If you check what updates are installed on your computer through Windows Update every month, you may have noted the critical update KB890830 (Windows Malicious Software Removal Tool). This update contains the latest version of Windows Malicious Software Removal Tool (MSRT) by Microsoft. This tool can scan and clean your computer for viruses, trojans, worms and other malware. MSRT is available for all supported Windows versions (including Windows 7 which is currently not supported).
You can install/update MSRT automatically via Windows Update, or manually download and install the Windows Malicious Software Removal Tool (KB890830) from the Microsoft update catalog (https://www.catalog.update.microsoft.com/Search.aspx?q=KB890830).
To use the Windows Malicious Software Removal Tool, run this command:
mrt.exe
3 scan types are available:
- Quick scan – a quick scan of memory and system files that may be infected the most often. If a virus or a trojan is detected, the tool will offer to perform a full scan;
- Full scan – a full device scan (it may take up to several hours depending on the number of files on a disk);
- Customized scan – in this mode you can specify a folder to be scanned.
Select the scan type you want and wait till the scan is over.
If no infected files are found, the tool will show the message “No malicious software was detected”. If you click “View detailed results of the scan,” the list of malware which signatures have been looked for will be shown and scan status for each of them.
- At least one infection was found and removed;
- Malicious software was found, but it was not removed. This message is displayed if suspicious files were detected on a computer. To remove them, you should use an antivirus app;
- Malicious software was detected and partially removed. To remove it completely, you should use an antivirus.
MSRT saves a detailed scan log to the file: %WinDir%\Debug\mrt.log.
Microsoft Windows Malicious Software Removal Tool v5.88, (build 5.88.18031.1) Started On Wed Apr 14 09:14:53 2021 Engine: 1.1.17900.7 Signatures: 1.333.1197.0 MpGear: 1.1.16330.1 Run Mode: Scan Run From Windows Update Results Summary: ---------------- No infection found. Successfully Submitted MAPS Report Successfully Submitted Heartbeat Report Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 14 09:20:49 2021 Return code: 0 (0x0)
Note the last line of the log (Heartbeat Report). As you can see, Malicious Software Removal Tool sends a report to Microsoft (MSFT says it is anonymous). You can disable sending scan reports to Microsoft through the registry. Create a REG_DWORD parameter with the name DontReportInfectionInformation and value 1 under the reg key HKLM\SOFTWARE\Policies\Microsoft\MRT.
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
MRT.exe has several command line options you can use to scan computers in a corporate network (using SCCM, GPO or similar tools).
/Q– to run the tool in quiet mode (in the background without the graphic interface)/N– to enable the detection mode (the tool only scans for malicious software without removing)/F– to start a full computer scan/F:Y– to start a full scan of a computer and remove infected files automatically
To automatically scan the computer, a special MRT_HB task in the Task Scheduler is used (Task Scheduler Library -> Microsoft -> Windows -> RemovalTools).
The task runs mrt.exe with /EHB /Q (it is interesting that /EHB options are not described in the official documentation, there is no mention about them in the help).