Forcefully removes Webroot Endpoint Protection.
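# Removes Webroot SecureAnywhere by force.
# Run the script once in Safe Mode, then reboot.
#
# Every key listed here is under HKLM, so the script has to run elevated
# (administrator or SYSTEM). After the reboot, check that none of these keys
# is still present: the removal commands further down suppress their errors,
# so a key that could not be deleted is not reported by them.

# Webroot SecureAnywhere registry keys
$RegKeys = @(
    # Product data and uninstall registration, 32-bit (WOW6432Node) view
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\WRUNINST",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST",
    "HKLM:\SOFTWARE\WOW6432Node\WRData",
    "HKLM:\SOFTWARE\WOW6432Node\WRCore",
    "HKLM:\SOFTWARE\WOW6432Node\WRMIDData",
    "HKLM:\SOFTWARE\WOW6432Node\webroot",
    # Product data and uninstall registration, native view
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WRUNINST",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST",
    "HKLM:\SOFTWARE\WRData",
    "HKLM:\SOFTWARE\WRMIDData",
    "HKLM:\SOFTWARE\WRCore",
    "HKLM:\SOFTWARE\webroot",
    # Service and driver keys, repeated for each control set.
    # WRSkyClient is listed so this table agrees with the $Services table
    # defined later in the script, which already names that service.
    "HKLM:\SYSTEM\ControlSet001\services\WRSVC",
    "HKLM:\SYSTEM\ControlSet001\services\WRkrn",
    "HKLM:\SYSTEM\ControlSet001\services\WRBoot",
    "HKLM:\SYSTEM\ControlSet001\services\WRCore",
    "HKLM:\SYSTEM\ControlSet001\services\WRCoreService",
    "HKLM:\SYSTEM\ControlSet001\services\WRSkyClient",
    "HKLM:\SYSTEM\ControlSet001\services\wrUrlFlt",
    "HKLM:\SYSTEM\ControlSet002\services\WRSVC",
    "HKLM:\SYSTEM\ControlSet002\services\WRkrn",
    "HKLM:\SYSTEM\ControlSet002\services\WRBoot",
    "HKLM:\SYSTEM\ControlSet002\services\WRCore",
    "HKLM:\SYSTEM\ControlSet002\services\WRCoreService",
    "HKLM:\SYSTEM\ControlSet002\services\WRSkyClient",
    "HKLM:\SYSTEM\ControlSet002\services\wrUrlFlt",
    "HKLM:\SYSTEM\CurrentControlSet\services\WRSVC",
    "HKLM:\SYSTEM\CurrentControlSet\services\WRkrn",
    "HKLM:\SYSTEM\CurrentControlSet\services\WRBoot",
    "HKLM:\SYSTEM\CurrentControlSet\services\WRCore",
    "HKLM:\SYSTEM\CurrentControlSet\services\WRCoreService",
    "HKLM:\SYSTEM\CurrentControlSet\services\WRSkyClient",
    "HKLM:\SYSTEM\CurrentControlSet\services\wrUrlFlt"
)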
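# Startup locations: the machine-wide Run keys (32-bit and native views).
# Only a value named WRSVC is removed from them later in the script.
$RegStartupPaths = @(
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
)

# Webroot folders
# Environment variables are written as ${Env:Name} throughout. The braces are
# required for ProgramFiles(x86): without them PowerShell expands only
# $Env:ProgramFiles and appends the literal text "(x86)", which produces
# "C:\Program Files(x86)\Webroot" - a path that does not exist - so the 32-bit
# install folder would be skipped.
$Folders = @(
    "${Env:ProgramData}\WRData",
    "${Env:ProgramData}\WRCore",
    "${Env:ProgramFiles}\Webroot",
    "${Env:ProgramFiles(x86)}\Webroot",
    "${Env:ProgramData}\Microsoft\Windows\Start Menu\Programs\Webroot SecureAnywhere",
    "${Env:ProgramData}\Microsoft\Windows\Start Menu\Programs\OpenText™ Core Endpoint Protection",
    "${Env:ProgramFiles}\Common Files\Webroot"
)

# Known service names (key = service name, value = human-readable label)
$Services = @{
    "WRSVC"         = "Webroot SecureAnywhere";
    "WRCoreService" = "Webroot Core Service";
    "WRSkyClient"   = "Webroot Sky Client"
}

# Known uninstall keys (Add/Remove Programs registration, both views)
$UninstallKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST"
)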
# Give the product's own uninstaller the first chance: for every WRSA.exe that
# exists in the two Program Files locations, run it with -uninstall and wait
# for it to exit. Errors from Start-Process are suppressed, so a refused or
# failed uninstall is not reported here.
$WrsaPaths = @(
    "${Env:ProgramFiles(x86)}\Webroot\WRSA.exe"
    "${Env:ProgramFiles}\Webroot\WRSA.exe"
)
$WrsaPaths | Where-Object { Test-Path $_ } | ForEach-Object {
    Write-Output "Uninstalling via $_"
    $UninstallArgs = @{
        FilePath     = $_
        ArgumentList = "-uninstall"
        Wait         = $true
        ErrorAction  = 'SilentlyContinue'
    }
    Start-Process @UninstallArgs
}
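# Stop and delete services
# For each name in $Services: look the service up through WMI, stop it, then
# ask the service control manager to delete it.
foreach ($ServiceName in $Services.Keys) {
    $Service = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    if ($null -ne $Service) {
        Write-Output "Stopping service: $ServiceName"
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        Write-Output "Removing service: $ServiceName"
        # Win32_Service.Delete() reports its outcome in ReturnValue (0 = success).
        # Surface anything else instead of discarding it, so a service that is
        # still registered after the run is visible to the operator.
        $DeleteResult = $Service.Delete()
        if ($DeleteResult.ReturnValue -ne 0) {
            Write-Warning "Service $ServiceName was not deleted (Win32_Service.Delete returned $($DeleteResult.ReturnValue))"
        }
    }
}

# Kill WRSA.exe process
Write-Output "Killing WRSA process (if running)"
Stop-Process -Name "WRSA" -Force -ErrorAction SilentlyContinue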
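# Remove registry keys
# Remove-Item keeps -ErrorAction SilentlyContinue so one protected key does not
# abort the run, but each key is re-checked afterwards: a key that survives is
# reported as a warning rather than passing as removed.
foreach ($RegKey in $RegKeys) {
    if (Test-Path $RegKey) {
        Write-Output "Removing registry key: $RegKey"
        Remove-Item -Path $RegKey -Force -Recurse -ErrorAction SilentlyContinue
        if (Test-Path $RegKey) {
            Write-Warning "Registry key is still present after the removal attempt: $RegKey"
        }
    }
}

# Remove startup entries
# Only the value named WRSVC is deleted; the Run keys themselves and every
# other autostart value in them are left alone.
foreach ($RegStartupPath in $RegStartupPaths) {
    $StartupEntry = Get-ItemProperty -Path $RegStartupPath -ErrorAction SilentlyContinue
    if ($null -ne $StartupEntry -and $StartupEntry.PSObject.Properties.Name -contains "WRSVC") {
        Write-Output "Removing WRSVC from startup: $RegStartupPath"
        Remove-ItemProperty -Path $RegStartupPath -Name "WRSVC" -ErrorAction SilentlyContinue
        # Re-read the key to confirm the value is really gone.
        $Remaining = Get-ItemProperty -Path $RegStartupPath -ErrorAction SilentlyContinue
        if ($null -ne $Remaining -and $Remaining.PSObject.Properties.Name -contains "WRSVC") {
            Write-Warning "WRSVC startup value is still present in: $RegStartupPath"
        }
    }
}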
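# Remove folders
# Each entry is passed through ExpandEnvironmentVariables (which resolves any
# %NAME% tokens left in the string) and deleted recursively if it exists.
# Deletion errors stay suppressed so the loop continues, but the folder is
# checked again afterwards and a warning is written if it is still there,
# for example because files in it are locked.
foreach ($Folder in $Folders) {
    $Expanded = [Environment]::ExpandEnvironmentVariables($Folder)
    if (Test-Path $Expanded) {
        Write-Output "Removing folder: $Expanded"
        Remove-Item -Path $Expanded -Recurse -Force -ErrorAction SilentlyContinue
        if (Test-Path $Expanded) {
            Write-Warning "Folder is still present after the removal attempt: $Expanded"
        }
    }
}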
# Remove known Add/Remove Program keys
foreach ($KnownKey in $UninstallKeys) {
    if (-not (Test-Path $KnownKey)) { continue }
    Write-Output "Removing uninstall key: $KnownKey"
    Remove-Item -Path $KnownKey -Recurse -Force -ErrorAction SilentlyContinue
}

# Remove any uninstall entries that mention Webroot
# Walks the direct children of both Uninstall keys and deletes every child
# whose DisplayName contains "Webroot". The match is a plain wildcard, so any
# entry with that word in its display name is removed. Errors are suppressed.
$UninstallRootPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
foreach ($RootPath in $UninstallRootPaths) {
    $Children = Get-ChildItem -Path $RootPath -ErrorAction SilentlyContinue
    foreach ($Child in $Children) {
        $Props = Get-ItemProperty -Path $Child.PsPath -ErrorAction SilentlyContinue
        # Skip entries with no DisplayName or one that does not mention Webroot.
        if ($null -eq $Props.DisplayName -or $Props.DisplayName -notlike "*Webroot*") { continue }
        Write-Output "Removing detected uninstall key: $($Child.PsPath) [$($Props.DisplayName)]"
        Remove-Item -Path $Child.PsPath -Recurse -Force -ErrorAction SilentlyContinue
    }
}
Author
@axiomcs78 thanks for that. Here's that converted into PowerShell, I haven't tested it yet.
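# Show Webroot-related registry keys and optionally remove them
#
# Every path is provider-qualified: "Registry::" followed by the full hive
# name. A bare "HKLM\..." string has no drive or provider prefix, so Test-Path
# and Remove-Item resolve it relative to the current location instead of the
# registry and the key is never found. PowerShell also defines only the HKLM:
# and HKCU: drives by default, so the HKCR and HKU entries need this form.
#
# NOTE(review): the list was taken from a registry scan of a single machine.
# The HKEY_USERS entry is keyed by that machine's user SID and will not match
# other hosts; the NotifyIconSettings IDs are presumably per-profile as well -
# confirm on the target before relying on them.
# NOTE(review): in the scan the Webroot entry under Run\AutorunsDisabled
# appears as a value inside that key. Removing the key recursively discards
# the whole key, including any unrelated values stored in it - review its
# contents before answering Y at the prompt.
$Keys = @(
    'Registry::HKEY_CLASSES_ROOT\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList',
    'Registry::HKEY_CLASSES_ROOT\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList\Net',
    'Registry::HKEY_CURRENT_USER\Control Panel\NotifyIconSettings\13912443615532443305',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList\Net',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2E4983EB',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRCore',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRCoreService',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRSkyClient',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WRSVC',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2E4983EB',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WRCore',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WRCoreService',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WRSkyClient',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WRSVC',
    'Registry::HKEY_USERS\S-1-5-21-2943901566-3547865535-3987560582-1004\Control Panel\NotifyIconSettings\13912443615532443305'
)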
# Build one row per candidate key, recording whether it is present.
# Despite its name, $Existing holds every key from $Keys; the Exists column
# ('Yes' / 'No') is what tells present keys from absent ones.
$Existing = foreach ($Candidate in $Keys) {
    $Present = if (Test-Path $Candidate) { 'Yes' } else { 'No' }
    [PSCustomObject]@{
        KeyPath = $Candidate
        Exists  = $Present
    }
}

# Display results in table
$Existing | Format-Table -AutoSize
# Ask before deleting anything. Only the answer 'Y' (the comparison is
# case-insensitive) proceeds; any other input leaves the registry untouched.
$Confirm = Read-Host "Remove existing keys listed above? (Y/N)"
if ($Confirm -ne 'Y') {
    Write-Output "No keys were removed."
} else {
    foreach ($Item in $Existing) {
        # Rows marked 'No' were not found earlier, so there is nothing to delete.
        if ($Item.Exists -ne 'Yes') { continue }
        try {
            # -ErrorAction Stop turns a failed delete into an exception so it
            # is reported per key in the catch block below.
            Remove-Item -Path $Item.KeyPath -Recurse -Force -ErrorAction Stop
            Write-Output "Removed: $($Item.KeyPath)"
        } catch {
            Write-Output "Failed to remove: $($Item.KeyPath) - $($_.Exception.Message)"
        }
    }
}
Can you test?
No devices right now with webroot (hopefully no more webroot). Will test if I can. Thanks for that.
Ran this twice as system account and restarted in between.
Ran Nirsoft's Regscanner afterwards and got the result below. (Warning: the results are somewhat difficult to read. I also removed several entries, either for privacy reasons or because they were too long to fit here; running Regscanner on your system should produce similar results.)
HKCR\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList LastUsedSource n;1;C:\Program Files (x86)\Webroot\
HKCR\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList\Net C:\Program Files (x86)\Webroot\
HKCU\Control Panel\NotifyIconSettings\13912443615532443305 {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Webroot\WRSA.exe
HKLM\SOFTWARE\Classes\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList n;1;C:\Program Files (x86)\Webroot\
HKLM\SOFTWARE\Classes\Installer\Products\2C91C1CFE37069649AD21509082D341F\SourceList\Net C:\Program Files (x86)\Webroot\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled "C:\Program Files (x86)\Webroot\WRSA.exe" -ul
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog CategoryMessageFile REG_EXPAND_SZ %ProgramFiles%\Webroot\Core\WRLogEventProvider.x64.dll 10/13/2025 3:12:26 PM 55 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog EventMessageFile REG_EXPAND_SZ %ProgramFiles%\Webroot\Core\WRLogEventProvider.x64.dll 10/13/2025 3:12:26 PM 55 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog CategoryCount REG_DWORD 0x00000002 (2) 10/13/2025 3:12:26 PM 4 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\Webroot-WRLog TypesSupported REG_DWORD 0x00000007 (7) 10/13/2025 3:12:26 PM 4 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2E4983EB AppFullPath REG_SZ C:\Program Files (x86)\Webroot\WRSA.exe 9/16/2025 12:48:35 PM 40 BUILTIN\Administrators
HKLM\SYSTEM\ControlSet001\Services\WRCore DisplayName REG_SZ Webroot Core Driver 9/16/2025 12:48:44 PM 20 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRCore\Files{5e71bfb8-8ba9-4d78-bd98-2f1216f2d5fe} \Program Files\Webroot\Core REG_DWORD 0x00000001 (1) 9/16/2025 12:50:57 PM 4 BUILTIN\Administrators
HKLM\SYSTEM\ControlSet001\Services\WRCoreService ImagePath REG_EXPAND_SZ "C:\Program Files\Webroot\Core\WRCoreService.x64.exe" 9/16/2025 12:48:43 PM 54 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRCoreService Description REG_SZ Webroot SecureAnywhere Core Service 9/16/2025 12:48:43 PM 36 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRSkyClient ImagePath REG_EXPAND_SZ "C:\Program Files\Webroot\Core\WRSkyClient.x64.exe" 9/16/2025 12:48:43 PM 52 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRSkyClient Description REG_SZ Webroot SecureAnywhere Core Service 9/16/2025 12:48:43 PM 36 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRSVC Description REG_SZ Webroot SecureAnywhere Endpoint Protection v9.0.41.32 9/16/2025 12:48:35 PM 54 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\ControlSet001\Services\WRSVC ImagePath REG_EXPAND_SZ "C:\Program Files (x86)\Webroot\WRSA.exe" -service 9/16/2025 12:48:35 PM 51 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache AppCompatCache REG_BINARY 10/14/2025 2:14:26 PM 254,838 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog CategoryMessageFile REG_EXPAND_SZ %ProgramFiles%\Webroot\Core\WRLogEventProvider.x64.dll 10/13/2025 3:12:26 PM 55 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog EventMessageFile REG_EXPAND_SZ %ProgramFiles%\Webroot\Core\WRLogEventProvider.x64.dll 10/13/2025 3:12:26 PM 55 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog CategoryCount REG_DWORD 0x00000002 (2) 10/13/2025 3:12:26 PM 4 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Webroot-WRLog TypesSupported REG_DWORD 0x00000007 (7) 10/13/2025 3:12:26 PM 4 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2E4983EB AppFullPath REG_SZ C:\Program Files (x86)\Webroot\WRSA.exe 9/16/2025 12:48:35 PM 40 BUILTIN\Administrators
HKLM\SYSTEM\CurrentControlSet\Services\WRCore DisplayName REG_SZ Webroot Core Driver 9/16/2025 12:48:44 PM 20 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRCore\Files{5e71bfb8-8ba9-4d78-bd98-2f1216f2d5fe} \Program Files\Webroot\Core REG_DWORD 0x00000001 (1) 9/16/2025 12:50:57 PM 4 BUILTIN\Administrators
HKLM\SYSTEM\CurrentControlSet\Services\WRCoreService ImagePath REG_EXPAND_SZ "C:\Program Files\Webroot\Core\WRCoreService.x64.exe" 9/16/2025 12:48:43 PM 54 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRCoreService Description REG_SZ Webroot SecureAnywhere Core Service 9/16/2025 12:48:43 PM 36 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRSkyClient ImagePath REG_EXPAND_SZ "C:\Program Files\Webroot\Core\WRSkyClient.x64.exe" 9/16/2025 12:48:43 PM 52 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRSkyClient Description REG_SZ Webroot SecureAnywhere Core Service 9/16/2025 12:48:43 PM 36 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRSVC Description REG_SZ Webroot SecureAnywhere Endpoint Protection v9.0.41.32 9/16/2025 12:48:35 PM 54 NT AUTHORITY\SYSTEM
HKLM\SYSTEM\CurrentControlSet\Services\WRSVC ImagePath REG_EXPAND_SZ "C:\Program Files (x86)\Webroot\WRSA.exe" -service 9/16/2025 12:48:35 PM 51 NT AUTHORITY\SYSTEM
HKU\S-1-5-21-2943901566-3547865535-3987560582-1004\Control Panel\NotifyIconSettings\13912443615532443305 ExecutablePath REG_SZ {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Webroot\WRSA.exe 10/14/2025 2:23:31 PM 56