SEPWscsvc64.exe removes/Delete Key/values of windows registry
search cancel

SEPWscsvc64.exe removes/Delete Key/values of windows registry


Article ID: 272609


Updated On:


Endpoint Protection


After upgrading the Endpoint protection 14.3 RU3 version to 14.3 RU7 version , In Endpoint Detection and Response (EDR) event logs appears as SEPWscsvc64.exe & ccsvchst.exe deleted the registry key as shown in image below.


Windows Server 2016 Server Data center


As per Microsoft this is expected on Windows Server OS (2012,2016 or 2019 etc.) WSC service won't exists that mean no WSC interface is exposed by Windows for 3rd party Anti Virus vendors . Below link for reference.

By policy 

        Coexistence: 0

    Windows Integration
        DisableWindowsFW: DISABLE_ONCE_ONLY


Collect the Low altitude Procmon from the affected environment and Verify the deleted registry is associated with the GPO cleanup.

  • The initial stage is to confirm that all the deleting registry keys are list in procmon and the common gpedit.dll Cleanup portion explains When the SEP policy tries to configure the windows defender state enable or Disable. We call it using IGroupPolicyObject::Save method.

  • The registry key should not be deleted when the IGroupPolicyObject::Save method is allowed to save changes in GPO. Instead, It should refresh or update the setting stored in the GPO and apply the Group policy to the respective computer or User.

  • There could be few potential explanation if we are observing certain registry keys are being deleted once the IGroupPolicyObject:: Save method is allowed to save changes in GPO:
         GPO Configuration: The changes made in GPO might include configurations that affect registry settings.

       (For example: If the settings related to registry-based Group Policy preferences are modified, these modified changes could be reflected in the registry and it is all possible that these changes are interpreted as deletions of certain registry values. 

         When trying to perform Windows Defender status update with respect to the Firewall policy it internally refreshes GPO policy and few keys are deleted as a part of GPO refresh.
  • Therefore Endpoint protection client is not involved in deleting the registry . This is merely a GPO refresh after applying configuration to Windows Defender and its side effects.

Additional Information

Procmon Output example:

0    ntoskrnl.exe    CmpCallCallBacks + 0x20e    0xfffff802dad2a1be    C:\Windows\system32toskrnl.exe
1    ntoskrnl.exe    NtDeleteKey + 0x1b8    0xfffff802dac8d0cc    C:\Windows\system32toskrnl.exe
2    ntoskrnl.exe    KiSystemServiceCopyEnd + 0x13    0xfffff802da979c03    C:\Windows\system32toskrnl.exe
3    <unknown>    0x7ffcb1bb7584    0x7ffcb1bb7584    
4    <unknown>    0x7ffcae9fc577    0x7ffcae9fc577    
5    <unknown>    0x7ffcae991948    0x7ffcae991948    
6    <unknown>    0x7ffcae99187f    0x7ffcae99187f    
7    gpedit.dll    RegDelnode + 0x14c    0x7ffc89a8e4f8    C:\Windows\System32\gpedit.dll
8    gpedit.dll    RegDelnode + 0x11c    0x7ffc89a8e4c8    C:\Windows\System32\gpedit.dll
9    gpedit.dll    RegDelnode + 0x11c    0x7ffc89a8e4c8    C:\Windows\System32\gpedit.dll
10    gpedit.dll    RegDelnode + 0x11c    0x7ffc89a8e4c8    C:\Windows\System32\gpedit.dll
11    gpedit.dll    RegDelnode + 0x11c    0x7ffc89a8e4c8    C:\Windows\System32\gpedit.dll
12    gpedit.dll    CRegistryHive::Release + 0x84    0x7ffc89a9f524    C:\Windows\System32\gpedit.dll
13    gpedit.dll    CGroupPolicyObject::CleanUp + 0x3f    0x7ffc89a9b9ef    C:\Windows\System32\gpedit.dll
14    gpedit.dll    CGroupPolicyObject::Release + 0x29    0x7ffc89a948d9    C:\Windows\System32\gpedit.dll
15    <unknown>    0x7ff7bc2f7d55    0x7ff7bc2f7d55    
16    <unknown>    0x7ff7bc2f8b6c    0x7ff7bc2f8b6c    
17    <unknown>    0x7ff7bc2f6939    0x7ff7bc2f6939    
18    <unknown>    0x7ff7bc38d534    0x7ff7bc38d534    
19    <unknown>    0x7ffcb14484d4    0x7ffcb14484d4    
20    <unknown>    0x7ffcb1b61791    0x7ffcb1b61791