Are you sure this computer isn't stolen ?? Not suggesting any wrongdoing on your part, but it just doesn't make sense. Frankly, I'd expect to lose my job if I let a computer out of here with an intact hard drive.

My suggestion, at this point, is to look more closely at the source of this computer and maybe even contact local law enforcement to determine if there is something amiss. That's what I'd do anyway.

I hope everything turns out okay and it's just a boneheaded move on the part of the previous owner.
 

It was a mean prank someone pulled on one of my friend's computers. They used a pirated version of deep freeze enterprise. Anyways, could someone please trace this program and see if you can do better?
 

Oh wow. Nice "friend". I wish I could help, but I don't know of any way around the protection Deep Freeze offers.
 

From post #7: "pirated version of deep freeze enterprise."

At this point Deep Freeze doesn't matter one way or the other.

It's a pirated version so the way out is to Clean Install Windows 7 and activate using a proper Windows 7 COA legal key.

We do not help fix systems using a pirated version of anything.

Please read the forum rules.

http://www.sevenforums.com/misc.php?do=showrules
 

The settings for Deep Freeze *are* in the registry. They have done something to make the most important ones invisible to the user. Anyone who searches the registry will find the entries you mentioned. And you will still get blue-screened if you delete what you think is all of them. But to prove to yourself that those important entries are indeed in the registry you can backup the entire registry on a clean machine without Deep Freeze. Then install Deep Freeze. Then thaw Deep Freeze. Then restore the backup registry and delete the five Deep Freeze drivers in c:\windows\system32\drivers and the Program Files (x86) folder with the deepfreezeadapter.dll. Now restart and Deep Freeze is gone. And CurrentControlSet is just a link to CurrentControlSet001 (the real control set). Note: Faronics provides a couple of NUL drivers to properly remove Deep Freeze if you are a legitimate customer and forgot your password.
 

this thread started 7 years ago:sick:
and was a pirate install who knows what was changed
 
