A blue screen on your Windows box, is there anyone that has never seen it? One place you don’t want to see this is on your Exchange server.
While upgrading 3 Exchange 2013 CU12 servers for a customer to Exchange 2013 CU15 I experienced a blue screen while updating the UM components, resulting in the following screen:
A quick search on Google (search on “swin1.sys”) revealed that McAfee was the culprit. I’m not a fan of installing (file level) anti-virus software on an Exchange server, and IMHO it’s not needed when you have a properly secured environment.
I was successful installing CU15 on the Edge Transport servers earlier, but it turned out that these servers were not running McAfee software.
Uninstalling the McAfee agent is not a big deal, just a matter of deselecting the server in the EPO console. The McAfee Solidifier didn’t want to uninstall, neither via the EPO console nor via Add/Remove Programs.
According to the McAfee knowledgebase article KB75902 you can uninstall this software using a command line with the following commands:
sc stop scsrvc
sc delete scsrvc
sc delete swin
"\Program Files (x86)\McAfee\Common Framework\Mctray.exe" unloadplugin=scormcpl.dll
del /Q "C:\WINDOWS\system32\drivers\swin.sys"
rmdir /S /Q C:\Solidcore
rmdir /S /Q "C:\Program Files\McAfee\Solidcore"
rmdir /S /Q "C:\ProgramData\McAfee\Solidcore"
reg delete "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\SOLIDCOR5000_WIN" /f
reg delete "HKLM\SOFTWARE\Classes\Installer\Features\4E9BD2348836F234A9BD168E87F25439" /f
reg delete "HKLM\SOFTWARE\Classes\Installer\Products\4E9BD2348836F234A9BD168E87F25439" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{432DB9E4-6388-432F-9ADB-61E8782F4593}" /f
After running these commands and a reboot I was able to finalize the installation of Exchange 2013 CU15.
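A read-only check to run after the reboot and before restarting the CU setup, as an added example that is not part of the original post or the McAfee KB article. It tests only for the services, files, folders and registry keys named in the commands above; the variable names are illustrative, and it assumes an elevated PowerShell session on the affected server.

```powershell
# Added example: read-only check for leftovers of the Solidcore removal.
# Every name, path and key below is copied from the commands in this post.
$serviceNames = 'scsrvc', 'swin'
$fileSystem = @(
    'C:\WINDOWS\system32\drivers\swin.sys',
    'C:\Solidcore',
    'C:\Program Files\McAfee\Solidcore',
    'C:\ProgramData\McAfee\Solidcore'
)
$registry = @(
    'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\SOLIDCOR5000_WIN',
    'HKLM:\SOFTWARE\Classes\Installer\Features\4E9BD2348836F234A9BD168E87F25439',
    'HKLM:\SOFTWARE\Classes\Installer\Products\4E9BD2348836F234A9BD168E87F25439',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{432DB9E4-6388-432F-9ADB-61E8782F4593}'
)

$checks = @()
foreach ($name in $serviceNames) {
    # Win32 services and kernel drivers are both registered under this key,
    # so a surviving key means "sc delete" has not fully taken effect yet.
    $checks += [pscustomobject]@{
        Type = 'Service'
        Item = $name
        Path = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    }
}
foreach ($p in $fileSystem) {
    $checks += [pscustomobject]@{ Type = 'FileSystem'; Item = $p; Path = $p }
}
foreach ($k in $registry) {
    $checks += [pscustomobject]@{ Type = 'Registry'; Item = $k; Path = $k }
}

# -LiteralPath keeps the braces in the Uninstall GUID from being read as wildcards.
$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Type         = $c.Type
        Item         = $c.Item
        StillPresent = Test-Path -LiteralPath $c.Path
    }
}
$results | Format-Table -AutoSize -Wrap

$leftovers = @($results | Where-Object { $_.StillPresent })
if ($leftovers.Count -gt 0) {
    Write-Warning "$($leftovers.Count) Solidcore item(s) still present; review them before rerunning the Exchange CU setup."
} else {
    Write-Output 'No Solidcore leftovers found.'
}
```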