Windows - Software Lifecycle - Uninstall Kaspersky Software

Remove every installed Kaspersky product from Windows endpoints across the fleet in a single silent operation

Worklet Details

What the Kaspersky removal Worklet does

This Automox Worklet™ removes every Kaspersky product detected on a Windows endpoint. The evaluation phase enumerates the Windows uninstall registry under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, matches any DisplayName beginning with "Kaspersky," and reports the affected endpoint as out of compliance. The remediation phase then drives each product's native uninstaller through to a clean exit code.

The Worklet handles Kaspersky Endpoint Security for Business, Kaspersky Endpoint Security for Windows, Kaspersky Total Security, Kaspersky Internet Security, Kaspersky Small Office Security, Kaspersky Anti-Virus, Kaspersky Security Cloud, and Kaspersky Free. It also handles legacy installations left behind by failed upgrades, where the product no longer launches but still owns a registered uninstaller. Both the native registry view and the 32-bit Wow6432Node hive are scanned on every run.

The Worklet normalizes each uninstall string before execution. MSI-format entries are routed through msiexec /x {ProductCode} /qn /norestart. EXE-format entries call the publisher uninstaller with silent flags, typically /s, /silent, or /VERYSILENT plus /NORESTART. When the Kaspersky self-defense password is unset on the endpoint, the uninstall completes unattended. When self-defense is enabled and a removal password has been distributed, you can pass that password to the Worklet through a policy parameter so the silent uninstall succeeds without an end user prompt.

Why remove Kaspersky from US Windows endpoints

On 20 June 2024, the US Department of Commerce Bureau of Industry and Security issued a Final Determination prohibiting AO Kaspersky Lab and its affiliates from selling antivirus software or providing cybersecurity services in the United States. Sales of new licenses ended 20 July 2024. The order also blocked the delivery of antivirus signature updates and software upgrades to US endpoints after 29 September 2024, leaving any still-installed Kaspersky agent unable to receive new detections. A Kaspersky binary that no longer updates is no longer protecting the endpoint; it is an unmanaged kernel-mode service that needs to come off. Failure to remove the software also creates a measurable compliance gap for any organization subject to federal contracting requirements, CMMC, or the ICT supply-chain controls established under Executive Order 13873.

The September 2024 BIS final determination set a hard date for removing Kaspersky from US endpoints, but the operational gap between that directive and the last laptop in the building actually being clean is what trips compliance audits. Scheduling this Worklet against the Windows group walks both 32-bit and 64-bit Uninstall registry hives at evaluation time, calls the registered Kaspersky uninstaller with /quiet /norestart against every detected product, and reports per-host exit codes. Discovery, evaluation, and silent uninstall happen entirely through the Automox agent context, with the activity log producing the per-endpoint evidence trail a regulator expects.

How Kaspersky removal works

  1. Evaluation phase: The Worklet uses Get-ChildItem and Get-ItemProperty against HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall to collect every registered uninstaller. It filters DisplayName values that match "Kaspersky*" and emits each match with its DisplayVersion and UninstallString. If the result set is empty, the endpoint is compliant and the Worklet exits 0. If any Kaspersky entry is present, the Worklet exits 1 and Automox queues remediation.

  2. Remediation phase: For each detected Kaspersky product, the Worklet parses the UninstallString. MSI entries are rewritten to msiexec.exe /x {ProductCode} /qn /norestart so the uninstall completes without UI. EXE entries are invoked with the publisher's silent switches, falling back to /s and /VERYSILENT /NORESTART when the original string lacks them. Optionally, the Worklet downloads and invokes Kaspersky's official kavremover.exe utility to clear leftover services, drivers, and registry artifacts that the in-place uninstaller can miss. Exit codes 0, 1605 (already removed), 1641 (success with reboot pending), and 3010 (success with reboot pending) are treated as successful.
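The two phases above as a dry run, added here as an example and not taken from the Worklet's source: it enumerates both hives, prints the normalized command line each entry would receive, and returns the evaluation exit code without uninstalling anything. The function names, and the choice to append /s and /NORESTART when an EXE string has no silent switch, are assumptions.

```powershell
# Added example, not the Worklet's source; function names are hypothetical.
$UninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-KasperskyEntry {
    # SilentlyContinue also covers 32-bit Windows, which has no Wow6432Node key.
    Get-ChildItem -Path $UninstallRoots -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Kaspersky*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

function ConvertTo-SilentUninstall {
    param([string]$UninstallString)
    $guid = '\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}'
    if ($UninstallString -match "msiexec.*?($guid)") {
        # MSI entry: keep only the ProductCode and force a quiet, no-reboot removal.
        return [pscustomobject]@{ FilePath = 'msiexec.exe'; Arguments = "/x $($Matches[1]) /qn /norestart" }
    }
    if ($UninstallString -match '^\s*"?(.+?\.exe)"?\s*(.*)$') {
        $exe, $exeArgs = $Matches[1], $Matches[2].Trim()
        # Assumption: add /s and /NORESTART only when the publisher string lacks them.
        if ($exeArgs -notmatch '(^|\s)/(s|silent|verysilent|quiet|qn)(\s|$)') { $exeArgs = "$exeArgs /s".Trim() }
        if ($exeArgs -notmatch '(^|\s)/norestart(\s|$)') { $exeArgs = "$exeArgs /NORESTART" }
        return [pscustomobject]@{ FilePath = $exe; Arguments = $exeArgs }
    }
    return $null   # empty or unrecognised string: needs manual review
}

function Test-UninstallSuccess {
    param([int]$ExitCode)
    # 0 = success, 1605 = ERROR_UNKNOWN_PRODUCT (already removed),
    # 1641 = ERROR_SUCCESS_REBOOT_INITIATED, 3010 = ERROR_SUCCESS_REBOOT_REQUIRED.
    return $ExitCode -in 0, 1605, 1641, 3010
}

# Evaluation: print the plan (nothing is uninstalled here) and set the exit code.
$found = @(Get-KasperskyEntry)
foreach ($entry in $found) {
    $plan = ConvertTo-SilentUninstall -UninstallString $entry.UninstallString
    if (-not $plan) { Write-Output "$($entry.DisplayName): no usable UninstallString, manual review"; continue }
    Write-Output ('{0} {1} -> {2} {3}' -f $entry.DisplayName, $entry.DisplayVersion, $plan.FilePath, $plan.Arguments)
}
if ($found.Count -gt 0) { exit 1 } else { exit 0 }
```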

Kaspersky removal requirements

  • Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, or Windows Server 2022. Older builds running Kaspersky may still uninstall but are not test-validated.

  • PowerShell 5.1 or later. PowerShell 3.0 is the absolute minimum, but registry enumeration is more reliable on 5.1+.

  • SYSTEM context, which the Automox agent provides by default. The MSI and EXE uninstallers require elevation.

  • If Kaspersky self-defense is enabled with a password, set the policy parameter KasperskyPassword so the silent uninstall flag string can include /pPassword=<value>.

  • Outbound HTTPS to support.kaspersky.com if you opt in to the kavremover.exe fallback path. Skip the fallback in air-gapped environments and stage the binary on an internal share instead.

  • FixNow compatible. The Worklet can be invoked on demand for incident response or scheduled as a recurring policy so any re-imaged endpoint is caught on the next evaluation.

Expected state after Kaspersky removal

After remediation completes, no DisplayName beginning with "Kaspersky" remains under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall or HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall. The C:\Program Files (x86)\Kaspersky Lab and C:\Program Files\Kaspersky Lab directories are removed. The Kaspersky services – AVP, klnagent, klflt, klif, klhk, and klbg – are no longer registered, which you can confirm with Get-Service AVP* on a remediated endpoint. The Windows Security Center reports no third-party antivirus until a replacement EDR is deployed, which is expected behavior in the interim.

Endpoints that return exit code 3010 or 1641 are flagged for a pending reboot. Schedule a reboot Worklet or wait for the next maintenance window so the final driver-level cleanup completes. A second evaluation run after reboot will confirm no Kaspersky registry residue remains. Track removal progress in Automox by filtering policy results for the success exit codes and exporting the endpoints that still report exit code 1 for targeted follow-up. The reporting view doubles as evidence for compliance auditors reviewing BIS Final Determination implementation.
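One way to record the post-removal state described above as per-endpoint evidence, added here as an example that is not part of the Worklet: it checks the two Uninstall hives, the two install directories, and the service names listed, reading HKLM:\SYSTEM\CurrentControlSet\Services so that driver registrations are covered alongside services. Test-KasperskyResidue and the output field names are hypothetical.

```powershell
# Added example, not the Worklet's source; Test-KasperskyResidue is a hypothetical name.
function Test-KasperskyResidue {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    $registry = @(Get-ChildItem -Path $roots -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Kaspersky*' } |
        ForEach-Object { $_.DisplayName })

    $dirs = @('C:\Program Files (x86)\Kaspersky Lab', 'C:\Program Files\Kaspersky Lab' |
        Where-Object { Test-Path -LiteralPath $_ })

    # Services and kernel drivers are both registered as subkeys of the Services key.
    $patterns = 'AVP*', 'klnagent', 'klflt', 'klif', 'klhk', 'klbg'
    $services = @(Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        Where-Object { $name = $_.PSChildName; $patterns | Where-Object { $name -like $_ } } |
        ForEach-Object { $_.PSChildName })

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        CheckedUtc      = (Get-Date).ToUniversalTime().ToString('s')
        RegistryEntries = $registry
        Directories     = $dirs
        Services        = $services
        Clean           = -not ($registry.Count + $dirs.Count + $services.Count)
    }
}

# Emit one JSON line for the activity log; non-zero exit means residue remains.
$result = Test-KasperskyResidue
$result | ConvertTo-Json -Compress
if ($result.Clean) { exit 0 } else { exit 1 }
```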

When a replacement endpoint protection product is part of the rollout plan – CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, or another EDR – queue its deployment Worklet to run after this one in the same maintenance window. The catalog already has the deploy Worklet for the leading vendors; this Worklet clears the legacy footprint that would otherwise block installation.


What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.