{"id":7439,"date":"2023-11-14T02:36:18","date_gmt":"2023-11-14T02:36:18","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=7439"},"modified":"2024-07-23T08:02:39","modified_gmt":"2024-07-23T08:02:39","slug":"powershell-to-force-remove-webroot","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/powershell-to-force-remove-webroot","title":{"rendered":"Powershell to force remove webroot"},"content":{"rendered":"\n<p> If you boot into Safe mode or boot the disk into another device you can delete the below folders<\/p>\n\n\n\n<p>&#8220;%ProgramData%\\WRData&#8221;,<br>    &#8220;%ProgramData%\\WRCore&#8221;,<\/p>\n\n\n\n<p>Which will let you run the below to remove it ( you will need to reboot again ) <\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>For 32 bit versions of Windows: C:\\Program Files\\Webroot\\WRSA.exe -uninstall.<\/li>\n\n\n\n<li>For 64 bit versions of Windows: C:\\Program Files (x86)\\Webroot\\WRSA.exe -uninstall.<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"powershell\" class=\"language-powershell\"># Removes Webroot SecureAnywhere by force\n# Run the script once, reboot, then run again\n\n# Webroot SecureAnywhere registry keys\n$RegKeys = @(\n    \"HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\WRUNINST\",\n    \"HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WRUNINST\",\n    \"HKLM:\\SOFTWARE\\WOW6432Node\\WRData\",\n    \"HKLM:\\SOFTWARE\\WOW6432Node\\WRCore\",\n    \"HKLM:\\SOFTWARE\\WOW6432Node\\WRMIDData\",\n    \"HKLM:\\SOFTWARE\\WOW6432Node\\webroot\",\n    \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WRUNINST\",\n    \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\WRUNINST\",\n    \"HKLM:\\SOFTWARE\\WRData\",\n    \"HKLM:\\SOFTWARE\\WRMIDData\",\n    \"HKLM:\\SOFTWARE\\WRCore\",\n    \"HKLM:\\SOFTWARE\\webroot\",\n    \"HKLM:\\SYSTEM\\ControlSet001\\services\\WRSVC\",\n    \"HKLM:\\SYSTEM\\ControlSet001\\services\\WRkrn\",\n    \"HKLM:\\SYSTEM\\ControlSet001\\services\\WRBoot\",\n    \"HKLM:\\SYSTEM\\ControlSet001\\services\\WRCore\",\n    \"HKLM:\\SYSTEM\\ControlSet001\\services\\WRCoreService\",\n    \"HKLM:\\SYSTEM\\ControlSet001\\services\\wrUrlFlt\",\n    \"HKLM:\\SYSTEM\\ControlSet002\\services\\WRSVC\",\n    \"HKLM:\\SYSTEM\\ControlSet002\\services\\WRkrn\",\n    \"HKLM:\\SYSTEM\\ControlSet002\\services\\WRBoot\",\n    \"HKLM:\\SYSTEM\\ControlSet002\\services\\WRCore\",\n    \"HKLM:\\SYSTEM\\ControlSet002\\services\\WRCoreService\",\n    \"HKLM:\\SYSTEM\\ControlSet002\\services\\wrUrlFlt\",\n    \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\WRSVC\",\n    \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\WRkrn\",\n    \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\WRBoot\",\n    \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\WRCore\",\n    \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\WRCoreService\",\n    \"HKLM:\\SYSTEM\\CurrentControlSet\\services\\wrUrlFlt\"\n)\n\n# Webroot SecureAnywhere startup registry item paths\n$RegStartupPaths = @(\n    \"HKLM:\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\",\n    \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"\n)\n\n# Webroot SecureAnywhere folders\n$Folders = @(\n    \"%ProgramData%\\WRData\",\n    \"%ProgramData%\\WRCore\",\n    \"%ProgramFiles%\\Webroot\",\n    \"%ProgramFiles(x86)%\\Webroot\",\n    \"%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Webroot SecureAnywhere\"\n)\n\n# Try to Uninstall - https:\/\/community.webroot.com\/webroot-secureanywhere-antivirus-12\/pc-uninstallation-option-missing-from-control-panel-34688\nStart-Process -FilePath \"${Env:ProgramFiles(x86)}\\Webroot\\WRSA.exe\" -ArgumentList \"-uninstall\" -Wait -ErrorAction SilentlyContinue\nStart-Process -FilePath \"${Env:ProgramFiles}\\Webroot\\WRSA.exe\" -ArgumentList \"-uninstall\" -Wait -ErrorAction SilentlyContinue\n\n# Stop &amp; Delete Webroot SecureAnywhere service\nsc.exe stop WRSVC\nsc.exe stop WRCoreService\nsc.exe stop WRSkyClient\nsc.exe delete WRSVC\nsc.exe delete WRCoreService\nsc.exe delete WRSkyClient\n\n# Stop Webroot SecureAnywhere process\nStop-Process -Name \"WRSA\" -Force\n\n# Remove Webroot SecureAnywhere registry keys\nForEach ($RegKey in $RegKeys) {\n    Write-Host \"Removing $RegKey\"\n    Remove-Item -Path $RegKey -Force -Recurse -ErrorAction SilentlyContinue\n}\n\n# Remove Webroot SecureAnywhere registry startup items\nForEach ($RegStartupPath in $RegStartupPaths) {\n    Write-Host \"Removing WRSVC from $RegStartupPath\"\n    Remove-ItemProperty -Path $RegStartupPath -Name \"WRSVC\"\n}\n\n# Remove Webroot SecureAnywhere folders\nForEach ($Folder in $Folders) {\n    Write-Host \"Removing $Folder\"\n    Remove-Item -Path \"$Folder\" -Force -Recurse -ErrorAction SilentlyContinue\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>If you boot into Safe mode or boot the disk into another device you can delete the below folders &#8220;%ProgramData%\\WRData&#8221;, &#8220;%ProgramData%\\WRCore&#8221;, Which will let you run the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-7439","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=7439"}],"version-history":[{"count":2,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7439\/revisions"}],"predecessor-version":[{"id":8160,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/7439\/revisions\/8160"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=7439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=7439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=7439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}