Windows - Software - Uninstall TeamViewer

What the TeamViewer removal Worklet does

This Automox Worklet™ detects and removes TeamViewer and TeamViewer Host from Windows endpoints. The Worklet reads the Windows uninstall registry hive, locates every entry whose DisplayName matches TeamViewer, and runs the vendor-supplied UninstallString with the correct silent switch for that install method.

The evaluation script opens the 64-bit registry view through Microsoft.Win32.RegistryKey to walk HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, then falls back to HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall for 32-bit installs. On a 32-bit operating system, the Worklet checks HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall directly. Any matching DisplayName flags the endpoint for remediation.

The remediation script re-enters a 64-bit PowerShell host through sysnative when it is launched in a 32-bit context, so registry queries return the correct hive on every Windows build. For each TeamViewer entry, it inspects the UninstallString. MSI-based installs are removed with msiexec.exe /x <ProductCode> /qn /norestart. Executable-based installs (the TeamViewer uninstall.exe typically lives in C:\Program Files (x86)\TeamViewer\) run with the /S silent switch. Exit codes 0, 1641, and 3010 are treated as success, matching the standard Windows installer reboot codes.

Why remove TeamViewer from Windows endpoints

Unsanctioned remote access tools are one of the most common drivers of fleet-wide incident response work. TeamViewer in particular has been associated with a series of credential-stuffing campaigns and supply-chain compromises over the past several years, and most security teams now treat any unmanaged remote control agent as a finding under PCI-DSS 2.2.4, HIPAA Security Rule 164.312(a)(1), and SOC 2 Common Criteria CC6.1. Even where TeamViewer is permitted, multiple installs from end user downloads erode license control and create attack surface that the security team has no visibility into.

Shadow TeamViewer installs accumulate across a Windows fleet whenever a support engineer needs ad-hoc access or a contractor brings their own remote tool. Schedule this Worklet against the relevant endpoint group and the next evaluation reports every remaining TeamViewer install across workstations and servers, then removes the binary, the TeamViewer service, and the persistent listener in a single policy run. The result is a consistent remote access posture aligned with your approved tooling list.

How TeamViewer removal works

1. Evaluation phase: The Worklet detects the OS bitness, then enumerates uninstall keys from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall (or the single 32-bit hive on legacy systems). It compares each DisplayName against "TeamViewer" using -match, which catches TeamViewer, TeamViewer Host, and version-suffixed names such as TeamViewer 15. If a match is found, the script writes the bitness to the Activity Log and exits 1 to flag remediation. If no match is found, it exits 0 with "TeamViewer was not found. Now Exiting."

2. Remediation phase: The script re-runs the TeamViewerCheck function to confirm the install is still present, then relaunches itself through %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe when needed for true 64-bit registry visibility. It loops every TeamViewer entry returned by Get-ChildItem | Get-ItemProperty | Where-Object DisplayName -match. For msiexec-based UninstallString values it runs Start-Process msiexec.exe -ArgumentList "/x $PSChildName /qn /norestart" -Wait. For executable uninstallers it runs Start-Process $UninstallString -ArgumentList /S -Wait, which invokes the TeamViewer uninstall.exe silently. Exit codes 0, 1641, and 3010 are accepted as success; the PSPath of each removed entry is captured and written back to the Activity Log.

TeamViewer removal requirements

• Windows 10, Windows 11, Windows Server 2016, 2019, 2022, or Windows Server 2025 endpoint with the Automox agent installed

• Local administrator context for the Automox agent (the default service account already meets this) so the script can read the uninstall hives and call msiexec

• PowerShell 3.0 or later (any supported version of Windows ships with a compatible PowerShell)

• FixNow compatibility: trigger an ad-hoc run from the Automox console for incident-response removals rather than waiting for the next policy evaluation

• Allow a reboot window where exit code 3010 is expected; some TeamViewer build variants request a reboot to complete the uninstall

• Network reachability is not required because the Worklet uses the local vendor uninstaller; air-gapped endpoints are supported

Expected state after TeamViewer removal

After a successful run, the TeamViewer and TeamViewer Host entries are absent from HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall. The C:\Program Files (x86)\TeamViewer\ install directory is removed by the vendor uninstaller, and the TeamViewer and TeamViewer Host Windows services no longer appear in Get-Service. The Activity Log records "Uninstalled the following key: <PSPath>" for each entry that was processed, followed by "TeamViewer Uninstall Successful" and exit code 0.

Validate the result with Get-WmiObject -Class Win32_Product -Filter "Name LIKE '%TeamViewer%'" or, faster, with Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object DisplayName -match TeamViewer. Both queries should return nothing on a cleaned endpoint. If the Worklet exits 1 with "TeamViewer Uninstall Failed," inspect the Activity Log for the captured msiexec or uninstall.exe exit code; the most common non-success codes are 1602 (user cancelled, rare under -qn), 1603 (fatal install error, usually a missing source MSI in C:\Windows\Installer), and 1605 (product code not installed, indicating registry orphan rows that need manual cleanup). Re-running evaluation after remediation should report "TeamViewer was not found. Now Exiting." If a subsequent evaluation again flags the endpoint, an end user has reinstalled TeamViewer and the policy is now operating as an enforcement loop.