Malicious Software Removal Tool
The Windows Malicious Software Removal Tool (MSRT) is a free Microsoft utility designed to detect and remove specific prevalent malware, such as viruses, worms, and Trojans, from Windows-based computers, while also reversing changes made by these threats.[1] First released in January 2005 as version 1.0, MSRT has been updated monthly on the second Tuesday of each month through Windows Update or as a standalone download, with the November 2025 release marking version 5.137.[1] The tool targets a curated list of high-impact malware families, including recent threats like NetFleek, ShadowLink, RogueSpy, and KaziBora, but it is not intended as a full antivirus solution and should be used alongside comprehensive security software.[1]
MSRT operates by scanning the system for targeted threats, typically in a quiet mode during automatic updates, and provides notifications for any detections; users can also run it manually via the mrt.exe executable with options for full scans or quick checks.[1] It supports Windows 11, 10, 8.1, 7, and various Server editions up to 2022, but excludes older platforms like Windows Vista and Server 2008 after May 2025, as well as mapped network drives from scans.[1] Key features include command-line switches for customized scans (e.g., /F for forced full scan), anonymous reporting of infection data to Microsoft, and availability in 24 languages, though it requires administrator privileges and may necessitate a system restart for complete removal.[1]
Despite its effectiveness against specific threats, MSRT has limitations, such as not providing ongoing real-time protection and potentially failing to remove all infections, for which Microsoft recommends tools like Windows Defender Offline or the Microsoft Safety Scanner.[1] In enterprise environments, it can be deployed via Group Policy or scripts to ensure consistent scanning across networks.[2]
Overview
Introduction
The Windows Malicious Software Removal Tool (MSRT) is a freeware utility developed by Microsoft to detect and remove specific, prevalent malware from computers running supported versions of Windows.[3] It functions as an on-demand scanner, complementing rather than replacing full-featured antivirus software by targeting a curated list of widespread threats such as worms, trojans, and rootkits.[1] First released on January 13, 2005, the tool has been updated monthly to address evolving malware landscapes, with the latest stable version, 5.137, issued on November 11, 2025.[3] It is licensed under freeware terms, making it accessible without additional cost to Windows users.[3]
MSRT supports 24 languages, automatically selecting the appropriate one based on the operating system's locale or defaulting to United States English if unsupported.[1] It is compatible with Windows 7 and later editions, including Windows 8.1, Windows 10, Windows 11, and various Windows Server versions up to 2022 (with support for Windows Server 2008 and 2008 R2 ending in May 2025), ensuring broad applicability across modern Windows ecosystems.[3][1]
Integrated into the Windows ecosystem, MSRT is automatically downloaded and executed monthly through Windows Update for routine checks, allowing users to also run it manually via standalone installation for targeted scans.[1] This supplementary role helps maintain system security by addressing threats that may evade primary defenses.
Purpose and Scope
The Windows Malicious Software Removal Tool (MSRT) serves as a specialized utility aimed at detecting and removing specific, widespread malware threats that may evade primary antivirus solutions. Its core objective is to address prevalent malicious software—such as viruses, worms, Trojan horses, and rootkits—that pose significant risks to Windows systems based on factors like infection rates and potential damage. By focusing on these high-impact threats, MSRT acts as a supplementary defense mechanism, helping to identify infections that persist despite standard protections.[1] Targeted at individual Windows users and enterprises, the tool provides a second-opinion scan for those seeking verification of system cleanliness or dealing with suspected persistent infections. It is particularly useful in environments where comprehensive real-time monitoring is already in place, offering an on-demand or scheduled check without replacing full antivirus suites. Enterprises can deploy it across networks to enhance overall malware remediation efforts, though it requires manual or automated invocation rather than continuous operation.[1][2] The scope of MSRT is deliberately narrow and non-comprehensive, concentrating on 258 prevalent malware families per monthly release to prioritize effectiveness over breadth. This targeted approach enables low false positive rates by limiting detection to well-characterized, high-prevalence threats rather than attempting to cover the entire malware landscape. Unlike real-time protectors, it performs periodic scans and does not provide ongoing monitoring, positioning it as a reactive tool within broader malware defense strategies.[1] A key aspect of its functionality is the reversal of malware-induced changes, including modifications to registry entries, system files, and configurations that could compromise security or performance. 
Upon successful removal, MSRT restores these elements to their pre-infection state where possible, reducing the need for extensive manual cleanup and minimizing residual risks. This emphasis on remediation underscores its role in supporting recovery from known threats without introducing unnecessary system disruptions.[3]
History
Initial Development and Release
The Malicious Software Removal Tool (MSRT) was developed by Microsoft starting in late 2003, following the company's acquisition of GeCAD Software, a Romanian antivirus firm, which provided expertise in malware detection and removal technologies. This effort built upon earlier standalone tools, such as the Blaster Worm Removal Tool released in January 2004, which addressed infections from the Win32/Blaster worm and ultimately removed malware from over 10 million computers. The development occurred amid escalating malware threats, including widespread worms like Blaster (exploiting a 2003 DCOM vulnerability) and Sasser (emerging in 2004), which highlighted the need for targeted removal solutions to mitigate damage from entrenched infections on Windows systems.[4] The tool's initial release came on January 13, 2005, as knowledge base article KB890830 (version 1.0), available in 24 languages and compatible with Windows 2000, Windows XP, and Windows Server 2003. This debut version specifically targeted prevalent worms and viruses, including Blaster (Win32/MSBlast), Sasser (Win32/Sasser), Mydoom (Win32/Mydoom), and Zindos, focusing on scanning for and reversing changes caused by these threats. Motivations for MSRT centered on augmenting traditional antivirus software by providing a lightweight, no-cost utility for removing specific high-impact malware that could evade or persist despite standard protections, while also collecting anonymized data to inform Microsoft's broader security research. 
Unlike the contemporaneous Windows AntiSpyware (beta-released in January 2005, following Microsoft's acquisition of Giant Company Software in December 2004), which emphasized spyware and adware detection, MSRT addressed gaps in handling deeply rooted viruses and worms.[1][4]
From its launch, MSRT was integrated directly into Windows Update and Automatic Updates, enabling automatic delivery and execution on eligible systems without requiring user intervention beyond enabling updates. This seamless distribution facilitated rapid early adoption, with the tool executed approximately 2.7 billion times across 270 million unique computers in its first 15 months. By mid-2006, it had removed 16 million instances of malware from 5.7 million unique Windows computers, averaging one removal per 311 scanned systems and demonstrating significant impact against backdoor Trojans like Rbot and Sdbot, which accounted for a substantial portion of early detections. This release formed part of Microsoft's intensified security initiatives post-2003 vulnerabilities, aiming to bolster user protection through proactive, metric-driven malware response.[1][4]
Updates and Platform Support Changes
The Malicious Software Removal Tool (MSRT) has been updated monthly since its initial release in January 2005, typically on the second Tuesday of each month as part of Microsoft's Patch Tuesday cycle, with each update adding or removing detection for specific malware families based on their current prevalence.[1] These updates ensure the tool remains effective against evolving threats while optimizing performance on supported platforms.[3]
Key milestones in the tool's evolution include the end of support for Windows 2000 in July 2010, aligning with the operating system's extended support lifecycle conclusion, after which versions were no longer compatible with that platform.[5] Support for Windows XP was extended beyond its general end-of-support date in 2014 and continued until August 2016, with the final compatible version released that month.[6] Subsequent updates introduced optimizations for Windows 10 starting in 2015, enhancing scan efficiency and integration with the newer OS architecture, and further adaptations for Windows 11 in 2021 to address compatibility with its security features.[1] More recently, support for Windows Server 2008 and 2008 R2 ended in May 2025.[1]
Version progression spans from 1.0 in January 2005 to 5.137 in November 2025, encompassing approximately 251 releases over two decades.[1] Each standalone download is approximately 77 MB in size, reflecting the inclusion of detection engines and removal scripts.[3] As of 2025, the tool requires Windows 7 or later, including Windows 11 and corresponding Server editions from 2012 onward, ensuring alignment with Microsoft's active support lifecycle.[1] Enterprise deployment has been available via Windows Server Update Services (WSUS) since 2006, allowing administrators to manage and approve updates centrally.[7]
A distinctive aspect of these updates is the maintenance of backward compatibility, where new versions retain detection and removal capabilities for historical threats that remain prevalent, preventing the need for users to revert to older tool iterations.[1]
Availability
Distribution via Windows Update
The Malicious Software Removal Tool (MSRT) is integrated into Windows Update as the primary automated delivery mechanism, where it is downloaded and executed monthly on opted-in systems. This process aligns with Microsoft's Patch Tuesday schedule, occurring on the second Tuesday of each month (with occasional skips when no new threats require updates), ensuring users receive the latest version targeting newly prevalent threats without manual intervention.[1][3]
By default, the tool is enabled through Windows Update settings for automatic updates, running silently in quiet mode to minimize user disruption; it only prompts for interaction if malware is detected during the scan. Users can opt out by reviewing and declining the tool's license terms directly in the Windows Update interface, preventing its installation and execution.[1]
Full monthly updates deliver the complete executable, such as version 5.137 released on November 11, 2025, which includes enhanced detection capabilities for specific malware families. In cases where no new threats require updates, a lightweight stub file (Mrtstub.exe) is deployed instead, performing a rapid integrity check and self-deleting afterward to avoid unnecessary resource use.[1][8]
For enterprise settings, the MSRT supports bulk deployment via Windows Server Update Services (WSUS), allowing administrators to manage distribution across networks since the tool's initial releases in 2005. This method integrates seamlessly with existing update infrastructures, enabling scheduled executions and compliance monitoring without relying on individual user actions.[2]
Standalone Downloads and Installation
Users seeking manual access to the Windows Malicious Software Removal Tool (MSRT) can download standalone versions directly from the official Microsoft Download Center, providing an alternative to automated distribution through Windows Update.[1] The tool is available in separate packages for 32-bit (x86) and 64-bit (x64) architectures, ensuring compatibility with various Windows systems; the 32-bit version is accessible at https://www.microsoft.com/en-us/download/details.aspx?id=16, while the 64-bit version is at https://www.microsoft.com/en-us/download/details.aspx?id=9905.[9][3] These downloads represent the on-demand executable variant, distinct from the monthly full release integrated into Windows Update.[1]
To install and run the tool, users must download the appropriate executable file and execute it with local administrator privileges, as elevated rights are required for scanning and removal operations.[1] Upon launch, the tool prompts acceptance of the license terms and self-extracts to a temporary directory containing the core executable, mrt.exe, without performing a permanent installation on the system.[1] After completing its tasks, the temporary files are typically deleted automatically, though users can manually remove the directory if needed; this design allows for repeated use without residual components.[1]
The MSRT supports Windows 7 and later versions, including Windows 11, Windows 10, Windows 8.1, and corresponding Windows Server editions such as 2022, 2019, 2016, 2012 R2, and 2012, provided the system meets SHA-2 signing requirements introduced in November 2019.[1] Administrator privileges are mandatory, and the tool operates offline once downloaded, enabling use in environments without internet connectivity.[1] It provides multilingual support in 24 languages, automatically selecting the operating system's language or defaulting to U.S. English if unsupported.[1] This manual method contrasts with the passive delivery via Windows Update, offering greater control for on-demand scans.[1]
Operation
Scanning and Detection Process
The Malicious Software Removal Tool (MSRT) initiates scanning either automatically through Windows Update in a quiet mode, where it runs silently without user intervention, or manually by executing the downloaded mrt.exe file, which presents a graphical user interface with a progress bar indicating scan phases.[1] Detection relies primarily on signature-based matching to identify infections from a targeted set of prevalent malware families, scanning key system areas including files, registry entries, and running processes.[1] Unlike comprehensive antivirus solutions, MSRT does not incorporate behavioral analysis and focuses solely on known signatures for viruses, worms, and Trojan horses within its scope.[1]
Users can select between a quick scan, which examines common infection locations such as startup folders and system directories for rapid detection, and a full system scan, which covers all fixed and removable drives and is recommended if initial threats are found.[1] A full scan typically requires several hours to complete, depending on system hardware and storage size.[10] During manual scans, the tool notifies users of detections via the interface and may prompt for a full scan or further actions; it can also be run in Safe Mode by launching mrt.exe from %windir%\system32 to address persistent threats.[1]
Removal Actions and Logging
Upon detecting malware, the Malicious Software Removal Tool (MSRT) performs remediation by quarantining or deleting infected files, reversing malware-induced changes such as altered registry keys or browser settings, and prompting a system reboot if required to complete the process.[1] If the removal is partial or unsuccessful due to factors like insufficient permissions or persistent threats, the tool displays results indicating the outcome—such as "partially removed" or "not removed"—and offers guidance on manual steps for cleanup, while recommending the use of an up-to-date antivirus for ongoing protection.[1][2]
The MSRT maintains detailed records in a log file at %windir%\debug\mrt.log, capturing timestamps for scan start and end times, lists of detected threats with names like "Virus:Win32/MPnTestFile.2004", removal outcomes such as "Removed!" or "partially removed", and hexadecimal error codes like 0x00000000 for success or 0x80508007 for specific failures.[2][11]
These error codes, including 0x80508019 for missing scan destinations or 0x80508007 for low memory, enable troubleshooting by matching them to procedures such as retrying the scan, freeing resources, or redownloading the tool.[11]
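The log fields and error codes described above can be triaged mechanically. The following is an added example, not Microsoft's code and not part of the original article: it splits mrt.log text into runs and flags runs or detections that did not end cleanly. The sample log is constructed, its line layout is an assumption based on the fields the article lists, and `Trojan:Win32/ExampleFamily` is a placeholder name.

```python
import re
from datetime import datetime

# Result-code meanings as the article gives them; any other code maps to "unknown".
RESULT_CODES = {0x0: "success", 0x80508007: "low memory", 0x80508019: "scan destination missing"}
RUN_START = re.compile(r"^Microsoft Windows Malicious Software Removal Tool v([\d.]+)")
STAMP = re.compile(r"(Started|Finished) On (.+)$")
THREAT = re.compile(r"^Threat Detected: ([^\s,]+)(?:,| and) (.+?)[!.]?$", re.I)
RESULT = re.compile(r"Result: (0x[0-9A-Fa-f]{8})")
# Constructed sample; the line layout is an assumption, not copied from a real log.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool v5.137
Started On Tue Nov 11 09:00:00 2025
Threat Detected: Virus:Win32/MPnTestFile.2004 and Removed!
  Action: Remove, Result: 0x00000000
Microsoft Windows Malicious Software Removal Tool Finished On Tue Nov 11 09:04:10 2025
Microsoft Windows Malicious Software Removal Tool v5.137
Started On Tue Nov 11 13:30:00 2025
Threat Detected: Trojan:Win32/ExampleFamily, partially removed.
  Action: Remove, Result: 0x80508007
"""

def parse_mrt_log(text):
    """Split log text into runs with timestamps and per-threat outcomes."""
    runs = []
    for line in map(str.strip, text.splitlines()):
        if m := RUN_START.match(line):
            runs.append({"version": m[1], "started": None, "finished": None, "threats": []})
        elif not runs:
            continue  # ignore anything before the first run banner
        elif m := STAMP.search(line):
            runs[-1][m[1].lower()] = datetime.strptime(m[2], "%a %b %d %H:%M:%S %Y")
        elif m := THREAT.match(line):
            runs[-1]["threats"].append({"name": m[1], "outcome": m[2].lower(), "code": None})
        elif (m := RESULT.search(line)) and runs[-1]["threats"]:
            runs[-1]["threats"][-1]["code"] = int(m[1], 16)  # attach to latest threat
    return runs

def needs_follow_up(runs):
    """List (subject, reason) pairs for runs or detections that did not end cleanly."""
    findings = []
    for run in runs:
        if run["finished"] is None:  # scan was interrupted or the log is truncated
            findings.append((f"run v{run['version']}", "no finish timestamp"))
        for t in run["threats"]:
            if t["outcome"] != "removed" or t["code"] not in (0, None):
                meaning = RESULT_CODES.get(t["code"], "unknown")
                findings.append((t["name"], f"{t['outcome']}; {meaning}"))
    return findings
```

On a live system, read %windir%\debug\mrt.log and decode it to text before passing it to `parse_mrt_log`.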
The tool also transmits anonymized telemetry to Microsoft by default, encompassing the detected malware name, removal result, OS version, locale, processor architecture, tool version, and an anonymous GUID to inform threat prevalence tracking; additional file samples may be sent with user consent, and reporting can be disabled via a registry setting in enterprise setups (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT\DontReportInfectionInformation as DWORD value 1).[2]