SEPWscsvc64.exe removes/Delete Key/values of windows registry

Article ID: 272609


Updated On:

Products

Endpoint Protection

Issue/Introduction

After upgrading Endpoint Protection from version 14.3 RU3 to 14.3 RU7, Endpoint Detection and Response (EDR) event logs show SEPWscsvc64.exe and ccsvchst.exe deleting registry keys, as shown in the image below.

Environment

Windows Server 2016 Server Data center

Cause

As per Microsoft, this is expected on Windows Server operating systems (2012, 2016, 2019, etc.): the Windows Security Center (WSC) service does not exist there, which means Windows exposes no WSC interface for third-party antivirus vendors. See the link below for reference.

https://learn.microsoft.com/en-us/windows/win32/api/wscapi/ne-wscapi-wsc_security_provider

The SEP policy in effect was:

    WindowsSecurityCenter
        Coexistence: 0

    Windows Integration
        DisableWindowsFW: DISABLE_ONCE_ONLY

Resolution

Collect a low-altitude Procmon capture from the affected environment and verify that the deleted registry keys are associated with the GPO cleanup.

  • The first step is to confirm that all the deleted registry keys are listed in Procmon and that each deletion shows the common gpedit.dll cleanup portion in its stack. This cleanup is what happens when the SEP policy tries to configure the Windows Defender state (enable or disable): the client does so by calling the IGroupPolicyObject::Save method.

  • Registry keys should not be deleted when IGroupPolicyObject::Save is allowed to save changes to the GPO. Instead, it should refresh or update the settings stored in the GPO and apply the Group Policy to the respective computer or user.

  • There are a few potential explanations if certain registry keys are observed being deleted once IGroupPolicyObject::Save is allowed to save changes to the GPO:

         GPO configuration: the changes made in the GPO might include configurations that affect registry settings. For example, if settings related to registry-based Group Policy preferences are modified, these changes are reflected in the registry, and it is possible that they are interpreted as deletions of certain registry values.

         When a Windows Defender status update is performed with respect to the firewall policy, the client internally refreshes the GPO, and a few keys are deleted as part of that GPO refresh.

  • Therefore the Endpoint Protection client is not involved in deleting the registry keys. This is merely a GPO refresh after applying configuration to Windows Defender, and its side effects.

Additional Information

Procmon stack output for one of the registry key deletions (Frame, Module, Location, Address, Path):

0    ntoskrnl.exe    CmpCallCallBacks + 0x20e    0xfffff802dad2a1be    C:\Windows\system32\ntoskrnl.exe
1    ntoskrnl.exe    NtDeleteKey + 0x1b8    0xfffff802dac8d0cc    C:\Windows\system32\ntoskrnl.exe
2    ntoskrnl.exe    KiSystemServiceCopyEnd + 0x13    0xfffff802da979c03    C:\Windows\system32\ntoskrnl.exe
3    <unknown>    0x7ffcb1bb7584    0x7ffcb1bb7584
4    <unknown>    0x7ffcae9fc577    0x7ffcae9fc577
5    <unknown>    0x7ffcae991948    0x7ffcae991948
6    <unknown>    0x7ffcae99187f    0x7ffcae99187f
7    gpedit.dll    RegDelnode + 0x14c    0x7ffc89a8e4f8    C:\Windows\System32\gpedit.dll
8    gpedit.dll    RegDelnode + 0x11c    0x7ffc89a8e4c8    C:\Windows\System32\gpedit.dll
9    gpedit.dll    RegDelnode + 0x11c    0x7ffc89a8e4c8    C:\Windows\System32\gpedit.dll
10    gpedit.dll    RegDelnode + 0x11c    0x7ffc89a8e4c8    C:\Windows\System32\gpedit.dll
11    gpedit.dll    RegDelnode + 0x11c    0x7ffc89a8e4c8    C:\Windows\System32\gpedit.dll
12    gpedit.dll    CRegistryHive::Release + 0x84    0x7ffc89a9f524    C:\Windows\System32\gpedit.dll
13    gpedit.dll    CGroupPolicyObject::CleanUp + 0x3f    0x7ffc89a9b9ef    C:\Windows\System32\gpedit.dll
14    gpedit.dll    CGroupPolicyObject::Release + 0x29    0x7ffc89a948d9    C:\Windows\System32\gpedit.dll
15    <unknown>    0x7ff7bc2f7d55    0x7ff7bc2f7d55
16    <unknown>    0x7ff7bc2f8b6c    0x7ff7bc2f8b6c
17    <unknown>    0x7ff7bc2f6939    0x7ff7bc2f6939
18    <unknown>    0x7ff7bc38d534    0x7ff7bc38d534
19    <unknown>    0x7ffcb14484d4    0x7ffcb14484d4
20    <unknown>    0x7ffcb1b61791    0x7ffcb1b61791
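The check described in the Resolution section (confirm that every registry deletion attributed to the SEP processes carries the gpedit.dll cleanup stack) can be done mechanically over the stacks copied out of Procmon. The following is an added example written for this article, not code from the article or from the Endpoint Protection product. It parses the tab- or space-separated "Copy Stack" text that Procmon produces and classifies a deletion as GPO cleanup only when the kernel entry is NtDeleteKey/NtDeleteValueKey and the user-mode stack passes through both RegDelnode and CGroupPolicyObject::CleanUp in gpedit.dll. The first sample stack is the one shown above; the second is a constructed stack with no gpedit.dll frames, used to show what a deletion that still needs review looks like.

```python
import re
from dataclasses import dataclass
from typing import List

# One frame of a Procmon "Copy Stack" line: Frame, Module, Location, Address, Path.
@dataclass
class Frame:
    index: int
    module: str
    location: str
    address: int
    path: str

# Columns come out tab-separated from Procmon; pasted text often has runs of spaces instead.
_COLUMN_SPLIT = re.compile(r"\t|\s{2,}")

def parse_stack(text: str) -> List[Frame]:
    """Parse a Procmon stack dump into Frame objects, skipping lines that are not frames."""
    frames: List[Frame] = []
    for line in text.strip().splitlines():
        parts = _COLUMN_SPLIT.split(line.strip())
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        idx, module, location, address = parts[:4]
        path = parts[4] if len(parts) > 4 else ""   # <unknown> frames have no path
        frames.append(Frame(int(idx), module, location, int(address, 16), path))
    return frames

def unresolved_frames(frames: List[Frame]) -> int:
    """Count frames Procmon could not symbolise; a high count means symbols were not configured."""
    return sum(1 for f in frames if f.module == "<unknown>")

def is_gpo_cleanup_delete(frames: List[Frame]) -> bool:
    """True when a registry delete syscall is reached through gpedit.dll's GPO cleanup path."""
    kernel_delete = any(
        f.module.lower() == "ntoskrnl.exe"
        and f.location.startswith(("NtDeleteKey", "NtDeleteValueKey"))
        for f in frames
    )
    gpedit_locations = [f.location for f in frames if f.module.lower() == "gpedit.dll"]
    via_regdelnode = any(loc.startswith("RegDelnode") for loc in gpedit_locations)
    via_cleanup = any(loc.startswith("CGroupPolicyObject::CleanUp") for loc in gpedit_locations)
    return kernel_delete and via_regdelnode and via_cleanup

def classify(text: str) -> str:
    """Return 'gpo-cleanup' for the benign pattern in this article, otherwise 'needs-review'."""
    return "gpo-cleanup" if is_gpo_cleanup_delete(parse_stack(text)) else "needs-review"

# Sample 1: the stack shown in this article (Additional Information).
ARTICLE_STACK = r"""
0    ntoskrnl.exe    CmpCallCallBacks + 0x20e    0xfffff802dad2a1be    C:\Windows\system32\ntoskrnl.exe
1    ntoskrnl.exe    NtDeleteKey + 0x1b8    0xfffff802dac8d0cc    C:\Windows\system32\ntoskrnl.exe
2    ntoskrnl.exe    KiSystemServiceCopyEnd + 0x13    0xfffff802da979c03    C:\Windows\system32\ntoskrnl.exe
3    <unknown>    0x7ffcb1bb7584    0x7ffcb1bb7584
7    gpedit.dll    RegDelnode + 0x14c    0x7ffc89a8e4f8    C:\Windows\System32\gpedit.dll
12    gpedit.dll    CRegistryHive::Release + 0x84    0x7ffc89a9f524    C:\Windows\System32\gpedit.dll
13    gpedit.dll    CGroupPolicyObject::CleanUp + 0x3f    0x7ffc89a9b9ef    C:\Windows\System32\gpedit.dll
14    gpedit.dll    CGroupPolicyObject::Release + 0x29    0x7ffc89a948d9    C:\Windows\System32\gpedit.dll
15    <unknown>    0x7ff7bc2f7d55    0x7ff7bc2f7d55
"""

# Sample 2: a constructed stack (addresses are placeholders) that deletes a key with
# no gpedit.dll involvement, so the article's explanation does not apply to it.
UNEXPLAINED_STACK = r"""
0    ntoskrnl.exe    CmpCallCallBacks + 0x20e    0xfffff802dad2a1be    C:\Windows\system32\ntoskrnl.exe
1    ntoskrnl.exe    NtDeleteKey + 0x1b8    0xfffff802dac8d0cc    C:\Windows\system32\ntoskrnl.exe
2    ntoskrnl.exe    KiSystemServiceCopyEnd + 0x13    0xfffff802da979c03    C:\Windows\system32\ntoskrnl.exe
3    <unknown>    0x00007ff700000001    0x00007ff700000001
4    <unknown>    0x00007ff700000002    0x00007ff700000002
"""

if __name__ == "__main__":
    for name, stack in (("article", ARTICLE_STACK), ("constructed", UNEXPLAINED_STACK)):
        frames = parse_stack(stack)
        print(name, classify(stack), "unresolved frames:", unresolved_frames(frames))
```

In practice, export the stack of each RegDeleteKey/RegDeleteValue event reported by EDR for SEPWscsvc64.exe or ccsvchst.exe and run every one through classify; any result other than gpo-cleanup is a deletion the article does not explain and should be investigated separately. A large share of unresolved frames means Procmon had no symbols (Options > Configure Symbols); the gpedit.dll frames are still resolved through export names, which is why the check keys on those rather than on the unknown frames.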