This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

MacOS uninstall password reset

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MacOS uninstall password reset

ThisizAmen
L1 Bithead

‎05-05-2026 03:15 AM

Greetings!

 

I have a problem about Cortex XDR uninstall password in MacOS. The agent got corrupted while upgrading and from then on it is not upgrading to a new version thats why i was trying to uninstall cortex agent then reinstall new one.

 


sudo "/Library/Application Support/PaloAltoNetworks/Traps/bin/cortexxdruninstaller_tool"

 

I used this command and for the uninstall password i tried Password1 as this is the default one but didn't work (Get the error this password is not correct) then i updated uninstall password within the agent configuration and global agent configuration but after all i was unable to delete it.

 

Cortex XDR 

Best Regards,
Amin Gurbanli,
SOC T2 Team Lead
Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
0 Likes Likes
3 REPLIES 3

susekar
L5 Sessionator

‎05-05-2026 06:48 AM

Hello @ThisizAmen ,

 

Greetings for the day.

 

When a Cortex XDR agent becomes corrupted during an upgrade, it often loses communication with the management console. Because of this, any password changes you make in the console will not sync to the endpoint, and the agent will continue to require the password it last received or revert to the default. Additionally, if the installation folder is damaged, the uninstaller itself may fail to validate credentials correctly.

 

We recommend we try the following steps to reset the local configuration and attempt a removal with a default password.

Method 1: Resetting Local Databases via Terminal
This method attempts to clear the local settings so the agent reverts to a default state.

  1. Open the Terminal application on the Mac.
  2. Unload the agent daemon by running the following command:
    sudo launchctl unload /Library/LaunchDaemons/com.paloaltonetworks.trapsd.plist
  3. Remove the local database files that store the configuration and password hashes:
    sudo rm /Library/Application\ Support/PaloAltoNetworks/Traps/db/agentsettings.db
    sudo rm /Library/Application\ Support/PaloAltoNetworks/Traps/db/cloudfrontend.db
  4. Reload the agent daemon:
    sudo launchctl load /Library/LaunchDaemons/com.paloaltonetworks.trapsd.plist
  5. Attempt to run the uninstaller tool again. When it asks for a password, try using the default: Password1
    sudo /Library/Application\ Support/PaloAltoNetworks/Traps/bin/cortexxdruninstaller_tool Password1

Method 2: Manual Removal via Recovery Mode
If Method 1 fails (often due to Tamper Protection), we must bypass the agent's protection by using macOS Recovery Mode.

  1. Restart the Mac and boot into Recovery Mode (Hold Command+R for Intel Macs, or hold the Power button for Apple Silicon Macs).
  2. Once in the Utilities menu, open Terminal.
  3. You will need to delete the agent's service user configuration. Run the following command (replace [DISKNAME] with your drive name, usually Macintosh HD):
    rm -f /Volumes/[DISKNAME]/private/var/db/dslocal/nodes/Default/users/trapspanw.plist
  4. Exit Terminal and restart the Mac normally.
  5. Once the Mac boots back up, open a standard Terminal and delete the service account from the system:
    sudo /usr/bin/dscl . -delete /Users/trapspanw

After completing these steps, the agent's core identity will be removed, allowing you to either run the uninstaller or manually delete the /Library/Application Support/PaloAltoNetworks/ folder.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

 

0 Likes Likes

ThisizAmen
L1 Bithead
In response to susekar

‎05-05-2026 06:52 AM

Thank you for your response @susekar !

 

Right now i am unable to test this let me try these tomorrow and i will let you  know if it's worked or not.

 

Best Regards,
Amin Gurbanli,
SOC T2 Team Lead

susekar
L5 Sessionator
In response to ThisizAmen

‎05-05-2026 06:56 AM

Sure!! @ThisizAmen 

0 Likes Likes
  • 68 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks