Removes Sumo Logic Collector from Windows endpoints with silent uninstall and 32-bit and 64-bit registry detection
This Automox Worklet™ removes the Sumo Logic Collector agent from Windows endpoints, including both x86 and x64 installations. The Worklet inspects the Windows uninstall registry hive to detect a Sumo Logic Collector entry by DisplayName. It then runs the vendor uninstaller in silent mode so the removal completes without an interactive prompt or end user disruption.
Detection reads HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall on 64-bit endpoints and the matching Wow6432Node path for 32-bit installer entries, so the Worklet catches both architectures on the same registry pass. The remediation phase invokes the installer at C:\Program Files\Sumo Logic Collector\uninstall.exe (or the Program Files (x86) location on 32-bit installs) with the documented vendor arguments -console and -q for a non-interactive removal.
Endpoints that no longer carry Sumo Logic Collector return exit code 0 on evaluation and skip remediation. Endpoints flagged for removal exit cleanly on success, treat exit code 3010 as a deferred reboot, and surface a non-zero exit code with the underlying installer error code when the uninstall fails. This keeps the Automox activity log usable as the system of record for fleet-wide collector decommissioning.
Log collectors accumulate quietly. A workstation joins a SIEM pilot, the pilot expires, and the collector keeps running for years against a deprovisioned tenant, consuming CPU and memory on every Windows endpoint it touches. When the security team migrates off Sumo Logic to a different platform, dual-shipping log volume can also drive the new platform's ingest costs past budget. Pulling Sumo Logic Collector cleanly off every endpoint is the cheapest way to stop the dual-shipping, retire the orphaned agent, and reclaim the host resources it was burning.
Scheduling this Worklet against the migration cohort enforces the absence of Sumo Logic Collector on every evaluation pass. The Uninstall hive is checked at agent check-in, the vendor's uninstall.exe runs silently with the -console -q arguments, and exit code 3010 is treated as a deferred reboot rather than a failure. A stray reinstall during a build refresh or workstation imaging cycle is caught and removed on the next policy run, so dual-shipping ingest volume drops off without an admin chasing each endpoint by hand.
Evaluation phase: The Worklet opens the Windows uninstall registry hive on HKLM and reads DisplayName for each subkey under SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall. The architecture branch is selected from [System.Environment]::Is64BitOperatingSystem, so 64-bit endpoints scan both views and 32-bit endpoints scan only the native view. A regex match against the appName parameter (default Sumo Logic Collector) flags the endpoint for remediation with exit code 2; an absent entry exits 0 as compliant.
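The evaluation logic described above, written out as an added sketch; it is not the Worklet's own evaluation script. The `Get-UninstallEntry` helper name and the `[regex]::Escape` hardening are assumptions of this example, and it assumes a 64-bit PowerShell host on 64-bit Windows.

```powershell
# Added sketch of the evaluation phase; not the Worklet's own script.
# Assumes a 64-bit PowerShell host on 64-bit Windows: a 32-bit host is
# redirected to Wow6432Node and would never see the native view.
$appName = 'Sumo Logic Collector'   # default DisplayName named on the page

function Get-UninstallEntry {       # hypothetical helper name
    param([string]$Pattern)

    # Native view always; the Wow6432Node view exists only on 64-bit Windows.
    $paths = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*')
    if ([System.Environment]::Is64BitOperatingSystem) {
        $paths += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    }

    # Subkeys without a DisplayName value are filtered out before matching.
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $Pattern } |
        Select-Object DisplayName, DisplayVersion, PSPath
}

# [regex]::Escape keeps an overridden appName that contains regex
# metacharacters (for example parentheses) from widening the match.
$found = @(Get-UninstallEntry -Pattern ([regex]::Escape($appName)))

if ($found.Count -gt 0) {
    $found | ForEach-Object { Write-Output "Found: $($_.DisplayName) at $($_.PSPath)" }
    exit 2   # flagged: remediation runs
}

Write-Output "$appName not present"
exit 0       # compliant: remediation is skipped
```

Logging the matching `PSPath` in the activity log shows which registry view held the entry, which helps when a 32-bit install lingers on a 64-bit endpoint.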
Remediation phase: The Worklet resolves $appInstallDir to C:\Program Files\Sumo Logic Collector on 64-bit or C:\Program Files (x86)\Sumo Logic Collector on 32-bit and confirms uninstall.exe exists in that directory. It then runs Start-Process -FilePath uninstall.exe -ArgumentList @("-console", "-q") -Wait -PassThru. Exit codes other than 0 and 3010 are treated as failures and re-raised through the catch block; exit code 3010 is treated as a successful removal that requires a reboot. The vendor command-line syntax follows Sumo Logic's documented Windows uninstall procedure.
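The remediation flow described above, as an added sketch rather than the Worklet's own remediation.ps1. It goes slightly beyond the text by probing both default install directories instead of choosing one from the OS architecture, and the signature logging step is an addition of this example.

```powershell
# Added sketch of the remediation phase; not the Worklet's own script.
# Default install directories named on the page; edit for non-default installs.
$candidates = @(
    'C:\Program Files\Sumo Logic Collector',
    'C:\Program Files (x86)\Sumo Logic Collector'
)
$proc = $null

try {
    # Use the first directory that actually contains uninstall.exe.
    $appInstallDir = $candidates |
        Where-Object { Test-Path -LiteralPath (Join-Path $_ 'uninstall.exe') -PathType Leaf } |
        Select-Object -First 1
    if (-not $appInstallDir) {
        throw "uninstall.exe not found under: $($candidates -join '; ')"
    }
    $uninstaller = Join-Path $appInstallDir 'uninstall.exe'

    # Addition of this example: record the Authenticode status of the binary
    # that is about to run as SYSTEM (logged only, not enforced).
    $sig = Get-AuthenticodeSignature -FilePath $uninstaller
    Write-Output "Uninstaller signature status: $($sig.Status)"

    # -console -q are the vendor arguments quoted on the page.
    $proc = Start-Process -FilePath $uninstaller -ArgumentList @('-console', '-q') `
        -Wait -PassThru -ErrorAction Stop

    switch ($proc.ExitCode) {
        0       { Write-Output 'Sumo Logic Collector removed.'; exit 0 }
        3010    { Write-Output 'Removed; reboot required to finish.'; exit 3010 }
        default { throw "uninstall.exe exited with code $($proc.ExitCode)" }
    }
}
catch {
    Write-Output "Removal failed: $($_.Exception.Message)"
    # Surface the installer's own code when there is one, otherwise 1.
    $code = if ($proc -and $proc.ExitCode) { $proc.ExitCode } else { 1 }
    exit $code
}
```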
Windows 10 or later on workstations, or Windows Server 2016 or later
Automox agent running with SYSTEM context (default) for registry read access on HKLM and the right to launch uninstall.exe
Sumo Logic Collector installed via the official MSI or .exe installer so the vendor uninstall.exe is present in the install directory
Default Sumo Logic install path: C:\Program Files\Sumo Logic Collector on 64-bit or C:\Program Files (x86)\Sumo Logic Collector on 32-bit; non-default install paths require a manual edit to $appInstallDir in remediation.ps1
Override the appName parameter only if the deployment renamed the registry DisplayName from the default Sumo Logic Collector
Outbound network is not required for removal; the Worklet operates entirely against the local registry and filesystem
After a successful run, the Sumo Logic Collector entry disappears from Add or Remove Programs and from the registry uninstall hive on both views. The sumo-collector Windows service is unregistered and Get-Service sumo-collector returns a ServiceController not found error, confirming the agent process is no longer scheduled at boot. The install directory under Program Files (or Program Files (x86)) is removed by the vendor uninstaller. Residual log fragments under C:\ProgramData\Sumo Logic can be cleared with a follow-up cleanup Worklet if your retention policy requires it.
Validate by running Get-CimInstance -ClassName Win32_Product -Filter "Name LIKE 'Sumo Logic%'" and confirming the query returns nothing, then checking Get-Service sumo-collector for a not-found result. For audit evidence, capture the Automox activity log entries showing the evaluation exit-2 flag followed by the remediation exit-0 success (or exit-3010 reboot pending). Endpoints that hit exit code 3010 finish the removal at the next reboot and report compliant on the following evaluation pass, so a one-off non-zero result during a maintenance window does not require manual intervention.

