#Requires -RunAsAdministrator
<#
.SYNOPSIS
Force removes Webroot SecureAnywhere remnants.
.DESCRIPTION
Designed to be run in Safe Mode. Performs process termination, uninstall attempt,
service removal, registry cleanup, and filesystem cleanup with existence checks.
#>
#region Guardrails
function Test-IsAdmin {
    <#
    .SYNOPSIS
    Reports whether the identity running this script is in the built-in Administrators role.
    .OUTPUTS
    System.Boolean. The result of WindowsPrincipal.IsInRole for the Administrator role.
    #>
    $Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $Principal = [Security.Principal.WindowsPrincipal] $Identity
    $AdminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    return $Principal.IsInRole($AdminRole)
}
function Test-IsSafeMode {
    <#
    .SYNOPSIS
    Reports whether the SafeBoot\Option registry key can be read.
    .DESCRIPTION
    Returns $true when Get-ItemProperty yields an object for
    HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option and $false when it
    yields nothing. Read errors are suppressed, so a failed read also gives $false.
    .OUTPUTS
    System.Boolean
    #>
    $SafeBootOption = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option" -ErrorAction SilentlyContinue
    return ($null -ne $SafeBootOption)
}
# Hard stop: every later step writes to HKLM, services and Program Files,
# so the script exits with status 1 when it is not elevated.
$Elevated = Test-IsAdmin
if (-not $Elevated) {
    Write-Output "ERROR: Script must be run as Administrator."
    exit 1
}

# Advisory only: outside Safe Mode the script still runs, but it warns that
# the cleanup may be incomplete.
$InSafeMode = Test-IsSafeMode
if (-not $InSafeMode) {
    Write-Output "WARNING: System is not in Safe Mode. Cleanup may be incomplete."
}
#endregion
#region Helper Functions
function Remove-RegistryKey {
    <#
    .SYNOPSIS
    Recursively deletes a registry key if it exists.
    .PARAMETER Path
    Provider path of the key (for example an HKLM:\ path).
    .NOTES
    Deletion errors are suppressed (-ErrorAction SilentlyContinue), so the
    "Removing" message announces the attempt and does not confirm that it worked.
    #>
    param ([string]$Path)

    # Nothing to do, and nothing to print, when the key is absent.
    if (-not (Test-Path $Path)) {
        return
    }

    Write-Output "Removing registry key: $Path"
    Remove-Item -Path $Path -Recurse -Force -ErrorAction SilentlyContinue
}
function Remove-Folder {
    <#
    .SYNOPSIS
    Recursively deletes a folder if it exists.
    .PARAMETER Path
    Filesystem path of the folder to delete.
    .NOTES
    Deletion errors are suppressed (-ErrorAction SilentlyContinue); files that
    are locked or otherwise undeletable are left behind without any message.
    #>
    param ([string]$Path)

    $FolderPresent = Test-Path $Path
    if (-not $FolderPresent) {
        return
    }

    Write-Output "Removing folder: $Path"
    Remove-Item -Path $Path -Recurse -Force -ErrorAction SilentlyContinue
}
function Remove-ServiceSafe {
    <#
    .SYNOPSIS
    Disables, stops and deletes a service, then removes its leftover registry key.
    .PARAMETER Name
    Service name (the key name under HKLM:\SYSTEM\CurrentControlSet\Services).
    .NOTES
    Every step suppresses its errors, and the sc.exe output is discarded, so a
    step that fails is not reported. The registry key removal runs even when
    the WMI lookup finds nothing.
    #>
    param ([string]$Name)

    # NOTE(review): $Name is interpolated into the WQL filter; this script only
    # passes fixed service names. If the WMI query itself fails, the disable /
    # stop / delete steps are skipped and only the registry key is removed.
    $WmiService = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue

    if ($null -ne $WmiService) {
        # Disable first so the service is not restarted between stop and delete.
        Write-Output "Disabling service: $Name"
        Set-Service -Name $Name -StartupType Disabled -ErrorAction SilentlyContinue

        Write-Output "Stopping service: $Name"
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue

        Write-Output "Deleting service via sc.exe: $Name"
        sc.exe delete $Name | Out-Null
    }

    # Remove whatever is left of the service definition in the registry.
    $SvcRegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $KeyStillPresent = Test-Path $SvcRegPath
    if ($KeyStillPresent) {
        Write-Output "Removing remaining service registry key: $SvcRegPath"
        Remove-Item -Path $SvcRegPath -Recurse -Force -ErrorAction SilentlyContinue
    }
}
#endregion
#region Kill Processes First
# Terminate the listed processes before anything else is attempted.
# Names with no running instance are skipped silently.
$Processes = @("WRSA","WRSVC","WRCore","WRSkyClient")
foreach ($Proc in $Processes) {
    $Running = @(Get-Process -Name $Proc -ErrorAction SilentlyContinue)
    foreach ($Instance in $Running) {
        Write-Output "Killing process: $($Instance.Name)"
        $Instance.Kill()
    }
}
#endregion
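#region Attempt Official Uninstall
# Run the product's own uninstaller from each install location that exists.
#
# The variable name "ProgramFiles(x86)" contains parentheses, so it must be
# written as ${Env:ProgramFiles(x86)}. In "$Env:ProgramFiles(x86)\..." only
# $Env:ProgramFiles is expanded and "(x86)" is appended as literal text,
# giving a path that never exists, so the 32-bit location was skipped.
$ProgramFilesX86 = ${Env:ProgramFiles(x86)}
$WrsaPaths = @(
    "$Env:ProgramFiles\Webroot\WRSA.exe",
    # Emit the x86 entry only when the variable is set, so an empty value
    # cannot turn this into a drive-rooted "\Webroot\WRSA.exe".
    $(if ($ProgramFilesX86) { "$ProgramFilesX86\Webroot\WRSA.exe" })
)
foreach ($Wrsa in $WrsaPaths) {
    if (Test-Path $Wrsa) {
        Write-Output "Attempting uninstall via: $Wrsa"
        # -Wait blocks until the uninstaller exits; its exit code is not checked.
        Start-Process -FilePath $Wrsa -ArgumentList "-uninstall -quiet" -Wait -ErrorAction SilentlyContinue
    }
}
#endregion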
#region Services
# Services handed to Remove-ServiceSafe. The same list is reused later for the
# per-ControlSet registry cleanup and for the final verification.
$ServiceNames = @(
    "WRSVC",
    "WRCoreService",
    "WRkrn",
    "WRBoot",
    "wrUrlFlt",
    "WRSkyClient"
)
$ServiceNames | ForEach-Object {
    Remove-ServiceSafe -Name $_
}
#endregion
#region Registry Cleanup
# Every key under HKLM:\SYSTEM whose name contains "ControlSet"
# (CurrentControlSet and the numbered sets), captured before anything is deleted.
$ControlSets = Get-ChildItem "HKLM:\SYSTEM" | Where-Object { $_.Name -like "*ControlSet*" }

# Product keys in the native and WOW6432Node views, plus the WRUNINST uninstall entries.
$RegKeys = @(
    "HKLM:\SOFTWARE\WRData",
    "HKLM:\SOFTWARE\WRMIDData",
    "HKLM:\SOFTWARE\WRCore",
    "HKLM:\SOFTWARE\webroot",
    "HKLM:\SOFTWARE\WOW6432Node\WRData",
    "HKLM:\SOFTWARE\WOW6432Node\WRMIDData",
    "HKLM:\SOFTWARE\WOW6432Node\WRCore",
    "HKLM:\SOFTWARE\WOW6432Node\webroot",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST"
)
$RegKeys | ForEach-Object {
    Remove-RegistryKey -Path $_
}

# Remove each service's key from every control set, not only the current one.
foreach ($CS in $ControlSets) {
    $ServicesRoot = "$($CS.PSPath)\Services"
    foreach ($Svc in $ServiceNames) {
        Remove-RegistryKey -Path "$ServicesRoot\$Svc"
    }
}
#endregion
#region Startup Entries
# Delete Run values whose data mentions the product.
# NOTE(review): the match is a substring regex over the value data, so any
# Run entry whose command line contains "Webroot" or "WRSA" is removed.
$StartupPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($Path in $StartupPaths) {
    if (-not (Test-Path $Path)) {
        continue
    }

    $Props = Get-ItemProperty -Path $Path
    foreach ($Prop in $Props.PSObject.Properties) {
        $MentionsProduct = $Prop.Value -match "Webroot|WRSA"
        if (-not $MentionsProduct) {
            continue
        }

        Write-Output "Removing startup entry '$($Prop.Name)' from $Path"
        Remove-ItemProperty -Path $Path -Name $Prop.Name -ErrorAction SilentlyContinue
    }
}
#endregion
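#region Filesystem Cleanup
# Folders removed recursively by Remove-Folder when they exist.
#
# "ProgramFiles(x86)" must be written as ${Env:ProgramFiles(x86)}. In
# "$Env:ProgramFiles(x86)\Webroot" only $Env:ProgramFiles is expanded and
# "(x86)" is appended as literal text, so the 32-bit folder was never matched.
$ProgramFilesX86 = ${Env:ProgramFiles(x86)}

# The Start Menu folder name is reported both with and without a trademark sign.
# The sign is built from its code point so the script file stays plain ASCII
# and parses the same way whatever encoding it is saved in.
$TrademarkSign = [char]0x2122

$Folders = @(
    "$Env:ProgramData\WRData",
    "$Env:ProgramData\WRCore",
    "$Env:ProgramFiles\Webroot",
    # Emit the x86 entry only when the variable is set, so an empty value
    # cannot turn this into a drive-rooted "\Webroot" and delete that instead.
    $(if ($ProgramFilesX86) { "$ProgramFilesX86\Webroot" }),
    "$Env:ProgramFiles\Common Files\Webroot",
    "$Env:ProgramData\Microsoft\Windows\Start Menu\Programs\Webroot SecureAnywhere",
    "$Env:ProgramData\Microsoft\Windows\Start Menu\Programs\OpenText Core Endpoint Protection",
    "$Env:ProgramData\Microsoft\Windows\Start Menu\Programs\OpenText$TrademarkSign Core Endpoint Protection"
)
foreach ($Folder in $Folders) {
    Remove-Folder -Path $Folder
}
#endregion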
#region Uninstall Entry Scan
# Remove any Add/Remove Programs entry whose DisplayName contains "Webroot",
# in both the native and the WOW6432Node uninstall lists.
$UninstallRoots = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
foreach ($Root in $UninstallRoots) {
    $Entries = @(Get-ChildItem $Root -ErrorAction SilentlyContinue)
    foreach ($Entry in $Entries) {
        $Props = Get-ItemProperty $Entry.PsPath -ErrorAction SilentlyContinue

        # Entries without a DisplayName are left alone.
        if ($null -eq $Props.DisplayName) {
            continue
        }
        if (-not ($Props.DisplayName -match "Webroot")) {
            continue
        }

        Write-Output "Removing uninstall entry: $($Props.DisplayName)"
        Remove-Item -Path $Entry.PsPath -Recurse -Force -ErrorAction SilentlyContinue
    }
}
#endregion
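#region Verification
function Test-ScQueryFoundService {
    <#
    .SYNOPSIS
    Decides from "sc.exe query" output whether the queried service still exists.
    .PARAMETER QueryOutput
    The lines written by "sc.exe query <name>".
    .OUTPUTS
    System.Boolean. $false when there is no output or when the output contains
    "FAILED 1060" (service does not exist); $true otherwise.
    .NOTES
    The lines are joined before matching. Applying -notmatch to the array of
    lines returns every line that lacks the text, which is non-empty (truthy)
    even for a missing service, so every service was reported as remaining.
    #>
    param ([string[]]$QueryOutput)

    $Text = ($QueryOutput -join "`n").Trim()
    if (-not $Text) {
        return $false
    }
    return ($Text -notmatch "FAILED 1060")
}

# Ask the service control manager about each name. A service that still
# answers is reported as pending removal until reboot.
$RemainingServices = @()
foreach ($Svc in $ServiceNames) {
    $Query = sc.exe query $Svc 2>$null
    if (Test-ScQueryFoundService -QueryOutput $Query) {
        $RemainingServices += $Svc
    }
}
if ($RemainingServices.Count -gt 0) {
    Write-Output "NOTICE: Services pending removal until reboot:"
    $RemainingServices | ForEach-Object { Write-Output " - $_" }
    Write-Output "Reboot is required to complete removal."
} else {
    Write-Output "Verification passed: No remaining Webroot services detected."
}
#endregion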
# Final status line. The script always asks for a reboot and exits with status 0,
# whatever the verification step reported.
$CompletionMessage = "Webroot cleanup completed. Please reboot the computer."
Write-Output $CompletionMessage
exit 0
@axiomcs78 thanks for that. Here's that converted into PowerShell, I haven't tested it yet.
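# Show Webroot-related registry keys and optionally remove them
#
# Each entry is a provider-qualified path (Registry::HKEY_...). A bare
# "HKLM\..." string is treated by Test-Path and Remove-Item as a relative
# filesystem path, so nothing would ever be found. PowerShell also defines no
# HKCR: or HKU: drive by default, which is why the full hive names are used.
#
# NOTE(review): several entries look specific to the machine the scan was run
# on (the S-1-5-21-...-1004 user SID, the NotifyIconSettings and AppId_Catalog
# identifiers, the Installer\Products code) - confirm them on the target machine.
# NOTE(review): Run\AutorunsDisabled is deleted as a whole key. It may also hold
# disabled startup entries that have nothing to do with Webroot - check its
# contents before answering Y at the prompt.
$Keys = @(
    'Registry::HKEY_CLASSES_ROOT\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList',
    'Registry::HKEY_CLASSES_ROOT\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList\Net',
    'Registry::HKEY_CURRENT_USER\Control Panel\NotifyIconSettings\13912443615532443305',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList\Net',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2E4983EB',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRCore',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRCoreService',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRSkyClient',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRSVC',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2E4983EB',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WRCore',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WRCoreService',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WRSkyClient',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WRSVC',
    'Registry::HKEY_USERS\S-1-5-21-2943901566-3547865535-3987560582-1004\Control Panel\NotifyIconSettings\13912443615532443305'
)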
# Build one row per candidate key, recording whether Test-Path finds it.
$Existing = foreach ($Key in $Keys) {
    $Found = if (Test-Path $Key) { 'Yes' } else { 'No' }
    [PSCustomObject]@{
        KeyPath = $Key
        Exists  = $Found
    }
}

# Show every row, present or not, so the operator can review the list
# before anything is deleted.
$Existing | Format-Table -AutoSize
# Prompt user before deletion
$Confirm = Read-Host "Remove existing keys listed above? (Y/N)"
if ($Confirm -eq 'Y') {
foreach ($Item in $Existing) {
if ($Item.Exists -eq 'Yes') {
try {
Remove-Item -Path $Item.KeyPath -Recurse -Force -ErrorAction Stop
Write-Output "Removed: $($Item.KeyPath)"
} catch {
Write-Output "Failed to remove: $($Item.KeyPath) - $($_.Exception.Message)"
}
}
}
} else {
Write-Output "No keys were removed."
}
Can you test?
No devices right now with webroot (hopefully no more webroot). Will test if I can. Thanks for that.
I am trying this against a number of machines we have rogue Webroot installs on. I did need to make one correction because of an error. On line 51, "$Env:ProgramData\Microsoft\Windows\Start Menu\Programs\OpenText™ Core Endpoint Protection",. The TM after OpenText throws a powershell error. Some unsupported character. Once I removed that, it ran properly. Waiting for the user to reboot and we will see if it works!
@chadmark thanks for the info. For some reason on my computer, it has the TM symbol. I made some major revisions and added support for both, just in case.
Ran this twice as system account and restarted in between.
Ran Nirsoft's Regscanner afterwards and got this result: (Warning: the results are somewhat difficult to read; I also removed several entries for privacy reasons or because they were just too long to fit here. Running Regscanner on your system should produce similar results.)
HKCR\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList LastUsedSource n;1;C:\Program Files (x86)\Webroot\
HKCR\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList\Net C:\Program Files (x86)\Webroot\
HKCU\Control Panel\NotifyIconSettings\13912443615532443305 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Webroot\WRSA.exe
HKLM\SOFTWARE\Classes\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList n;1;C:\Program Files (x86)\Webroot\
HKLM\SOFTWARE\Classes\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList\Net C:\Program Files (x86)\Webroot\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "C:\Program Files (x86)\Webroot\WRSA.exe" -ul
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog CategoryMessageFile REG_EXPAND_SZ %ProgramFiles%\Webroot\Core\WRLogEventProvider.x64.dll 10/13/2025 3:12:26 PM 55 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog EventMessageFile REG_EXPAND_SZ %ProgramFiles%\Webroot\Core\WRLogEventProvider.x64.dll 10/13/2025 3:12:26 PM 55 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog CategoryCount REG_DWORD 0x00000002 (2) 10/13/2025 3:12:26 PM 4 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog TypesSupported REG_DWORD 0x00000007 (7) 10/13/2025 3:12:26 PM 4 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2E4983EB AppFullPath REG_SZ C:\Program Files (x86)\Webroot\WRSA.exe 9/16/2025 12:48:35 PM 40 BUILTIN\Administrators
HKLM\SYSTEM\ControlSet001\Services\WRCore DisplayName REG_SZ Webroot Core Driver 9/16/2025 12:48:44 PM 20 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRCore\Files{5e71bfb8-8ba9-4d78-bd98-2f1216f2d5fe} \Program Files\Webroot\Core REG_DWORD 0x00000001 (1) 9/16/2025 12:50:57 PM 4 BUILTIN\Administrators
HKLM\SYSTEM\ControlSet001\Services\WRCoreService ImagePath REG_EXPAND_SZ "C:\Program Files\Webroot\Core\WRCoreService.x64.exe" 9/16/2025 12:48:43 PM 54 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRCoreService Description REG_SZ Webroot SecureAnywhere Core Service 9/16/2025 12:48:43 PM 36 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRSkyClient ImagePath REG_EXPAND_SZ "C:\Program Files\Webroot\Core\WRSkyClient.x64.exe" 9/16/2025 12:48:43 PM 52 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRSkyClient Description REG_SZ Webroot SecureAnywhere Core Service 9/16/2025 12:48:43 PM 36 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRSVC Description REG_SZ Webroot SecureAnywhere Endpoint Protection v9.0.41.32 9/16/2025 12:48:35 PM 54 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRSVC ImagePath REG_EXPAND_SZ "C:\Program Files (x86)\Webroot\WRSA.exe" -service 9/16/2025 12:48:35 PM 51 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache AppCompatCache REG_BINARY 10/14/2025 2:14:26 PM 254,838 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog CategoryMessageFile REG_EXPAND_SZ %ProgramFiles%\Webroot\Core\WRLogEventProvider.x64.dll 10/13/2025 3:12:26 PM 55 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog EventMessageFile REG_EXPAND_SZ %ProgramFiles%\Webroot\Core\WRLogEventProvider.x64.dll 10/13/2025 3:12:26 PM 55 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog CategoryCount REG_DWORD 0x00000002 (2) 10/13/2025 3:12:26 PM 4 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog TypesSupported REG_DWORD 0x00000007 (7) 10/13/2025 3:12:26 PM 4 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2E4983EB AppFullPath REG_SZ C:\Program Files (x86)\Webroot\WRSA.exe 9/16/2025 12:48:35 PM 40 BUILTIN\Administrators
HKLM\SYSTEM\CurrentControlSet\Services\WRCore DisplayName REG_SZ Webroot Core Driver 9/16/2025 12:48:44 PM 20 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRCore\Files{5e71bfb8-8ba9-4d78-bd98-2f1216f2d5fe} \Program Files\Webroot\Core REG_DWORD 0x00000001 (1) 9/16/2025 12:50:57 PM 4 BUILTIN\Administrators
HKLM\SYSTEM\CurrentControlSet\Services\WRCoreService ImagePath REG_EXPAND_SZ "C:\Program Files\Webroot\Core\WRCoreService.x64.exe" 9/16/2025 12:48:43 PM 54 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRCoreService Description REG_SZ Webroot SecureAnywhere Core Service 9/16/2025 12:48:43 PM 36 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRSkyClient ImagePath REG_EXPAND_SZ "C:\Program Files\Webroot\Core\WRSkyClient.x64.exe" 9/16/2025 12:48:43 PM 52 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRSkyClient Description REG_SZ Webroot SecureAnywhere Core Service 9/16/2025 12:48:43 PM 36 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRSVC Description REG_SZ Webroot SecureAnywhere Endpoint Protection v9.0.41.32 9/16/2025 12:48:35 PM 54 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRSVC ImagePath REG_EXPAND_SZ "C:\Program Files (x86)\Webroot\WRSA.exe" -service 9/16/2025 12:48:35 PM 51 NT AUTHORITY\SYSTEM
HKU\S-1-5-21-2943901566-3547865535-3987560582-1004\Control Panel\NotifyIconSettings\13912443615532443305 ExecutablePath REG_SZ {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Webroot\WRSA.exe 10/14/2025 2:23:31 PM 56