Uninstall .NET Runtime 5.0.17 and Below

What the .NET Runtime 5.0 Uninstaller does

This Automox Worklet™ removes .NET Runtime version 5.0.17 and any earlier versions from Windows endpoints. The Worklet detects vulnerable installations across 32-bit and 64-bit registry hives, as well as per-user installations, verifying comprehensive coverage across your infrastructure.

The Worklet addresses CVE-2023-33128, a critical security vulnerability affecting end-of-life .NET Runtime versions. By uninstalling these deprecated versions, you eliminate a significant attack vector that attackers could exploit to compromise endpoints.

The Worklet detects vulnerable installations across 32-bit and 64-bit registry hives, as well as per-user installations, providing comprehensive coverage across your infrastructure.

Why remove .NET Runtime 5.0 vulnerabilities

.NET Runtime 5.0 reached end of life on May 10, 2022, and no longer receives security patches. Organizations that fail to remove these versions remain vulnerable to CVE-2023-33128 and other known exploits that attackers actively use in the wild.

Running unpatched software creates compliance violations across multiple regulatory frameworks. PCI-DSS, HIPAA, and SOC 2 controls explicitly require removal of end-of-life software from production systems. Many managed security service providers flag .NET Runtime 5.0 as a critical risk in their vulnerability assessments.

Automating the removal process eliminates manual tracking and deployment delays. The Worklet runs silently across your fleet without requiring user interaction or system restarts, allowing you to maintain compliance without disrupting operations.

How .NET Runtime 5.0 removal works

1. Evaluation phase: The Worklet scans the Windows registry across multiple locations: the 64-bit HKLM hive, the 32-bit Wow6432Node hive for 32-bit applications on 64-bit systems, and per-user registry hives (HKU) for user-context installations. It identifies all .NET Runtime 5.0.x versions and compares them against the target version 5.0.17. Any installations at or below this version are flagged for remediation.

2. Remediation phase: The Worklet executes the uninstaller for each vulnerable version using the appropriate silent parameters. For MSI-based installations, it uses msiexec with /qn (quiet, no UI) and /norestart flags. For executable-based installers, it appends /quiet and /norestart parameters. The Worklet monitors exit codes and logs success or failure for each uninstall operation, providing a summary of removed versions.

.NET Runtime 5.0 removal requirements

• Windows 7 and above (tested on Windows 7, Windows 10, Windows 11, Server 2016 and later)

• PowerShell 2.0 and above

• Local Administrator privileges to access registry and execute uninstallers

• Supports both 32-bit and 64-bit architectures

• No system restart required (uninstallers run with /norestart parameter)

Expected state after .NET Runtime removal

After successful remediation, .NET Runtime 5.0.17 and earlier versions are completely removed from your endpoint. The Windows registry no longer contains entries in the Uninstall hive for these versions, and any associated application directories are cleaned up by the respective uninstallers.

Endpoints remain compliant with security standards and pass vulnerability assessments that flag end-of-life .NET Runtime versions. Applications depending on newer .NET versions (5.0.18 and above, or .NET 6.0 and later) continue to function normally. Verify successful remediation by confirming that no .NET Runtime 5.0.x versions appear in Control Panel > Programs and Features or by querying the registry directly.

How to validate uninstall .net runtime 5.0.17 and below changes

1. Run this Worklet on a pilot Windows endpoint and review evaluation output for uninstall .net runtime 5.0.17 and below.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as Test-DotNetMatch, Write-Output, Get-ChildItem.

4. Validate remediation effects from script operations such as Write-Output, Start-Process, Test-Path, then rerun evaluation for compliance.