I currently had to wipe Sysmon from our enterprise environment and wanted to purge/remove all the C:\Sysmon folders off the devices as this pertained to the FileDelete preservation.
However, the issue I have is that, even after takeown and icacls and setting integritylevel, I am unable to locate or unlock these leftover .dll and .exe files that remain in the C:\Sysmon folder. I am getting Access denied, blah blah, due to them being locked to a process. I have used the other tools in the Sysinternals suite to try and track down the handles and locks for these hashed .dll files and I am unable to.
Does anyone have a solution for this, please? I would love to toss out a script to be able to remove this directory once Sysmon has been uninstalled and removed from a system.
Thanks in advance