Wgncm.exe is the CA Data Protection ‘user-process’. ‘CM’ is an abbreviation of Collection Manager, though the name is no longer relevant.
In normal operation, a CA Data Protection endpoint client has a single wgncm.exe instance per logged-on user. The CA Data Protection policy engine is hosted within a Windows service, which means that there will be a separate wgncm.exe instance for the policy engine’s use. This is the case even if the policy engine is running as the same user as the logged-on user.
Wgncm.exe performs two main duties: (1) storage of captured event data - "USER DATA SET" and (2) management of policy instances from the infrastructure policy interface - "POLICY STORE".
USER DATA SET
This object manages all the storage of captured data to the local infrastructure.
POLICY STORE
The policy store component in wgncm.exe maintains a single up-to-date copy of any policies requested by processes running in the context of the wgncm.exe user. With client integration there will normally be only one policy (that of the logged-in user). See the section below on policy engines for more info on situations when multiple policies might exist.
In addition to the duties mentioned above, this process also monitors the user’s registry hive to ensure that the user hasn’t attempted to remove DLP components. It also performs periodic cleanup of TMP files for the associated user.
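The instance layout described above (one wgncm.exe per logged-on user, plus a separate instance for the service-hosted policy engine) can be checked on an endpoint. The PowerShell below is an added example, not CA code. It assumes that an interactive logon can be recognized by a running explorer.exe and that the policy engine's instance runs in session 0.

```powershell
# Added example: audit wgncm.exe instances on an endpoint.
# Assumptions (not from the page): an interactive logon is identified by a
# running explorer.exe, and the policy engine's instance runs in session 0
# because it is started from a Windows service.
# Run elevated so GetOwner can resolve processes owned by other users.

function Get-OwnedProcess {
    param([Parameter(Mandatory)][string]$Name)
    Get-CimInstance -ClassName Win32_Process -Filter "Name='$Name'" |
        ForEach-Object {
            $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $owner = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
            [pscustomobject]@{
                ProcessId = $_.ProcessId
                SessionId = $_.SessionId
                Owner     = $owner
            }
        }
}

$agents = @(Get-OwnedProcess -Name 'wgncm.exe')
$shells = @(Get-OwnedProcess -Name 'explorer.exe' |
    Sort-Object -Property SessionId, Owner -Unique)

# Each interactive user should have exactly one wgncm.exe in the same session.
$findings = foreach ($s in $shells) {
    $mine = @($agents | Where-Object {
        $_.SessionId -eq $s.SessionId -and $_.Owner -eq $s.Owner })
    if ($mine.Count -ne 1) {
        [pscustomobject]@{
            SessionId = $s.SessionId
            Owner     = $s.Owner
            Instances = $mine.Count
            Expected  = 1
        }
    }
}

# Session 0 instances are reported separately: they belong to the policy
# engine and may legitimately share an owner with a logged-on user.
$engine = @($agents | Where-Object { $_.SessionId -eq 0 })

"wgncm.exe instances: $($agents.Count) (session 0: $($engine.Count))"
$agents | Sort-Object SessionId | Format-Table -AutoSize
if ($findings) {
    Write-Warning 'Interactive sessions without exactly one wgncm.exe:'
    $findings | Format-Table -AutoSize
}
```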