@hayleyxyz
Last active April 1, 2024 16:44
How to remove zscaler without password
1. You will need admin access.
2. Suspend the Zscaler processes.
   - I use this: https://github.com/DavidXanatos/TaskExplorer
3. Open regedit and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Zscaler Inc.\Zscaler
4. Delete the key: UninstallPassword
   - If you have suspended the processes, the key will not be immediately added back in.
5. Uninstall Zscaler like you would any other program, via the Control Panel.
================================================================================================
The installer has a zlib-compressed XML file that is used to grab the password from the registry
and run the check. Extract the XML file with offzip, modify the XML to remove the check completely,
pack it back into the XML with packzip and then run it. I don't know if there are signature/crc
checks on the uninstaller binary files.
Misc interesting things:
<setInstallerVariable name="uninstallPassword" value="${env(ZSCALER_PASSWORD)}"/>
- If we set an env variable, does it use that instead?
<runProgram>
    <program>${installdir}\ZSAService\ZSAService.exe</program>
    <programArguments>-markStop ${uninstallPassword}</programArguments>
    <onErrorActionList>
        <showWarning text="Incorrect Password." title="${product_shortname}"/>
        <registrySet abortOnError="0" showMessageOnError="0">
            <key>HKEY_LOCAL_MACHINE\SOFTWARE\Zscaler Inc.\Zscaler</key>
            <name>UninstallExitCode</name>
            <type>REG_SZ</type>
            <value>1</value>
        </registrySet>
        <exit/>
    </onErrorActionList>
    <ruleList>
        <windowsServiceTest>
            <condition>exists</condition>
            <service>ZSAService</service>
        </windowsServiceTest>
        <fileExists>
            <path>${installdir}\ZSAService\ZSAService.exe</path>
        </fileExists>
    </ruleList>
</runProgram>
- It seems to run ZSAService.exe to check the password against the encrypted one in the registry. It can do this without an internet connection, so maybe the static key is in the binary? The IV/salt is also in the registry.
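
Added example (not part of the original gist and not Zscaler code): a detection sketch that flags the two registry signals the notes above expose, namely removal of UninstallPassword and UninstallExitCode being set to 1 on the "Incorrect Password." path. It assumes registry telemetry with Sysmon-style fields (EventID 12/13, EventType, TargetObject, Details); the sample events, image paths and the uninstall.exe name are constructed placeholders, and the WOW6432Node handling is an assumption for 32-bit writers.

```python
import re

# Key path taken from the page, in the short hive form Sysmon-style logs use.
KEY = r"HKLM\SOFTWARE\Zscaler Inc.\Zscaler"

# Constructed sample records. Field names follow Sysmon registry events
# (ID 12 = object create/delete, ID 13 = value set); image paths are placeholders.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-01 10:00:00", "EventID": 13, "EventType": "SetValue",
     "Image": r"C:\<installdir>\ZSAService\ZSAService.exe",
     "TargetObject": KEY + r"\UninstallPassword", "Details": "<constructed>"},
    {"UtcTime": "2024-01-01 10:05:00", "EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Zscaler Inc.\Zscaler\UninstallPassword"},
    {"UtcTime": "2024-01-01 10:06:00", "EventID": 13, "EventType": "SetValue",
     "Image": r"C:\<installdir>\uninstall.exe", "Details": "1",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Zscaler Inc.\Zscaler\UninstallExitCode"},
    {"UtcTime": "2024-01-01 10:07:00", "EventID": 12, "EventType": "DeleteValue",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\UninstallPassword"},
]

def canonical(target):
    """Normalise hive spelling, case and the WOW6432Node redirect (32-bit writers)."""
    t = re.sub(r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\", target.strip(), flags=re.I)
    t = re.sub(r"^(HKLM\\SOFTWARE\\)WOW6432Node\\", r"\1", t, flags=re.I)
    return t.lower()

def classify(event):
    """Return a finding name for one registry event, or None if it is not of interest."""
    target, key = canonical(event.get("TargetObject", "")), KEY.lower()
    eid, etype = event.get("EventID"), event.get("EventType", "")
    # The protected value (or the whole key) was deleted, whatever process did it.
    if eid == 12 and etype in ("DeleteValue", "DeleteKey"):
        if target in (key, key + "\\uninstallpassword"):
            return "uninstall-password-removed"
    # The uninstaller's error path writes UninstallExitCode = "1" (REG_SZ).
    if eid == 13 and target == key + "\\uninstallexitcode":
        if event.get("Details", "").strip() == "1":
            return "uninstall-password-check-failed"
    return None

def scan(events):
    """Return (time, image, finding) for every event that matches a rule."""
    return [(e["UtcTime"], e["Image"], f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    for when, image, finding in scan(SAMPLE_EVENTS):
        print(f"{when}  {finding}  by {image}")
```

Either finding followed by the ZSAService service disappearing from the host is worth correlating in the SIEM, since the agent rewriting its own values (first sample event) is normal and is deliberately not flagged.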