Windows - Software - Uninstall Agent Ransack

What the Agent Ransack removal Worklet does

This Automox Worklet™ uninstalls Agent Ransack, the Mythicsoft file search and grep-style utility, from Windows endpoints. The evaluation script scans the Windows uninstall registry hives for any DisplayName that matches Agent Ransack and reports back whether the application is present on the endpoint. The remediation script then captures the matching product code or vendor uninstall string and runs a silent removal so no end user prompt appears on the endpoint.

The Worklet handles both architectures. On 64-bit Windows it reads HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for native-bit installs and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall for the 32-bit installer that Mythicsoft ships by default. For MSI-based copies, removal runs through msiexec.exe /x {ProductCode} /qn /norestart. For EXE-based copies, the Worklet reads the QuietUninstallString or appends a silent switch to the captured UninstallString. Get-Package -Name 'Agent Ransack*' is used as a secondary verification path on PowerShell 5.1 and newer.

The evaluation phase is idempotent. Endpoints already free of Agent Ransack report compliant without applying remediation, and endpoints where a user reinstalls the utility are caught on the next evaluation window. The Worklet exits 0 on a clean removal and returns a non-zero exit code with stderr detail if msiexec reports a failure code such as 1603 or 1605, so failures surface in Automox activity logs rather than going silent.

Why remove Agent Ransack from Windows endpoints

Agent Ransack is a freeware file search and content-grep tool that often arrives on a workstation when a developer needs to scan a large source tree or an administrator wants a faster alternative to the Windows Explorer search box. The tool itself is legitimate, but unmanaged copies create three problems for IT and security teams. Allowlist policies (CIS Control 2, NIST 800-53 CM-7) require an inventory of every installed binary, and Agent Ransack rarely makes that list. Indexing-heavy search utilities can also surface file paths users would otherwise overlook, accelerating discovery of sensitive data in directories they already have read access to but never noticed. Older installs may carry the previous Mythicsoft signing certificate, which fails modern trust validation.

Running this Worklet on a recurring policy walks every Windows endpoint in scope at evaluation time, locates the registered Agent Ransack UninstallString or MSI ProductCode, and calls it with quiet flags. The activity log records exit code 0 for endpoints that were already clean and per-host removal evidence for those that needed remediation. A developer laptop that reinstalls the utility next quarter is caught on the next agent check-in rather than waiting for an annual inventory sweep.

How Agent Ransack uninstallation works

1. Evaluation phase: The Worklet enumerates HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall using Get-ChildItem and Get-ItemProperty, filtering on DisplayName -like 'Agent Ransack*'. It also runs Get-Package -Name 'Agent Ransack*' as a cross-check on PowerShell 5.1 or later. If any installed copy is found, the endpoint is flagged non-compliant and the PSChildName (product code for MSI installs) or UninstallString (for EXE installs) is recorded for the remediation phase.

2. Remediation phase: For each detected copy, the remediation script runs Start-Process msiexec.exe -ArgumentList "/x $($version.PSChildName) /qn /norestart" -Wait when the install is MSI-based. For EXE-based installs, it executes the QuietUninstallString verbatim, or appends /S (NSIS) or /VERYSILENT (Inno Setup) to the standard UninstallString when no quiet variant is published. The script then re-queries the registry and Get-Package output to confirm the application is gone and exits 0 on success or non-zero with the msiexec return code on failure.

Agent Ransack removal requirements

• Windows 10, Windows 11, or Windows Server 2016 and later with PowerShell 5.1 available

• Local administrator rights on the endpoint (the Automox agent runs as SYSTEM by default, which satisfies this)

• Supports both 32-bit and 64-bit Agent Ransack installs, including side-by-side copies on the same endpoint

• Handles both MSI installations (via msiexec.exe /x {ProductCode}) and EXE installations (via QuietUninstallString or appended silent switch)

• Compatible with Automox FixNow for on-demand removal during incident response, in addition to scheduled policy execution

• Exit code 0 indicates a clean removal; 1603 indicates a fatal MSI error and 1605 indicates the product code was already absent at uninstall time

Expected endpoint state after Agent Ransack removal

After remediation completes, Agent Ransack no longer appears in Settings → Apps → Installed apps or in appwiz.cpl. The uninstall key under both HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall is deleted, Get-Package -Name 'Agent Ransack*' returns no results, and the installation directory under %ProgramFiles%\Mythicsoft\Agent Ransack or %ProgramFiles(x86)%\Mythicsoft\Agent Ransack is removed. Start menu shortcuts, the file association for .arx saved searches, and the right-click Explorer context menu entry are all cleared by the vendor uninstaller.

To verify on a pilot endpoint, run Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like 'Agent Ransack*' from an elevated PowerShell prompt and confirm it returns nothing. Subsequent Automox evaluation runs report the endpoint as compliant without re-running the remediation script, because the registry check finds no matching uninstall keys. If a user reinstalls Agent Ransack outside of policy, the next evaluation window flags the endpoint non-compliant again and the Worklet repeats the silent uninstall – closing the patch gap without requiring a help-desk ticket per laptop.