Complete Removal of Webroot SecureAnywhere — CleanUp.exe in Safe Mode + Residual Service/Driver/Registry Cleanup
Webroot SecureAnywhere's standard Programs and Features uninstall does not remove the WRSVC service, WRkrn.sys kernel driver, or self-protected files and registry hives, which blocks replacement AV installation and leaves the endpoint partially protected. Full removal requires deactivating the device in the Webroot GSM/Endpoint Console (for managed installs), running the vendor CleanUp.exe utility in Safe Mode, then manually deleting residual folders under C:\Program Files\Webroot and C:\ProgramData\WR* plus service keys under HKLM\SYSTEM\CurrentControlSet\Services\WR*. Verify with Get-Service WRSVC and driverquery before deploying the replacement AV.
Indicators
- Webroot SecureAnywhere still listed in Programs and Features after uninstall attempt
- WRSVC (Webroot SecureAnywhere) service persists in services.msc after uninstall and reboot
- WRkrn.sys driver still loaded — visible via driverquery /v | findstr /i WRkrn
- Folders C:\Program Files\Webroot, C:\Program Files (x86)\Webroot, C:\ProgramData\WRData, or C:\ProgramData\WRCore persist after uninstall
- Replacement AV installer aborts citing an existing antivirus product
- Registry keys HKLM\SOFTWARE\WRData or HKLM\SOFTWARE\WRCore remain after standard uninstall
- Event Viewer continues to show Webroot-source events after reboot
Likely causes
- Standard Add/Remove Programs uninstall does not remove the WRkrn.sys kernel driver or self-protection components
- Webroot self-protection blocks deletion of its own files, services, and registry keys while the agent is running in normal mode
- Corrupted installation state prevents the built-in MSI uninstaller from completing successfully
- Endpoint is still enrolled in a Webroot GSM/Endpoint Console policy and is being re-deployed by management
- Previous failed uninstall left orphaned WRSVC/WRkrn/WRBoot/WRCore service entries with no associated binaries
Diagnostic steps
- Confirm Webroot is installed and check WRSVC service state — run: Get-Service WRSVC | Format-List Name, Status, StartType
  Verify presence and current run state of the Webroot service before removal; confirms whether self-protection is active.
- Check whether the Webroot kernel driver is loaded — run: driverquery /v | findstr /i WRkrn
  Confirms WRkrn.sys is active in memory, which means files and registry keys cannot be deleted from normal boot — Safe Mode will be required.
- Enumerate residual installation directories — run: Get-ChildItem 'C:\Program Files\Webroot','C:\Program Files (x86)\Webroot','C:\ProgramData\WRData','C:\ProgramData\WRCore' -ErrorAction SilentlyContinue
  Identify on-disk artifacts that must be removed manually after CleanUp.exe runs.
- Check whether the endpoint is managed by a Webroot console — run: reg query HKLM\SOFTWARE\WRCore /s
  Determines whether the agent will be re-pushed by the console after removal; if managed, the device must be deactivated in the console first.
- Enumerate Webroot service entries — run: Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object { $_.Name -match 'WR' }
  Identify all WRSVC, WRkrn, WRBoot, WRCore service registry stubs that must be removed after CleanUp.exe.
- Confirm no Webroot processes are running — open Process Explorer or run: Get-Process | Where-Object { $_.Company -like '*Webroot*' -or $_.Name -like 'WR*' }
  Validates that self-protection has been disabled (e.g., in Safe Mode) before attempting manual file/registry cleanup.
Resolution path
- If the endpoint is managed by a Webroot GSM/Endpoint Console, log in and deactivate or delete the device before touching the endpoint — otherwise the agent will be re-deployed.
- Attempt the standard uninstall first: Control Panel → Programs and Features → Webroot SecureAnywhere → Uninstall. Reboot.
- If standard uninstall fails or leaves residue (WRSVC, WRkrn.sys, or WR* folders persist), reboot into Safe Mode: msconfig → Boot tab → Safe boot → OK → Restart, or Shift+Restart → Troubleshoot → Advanced options → Startup Settings → Safe Mode.
- Download and run Webroot's official CleanUp utility from https://download.webroot.com/CleanUp.exe — execute as Administrator. Reboot when prompted (still in Safe Mode if it prompts to re-enter).
- After reboot back into normal mode (uncheck Safe boot in msconfig if set), manually delete any residual folders: C:\Program Files\Webroot, C:\Program Files (x86)\Webroot, C:\ProgramData\WRData, C:\ProgramData\WRCore.
- Remove residual registry keys via regedit or reg.exe: HKLM\SOFTWARE\WRData, HKLM\SOFTWARE\WRCore, HKLM\SYSTEM\CurrentControlSet\Services\WRSVC, HKLM\SYSTEM\CurrentControlSet\Services\WRkrn, HKLM\SYSTEM\CurrentControlSet\Services\WRBoot, HKLM\SYSTEM\CurrentControlSet\Services\WRCore.
- If service entries persist after registry cleanup, run sc.exe delete for each remaining service name (WRSVC, WRkrn, WRBoot, WRCore) from an elevated prompt.
- Reboot the endpoint normally and verify with Get-Service WRSVC and driverquery | findstr /i WR that no Webroot components remain.
- Install the replacement AV product and confirm it completes without conflict warnings.
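The diagnostic and verification checks above can be combined into one read-only audit that gates the replacement AV install. This PowerShell script is an added example, not Webroot's or this page's own tooling; it checks only the service names, folders and registry keys listed above, and the function name Get-WebrootResidue and its output columns are assumptions of the example.

```powershell
# Added example: read-only post-removal audit. Nothing here deletes or stops anything.
# Get-WebrootResidue and the Type/Item/Detail columns are names made up for this example.
function Get-WebrootResidue {
    [CmdletBinding()]
    param()

    function New-Finding($Type, $Item, $Detail) {
        [pscustomobject]@{ Type = $Type; Item = $Item; Detail = $Detail }
    }

    # 1. Service/driver registry entries named in the resolution steps.
    foreach ($name in 'WRSVC', 'WRkrn', 'WRBoot', 'WRCore') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (Test-Path -LiteralPath $key) {
            $image = (Get-ItemProperty -LiteralPath $key).ImagePath
            New-Finding 'ServiceKey' $name "ImagePath=$image"
        }
    }

    # 2. Kernel drivers still registered with the OS, with their current state.
    #    A 'WR%' name match is a lead to inspect, not proof the driver is Webroot's.
    Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'WR%'" -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Driver' $_.Name "State=$($_.State); Path=$($_.PathName)" }

    # 3. Processes still running (same filter as the diagnostic step).
    Get-Process | Where-Object { $_.Company -like '*Webroot*' -or $_.Name -like 'WR*' } |
        ForEach-Object { New-Finding 'Process' $_.Name "PID=$($_.Id)" }

    # 4. Residual folders and software registry keys.
    $paths = 'C:\Program Files\Webroot', 'C:\Program Files (x86)\Webroot',
             'C:\ProgramData\WRData', 'C:\ProgramData\WRCore',
             'HKLM:\SOFTWARE\WRData', 'HKLM:\SOFTWARE\WRCore'
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $type = if ($p -like 'HKLM:*') { 'RegistryKey' } else { 'Folder' }
            New-Finding $type $p 'present'
        }
    }
}

$residue = @(Get-WebrootResidue)
if ($residue.Count -eq 0) {
    Write-Output 'No Webroot residue found.'
} else {
    $residue | Format-Table -AutoSize -Wrap | Out-Host
    exit 1   # non-zero exit lets a deployment task block the replacement AV install
}
```

Save it as a .ps1 and run it from an elevated prompt after the final reboot; pasting it into an interactive console will close that console when `exit 1` is reached.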
Prevention
- Always deactivate endpoints in the Webroot GSM/Endpoint Console before uninstall to prevent re-enrollment via management policy.
- Standardise on running CleanUp.exe in Safe Mode rather than relying on Programs and Features — this reliably captures self-protected components (WRkrn.sys, WRSVC).
- Maintain a documented AV migration runbook that includes console deactivation, Safe Mode entry, CleanUp.exe execution, manual folder/registry cleanup, and post-removal verification commands.
- Take a system restore point or full image snapshot before removal so rollback is possible if residual driver removal destabilises the OS.
- Stage and test the replacement AV deployment on a pilot group before mass migration to confirm CleanUp.exe leaves no blocking artifacts in your image.
Tools
- Webroot CleanUp.exe (vendor-supported full removal utility)
- msconfig (boot to Safe Mode)
- Autoruns (verify no Webroot autostart entries remain)
- Process Explorer (confirm no WR* processes running)
- regedit / reg.exe (remove residual registry keys)
- driverquery.exe (verify kernel driver removed)
- PowerShell Get-Service / Get-ChildItem (validation)