How to remove Change Guardian for Windows (CGW) from a Security Manager agent computer (NETIQKB71288)

  • 7771288
  • 08-Oct-2008
  • 15-Mar-2013

Environment

Change Guardian for Windows 1.0.x

Change Guardian for Windows 1.1.x

Change Guardian for Windows 1.2.x

Change Guardian for Windows 1.3.x

Change Guardian for Windows 1.4.x

Change Guardian for Windows 2.0

Change Guardian for Windows 2.0 SP1

Situation

Remove Change Guardian for Windows from an agent computer

Resolution

On Change Guardian for Windows 1.4 and Change Guardian for Windows 2.x there is an uninstaller which can be run. The uninstaller is located under NetIQ Security Manager\OnePoint\Providers\<configuration group name>\ChangeGuardianProvider and is named CGWDriverUninstall.EXE.

Once this uninstaller has completed, a reboot is required.

Follow the steps below to modify Security Manager to allow you to exclude agent computers from CGW 1.0, 1.1, 1.2 or 1.3. This exclusion also applies to CGW 1.4, but it is preferable to run the uninstaller to remove CGW from the already deployed machines:


I)  Open the Development Console (modify rules to allow for computer exclusions).
        - Click on Computer Groups
        - Copy the "Windows 2003 Any Computer" group
        - Right click and Paste
        - Find the "Copy of Windows 2003 Any Computer" group
        - Open the properties of the group
                - Rename the group to "Change Guardian for Windows"
                - Modify the Description (e.g., "Any Windows 2003 Computers to install CGW on")
                - Select the "Exclude Computers" tab
                - Add the computers you DO NOT want CGW installed on.
                - Click Apply and OK

        - Open the "Processing Rule Groups" (PRG) on the left
        - Open the properties of the "Change Guardian for Windows" PRG.
                - Select the "Computer Groups" tab
                - Remove the "Windows 2003 Any Computer" computer group.
                - If not present, add the "Change Guardian for Windows" computer group.
                - Click Apply and OK
        - Right click "Configuration" on the left side of the screen
                - Select "Force Configuration Changes Now" (make note of the time) and click OK for all CCs to be updated.

II)  Open the Monitor Console
        - Browse down to Monitor / Security Views / Security Manager Self-Monitoring / Central Computers
          / Central Computer Detected Changes to the Rules (last 24 hours)
        - Monitor until all CCs have received the event generated after the forced configuration change (see the noted time).

III) Items to address per agent (Note: a reboot is required):
        - Stop the Security Manager service on the agent.
        - Delete only the config.cache file found in
          "C:\Documents and Settings\All Users\Application Data\NetIQ\Security Manager\{Configuration Group}".
        - Delete the directory "ChangeGuardianProvider" found in
          "C:\Program Files\NetIQ Security Manager\OnePoint\Providers\{Configuration Group}".
        - Delete the file "ChangeGuardianProvider.cab" if it exists in the IncomingProviders directory.
        - Open REGEDIT and remove the following keys:
                HKEY_LOCAL_MACHINE\SOFTWARE\NetIQ\Change Guardian for Windows
                HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cgwfiltr
                HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cgwfunc_10_....
                HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cgwrec

Note: The cgwfunc registry key name is release dependent, so you will need to locate it. For 1.4, for instance, it will likely look like this:

cgwfunc_10_04_00_00

        - Remove the following files from C:\WINDOWS\system32\drivers
          (on an XP box these file names will have "_xp" at the end):
                cgwfiltr.sys
                cgwfunc_10_00<>.sys
                cgwrec.sys

Note: The cgwfunc driver will be version dependent. It may also be platform dependent. Search for a file that starts with cgwfunc and ends in .sys. Contact Technical Support if you require assistance with the specifics of this file.

        - Restart the target machine and wait until it has rebooted.

Cause

Change Guardian for Windows 1.x deploys to all Windows 2003 servers in a configuration group by default. Change Guardian for Windows 2.0 deploys to all Windows computers in a configuration group by default. This behavior can be modified with the steps in the Resolution section of this article.

Additional Information

Formerly known as NETIQKB71288

You can use the command line tool driverquery to validate whether the driver is loaded. Run driverquery, and then look for cgwfiltr and cgwfunc. If you see either of these, then Change Guardian for Windows is most likely still loaded on the system.
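The following PowerShell script is an added example and not part of the NetIQ article; it turns the per-agent checklist in section III and the driverquery check above into a read-only verification run after the reboot. It assumes Security Manager is installed under the default Program Files path the article quotes and that you replace the $ConfigGroup placeholder with your own configuration group name; nothing is deleted.

```powershell
# Added example, not NetIQ code: report any Change Guardian for Windows remnants
# left after the manual removal in section III. Assumptions: default install
# path under Program Files; $ConfigGroup is a placeholder you must set.
param([string]$ConfigGroup = "<configuration group name>")  # placeholder

$findings = @()

# 1. Registry keys from section III. The cgwfunc key name is release dependent,
#    so it is matched by prefix instead of a fixed name.
foreach ($key in "HKLM:\SOFTWARE\NetIQ\Change Guardian for Windows",
                 "HKLM:\SYSTEM\CurrentControlSet\Services\cgwfiltr",
                 "HKLM:\SYSTEM\CurrentControlSet\Services\cgwrec") {
    if (Test-Path $key) { $findings += "Registry key still present: $key" }
}
$findings += @(Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Services" |
    Where-Object { $_.PSChildName -like "cgwfunc*" } |
    ForEach-Object { "Registry key still present: $($_.Name)" })

# 2. Driver files in system32\drivers. The wildcard covers the version-dependent
#    cgwfunc name and the _xp suffix used on Windows XP.
$driverDir = Join-Path $env:SystemRoot "system32\drivers"
$findings += @(Get-ChildItem -Path $driverDir -Filter "cgw*.sys" -ErrorAction SilentlyContinue |
    ForEach-Object { "Driver file still present: $($_.FullName)" })

# 3. Provider directory and any leftover ChangeGuardianProvider.cab under the
#    Security Manager install root (the cab is searched for, since the article
#    does not give the IncomingProviders path).
$smRoot      = Join-Path $env:ProgramFiles "NetIQ Security Manager"
$providerDir = Join-Path $smRoot "OnePoint\Providers\$ConfigGroup\ChangeGuardianProvider"
if (Test-Path $providerDir) { $findings += "Provider directory still present: $providerDir" }
$findings += @(Get-ChildItem -Path $smRoot -Recurse -Filter "ChangeGuardianProvider.cab" -ErrorAction SilentlyContinue |
    ForEach-Object { "Provider cab still present: $($_.FullName)" })

# 4. Loaded kernel drivers via driverquery, as the article suggests. CSV output is
#    parsed so module names are matched exactly rather than read by eye.
$findings += @(driverquery /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Module Name' -match '^cgw(filtr|func|rec)' } |
    ForEach-Object { "Driver still loaded: $($_.'Module Name') ($($_.'Display Name'))" })

if ($findings.Count -eq 0) {
    "No Change Guardian for Windows remnants found; the removal looks complete."
} else {
    "Change Guardian for Windows remnants detected:"
    $findings | ForEach-Object { "  - $_" }
    "Re-check the matching section III step, then reboot again."
}
```

Run it from an elevated PowerShell prompt on the agent after the reboot; a loaded driver reported by step 4 while the file in step 2 is gone means the system has not actually been restarted since the driver file was removed.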