Microsoft Malicious Software Removal Tool

7/28/2010 9:29:23 AM
Malicious Software Removal Tool
The Malicious Software Removal Tool was first released in January 2005 to detect and remove the most popular malware families. Although not a default part of Vista, Windows users can expect to see MSRT show up more and do more. Microsoft initially created it to quickly remove common malware threats in response to current attacks and before new Microsoft software was installed. One of the most common reasons a Microsoft software install or upgrade fails is because of installed malware. The end user doesn't realize they have malicious programs installed, and instead blames Microsoft for the installation error. In at least one case, a spyware program tried to prevent its own removal, thereby destroying the installation of Windows XP Service Pack 2. The result was that the computer would irrevocably crash on the first reboot after installing Service Pack 2. Even a safe-mode boot would not work to restore it. By first checking for and removing common malware, Microsoft has decreased the install failure rates for end users.

MSRT is free and can be downloaded from, but it normally downloads, runs, and then uninstalls before significant Microsoft installs and updates. It downloads and runs monthly using Automatic Updates, Windows Update/Microsoft Update, or Windows Server Update Services. Normally, an end user license agreement (EULA) must be agreed to the first time MSRT is run. The automated versions run in the background, and are almost unnoticeable unless an infection is found. The separate stand-alone version may be downloaded and installed to run on-demand scans.


Users running the manual version must be logged in with Administrator credentials. As the version distributed via Microsoft Update runs as a normal Windows Update, it does not require any special privileges to run.

Currently, each version of MSRT is cumulative, detecting current and past threats. MSRT detects over seventy five popular malware families (, which is far less than the 10,000 different malware programs that the normal antivirus software product can detect. MSRT is not intended to replace a user's other anti-malware programs. It is developed as an adjunct tool.

Microsoft only adds detection and removal capability to MSRT for a very small subset of all threats. In order for Microsoft to add detection and removal for a new malware family, the threat must be very common (or predicted to be very common soon), contain malicious instructions, and be actively running in memory when MSRT executes.

MSRT can be run on computers running Windows 2000 or above. When MSRT (Mrtstub.exe) runs, it creates a randomly named temp directory in the root drive of the computer. Normally, the temp folder is automatically deleted after the tool is finished running although it can be manually deleted after the tool is finished if present.

The Malicious Software Removal Tool supports the following four command-line switches:

  • /Q quiet mode, suppresses end-user dialog boxes

  • /N forces detect-only mode

  • /F forces an extended scan

  • /F:Y forces extended scan and automatic cleaning of found infections

Results of the latest scan are stored in \%Windir%\Debug\Mrt.log along with a copy of the previous log (Mrt.old. When downloaded and run automatically, the most common method, MSRT runs in quiet mode by default. The tool notifies the first administrator to log on about the infection, detection, and removal that occurred, using a Windows balloon dialog box message.

By default, MSRT only runs a quick scan, checking only the most common autorun areas. In extended mode, MSRT scans the local hard drive(s) and detected removable media as well. An extended scan can take hours to complete. Figure 1 shows a manual MSRT in progress.

Image from book
Figure 1: A manual MSRT scan in progress

With millions of users running the tool, Microsoft also uses MSRT to judge the prevalence of a particular malware program. Microsoft is able to collect near real-time statistics that impact how quickly they respond to new threats.

For instance, during the early days of the WMF exploit ( in January 2006, several security Web sites and media outlets published stories indicating that millions of computers were being infected by the WMF exploit. A high-risk outbreak would force Microsoft to develop and release a patch to the detriment of patch's quality.

Microsoft included WMF worm detection in MSRT and discovered only 16 infected computers out of millions of computers-an infection rate of 0.000016 in a million. Using facts, and not hyperbolic speculation, Microsoft slowed down the patch response time, and delivered a quality patch. Microsoft continues to use MSRT to assist in setting appropriate patch development response times.

New tool updates are kept as small as possible. When a user with a previous version of the tool installed is detected, only the delta updates are downloaded (when using Windows Update/Microsoft Update and Automatic Updates). Delta updates save approximately 1MB per user or download.

MSRT can be installed using normal software push mechanisms, and is fully scriptable. It can be rolled out using SMS and monitored and executed using WMI and other scripting interfaces.

If MSRT finds an infection, it removes the malware and reports the findings (see Figure 2). Unfortunately, MSRT does not tell you at what location the malware was detected. Hopefully, in future versions Microsoft will add more details.

Image from book
Figure 2: MSRT informs you when it finds and removes malware.

When malware is found, relevant computer and malware information is sent back to Microsoft (except on WSUS delivered versions). According to Microsoft, the information sent to it is only used to allow the Microsoft Anti-malware team to better serve its customers.

Top 10
Review : Sigma 24mm f/1.4 DG HSM Art
Review : Canon EF11-24mm f/4L USM
Review : Creative Sound Blaster Roar 2
Review : Philips Fidelio M2L
Review : Alienware 17 - Dell's Alienware laptops
Review Smartwatch : Wellograph
Review : Xiaomi Redmi 2
Extending LINQ to Objects : Writing a Single Element Operator (part 2) - Building the RandomElement Operator
Extending LINQ to Objects : Writing a Single Element Operator (part 1) - Building Our Own Last Operator
3 Tips for Maintaining Your Cell Phone Battery (part 2) - Discharge Smart, Use Smart
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 1)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 2)

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010 (Part 3)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8