Because SentinelOne is a security platform (EDR/XDR) designed to resist tampering, this command is not a simple "stop" button and typically requires authorization. Purpose and Functionality command is primarily used by IT administrators for: Troubleshooting:
The unload command stops the SentinelOne Agent services. This is distinct from disabling Anti-Tampering (which is done with the unprotect command) or uninstalling the agent. Unloading is a action; the agent can be restarted later with the corresponding load command.
Backup applications like Veeam rely on VSS. SentinelOne’s boot protection can interfere, causing COM error: Code: 0xd0000022 . To resolve this, you would:
cd "C:\Program Files\SentinelOne\Sentinel Agent \" Use code with caution. Copied to clipboard
Look for the menu or the Endpoint Details pane to find the Passphrase . Copy this code. 2. Open an Elevated Command Prompt Sentinelctl.exe Unload
unload is more aggressive than stop but less permanent than disable . It removes the Sentinel driver from active memory right now but does not modify boot configuration.
Allowing specific system changes (like modifying VSS shadow storage) that the agent might otherwise block. Manual Removal:
Navigate to the SentinelOne installation directory (usually C:\Program Files\SentinelOne\Sentinel Agent [Version]\ ) or simply call the executable if it's in your path. Use the following syntax: sentinelctl.exe unload -k "YOUR_PASSPHRASE_HERE" Use code with caution. The -k flag stands for the "key" or passphrase. 4. Verify the Status
The SentinelOne agent is a software component that runs on endpoints (such as laptops, desktops, and servers) to protect them from various threats, including malware, ransomware, and other types of cyber threats. The agent uses advanced algorithms and machine learning techniques to detect and respond to threats in real-time. Unloading is a action; the agent can be
commands can lead to orphaned agent files or registry keys that require a SentinelOne removal tool
sentinelctl unload -m -a -k "<passphrase>"
sentinelctl reload -m -a -k "passphrase"
| Scenario | Recommendation | |----------|----------------| | Upgrading a kernel-mode driver (e.g., backup filter driver) | – prevents file system conflicts. | | Running a known false-positive application that uses deep system hooks | Disable – less disruptive, agent still reports. | | Performing a memory dump for malware analysis | Unload – eliminates agent interference. | | Deploying a new ransomware decryption tool | Unload – prevents agent from quarantining the tool. | agent still reports.
Why would an administrator deliberately unload the license manager?
The unload argument explicitly instructs the SentinelOne agent to stop its core protection services and detach its anti-malware drivers from the Windows operating system kernel.
C:\Program Files\SentinelOne\Sentinel Agent \sentinelctl.exe Command Prompt PowerShell Administrator to run the commands. 3. Run the Unload Command Use the following syntax to unload the agent. Replace with the key you retrieved in Step 1: sentinelctl.exe unload -a -k " " Use code with caution. Copied to clipboard Common Flags Explained: : Target all agent components. : Specifies the passphrase/token follows. : (Optional) Used to enter maintenance mode. 4. Verify the State
Mastering the SentinelOne CLI: When and How to Use "sentinelctl.exe unload"