If a machine is experiencing extreme disk space consumption due to VSS Shadow Copies (snapshots), unloading the agent can allow administrators to manually clear shadow storage.
Because SentinelOne includes anti-tampering protection to prevent malware from killing the security process, you cannot simply stop the service from the Windows Services Manager. You must use sentinelctl along with a valid passphrase.
Prerequisites
Without the correct passphrase corresponding to that specific endpoint or policy group, the agent will reject the unload request and log a tamper attempt.
Step-by-Step Guide: How to Run Sentinelctl.exe Unload
: Most SentinelOne policies have "Self-Protection" enabled. You will likely need the passphrase
Sentinelctl.exe Unload
unload is more aggressive than stop but less permanent than disable. It removes the Sentinel driver from active memory right now but does not modify boot configuration.
The tool is a powerful command-line utility used to manage the SentinelOne Agent on individual endpoints. The "unload" command specifically stops the agent's protection and services, which is typically required for troubleshooting or complete removal.
Core Function: sentinelctl.exe unload
In rare instances, digital forensics and incident response (DFIR) professionals might need to unload the agent to perform low-level disk geometry changes or specialized memory dumps that the agent's self-protection mechanisms would otherwise block.
Security Safeguards: The Passphrase Requirement
Risks and pitfalls
sentinelctl.exe unload MyApp -f
| Error Message | Likely Cause | Solution |
|---------------|--------------|----------|
| Access denied (5) | Not running as admin/root | Elevate your shell. |
| Invalid token | Wrong site token | Re-copy token from console. |
| Tamper Protection blocks unload | Tamper on | Disable via console first. |
| Unload not supported on this OS version | Legacy or mismatched agent | Update agent or check OS compatibility matrix. |
| Failed: Dependency service running | Other security products hooked same kernel driver | Unload conflicting filter drivers first. |
sentinelctl status
The unload command should only be used by IT professionals, as it leaves the computer vulnerable to threats while the agent is inactive.
Once your maintenance is complete, don't forget to restart the agent. You can do this with the inverse command:
sentinelctl.exe load
Best Practices for Security
SentinelOne space issues (Shadow Copy)
Simply typing sentinelctl.exe unload as an admin will fail 99% of the time. Here is what is required: