Microsoft Malicious Software Removal Tool

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019
Malicious Software Removal Tool
The Malicious Software Removal Tool was first released in January 2005 to detect and remove the most popular malware families. Although not a default part of Vista, Windows users can expect to see MSRT show up more and do more. Microsoft initially created it to quickly remove common malware threats in response to current attacks and before new Microsoft software was installed. One of the most common reasons a Microsoft software install or upgrade fails is because of installed malware. The end user doesn't realize they have malicious programs installed, and instead blames Microsoft for the installation error. In at least one case, a spyware program tried to prevent its own removal, thereby destroying the installation of Windows XP Service Pack 2. The result was that the computer would irrevocably crash on the first reboot after installing Service Pack 2. Even a safe-mode boot would not work to restore it. By first checking for and removing common malware, Microsoft has decreased the install failure rates for end users.

MSRT is free and can be downloaded from, but it normally downloads, runs, and then uninstalls before significant Microsoft installs and updates. It downloads and runs monthly using Automatic Updates, Windows Update/Microsoft Update, or Windows Server Update Services. Normally, an end user license agreement (EULA) must be agreed to the first time MSRT is run. The automated versions run in the background, and are almost unnoticeable unless an infection is found. The separate stand-alone version may be downloaded and installed to run on-demand scans.


Users running the manual version must be logged in with Administrator credentials. As the version distributed via Microsoft Update runs as a normal Windows Update, it does not require any special privileges to run.

Currently, each version of MSRT is cumulative, detecting current and past threats. MSRT detects over seventy five popular malware families (, which is far less than the 10,000 different malware programs that the normal antivirus software product can detect. MSRT is not intended to replace a user's other anti-malware programs. It is developed as an adjunct tool.

Microsoft only adds detection and removal capability to MSRT for a very small subset of all threats. In order for Microsoft to add detection and removal for a new malware family, the threat must be very common (or predicted to be very common soon), contain malicious instructions, and be actively running in memory when MSRT executes.

MSRT can be run on computers running Windows 2000 or above. When MSRT (Mrtstub.exe) runs, it creates a randomly named temp directory in the root drive of the computer. Normally, the temp folder is automatically deleted after the tool is finished running although it can be manually deleted after the tool is finished if present.

The Malicious Software Removal Tool supports the following four command-line switches:

  • /Q quiet mode, suppresses end-user dialog boxes

  • /N forces detect-only mode

  • /F forces an extended scan

  • /F:Y forces extended scan and automatic cleaning of found infections

Results of the latest scan are stored in \%Windir%\Debug\Mrt.log along with a copy of the previous log (Mrt.old. When downloaded and run automatically, the most common method, MSRT runs in quiet mode by default. The tool notifies the first administrator to log on about the infection, detection, and removal that occurred, using a Windows balloon dialog box message.

By default, MSRT only runs a quick scan, checking only the most common autorun areas. In extended mode, MSRT scans the local hard drive(s) and detected removable media as well. An extended scan can take hours to complete. Figure 1 shows a manual MSRT in progress.

Image from book
Figure 1: A manual MSRT scan in progress

With millions of users running the tool, Microsoft also uses MSRT to judge the prevalence of a particular malware program. Microsoft is able to collect near real-time statistics that impact how quickly they respond to new threats.

For instance, during the early days of the WMF exploit ( in January 2006, several security Web sites and media outlets published stories indicating that millions of computers were being infected by the WMF exploit. A high-risk outbreak would force Microsoft to develop and release a patch to the detriment of patch's quality.

Microsoft included WMF worm detection in MSRT and discovered only 16 infected computers out of millions of computers-an infection rate of 0.000016 in a million. Using facts, and not hyperbolic speculation, Microsoft slowed down the patch response time, and delivered a quality patch. Microsoft continues to use MSRT to assist in setting appropriate patch development response times.

New tool updates are kept as small as possible. When a user with a previous version of the tool installed is detected, only the delta updates are downloaded (when using Windows Update/Microsoft Update and Automatic Updates). Delta updates save approximately 1MB per user or download.

MSRT can be installed using normal software push mechanisms, and is fully scriptable. It can be rolled out using SMS and monitored and executed using WMI and other scripting interfaces.

If MSRT finds an infection, it removes the malware and reports the findings (see Figure 2). Unfortunately, MSRT does not tell you at what location the malware was detected. Hopefully, in future versions Microsoft will add more details.

Image from book
Figure 2: MSRT informs you when it finds and removes malware.

When malware is found, relevant computer and malware information is sent back to Microsoft (except on WSUS delivered versions). According to Microsoft, the information sent to it is only used to allow the Microsoft Anti-malware team to better serve its customers.

Top 10
Free Mobile And Desktop Apps For Accessing Restricted Websites
TOYOTA CAMRY 2; 2.5 : Camry now more comely
KIA SORENTO 2.2CRDi : Fuel-sipping slugger
How To Setup, Password Protect & Encrypt Wireless Internet Connection
Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
Backup & Restore Game Progress From Any Game With SaveGameProgress
Generate A Facebook Timeline Cover Using A Free App
New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
- Messages forwarded by Outlook rule go nowhere
- Create and Deploy Windows 7 Image
- How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
- Creating and using an unencrypted cookie in ASP.NET
- Directories
- Poor Performance on Sharepoint 2010 Server
- SBS 2008 ~ The e-mail alias already exists...
- Public to Private IP - DNS Changes
- Send Email from Winform application
- How to create a .mdb file from ms sql server database.......
programming4us programming4us