Removes TightVNC VNC server from Windows endpoints to close an unmonitored remote access attack surface
This Automox Worklet™ uninstalls TightVNC from Windows endpoints across your fleet. The Worklet scans the Windows registry under both HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall to detect every installed copy of TightVNC, whether the endpoint runs the 32-bit build on a 64-bit OS or the native 64-bit build.
For each detected install, the Worklet selects the correct removal path. MSI-based installs are removed with msiexec /x {ProductCode} /qn /norestart, pulling the ProductCode straight from the registry UninstallString. Executable installs fall back to tvnserver.exe -remove -silent, which stops the TightVNC Server service and tears down the listener on TCP 5900 and the web client on TCP 5800 without prompting the end user.
After the uninstaller exits, the Worklet sweeps C:\Program Files\TightVNC and C:\Program Files (x86)\TightVNC for any leftover binaries, configuration files, or password hashes the vendor uninstaller leaves behind. Exit codes are surfaced to the Automox Activity Log so a fleet-wide policy run produces a clean audit trail of every endpoint that was non-compliant, every endpoint that was remediated, and every endpoint that was already clean.
Older TightVNC builds shipped with weak authentication defaults and a string of disclosed vulnerabilities, including credential-handling weaknesses and unauthenticated stack overflow conditions on the listener. Any endpoint still running tvnserver.exe is publishing TCP 5900 and TCP 5800 to whatever network segment it sits on, with no SIEM telemetry, no MFA, and no centralized session log. PCI-DSS, HIPAA, and SOC 2 all treat an unsanctioned VNC server as a critical finding because the attack surface is exactly the one auditors are paid to look for.
TightVNC has carried a long string of authentication and memory-corruption advisories, and an installed copy with the default port 5900 listening is an exposed entry point on any workstation or server reachable from the network. Once you have decided to retire TightVNC, this Worklet removes the binary, stops the tvnserver service, and clears the registered listener across every Windows endpoint in scope in a single policy run, replacing one-off MSIEXEC sweeps with a repeatable enforcement loop.
Evaluation phase: The Worklet enumerates HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall, filtering DisplayName entries that match TightVNC. It captures the UninstallString and QuietUninstallString values, the install architecture (32-bit or 64-bit), and the ProductCode where present. Any match flags the endpoint as non-compliant and stages the captured uninstall metadata for the remediation phase.
Remediation phase: For MSI installs, the script invokes msiexec /x {ProductCode} /qn /norestart and waits on the process exit code. For executable installs, it runs tvnserver.exe -remove -silent from the captured install path. Once the vendor uninstaller returns, the script removes any residual files under C:\Program Files\TightVNC and C:\Program Files (x86)\TightVNC, deletes the TightVNC Server service entry if it lingers, and writes the final exit status to the Automox Activity Log.
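The evaluation phase and the choice of removal path described above, as an added PowerShell example; it is not the Worklet's own source and it only reports the command it would run. The function name Get-TightVncInstall, the RemovalCommand field and the 0/1 exit codes are assumptions made for illustration.

```powershell
# Added example (not the Worklet's source). Run from a 64-bit PowerShell host:
# a 32-bit host on 64-bit Windows is redirected to Wow6432Node for both paths.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$guidPattern = '\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}'

# Hypothetical helper: returns one object per TightVNC Uninstall entry.
function Get-TightVncInstall {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path -Path $root)) { continue }   # no Wow6432Node on 32-bit Windows
        $is32 = ($root -like '*Wow6432Node*') -or -not [Environment]::Is64BitOperatingSystem
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -notlike '*TightVNC*') { continue }
            # Take the ProductCode from UninstallString only when msiexec is the
            # uninstaller, so a GUID-named key from a non-MSI installer is not
            # mistaken for an MSI install.
            $productCode = $null
            if ($p.UninstallString -match 'msiexec' -and $p.UninstallString -match $guidPattern) {
                $productCode = $Matches[0]
            }
            $exe = if ($p.InstallLocation) { Join-Path $p.InstallLocation 'tvnserver.exe' } else { 'tvnserver.exe' }
            [pscustomobject]@{
                DisplayName          = $p.DisplayName
                Architecture         = if ($is32) { '32-bit' } else { '64-bit' }
                ProductCode          = $productCode
                UninstallString      = $p.UninstallString
                QuietUninstallString = $p.QuietUninstallString
                # Dry run: the command the remediation phase would invoke.
                RemovalCommand       = if ($productCode) { "msiexec /x $productCode /qn /norestart" }
                                       else { "`"$exe`" -remove -silent" }
            }
        }
    }
}

$found = @(Get-TightVncInstall)
if ($found.Count -eq 0) {
    Write-Output 'Compliant: no TightVNC Uninstall entry found.'
    exit 0
}
$found | Format-List
Write-Output "Non-compliant: $($found.Count) TightVNC install(s) staged for remediation."
exit 1
```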
Windows 7 SP1 and later (Windows 7, 8.1, 10, 11, Server 2008 R2, Server 2012 R2, Server 2016, Server 2019, Server 2022)
PowerShell 5.1 or later (default Automox agent context already meets this)
Local Administrator privileges for the Automox agent to read the Uninstall registry hive and invoke msiexec
No active TightVNC session on the target endpoint at the time of remediation (active sessions are terminated when tvnserver.exe stops)
FixNow compatible for immediate execution on a selected set of endpoints when a vulnerability disclosure forces an out-of-band removal
TightVNC no longer appears in Programs and Features, Settings > Apps, or the Start menu. The TightVNC Server service is removed from services.msc, and netstat -an no longer reports a LISTENING state on TCP 5900 or TCP 5800. The Uninstall registry entries under both the 64-bit and Wow6432Node Uninstall hives are deleted, along with any HKLM:\SOFTWARE\TightVNC configuration keys. The directories under C:\Program Files\TightVNC and C:\Program Files (x86)\TightVNC are removed; no leftover password hash file (vnc.ini, control passwords) remains on disk.
Validate by running Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*TightVNC*"} in an elevated PowerShell session. A clean endpoint returns no results. Confirm port closure with Test-NetConnection -ComputerName localhost -Port 5900, which should report TcpTestSucceeded : False. For audit evidence, export the Automox Activity Log entries for the policy run and store them with the compliance ticket. Endpoints that were never running TightVNC return immediately from the evaluation phase and report compliant without any remediation action, so the policy is safe to run as a recurring sweep across mixed fleets where only a subset of endpoints ever had the software installed.
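The validation checks above combined into one pass/fail script, as an added example that is not part of the Worklet. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection (use netstat -an on older systems) and uses exit codes 0/1 as its own convention.

```powershell
# Added example (not the Worklet's source): post-remediation verification.
# Each check stores a count; any count above zero fails the endpoint.
$checks = [ordered]@{}

# 1. No Uninstall entry left in either the 64-bit or the Wow6432Node hive.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$checks['UninstallEntries'] = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*TightVNC*' }).Count

# 2. No lingering TightVNC Server service registration.
$checks['Services'] = @(Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'tvnserver' -or $_.DisplayName -like 'TightVNC*' }).Count

# 3. Nothing listening on TCP 5900 or 5800 on any local address.
#    A listener is counted whichever program owns it, so another VNC product
#    on the same ports also fails this check.
$checks['Listeners'] = @(Get-NetTCPConnection -State Listen -LocalPort 5900, 5800 `
    -ErrorAction SilentlyContinue).Count

# 4. No leftover install directories or configuration key.
$leftovers = 'C:\Program Files\TightVNC',
             'C:\Program Files (x86)\TightVNC',
             'HKLM:\SOFTWARE\TightVNC'
$checks['Leftovers'] = @($leftovers | Where-Object { Test-Path -Path $_ }).Count

# Report every check, then fail if any count is non-zero.
$checks.GetEnumerator() | ForEach-Object { '{0,-18} {1}' -f $_.Key, $_.Value }
$failed = @($checks.GetEnumerator() | Where-Object { $_.Value -gt 0 } |
    ForEach-Object { $_.Key })

if ($failed.Count -gt 0) {
    Write-Output "FAIL: residue found in $($failed -join ', ')"
    exit 1
}
Write-Output 'PASS: no TightVNC install, service, listener, or leftover files detected.'
exit 0
```

Unlike Test-NetConnection against localhost, the listener check covers both ports and every bound address in one call.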


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints, at scale, within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration and remediation, and install or remove applications and settings across Windows, macOS, and Linux.
