What is Windows Malicious Software Removal Tool (mrt.exe) and how to use it


The Windows Malicious Software Removal Tool was always a very enigmatic Windows Update for me. I always installed it both on my Windows XP and Windows Vista PCs and never really understood how it works and if it works. After I installed it, I did not see any new shortcuts or programs running in the background, not even new notification messages. It was as if I installed an update which did not do anything.

Recently, I went to one of my friend's house and installed Windows Vista on his PC. Of course, Windows Update installed Windows Malicious Software Removal Tool on his PC as well. When he asked me about this tool and how it works, I was not able to give him any answers. To answer his questions and any of your questions about this tool, I decided to do a little digging and write this article to share with you all there is to know about the Windows Malicious Software Removal Tool.

What is Windows Malicious Software Removal Tool (mrt.exe)?

Microsoft Windows Malicious Software Removal Tool is basically a free tool which helps to remove specific malicious software from computers which run Windows operating systems, including all versions of Windows Vista. This tool is updated on the second Tuesday of every month and it is distributed via Windows Update. After it is installed, it silently runs in the background and removes the malicious software that it finds. When the detection and removal process is complete, the tool generates a report describing the outcome of the scan. The report can be found in a log file named 'mrt.log' placed in the 'C:\Windows\Debug' folder.

Even though this tool helps you remove malicious software, it should never be used as a replacement for an antivirus program. That's because this tool has a very limited database of malicious software and searches only for specific threats. Also, it is updated on a monthly basis unlike antivirus solutions which are updated daily.



Where to find it

By default, the tool can be found in the 'C:\Windows\System32' folder. Once you open this location, search for a file called mrt.exe.

In Windows 10 you can find it by searching "mrt".

If you don't find this file, it means that this tool is not installed on your PC. In this case you can download it directly from the Microsoft Download Center. The 64 bit version can be found here.



How to use it in interactive mode

If you want to run this tool manually, go to the location mentioned above and double click the mrt.exe file. An easier way is to type mrt.exe in the Start Menu Search Box or in the Run window.

Alternatively, you can download the Windows Malicious Software Removal Tool Shortcut we have attached to this article, place it on your desktop and use it each time you want.

When the tool starts, you will receive an UAC prompt. Click Continue and the tool will start.

When you see the Welcome window, click Next.

Windows Malicious Software Removal Tool

Now you need to select the type of scan you want the tool to perform. You have three possible options: Quick scan, Full scan and Customized scan. If you did not scan your PC before and you don't have a reliable antivirus solution installed, you might want to select Full scan. Once you selected the option you prefer, click Next.

Windows Malicious Software Removal Tool

The tool will start to scan your computer and show you the status of the scan.

Windows Malicious Software Removal Tool

When finished you will see the results. In my case, no malicious software was detected. Now click Finish and the tool will close.

Windows Malicious Software Removal Tool



How to use it from the Command Prompt

You can use this tool from the Command Prompt as well. To use it, right click the Command Prompt shortcut and select 'Run as administrator.

Windows Malicious Software Removal Tool

Now type 'mrt.exe ' followed by one of these possible switches:

  • /Q or /quiet - runs the tool in quiet mode. This option suppresses the user interface completely;
  • /N - runs in detect-only mode. In this mode, any detected malicious software will be reported but it will not be removed;
  • /F - performs a full scan of the computer without removing any infections that are found;
  • /F:Y - performs a full scan of the computer and automatically cleans all the found infections;
  • /? or /help - displays usage information.

Windows Malicious Software Removal Tool

If you are running the tool in quiet mode, you can find the log file mrt.log in the 'C:\Windows\Debug' folder. To easily open this file, you can download the attached shortcut, place it on your desktop and double click on it.



Related articles:
Windows Defender
Windows Firewall
How to work with the new Windows Update



Comments

Malicious Software Removal Tool

Having read your expalnation of what this tool does what is the point of taking this download if you have a good anti-virus software programme installed like i am running avg pro which like you say is updated daily

MRT

It is supposed to be able to detect and remove rootkits and botnets (especially botnets). Something that other AV software may not do.

Malicious Software Removal Tool

Thanks for the explanation. #2 :) very informative.

NOT!

I downloaded this tool, from an official ms mirror, a secure one.
I executed it in a virtual machine, and 10 min later infected it with a very easy to remove (but potentially deadly) bot.
it never found it. not even when i put it in the root folder, still says not infected, this bot is even in MRT's db. still didnt find it.

Did you miss the part where

Did you miss the part where the article said it seeks out a very limited and specific set of infections.

The tool is not meant to replace a proper antivirus, it is meant to supplement and assist whatever your current antivirus may be.

So if the bot you infected your virtual machine was not on the list of the type this program is meant to find and remove then it is no wonder that it was not detected. Especially since this program is likely not designed to search for malicious software that your regular anti-virus would 'find and remove'

MRT

I appreciate the time you took to explain this piece of software. However there is an aspect that you don’t mention and is hard to find on the web.

Even if I don’t want this software Microsoft continues to try and force me to install it.

I currently do NOT have MRT.exe on my machine (xp pro) yet each month MS lists this as a download that is pre checked so that if I use the express download option it would automatically get installed. I’m a little annoyed at this because I feel the MS Update Center should only update existing software on my system, not install new software. Also, new software should never install automatically. It should always ask permission and allow me to opt out of this and future installs. MRT.exe doesn’t do any of this.

I can, and have, checked the little box that says never ask me again about this file but guess what? Since the date is part of the file name then when the next update comes along it considers the file as something new and so wants to download it again.

Also, I noticed that Vista machines don’t seem to have this little checkbox. On my wife’s vista machine if the MRT is the only download and I uncheck it then the OK button gets grayed out and my only option is to cancel which means that the box is left as checked. It appears that on Vista machines MS is forcing you to accept this download no matter what.

If another company was continually trying install a piece of software that I didn’t want, didn’t ask my permission and doesn’t give me a way to opt out of the install I would call that software either spam or a virus.

accept the install of the

accept the install of the malicious software removal, you'll get a license agreement, select decline and you will have the option to "never ask me for this update again" check box

Very Bad Advice

MRT was designed to remove a very limited set of virus/malware programs that interfere with the normal Windows Update process. Remember back in the day when updates would fail all the time and sometimes crash your system? That's because you were infected and it caused the update to fail, and LOTS of support requests to MS - for something that was not their doing.

The MRT solves that problem. It seeks out specific, highly prevalent malicous software. It is run once a month (during the normal 2nd Tuesday updates) prior to the updates being "installed", usually during the reboot.

The MRT is an essential tool to making sure your Windows Update process completes successfully and does not "brick" your system. No one visiting this site (it's for beginners after all) should disable MRT using the instructions given above.

Very Bad Advice????

You write: "MRT was designed to remove a very limited set of virus/malware programs that interfere with the normal Windows Update process .... The MRT is an essential tool to making sure your Windows Update process completes successfully ... No one visiting this site ... should disable MRT using the instructions given above."

This sounded authorative, at first, but then, hang on, MRT removes ONLY a subset of well known Virus/Malware and 1) There is no mention of the rationale in the details MS give. It sounds like a great rationale to me so why not? 2) Any decent virus/malware program will have already removed these threats (IF they are present) If it/they haven't THAT is the problem. 3) Why doesn't MS make sure AV etc program makers are advised of any viruses they'd like removed ...?

I have, I think, a very good set of malware detection and removal tools (eg Malawarebytes, Spybot) a good antivirus program (Avast) and a fine firewall (Privatefirewall). I also use Firefox (never IE) and have the NoScript addon. I scan periodically using the F-Secure online facility. My "proof" of the efficiency of my security is that I have to date never had any infection. This is in a way irritating as I would love my MS problems to have come from some common virus or malware!

Rather than go to the trouble of designing a special piece of software for a (generally) non-existant problem (assuming most people have decent enough anti-virus etc progs installed) it would have been more efficient to simply check for the presence of specific viruses that would hamper any update process AS A PART OF THAT update process, and then to notify the user IF there was a problem. If there were a problem MS could ask if the user wanted the virus/malware removed by MS or their own AV/malware etc progs. The user could then a) check with their own AV etc progs and if they have failed get a better system, b) never believe MS again if they're none present, c) let MS have it away with their system.

Software companies are businesses not philanthropic charities. Ethics etc are an optional extra. Bearing in mind both the way that MS came to power and has maintained that power, should give everyone pause for thought when blindly trusting that they (the user) can trust that they (MS) will look after their (the user's) interests. What is truer is that that they (the user) can trust that they (MS) will look after their (MS's) interests.

There seems NO LOGIC to justify installing the tool, and none that justifies the WAY that it is promoted and published by MS. In fact logically the conclusion would have to be more foul play from MS.

Malicious Removal Tool is a dollar short & day Late

I don't know if it's "VERY" bad advice but it sure sounds bad, because frankly I don't think it goes far enough, cuz I just got punked by a surreptitious piece of software that installed a toolbar I didn't want or need called "Funmoods", and almost lost my mind trying to get rid of! "Funmoods" is an unqualified exemplar of the question begging the issue "if another company was continually trying install a piece of software that I didn’t want, didn’t ask for, and doesn’t give me a way to opt out, I would call that software either spam or a virus (or in this case "Funmoods"). Now to give vendors of malware an even break in the off-chance a user actually wanted to keep a POS software on their machine widely considered malicious, I guess MRT could ask the user just before deleting it, whether the user wanted to keep the suspect or malicious software or not -- but like i said, I don't think MRT goes far enough, and it's not updated enough either, and I have a top name broad scale antivirus and security program too, so don't tell me MRT wouldn't be necessary if everybody had their own security software, my security program didn't catch it or remove it, and their support team in Gawd-Knows-Where didn't help either, as usual they were polite and virtually useless, and I had to do the research and get rid of it myself. There should be MORE Malicious Software Removal Tools under Windows and they should be aggressively updated, annotated, and their targets indexed by name.

I have a question on this.

I have a question on this. If I was running a pirated copy of Office, would this tool also find that?

No. It wouldn't!

No. It wouldn't!

yes it does, it finds pirated

yes it does, it finds pirated windows and office and locks the comp and refers u to a phone number to purchase microsoft software legally

mrt.exe

I seem to have several folders in the root of my c drive, with class id like names that contain different versions/sizes of this executable. System is XP Pro SP3, should I delete these various entries, or will microsoft eventually remove them or just continue to add further versions add-infinitum 'til my hard drive fills up?

Delete

It should be ok to delete those older versions.

MRT

I'm late to this discussion but agree with the idea that we all should be able to permanently opt out of non-critical MS software such as the MRT.
Everything running on a PC takes resources and also has the risk of failing and causing down time. Each user or support team (home / office) should have the freedom to control and monitor the installation of non-essential software that could affect system performance. So MS needs to either designate it as critical to their OS and ALWAYS install it OR make it easier to block and forget about it. Every month we have to kill this "update" from installing on our servers. The sad thing is MS is pretty smart about this stuff so that only leaves me with the thought this it is a marketing ploy of some kind that eventually will come to light and wipe out half their endpoint protection competitors due to it's integration into our mostly "MS World". Remember, this is one update that asks that we "agree" with a licensing agreement.....hmmmm, why is that? It's a "free" application, not an update.

MRT spyware

If you care to read the agreement...hang on, that's ridiculous, no one reads them, why do they force this on users. Keep googling and you may reveal why MS want you to run this application. It provides very useful information about your PC and how you use it.
I have never seen this tool detect anything so much as a cookie on my PC much less spyware. Maybe it should detect itself!

thanks

Hey, this was indeed helpful, i now know what's this all about.hopefully, i wont have to use it

Question?

Could a virus pose as this software?

MRT,exe

I have just recently had a window to send Windows Info on C:\Windows\system32\MRT.exe needing checked for use with windows[ not quoted per notice] sent. Log file says 0 , Why am i sending info and what info to WHO?

Big Brother

If you bother to read the license agreement, you will see that it is Microsoft who determines what software this tool will remove from your computer. That is, it can and will remove any software that Microsoft thinks is not appropriate. That is why they need a new license agreement, because that is not within the normal license. Yes, it may do something about viruses as well, but it is mainly a tool for Microsoft to control what you can and cannot install on your computer. With your approval, because you signed the license agreement.
Big Brother on stereoids.

MRT.exe in a weird folder location?

Hello everyone,

I hope someone can help me here.
I am running Windows Vista Home Premium
Service Pack2 on a 64bit OS

My MRT.exe file is located in a folder titled 19a09944c6a71dc4d58e
when i first click on my harddrive c:

MRT.exe is the only file in the folder and i thought it was really weird,
should it be in a program files folder or something that seems like the right place for it why is it in its particular location? There is a folder with a similar weird letter/number combination below that^ folder but there is nothing in it.

I am worried that it may be malicious software like a virus or something.
I have a premium security suite and all my windows update installed so I feel i am secure to some extent(as much as i can be for a windows OS lol).

Can someone please help me or share your thoughts it will be very much appreciated!

Thank you very much!

MRT i weird folders

Hi, I have had similar thoughts.

It seems like these folders are spread out by Vista. I understand (by googleing the subject) that the MRT exefile is downloaded once a month and only used used once. It should be found in C:\Windows\System32.

Other locations are not default, and bad contents have been reported according to google answers.

I ran Mbam just in case but it found nothing. So I just deleted all these weird folders containing MRT.

Why they are spread out like this is hard to say, but Vista is by default having Pagefiles spread out over all HDDs' partitions present.

I have for privacy reasons chosen to remove the ticks (in advanced system settings) from all partitions exept C: (System partition), in order to have paging only on C:

Since then the MRT spread-out seems to have stopped.

Remains to be seen if this is a coincidence though - I can't tell yet.

Hope this was helpful.

malicious removal tool

I believe this update will spoil your machine if you are not using a genuine version of windows XP.
That is it will add a screen that shouts PIRATE when you log on and sugests you call microsoft to report where you bought your copy etc.
Am I right?

MRT

MRT= Microsoft Rootkit tool
If you like to have a program that does not do what it says, and tracks state of your OS and then sends out secret data to M$..
Then this is for you!

mrt.exe

Is it OK to remove mrt.exe? will it cause problems? I have Windows 7. I checked my system resource usage, and this thing takes up a huge amount of resources while apparently duplicating monthly what my Norton 360 already does daily. I'm willing to take a chance and get rid of it, if it won't mess up anything else to remove it. any advice on proper removal and how to keep it from re-inserting every month would be really helpful. thanks.

the truth about windows software removal tool

The truth is that this software has a limited database at best. It is my 'opinion' that this tool was developed for one purpose and one purpose only, to keep people from pirating MS Windows software and other MS products. This is why MS tries to keep it in the updates even though it isn't really needed (again, in my 'opinion'). MS Windows protects itself from piracy of it's products in three (3) basic ways.

1. Product Installation Key of varying types - VLK for volume license key, DLK for Developer (checked against it's servers, where your machine is considered pirated if the key is ever blacklisted).
2. Activation depending on which version you have.
3. Windows Genuine Advantage program verified by the.... you guessed it "Windows Malicious Software Removal Tool".

I hope you enjoyed reading. In my 'opinion', you have a legal right to know what it is that the software does.

Windows Malicious Software Removal Tool

Hi. Great article. Quick question, when I decided to run it, how come it scanned over 300,000 files while my McAfee A/V only scanned over 79,000 files? Is this accurate? Why would Windows Malicious Software Removal Tool seem to scan more files than McAfee?????

Wrong, the main hidden

Wrong, the main hidden purpose microsoft has for this program is to Lock pirated copies of windows and office, it considers both of them "malicious" and will freeze lock your computer and give u a number where u can purchase a ligitimate copy! i have witnessed this firsthand.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options