Sentinelctl.exe - Unload

For system administrators, the "unload" command has nuances that can be very useful:

Unlike a simple "stop" command, unload completely removes the SentinelOne kernel extensions (on macOS/Linux) or kernel drivers (on Windows) from the operating system. It effectively makes the agent blind and passive until the next reboot or until a manual load command is issued.

Allowing specific system changes (like modifying VSS shadow storage) that the agent might otherwise block.

Manual Removal: Sentinelctl.exe Unload

sentinelctl status

By default, the agent is installed in the Program Files directory. Use this command:

cd "C:\Program Files\SentinelOne\Sentinel Agent \"

Note: Replace with your specific version number or use to find the exact folder name.

Execute the Unload Command

Run the following command to unload the agent services:

sentinelctl.exe unload -a -k

-a : Unloads the entire agent.
-k : Specifies the passphrase (if required). If you omit it, the system will prompt you to enter it manually.

Verify Status

You can check if the agent is inactive by running:

sentinelctl.exe status

Common Use Cases

Software Conflicts

) will stop running. You can now perform maintenance tasks, such as deleting shadow copies or troubleshooting performance issues.

5. Re-loading the Agent

: Effectively unlocks system files and Volume Shadow Copies (VSS) that the agent normally protects.

Leaves System Vulnerable

-k : Required if anti-tamper is active; followed by the unique Passphrase for the device.

When to Use Sentinelctl.exe Unload