Complete Guide to Cleaning Sangfor EasyConnect Residue

Documenting a complete process of discovering and thoroughly cleaning Sangfor EasyConnect VPN client residue, including background processes, system services, root certificates, NSP drivers, and other stubborn remnants.

#Windows #Security #EasyConnect #VPN #Cleanup

Background

Sangfor EasyConnect is a widely used enterprise SSL VPN client in China, commonly used in universities and enterprise remote work scenarios. However, this software has the following issues:

  • Incomplete uninstallation: The official uninstaller leaves significant residue
  • Background persistence: Processes continue running even without a VPN connection
  • Kernel-level monitoring: Installs NSP/LSP drivers that can intercept all network traffic
  • Root certificate installation: Can decrypt user HTTPS traffic
  • Data collection: May collect terminal information and report it

Discovery Process

Initial Check

Task Manager showed these processes running in the background:

| Process Name | Description |
|---|---|
| SangforPromoteService.exe | Push service |
| SangforPWEx.exe | VPN security protection service |
| SangforUDProtectEx.exe | Terminal security protection |

Registered System Services

SERVICE_NAME: SangforPWEx
DISPLAY_NAME: Sangfor VPN Security Protect Service
STATE: RUNNING

SERVICE_NAME: SangforSP
DISPLAY_NAME: SangforSP

Installed Root Certificate

Subject: OU=Sangfor Technologies Inc., O=Sangfor Technologies Inc., L=shenzhen, S=guangdong, C=CN
Thumbprint: A9062C5C1721FF87EBCBD89DF03719755560E7A0

This root certificate is in both the system and the user certificate stores.


Cleanup Steps

Step 1: Stop and Delete Services

Run CMD as administrator:

net stop SangforPWEx
sc delete SangforPWEx
sc delete SangforSP

Step 2: Delete Residue Directories

Directories to delete:

C:\Program Files (x86)\Sangfor
C:\Users\{username}\AppData\Roaming\Sangfor
C:\ProgramData\Sangfor

Note: Some files may be locked by the system and require special handling.

Step 3: Handle Locked NSP/LSP Files

If files like SangforNsp.dll cannot be deleted:

C:\Program Files (x86)\Sangfor\SSL\ClientComponent\1_SangforNsp.dll - Access denied
C:\Program Files (x86)\Sangfor\SSL\ClientComponent\SangforNspX64.dll - Access denied

This is because Sangfor installed a Winsock NSP (Name Space Provider) driver, which is loaded by the network subsystem.

Solutions

Method 1: Reset Winsock (affects network configuration)

netsh winsock reset
netsh int ip reset

Restart the computer, then delete the directory.

Method 2: Safe Mode Deletion (Recommended)

  1. Press Win + R, type msconfig
  2. Click "Boot" tab, check "Safe boot" → "Minimal"
  3. Restart into Safe Mode
  4. Delete residue directories
  5. Open msconfig again, uncheck "Safe boot"
  6. Restart to return to normal

Step 4: Delete Root Certificate

Open Certificate Manager (certlm.msc):

  1. Expand "Trusted Root Certification Authorities" → "Certificates"
  2. Find the Sangfor Technologies Inc. certificate
  3. Right-click → Delete

Or use PowerShell:

Remove-Item -Path "Cert:\LocalMachine\Root\A9062C5C1721FF87EBCBD89DF03719755560E7A0" -Force
Remove-Item -Path "Cert:\CurrentUser\Root\A9062C5C1721FF87EBCBD89DF03719755560E7A0" -Force

Verify Cleanup Results

Check Processes

tasklist | findstr /i "sangfor easyconnect"

Should have no output.

Check Services

sc query SangforPWEx
sc query SangforSP

Should return "The specified service does not exist".

Check Certificates

Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Issuer -like '*Sangfor*' }

Should have no output.

Check Directories

Confirm these directories no longer exist:

  • C:\Program Files (x86)\Sangfor
  • C:\Users\{username}\AppData\Roaming\Sangfor
  • C:\ProgramData\Sangfor
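
The checks above can be combined into one read-only pass. The following script is an added example, not part of the original article; it uses only the service names, directories and thumbprint listed above, and it additionally looks at the CurrentUser root store and the Winsock catalog (`netsh winsock show catalog`), which the individual checks do not cover. The function name Get-SangforResidue is hypothetical.

```powershell
# Added example: read-only audit of the residue items listed in this article.
# Run from an elevated PowerShell session; nothing is stopped or deleted.
$thumbprint = 'A9062C5C1721FF87EBCBD89DF03719755560E7A0'   # thumbprint from the article
$services   = 'SangforPWEx', 'SangforSP'                   # service names from the article
# $env:APPDATA resolves to the profile of the account running the script.
$dirs = @(
    "${env:ProgramFiles(x86)}\Sangfor"
    "$env:APPDATA\Sangfor"
    "$env:ProgramData\Sangfor"
)

function Get-SangforResidue {
    # Processes (same name match as the tasklist check)
    Get-Process | Where-Object { $_.ProcessName -match 'sangfor|easyconnect' } |
        ForEach-Object { [pscustomobject]@{ Layer = 'Process'; Item = "$($_.ProcessName) (PID $($_.Id))" } }

    # Services
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { [pscustomobject]@{ Layer = 'Service'; Item = "$name [$($svc.Status)]" } }
    }

    # Directories
    foreach ($dir in $dirs) {
        if (Test-Path -LiteralPath $dir) { [pscustomobject]@{ Layer = 'Files'; Item = $dir } }
    }

    # Winsock catalog: any provider entry whose description or path mentions Sangfor
    netsh winsock show catalog | Select-String -Pattern 'sangfor' |
        ForEach-Object { [pscustomobject]@{ Layer = 'Winsock'; Item = $_.Line.Trim() } }

    # Root certificate: check BOTH stores, by thumbprint and by subject
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Thumbprint -eq $thumbprint -or $_.Subject -like '*Sangfor*' } |
            ForEach-Object { [pscustomobject]@{ Layer = 'Certificate'; Item = "$store\$($_.Thumbprint)" } }
    }
}

$residue = @(Get-SangforResidue)
if ($residue.Count -eq 0) {
    'No Sangfor residue found.'
} else {
    $residue | Format-Table -AutoSize
}
```

Run it once before cleanup to see what is present and again after the final restart; an empty result corresponds to the "no output" checks above.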

Deep Analysis: Why So Hard to Delete?

Sangfor's Monitoring Architecture

Browser initiates request
    ↓
Socket API
    ↓
Winsock Layer ← 【NSP intercepts here, already sees original traffic】
    ↓
TCP/IP Protocol Stack
    ↓
Network Card Driver
    ↓
Physical Network Card → Out

Sangfor intercepts at the Winsock layer through NSP/LSP drivers, a lower level than normal proxy software (VPN, Clash, etc.).

Why Can't VPN Block It?

| Software | Working Layer | Can Block Sangfor |
|---|---|---|
| Sangfor NSP | Winsock Layer | - |
| Clash TUN | Virtual NIC Layer | ❌ Too late |
| Normal VPN | Network Interface Layer | ❌ Too late |

Traffic is intercepted by Sangfor before it reaches the VPN/proxy software.


Protection Recommendations

If Must Use

  1. VM Isolation: Install EasyConnect in a virtual machine, used only for intranet access
  2. Delete After Use: Uninstall and clean up residue immediately after use
  3. Regular Checks: Confirm there are no newly installed certificates or services

Alternatives

  • Request a Web VPN portal from the school/enterprise (no client installation needed)
  • Use an isolated backup device for intranet access

Summary

Sangfor EasyConnect residue cleanup requires handling multiple layers:

| Layer | Content | Method |
|---|---|---|
| Process | Multiple background processes | Task Manager end |
| Service | SangforPWEx, SangforSP | sc delete |
| Files | Program directory, user config | Delete directories |
| NSP Driver | DLLs locked by network stack | Safe mode or reset Winsock |
| Certificate | Root certificate | Certificate Manager delete |

After a thorough cleanup, restarting the computer is recommended to confirm that all residue has been cleared.


⚠️ Disclaimer: This article is for technical learning and personal device maintenance reference only. Please operate legally and in compliance, ensuring no violation of your organization's security policies.



Last updated: 2026-05-10