Hopefully this may help someone:

The drivers are kept in

Program Files\VMware\vShield Endpoint\Drivers\VFileScsiFilter
Program Files\VMware\vShield Endpoint\Drivers\VFileFilter

and also placed into

System32\Drivers\vfilefilter.sys
System32\Drivers\vfilescsifilter.sys

where they are reference by the registry entries. This is the procedure I received from VMware to remove Endpoint Thinagent should it fail to uninstall properly:

Hi Tim,

Here are the keys that need to be removed from the Registry:

HKLM\SYSTEM\CurrentControlSet\Services\VFileFilter

HKLM\SYSTEM\CurrentControlSet\Services\VFileScsiFilter

On top of these two entries two more things need to be removed from the registry. Select "HKLM\SYSTEM\" then clicked "CTRL+F" (find) and searched for the "vfile" string. You should find the vfileScsiFilter mentioned as a lower filter to disk driver class. The registry REG_MULTI_SZ value name is "LowerFilters". Edit it, and remove VFileScsiFilter from the list (probably it will be the only one in the list). Then there will be a LEGACY_VFILEFILTER key. You will need to add a permission to delete this key to whatever user you are logged in as (only SYSTEM has a permission to delete this key by default). After you add the permission you should delete this key.

I would do this for all control sets (CurrentControlSet and whatever other control sets you can find these keys/values).

Message was edited by: Vodder