The marketing around WSA is not hype - it's an extremely light program. There are only a few components on the file system. Some of this is simplified and probably wrong; if any Webroot reps want to chime in, either in a post or via PM, I will fix the information.

This is a simple black-box analysis - none of the initial information is from any internal Webroot sources.

 

This reference is for Windows 7 x64+ only.

 

Cloud

The small footprint is possible because most of the logic is run "in the cloud" on machines hosted on Amazon AWS. Beyond that I do not know their infrastructure setup.

 

WRkrn.sys (32/64 bit picked at installation) [%system32%]

This is the system driver that WSA uses. It is loaded at boot.

 

WRSA.exe (32-bit version) [%ProgramFiles%(x86)]

WRSA (service)

The first instance of the program launches at boot as a service named WRSA with the command "WRSA.exe -service".

 

WRSA.exe

This is the second instance of WRSA.exe and handles interacting with the user. It can run in both SYSTEM and user contexts depending on how it's launched.

 

Normally, once the WRSA service launches, it will then launch the child process WRSA.exe.

If for some reason this instance is not triggered by the WRSA service, there is also a backup Run command to launch it: "WRSA.exe -ul".

 

If for some reason neither of these instances is triggered, there is a link in the Start Menu that launches the program with "WRSA.exe -showgui". It will then launch the WRSA service.

 

WRSA.exe (64-bit version) [%ProgramFiles%]

I honestly don't know where this is used, even on 64-bit systems.

 

WRusr.dll (32-bit version) (%windir%\SysWOW64)

This file is used to implement the Windows interface (explorer.exe etc) integration on 32-bit Windows systems and Identity Shield for 32-bit processes.

 

WRusr.dll (64-bit version) (%system32%)

This file is used to implement the Windows interface (explorer.exe etc) integration on 64-bit Windows systems and Identity Shield for 64-bit processes.
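The launch chain described in the post above can be checked on an endpoint with the following PowerShell, which is an added example and not code from the original post or from Webroot. The service name `WRSA`, the file names and the `-service` / `-ul` switches come from the post; the assumption is that the backup Run command sits in one of the standard Windows Run keys, which the post does not specify.

```powershell
# Added example: audit the WRSA launch paths described in the post.
# Run elevated, otherwise CommandLine/ExecutablePath of SYSTEM processes may be empty.

# Assumption: the backup "WRSA.exe -ul" entry is in one of the standard Run keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Service instance: the post says it is started as "WRSA.exe -service".
$svc   = Get-CimInstance Win32_Service -Filter "Name='WRSA'"
$svcOk = [bool]($svc -and $svc.PathName -match 'WRSA\.exe"?\s+-service')

# 2. Kernel driver: the post says WRkrn.sys is loaded at boot.
$drv = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'WRkrn\.sys' } |
    Select-Object Name, State, StartMode, PathName

# 3. Backup Run entry: any Run value that launches WRSA.exe.
$runHits = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            if ($value -match 'WRSA\.exe') {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $value }
            }
        }
    }
}

# 4. Running instances: label each one by how it relates to the service process,
#    and flag any WRSA.exe whose image path differs from the service binary
#    (a same-named process running from another directory deserves a closer look).
$svcImage = if ($svc) { ($svc.PathName -replace '"', '') -replace '\s+-service.*$', '' }
$procs = Get-CimInstance Win32_Process -Filter "Name='WRSA.exe'" | ForEach-Object {
    [pscustomobject]@{
        ProcessId       = $_.ProcessId
        Role            = if ($svc -and $_.ProcessId -eq $svc.ProcessId) { 'service' }
                          elseif ($svc -and $_.ParentProcessId -eq $svc.ProcessId) { 'child of service' }
                          else { 'started another way (Run key or Start Menu link)' }
        SessionId       = $_.SessionId
        CommandLine     = $_.CommandLine
        UnexpectedImage = [bool]($svcImage -and $_.ExecutablePath -and ($_.ExecutablePath -ne $svcImage))
    }
}

[pscustomobject]@{ ServiceCommandOk = $svcOk; Driver = $drv; RunEntries = $runHits; Processes = $procs } |
    Format-List
```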