Unable to remove the NSX Introspection Drivers with the VMware Tools Installer
search cancel

Unable to remove the NSX Introspection Drivers with the VMware Tools Installer

book

Article ID: 390550

calendar_today

Updated On:

Products

VMware vSphere ESXi 7.0 VMware vSphere ESXi 8.0

Issue/Introduction

This article assists with removing NSX introspection drivers from your Windows Machines using the VMware Tools installer.

Symptoms :

  • The NSX Introspection Drivers are not detected by the VMware Tools Installer.
  • Unchecking the NSX Introspection drivers while using "Change" option under VMware Tools on "Programs and Features" does not remove the drivers.
  • Upgrading the VMware Tools version and using the "Modify" option and unchecking the NSX Introspection drivers does not remove the drivers.
  • Security Identity Alerts from CrowdStrike for the path "c:\windows\system32\drivers\vnetwfp.sys" may be received.
  • Logs may show that no installation was detected 
    2024-11-12T02:14:46.651-06:00| tools-build-20735119| I0: Current vnetWFP_Win7.installed: (null)
2024-11-12T02:14:46.651-06:00| tools-build-20735119| I0: Writing vnetWFP_Win7.installed = FALSE
2024-11-12T02:14:46.651-06:00| tools-build-20735119| I0: Current vnetWFP_Win8.installed: (null)
2024-11-12T02:14:46.651-06:00| tools-build-20735119| I0: Writing vnetWFP_Win8.installed = FALSE
2024-11-12T02:14:46.651-06:00| tools-build-20735119| I0: Current vnetWFP_Win10.installed: (null)
2024-11-12T02:14:46.651-06:00| tools-build-20735119| I0: Writing vnetWFP_Win10.installed = FALSE

To check VMware Tools installer logs, refer KB VMware Tools upgrader and installer logs

Environment

VMware vSphere ESXi 7.0
VMware vSphere ESXi 8.0 

Cause

This is due to older releases of NSX Introspection Drivers being present within the VM that cannot be detected on newer releases of VMware Tools.

To verify this, you may use the below steps

  1. Go to the path C:\windows\system32\drivers\
  2. Look for the driver "vnetwfp"
  3. Right click and Click on Properties and then Details
  4. You will be able to see the version and build here

Resolution

To remove the drivers completely, use the below steps to install a newer version of the driver so that it can be detected and removed.

  1. Go to Programs and Features on the Windows Machine
  2. Click on VMware Tools > Change
  3. Check the box next to NSX Introspection Drivers to install the latest version
  4. Once installed , check the driver version
  5. Once updated , repeat Step 2 and Uncheck the drivers.
  6. The vnetwfp driver will be deleted successfully.

Additional Information

To verify the driver presence :

Start a PowerShell Session and Check if the Service is Present :

Get-Service -Name vnetWFP

Check if the Driver is Still present within the Driver Path :

$drivers = @("vnetflt.sys", "vnetWFP.sys", "vsepflt.sys")
$driverPaths = @()

foreach ($driver in $drivers) {
    $path = Get-ChildItem -Path "C:\Windows\System32\drivers" -Filter $driver -Recurse -ErrorAction SilentlyContinue
    if ($path) {
        $driverPaths += $path.FullName
    }
}

if ($driverPaths.Count -gt 0) {
    Write-Output "The following VMware Tools drivers are installed on this machine:"
    $driverPaths
} else {
    Write-Output "No VMware Tools drivers found on this machine."
}
Powered by Wolken Software