Remove Webroot SecureAnywhere from system-wide installations on 32-bit and 64-bit Windows endpoints during EPP migration
This Automox Worklet™ removes Webroot SecureAnywhere from Windows endpoints by running the documented silent uninstall path, then cleaning up residual services and registry artifacts. The Worklet detects Webroot SecureAnywhere through its Uninstall registry key (Publisher Webroot Inc., DisplayName Webroot SecureAnywhere) in both the 64-bit and Wow6432Node 32-bit hives, executes the QuietUninstallString supplied by the installer, and waits for the WRSA.exe process and the WRSVC service to terminate before re-evaluating.
After the official uninstall path completes, the Worklet removes lingering artifacts that the Webroot installer is known to leave behind. It deletes the WRSVC and WRkrn services via sc.exe delete, removes the C:\ProgramData\WRData and C:\ProgramData\WRCore directories, and strips the HKLM:\SOFTWARE\WRMIDData registry tree. The script also clears the leftover Run-key entry that re-launches the Webroot tray UI on next login, so the endpoint comes up clean after a reboot.
Evaluation enumerates the Uninstall hive for the Webroot Inc. Publisher entry and checks for the WRSVC service without invoking msiexec, so endpoints with no Webroot install pass at exit code 0 immediately. Endpoints where Webroot was re-installed (for example by a Webroot management console push that ran before its policy was disabled) are flagged on the next run, the QuietUninstallString fires again, and the residual sc.exe delete pass cleans up the services Webroot leaves behind, so the EPP migration baseline is restored without manual intervention.
Webroot SecureAnywhere installs a kernel-mode filter driver, a system service that runs continuously, and a user-mode agent that registers with Windows Security Center as the primary antivirus provider. When a replacement EPP arrives, both agents try to claim the same surface. The filter chain runs both products' on-access scanners against every file read and write; the Security Center heartbeat ping-pongs between vendors; CPU usage climbs; legitimate user processes get flagged by one or the other and put into a quarantine the user does not know how to clear.
Endpoint protection migrations stall on the residual Webroot install left behind on each host, where the WRSA.exe service, the WRkrn.sys filter driver, and the WRData registry hive continue to claim file-system and process inspection hooks that the replacement EPP also wants. This Worklet runs the supported Webroot uninstaller, removes the lingering WRkrn driver, and cleans up the WRData hive on every Windows endpoint in scope, so the new EPP can claim the surface cleanly and the helpdesk does not field a wave of slow-laptop or quarantined-file tickets after the cutover. Pair this Worklet with one that installs and registers the replacement EPP for a clean one-policy migration.
Evaluation phase: The Worklet runs Get-ItemProperty against the Uninstall registry hives (64-bit and Wow6432Node 32-bit) and filters by Publisher -like 'Webroot*' or DisplayName -like 'Webroot SecureAnywhere*'. It also runs Get-Service WRSVC and Get-Process WRSA to detect a live install whose registry entry has been removed by a partial uninstall. If any signal indicates Webroot is present, the endpoint is flagged for remediation. Endpoints with no Webroot signal are reported compliant and skipped.
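The evaluation logic described above, written out as an added PowerShell example (not Automox's own Worklet code). The function name Get-WebrootSignal and the exit code 1 for a flagged endpoint are assumptions made for illustration.

```powershell
# Added example, not Automox's Worklet code.
# Assumed convention: exit 0 = compliant, exit 1 = flag for remediation.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-WebrootSignal {   # hypothetical helper name
    $signals = @()

    # Signal 1: Uninstall entries in the 64-bit and Wow6432Node hives.
    $entries = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -like 'Webroot*' -or
                       $_.DisplayName -like 'Webroot SecureAnywhere*' }
    foreach ($e in $entries) { $signals += "registry: $($e.PSPath)" }

    # Signals 2 and 3: a live install whose registry entry was removed
    # by a partial uninstall still shows up as a service or a process.
    if (Get-Service -Name 'WRSVC' -ErrorAction SilentlyContinue) {
        $signals += 'service: WRSVC'
    }
    if (Get-Process -Name 'WRSA' -ErrorAction SilentlyContinue) {
        $signals += 'process: WRSA.exe'
    }
    return $signals
}

# @() keeps the result an array even when the function returns nothing.
$found = @(Get-WebrootSignal)
if ($found.Count -gt 0) {
    $found | ForEach-Object { Write-Output "Webroot signal -> $_" }
    exit 1
}
Write-Output 'No Webroot signal found; endpoint is compliant.'
exit 0
```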
Remediation phase: The remediation script executes the QuietUninstallString reported by the Uninstall key (typically "%ProgramFiles%\Webroot\WRSA.exe" /uninstall /silent), waits up to 300 seconds for WRSA.exe to terminate, then runs sc.exe delete WRSVC and sc.exe delete WRkrn for any remaining services. It removes C:\ProgramData\WRData and C:\ProgramData\WRCore via Remove-Item -Recurse -Force and strips HKLM:\SOFTWARE\WRMIDData. The script exits 0 on success, or non-zero with the offending artifact path written to stderr if a cleanup step failed.
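The remediation steps above in order, as an added PowerShell example rather than Automox's own Worklet code. It assumes an elevated session, detects leftover services by their key under HKLM:\SYSTEM\CurrentControlSet\Services, uses exit code 1 for failure, and omits the Run-key cleanup because the page does not name that value.

```powershell
# Added example, not Automox's Worklet code. Run as local admin or SYSTEM.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$failed = @()

# Step 1: run the installer-supplied QuietUninstallString, if an entry exists.
$entry = Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.Publisher -like 'Webroot*' -and $_.QuietUninstallString } |
    Select-Object -First 1
if ($entry) {
    # cmd.exe /c strips the outer quote pair and expands %ProgramFiles%.
    Start-Process -FilePath "$env:SystemRoot\System32\cmd.exe" -WindowStyle Hidden -Wait `
        -ArgumentList "/c `"$($entry.QuietUninstallString)`""
}

# Step 2: wait up to 300 seconds for WRSA.exe to terminate.
$deadline = (Get-Date).AddSeconds(300)
while ((Get-Process -Name 'WRSA' -ErrorAction SilentlyContinue) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
}
if (Get-Process -Name 'WRSA' -ErrorAction SilentlyContinue) { $failed += 'process WRSA.exe' }

# Step 3: delete any service or driver registration the uninstaller left behind.
foreach ($svc in 'WRSVC', 'WRkrn') {
    if (Test-Path -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") {
        & "$env:SystemRoot\System32\sc.exe" delete $svc | Out-Null
        if ($LASTEXITCODE -ne 0) { $failed += "service $svc" }
    }
}

# Step 4: remove residual directories and the WRMIDData registry tree.
foreach ($path in 'C:\ProgramData\WRData', 'C:\ProgramData\WRCore', 'HKLM:\SOFTWARE\WRMIDData') {
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue
        if (Test-Path -LiteralPath $path) { $failed += $path }
    }
}

# Exit 0 on success; otherwise name each offending artifact on stderr.
if ($failed.Count -gt 0) {
    [Console]::Error.WriteLine("Cleanup failed for: $($failed -join ', ')")
    exit 1
}
exit 0
```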
Windows 10, Windows 11, or Windows Server 2016 and later with PowerShell 5.1 or PowerShell 7 available
Local administrator or SYSTEM privileges for the Automox agent (the default agent context satisfies this) to call the uninstaller and delete kernel-mode services
Webroot management console policy that allows uninstall from the local endpoint; if the central policy enforces tamper protection on the SecureAnywhere agent, disable that policy in the console before scheduling this Worklet
A replacement EPP installed and registered with Windows Security Center either before or alongside this Worklet so the endpoint is not left without an AV provider during the transition window
A change-management ticket or migration plan tying the Webroot removal to the new EPP rollout so the security team can audit the transition and recover endpoints if a regression occurs
After successful remediation, Apps and Features no longer lists Webroot SecureAnywhere, the WRSA.exe process is no longer running, and the WRSVC and WRkrn services are not registered. C:\ProgramData\WRData and C:\ProgramData\WRCore no longer exist. The Windows Security Center heartbeat reflects the replacement EPP as the primary AV provider. Subsequent Automox policy runs report the endpoint as compliant unless the Webroot console has pushed a re-install since the previous run, at which point the next evaluation catches it and the remediation runs again.
Validate by running Get-Service WRSVC on a remediated endpoint and confirming it returns "Cannot find any service with service name 'WRSVC'." For audit evidence, capture the before-and-after Get-Package output and the Get-Service status, then store them with the policy run identifier. If Webroot reappears after the policy completes, the most common cause is that the Webroot management console has not been told to release the endpoint; remove the endpoint from the Webroot console first, then rerun the Worklet.


Consider Worklets your easy button
A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklets deploy named-CVE mitigations within hours of disclosure, perform configuration, remediation, and install or remove applications and settings across Windows, macOS, and Linux.
