Refactor uninstall on Windows

[swiatekm]

What does this PR do?

Refactors how we uninstall Elastic Agent on Windows. The essential problem is that we want to delete an executable file that is running the uninstall command itself, which is not allowed on Windows. We used to have a workaround involving NTFS Alternative Data Streams, which unfortunately stopped working in Go 1.25 due to changes to os.RemoveAll. See the linked issue for details.

The workaround for the Go 1.25 upgrade was to fall back to the Go 1.24 implementation of os.RemoveAll. In this PR, I'd like to propose an alternative way of carrying out the executable deletion that doesn't depend so much on Windows filesystem particulars.

My proposal to fix this is to delete everything we can, rename and move the executable to the root path, and mark it for deletion on reboot. We also make sure to delete this renamed executable path on install to avoid leaving more than one after repeated install/uninstall chains without reboots. Throughout, we emit warnings for the user in case they prefer to manually delete the remaining data.

Potential problems:

• We're leaving a large executable behind after uninstall, which users may not be happy about. We are emitting a warning about it, and clean up on install, so blast radius should be limited.

Why is it important?

The uninstall process shouldn't depend on implementation details of the Go standard library and should ideally be easy to understand without detailed knowledge of Windows syscalls and filesystem semantics.

Checklist

• I have read and understood the pull request guidelines of this project.
• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
  - [ ] I have added an integration test or an E2E test

Disruptive User Impact

After uninstalling, the agent binary now continues to exist on disk until the next reboot, though it's safe to manually delete.

How to test this PR locally

Build agent, install it on Windows, then uninstall.

Related issues

• Closes Troubleshoot and refactor uninstall on Windows with Go 1.25+ #13156

[mergify]

This pull request does not have a backport label. Could you fix it @swiatekm? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #10156. Mergify cannot evaluate rules on this PR. Once #10156 is merged or closed, Mergify will resume processing this PR. ⚠️

[VihasMakwana]

/test

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fix/bump-golang-1.25.1 upstream/fix/bump-golang-1.25.1
git merge upstream/main
git push upstream fix/bump-golang-1.25.1

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[ebeahan]

@blakerouse can you take a look at these changes?

[michalpristas]

nice PR @swiatekm
seems it works ok

[michalpristas]

maybe worth a comment that passing a nil as destination will schedule it for deletion.
it is documented in a syscall page, but it would be better to have it duplicated here so not involved person passing by understands on first read

[leehinman]

LGTM

[swiatekm]

@blakerouse if we want to ensure the versioned path is deleted on reboot, we could rename the whole path instead of just the executable. Then there's no problem if the same version is subsequently reinstalled, as the scheduled delete is for the renamed path. Does that sound better?

[blakerouse]

@swiatekm Yeah I prefer that.

[github-actions]

TL;DR

golangci-lint failed in lint (windows-latest) because scheduleDeleteOnReboot returns nil from a filepath.WalkDir error callback, which triggers nilerr (internal/pkg/agent/install/uninstall_windows.go:78). Replace that return nil with a non-nil error path.

Remediation

• In internal/pkg/agent/install/uninstall_windows.go (scheduleDeleteOnReboot), change the callback branch:
  • from: if err != nil { return nil // skip inaccessible entries }
  • to: return a non-nil value (for example return err), or explicitly handle/log and return a wrapped non-nil error if you want to fail uninstall scheduling clearly.
• Re-run the golangci-lint workflow for this PR after the change.

Investigation details

Root Cause

The Windows-only code in scheduleDeleteOnReboot uses filepath.WalkDir. In the callback, when err != nil, it currently returns nil, which satisfies the nilerr lint rule condition (“error is not nil but returns nil”).

Evidence

• Workflow: https://github.com/elastic/elastic-agent/actions/runs/24134356891
• Job/step: lint (windows-latest) → golangci-lint
• Key log excerpt:

##[error]internal\pkg\agent\install\uninstall_windows.go:78:4: error is not nil (line 76) but it returns nil (nilerr)
		return nil // skip inaccessible entries
##[error]issues found

• Affected code at PR head (2ce5852185daaf9e535348a6f40e49012701f7c6): internal/pkg/agent/install/uninstall_windows.go around lines 76-79.

Validation

• Not run locally in this workflow context (read-only investigation).

Follow-up

• I could not reliably read prior PR comments in this environment due integrity restrictions, so I could not compare this diagnosis against the latest prior detective report.

Note

🔒 Integrity filtering filtered 3 items

Integrity filtering activated and filtered the following items during workflow execution.
This happens when a tool call accesses a resource that does not meet the required integrity or secrecy level of the workflow.

• pr:Refactor uninstall on Windows #13106 (pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• resource:get_job_logs (get_job_logs: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)
• issue:elastic/elastic-agent#unknown (search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".)

---

What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[swiatekm]

Renaming the whole versioned directory ran into permission problems in some circumstances. I've settled on moving the executable to the root install path and cleaning it up on install. As a result, we only leave the root path and the executable after an uninstall on Windows.

[cmacknz]

My proposal to fix this is to delete everything we can, rename and move the executable to the root path, and mark it for deletion on reboot. We also make sure to delete this renamed executable path on install to avoid leaving more than one after repeated install/uninstall chains without reboots. Throughout, we emit warnings for the user in case they prefer to manually delete the remaining data.

What are the cons of continuing to use the Go 1.24 and prior approach? Which as far as we have seen does not have the chance that user has to manually clean up.

This new solution in it's latest iteration is slightly less complex but has a chance of failure that I don't think existed before. I am not totally sold it's worth the risk to make this change but could be convinced otherwise.

[elasticmachine]

⏳ Build in-progress, with failures

• Buildkite Build
• Commit: 4e60991

Failed CI Steps

• Win2022:sudo:fleet
• x86_64:non-sudo: default
• x86_64:sudo: default
• x86_64:sudo: fleet-endpoint-security
• x86_64:sudo: fleet-airgapped-privileged
• x86_64:sudo: fleet-upgrade-to-pr-build
• x86_64:sudo: deb
• arm:sudo: default
• x86_64:non-sudo: default - platform-ingest-elastic-agent-debian-11-1772525581
• x86_64:non-sudo: default - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo: default - platform-ingest-elastic-agent-debian-11-1772525581
• x86_64:sudo: fleet - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo: fleet-endpoint-security - platform-ingest-elastic-agent-debian-11-1772525581
• x86_64:sudo: fleet-endpoint-security - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo: fleet-airgapped - platform-ingest-elastic-agent-debian-11-1772525581
• x86_64:sudo: fleet-airgapped - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo: fleet-airgapped - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo: fleet-airgapped-privileged - platform-ingest-elastic-agent-debian-11-1772525581
• x86_64:sudo: fleet-airgapped-privileged - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo: fleet-privileged - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo: deb - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo: container - platform-ingest-elastic-agent-debian-11-1772525581
• x86_64:sudo: container - platform-ingest-elastic-agent-debian-13-1772525581
• x86_64:sudo:rpm - platform-ingest-elastic-agent-rhel-10-1772525581
• :open-pull-request: :kubernetes: v1.34.0:amd64:basic
• :open-pull-request: :kubernetes: v1.27.16:amd64:slim
• :open-pull-request: :kubernetes: v1.27.16:amd64:complete
• :open-pull-request: :kubernetes: v1.27.16:amd64:wolfi
• :open-pull-request: :kubernetes: v1.34.0:amd64:wolfi

History

• 💔 Build #37052 failed 6ddae7e
• 💛 Build #37026 was flaky affd03c
• 💔 Build #36987 failed c19d0cd
• 💔 Build #36967 failed 00e0fe3

cc @swiatekm

[swiatekm]

My proposal to fix this is to delete everything we can, rename and move the executable to the root path, and mark it for deletion on reboot. We also make sure to delete this renamed executable path on install to avoid leaving more than one after repeated install/uninstall chains without reboots. Throughout, we emit warnings for the user in case they prefer to manually delete the remaining data.

What are the cons of continuing to use the Go 1.24 and prior approach? Which as far as we have seen does not have the chance that user has to manually clean up.

This new solution in it's latest iteration is slightly less complex but has a chance of failure that I don't think existed before. I am not totally sold it's worth the risk to make this change but could be convinced otherwise.

The con is what caused us to take so much time to diagnose the Go 1.25 breakage: The current implementation is effectively coupled to implementation details of os.Remove and similar library functions. The ADS rename trick we use requires that the files and directories are deleted using particular Windows syscalls.

I'd also accept changing the current implementation to explicitly use those syscalls to avoid future breakage. Then we'd be on the hook for maintaining it, but at least it'd be clear what is necessary for the logic to work.

Separately, I find the approach in this PR easier to understand in general. I can also try the alternative and we can see how ugly it is.

[cmacknz]

The con is what caused us to take so much time to diagnose the Go 1.25 breakage: The current implementation is effectively coupled to implementation details of os.Remove and similar library functions. The ADS rename trick we use requires that the files and directories are deleted using particular Windows syscalls.

I'd also accept changing the current implementation to explicitly use those syscalls to avoid future breakage. Then we'd be on the hook for maintaining it, but at least it'd be clear what is necessary for the logic to work.

Separately, I find the approach in this PR easier to understand in general. I can also try the alternative and we can see how ugly it is.

I am much more concerned about making sure it works correctly than about how ugly it looks, we have broken the windows uninstall in the past so I more conservative here than in other places.

Replicating what os.Remove does with the system calls directly and clearly documenting it sounds fine to me. I do like the delete on reboot approach as a way to completely avoid dealing with the "Access is denied" failure mode trying to remove a running binary, but I don't love any change that would regularly leave files behind if there's a way to avoid that.

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b fix/bump-golang-1.25.1 upstream/fix/bump-golang-1.25.1
git merge upstream/main
git push upstream fix/bump-golang-1.25.1

[swiatekm]

Closing in favor of #13710.