Helping people with computers... one answer at a time.

Microsoft's Malicious Software Removal Tool is downloaded and updated periodically by Windows Update. It's not an complete anti-malware solution.

This Malicious Software Removal Tool which Microsoft sends around every month; usually, I download this tool and have it installed automatically, but I really do not know what it is doing. Is it doing it automatically or does it have to be activated?

I once downloaded this tool as a separate item and then I could run it on it's own, however, I ended up in Windows Defender. Does that mean that this tool is a part of Windows Defender and sort of an update? I could not find anything about this in all my computer books.

Microsoft's "Malicious Software Removal Tool" is somewhat mysterious. It shows up in Windows updates, apparently gets installed, and then ...


Not quite. Let's look at what Microsoft says, how I interpret it, and just what the MSRT does.

Here it is, straight from the horses mouth:

The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software-including Blaster, Sasser, and Mydoom-and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.

But what does that mean? Is it an anti-virus tool? Anti-spyware? Do you still need those if you have this?

My take is that it's a little of each, but not a replacement for either.

"I believe that the MSRT exists in part because even after all this time many people do not run anti-malware tools."

First, realize that the definitions of "spyware" and "virus" are somewhat arbitrary, and blurry. Many things we think of as one are really the other, or even some blend of both.

That's why the term "malware" is actually more accurate: malicious software. The term covers both.

I believe that the MSRT exists in part because even after all this time many people do not run anti-malware tools. They should, but they don't. The MSRT focuses on the most prevalent, the most malicious, and removes them when found. It doesn't scan regularly, look for updates or monitor or anything like that, it just runs, looks for a specific and pre-defined set of known threats and removes them.

And it's part of Windows Update so that more people will get it, automatically, when they take updates to Windows.

It's unclear exactly how often MSRT runs - the wording on the site actually implies that it only runs once a month, presumably when it's updated.

One thing that is clear is that it reports back to Microsoft what it finds. Note that this is anonymous - nothing about you or your system is included. It's used by Microsoft to track the rates at which various malware are being found. Once again, quoting Microsoft:

The Malicious Software Removal Tool will send basic information to Microsoft if the tool detects malicious software or finds an error. This information will be used for tracking virus prevalence. No identifiable personal information that is related to you or to the computer is sent together with this report.

The MSRT does not have to be activated, it just runs when it runs.

It's not a replacement for anti-virus and anti-spyware software. You still need to make sure that you have appropriate anti-malware tools installed and running in addition to whatever the MSRT might be doing.

Article C3577 - November 28, 2008 « »

Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

Just J
November 29, 2008 10:24 AM

Hi Leo

My guess also is that MSRT runs each time it's updated.

I've noticed that it takes longer & longer to 'install' each update, so I realised that it was probably running the scan each time. (Taking longer as it has more to scan for, I would assume).

November 29, 2008 5:39 PM

Do you think it actually scans your entire disk, or looks into directories where Blaster, Sasser, and Mydoom (for example) are usually installed?

I think it just takes a look at specific registry entries (or directories) and deletes them if they indeed pertain to those types of infections (or maybe restores entries that have been modified). I doubt it scans the drive like Windows Defender would for example, because MS has to ask for your permission first for something like that.

Just me thinkin out loud :)

I think it's pretty clear from Microsoft's description that it's only looking for certain things in certain places.
- Leo
Nelson Webber
December 2, 2008 8:33 AM

I wonder if one could run it if one wished. Also, any idea where it might be found? I checked inside Program Files and of course, it wasn't there. That didn't really surprise me, but not finding it in the Control Panel did.
Any suggestions?
Many thanks!

December 2, 2008 8:34 AM

You say (in bold type even) that the reporting is anonymous. Unless you are connecting through an anonymizing proxy this is never true - your IP address is an essential part of the communication. And there are lawyers arguing that anything sent from an IP address that you pay for is your responsibility - even if you have no knowledge of what was being sent.

Diane Louw
December 2, 2008 9:02 AM

Well something must be wrong then on my side as i have MSRT and my email still tells me that i have Win32:Mydoom-M [Wrm]) I thought MSRT would take care of this but todate it has not. Does anyone have any suggestions as to how i can get MSRT to remove Win32:Mydoom-M [Wrm])? Many thanks for the great newsletter..

I don't think you can make it do anything that it doesn't do. I'd look into getting a good anti-virus program to do it for you.
- Leo

December 2, 2008 9:12 AM

will ms malicious software remove win32/heur. if it cannot is there any other antivirus that can remove this particular virus or trojan or malware which i am not sure

December 2, 2008 10:20 AM

I think it's pretty clear from Microsoft's description that it's only looking for certain things in certain places.
- Leo
I think that MSRT is looking for non MS programs that emulate MS programs AND TO REMOVE THOSE!

Daemon Singer
December 2, 2008 1:48 PM

I refuse to download it and that has generally related to Windows Defender, which is just treated as another non required Microsoft add-on.
I reckon if you are doing things that make spyware/malware, call it what you will, then you should use a properly constructed malware management suite such as CA, or even better, that plus a specific anti-spy such as spyhunter.
Problematically, most people don't want to pay for protection and that decision, in my experience can be very expensive.
One of the biggest income streams in my organisation is spyware removal (manual and machine based), and supporting people who refuse to spend money on the internet to protect themselves.

Glenn P.
December 2, 2008 9:24 PM

Nelson Webber wrote: "I wonder if one could run it if one wished. Also, any idea where it might be found?"


N.B. that's just for this month, though -- the Knowledgebase number changes with each edition, and the corresponding URL along with it.

Hope that helps! :)

December 2, 2008 10:22 PM

The MRT is an 'On-Demand' scanner. It is pretty efective:
It is offered via the Microsoft Windows Update site once per month and it will scan your OS at the time it is downloaded/re-booted.

It also can be run at any time whenever you like.

Click Start==>Run... then type (or copy/paste) "MRT.exe" (w/out quotation marks) into the box, then click the 'OK' button.
Follow the prompts.



Command Line Switches...
/q or /quiet -- execute without GUI
/? or /help -- displays command line switches
/n -- detect mode only
/f -- force a full scan
/f:y -- force a full scan and automatically clean infections found

MRT is much like McAfee's Stinger. It has a limited sub-set target list. However unlike Stinger it is updated monthly and is downloaded on Patch-Tuesday as well as can be manually downloaded.

MRT can be used as a valuable supplemental 'On-Demand' scanner.

Kenneth Crook
December 6, 2008 6:30 PM

Malicious Software Removal Tool can be downloaded and run separately. Go to the default home page and download it. Each month it has the newest version. Once downloaded you can run it anytime you want, as many times as you want. I run it once a week when I do my full Norton Antivirus and Windows Defender scans.

Susan James
December 7, 2008 9:51 PM

Thanks for the article. Thx. to Kyle and Kenneth, too, this was very helpful!I wondered when this tool scanned myself. Now I know how to use it and where to get it.

December 16, 2008 3:21 PM

Whether MSRT is or isnt part of Windows Defender, WD is a great program. Its set out well has extra features ( I know the features are native to Xp ) but for those that dont know that , theyre introduced to them by WD. Its free, its Windows, it works great, so whats the problem?

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to to ask your question.