Windows
View all Worklets
WindowsWindows

Windows - Software - Uninstall DBeaver

Removes the DBeaver database client from Windows endpoints with a single silent uninstall in one policy run

Worklet Details

What the DBeaver uninstaller does

This Automox Worklet™ removes the DBeaver database client from Windows endpoints. The Worklet reads the Windows Uninstall registry hive, identifies any system-wide DBeaver installation by DisplayName, and runs the bundled silent uninstaller to delete the program files, registry keys, and Start menu shortcuts.

DBeaver is an open-source SQL client with broad driver coverage across Oracle, SQL Server, PostgreSQL, MySQL, MongoDB, and dozens of other engines. The Worklet targets the system-wide MSI-style install under Program Files, which is the install path created by the standard Windows installer. It does not touch portable copies extracted to user folders or per-user installs under AppData, by design – those are out of scope for a fleet-wide removal policy.

On 64-bit Windows, the Worklet inspects two registry hives in a single pass: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for native 64-bit applications, and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall for 32-bit applications running under WOW64. On 32-bit Windows, only the first hive applies. Each install variant is removed using its own uninstall executable, so mixed-architecture fleets are handled in one policy run.

The Worklet is idempotent. Endpoints without DBeaver exit 0 immediately with a clear log line, and a successful uninstall also exits 0. Run it once to clear the install, leave it on a recurring policy to keep the endpoint clean if a user reinstalls the client outside of approved channels.

Why remove DBeaver from approved endpoints

A SQL client with persistent connection profiles on a developer laptop persists a credential and data-egress surface that long outlives the developer's need for it. DBeaver stores connection metadata in the user profile, and saved passwords (when the master password is bypassed or weak) can be recovered from disk. An attacker who lands on a workstation with DBeaver already configured for a production database has a fully featured query and export tool waiting for them, with no install step to trip an EDR rule. Removing the client from endpoints that should not reach production databases is a direct surface-area reduction tied to PCI-DSS Requirement 7 (least privilege on cardholder data access) and SOC 2 CC6.1 (logical access controls).

The DBeaver client lives across hundreds of workstations because someone installed it for one task a year ago, and removing it at scale is the kind of last-mile remediation that gets deferred until an audit forces the issue. Scheduling this Worklet against the workstation group walks both 64-bit and 32-bit Uninstall registry hives at evaluation time, runs the recorded UninstallString with /S, and reports the result through the Automox activity log. The activity stream becomes the evidence trail when a PCI-DSS Requirement 7 reviewer asks which endpoints still had the client at audit close.

How DBeaver removal works

  1. Evaluation phase: The Worklet opens the LocalMachine registry hive in 64-bit view using [Microsoft.Win32.RegistryKey]::OpenBaseKey and enumerates subkeys under SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. Each subkey's DisplayName is matched against the wildcard *DBeaver*. If the 64-bit hive returns a match the script exits 1 (Flagging for remediation). If not, it walks HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall using Get-ChildItem piped through Get-ItemProperty and the same DisplayName filter. Exit 1 on any hit, exit 0 with "DBeaver was not found" otherwise.

  2. Remediation phase: For a 64-bit install, the script runs Start-Process "C:\Program Files\DBeaver\Uninstall.exe" -ArgumentList ('/S', '/allusers') -Wait -PassThru. The /S switch puts the bundled NSIS uninstaller into silent mode, and /allusers scopes the removal to the system-wide install rather than the calling user's profile. For a 32-bit install on 64-bit Windows, the same call targets "C:\Program Files (x86)\DBeaver\uninstall.exe". Each path is wrapped in try/catch: a clean exit writes "DBeaver 64-bit uninstall was successful" (or the 32-bit equivalent) and exits 0, while a failure captures the exception message and source line, writes them to the Automox activity log, and exits 1.

DBeaver removal requirements

  • Windows 10, Windows 11, Windows Server 2016, 2019, or 2022 with PowerShell 5.1 or later

  • DBeaver installed system-wide via the standard Windows installer (DisplayName registered in HKLM Uninstall hive). Per-user installs under %LOCALAPPDATA% and portable zip extracts are out of scope

  • Administrative context for the Automox agent (the default agent service account meets this)

  • Uninstall.exe present at C:\Program Files\DBeaver\Uninstall.exe (64-bit) or C:\Program Files (x86)\DBeaver\uninstall.exe (32-bit). Endpoints where the file has been deleted but the registry entry remains will need a manual cleanup pass first

  • No interactive user holding DBeaver open. The /S /allusers uninstaller will close a running instance, but a locked file in a saved workspace folder can still block the cleanup of user-data directories

Expected state after DBeaver removal

On a successful run, C:\Program Files\DBeaver and C:\Program Files (x86)\DBeaver are removed by the NSIS uninstaller, including dbeaver.exe, the bundled JRE, and the installed driver cache under the program directory. The matching subkey under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (or its Wow6432Node sibling) is deleted, so DBeaver no longer appears in Settings > Apps > Installed apps or in Control Panel > Programs and Features. The Start menu shortcut under C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DBeaver is also removed.

Per-user data is intentionally left in place. The %AppData%\DBeaverData and %UserProfile%\.dbeaver workspace folders persist, which preserves connection profiles in case the application is reinstalled later under a sanctioned policy. If your removal policy is to scrub all DBeaver traces, pair this Worklet with a follow-up Worklet that walks each user profile and removes those directories explicitly.

Validate the result on a pilot endpoint by running Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object DisplayName -like '*DBeaver*' – the command should return nothing. Confirm Test-Path 'C:\Program Files\DBeaver' and Test-Path 'C:\Program Files (x86)\DBeaver' both return False. The Automox activity log will show exit code 0 with "DBeaver 64-bit uninstall was successful", "DBeaver 32-bit uninstall was successful", or "DBeaver was not found" depending on the endpoint's starting state. A clean endpoint exits 0 immediately because the Uninstall hive enumeration finds no DBeaver DisplayName, so leaving the policy on a weekly cadence acts as a guardrail without rewriting anything on the 99% of endpoints that never see a reinstall.

View in app
evalutation image
remediation image

Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.

do more with worklets