Remove Phantom Antivirus from Vista WMI Repository

Mark Berry April 18, 2008

Problem

In testing Spiceworks today, I discovered that a Vista machine was reporting that it had two antivirus products installed. Even after following the instructions Manually uninstalling the Client/Server Security Agent from a computer running Windows Vista, Spiceworks was still reporting Trend as installed as well as NOD32 (which really is installed). I downloaded and ran WMI Diagnosis Utility from Microsoft, but that didn't fix it either.

Solution 

Finally I found a Microsoft forum post that led me down the right path. With many thanks to its author prabhu_hv, here is a modified procedure to only delete one antivirus product:

1. Click Start, go to Command Prompt, and right-click to Run as administrator.
2. Run the command wbemtest and click Connect button.
3. Enter “root\SecurityCenter” in the Namespace field and click OK.
4. Click on “Enum Instances” button. Enter “AntivirusProduct” as the superclass name and click on OK.
5. You should see two AntiVirusProduct.instanceGuid entries. Double-click on each one and review the properties to determine which Guid corresponds to the antivirus product that is no longer installed. Then close the Object Editor.
6. In the Query Result window, highlight the incorrect AntivirusProduct and click on the Delete button. Then click Close to close the Query Result window.
7. Click the Exit button to exit the Windows Management Instrumentation Tester.

At this point, WMI and thus Spiceworks should only report the “real” antivirus product.