Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Just what is the Malicious Software Removal Tool that I keep getting in Windows Updates?


This Malicious Software Removal Tool which Microsoft sends around
every month; usually, I download this tool and have it installed
automatically, but I really do not know what it is doing. Is it doing
it automatically or does it have to be activated?

I once downloaded this tool as a separate item and then I could run
it on it’s own, however, I ended up in Windows Defender. Does that mean
that this tool is a part of Windows Defender and sort of an update? I
could not find anything about this in all my computer books.

Microsoft’s “Malicious Software Removal Tool” is somewhat mysterious.
It shows up in Windows updates, apparently gets installed, and then


Not quite. Let’s look at what Microsoft says, how I interpret it,
and just what the MSRT does.


Here it is, straight from the horses mouth:

The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software-including Blaster, Sasser, and Mydoom-and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed.

But what does that mean? Is it an anti-virus tool? Anti-spyware? Do you still need those if you have this?

My take is that it’s a little of each, but not a replacement for either.

“I believe that the MSRT exists in part because even after all this time many people do not run anti-malware tools.”

First, realize that the definitions of “spyware” and “virus” are somewhat arbitrary, and blurry. Many things we think of as one are really the other, or even some blend of both.

That’s why the term “malware” is actually more accurate: malicious software. The term covers both.

I believe that the MSRT exists in part because even after all this time many people do not run anti-malware tools. They should, but they don’t. The MSRT focuses on the most prevalent, the most malicious, and removes them when found. It doesn’t scan regularly, look for updates or monitor or anything like that, it just runs, looks for a specific and pre-defined set of known threats and removes them.

And it’s part of Windows Update so that more people will get it, automatically, when they take updates to Windows.

It’s unclear exactly how often MSRT runs – the wording on the site actually implies that it only runs once a month, presumably when it’s updated.

One thing that is clear is that it reports back to Microsoft what it finds. Note that this is anonymous – nothing about you or your system is included. It’s used by Microsoft to track the rates at which various malware are being found. Once again, quoting Microsoft:

The Malicious Software Removal Tool will send basic information to Microsoft if the tool detects malicious software or finds an error. This information will be used for tracking virus prevalence. No identifiable personal information that is related to you or to the computer is sent together with this report.

The MSRT does not have to be activated, it just runs when it runs.

It’s not a replacement for anti-virus and anti-spyware software. You still need to make sure that you have appropriate anti-malware tools installed and running in addition to whatever the MSRT might be doing.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

13 comments on “Just what is the Malicious Software Removal Tool that I keep getting in Windows Updates?”

  1. Hi Leo

    My guess also is that MSRT runs each time it’s updated.

    I’ve noticed that it takes longer & longer to ‘install’ each update, so I realised that it was probably running the scan each time. (Taking longer as it has more to scan for, I would assume).

  2. Do you think it actually scans your entire disk, or looks into directories where Blaster, Sasser, and Mydoom (for example) are usually installed?

    I think it just takes a look at specific registry entries (or directories) and deletes them if they indeed pertain to those types of infections (or maybe restores entries that have been modified). I doubt it scans the drive like Windows Defender would for example, because MS has to ask for your permission first for something like that.

    Just me thinkin out loud :)

    I think it’s pretty clear from Microsoft’s description that it’s only looking for certain things in certain places.

    – Leo
  3. I wonder if one could run it if one wished. Also, any idea where it might be found? I checked inside Program Files and of course, it wasn’t there. That didn’t really surprise me, but not finding it in the Control Panel did.
    Any suggestions?
    Many thanks!

  4. You say (in bold type even) that the reporting is anonymous. Unless you are connecting through an anonymizing proxy this is never true – your IP address is an essential part of the communication. And there are lawyers arguing that anything sent from an IP address that you pay for is your responsibility – even if you have no knowledge of what was being sent.

  5. Well something must be wrong then on my side as i have MSRT and my email still tells me that i have Win32:Mydoom-M [Wrm]) I thought MSRT would take care of this but todate it has not. Does anyone have any suggestions as to how i can get MSRT to remove Win32:Mydoom-M [Wrm])? Many thanks for the great newsletter..

    I don’t think you can make it do anything that it doesn’t do. I’d look into getting a good anti-virus program to do it for you.

    – Leo
    I think it’s pretty clear from Microsoft’s description that it’s only looking for certain things in certain places.
    – Leo
    I think that MSRT is looking for non MS programs that emulate MS programs AND TO REMOVE THOSE!

  7. I refuse to download it and that has generally related to Windows Defender, which is just treated as another non required Microsoft add-on.
    I reckon if you are doing things that make spyware/malware, call it what you will, then you should use a properly constructed malware management suite such as CA, or even better, that plus a specific anti-spy such as spyhunter.
    Problematically, most people don’t want to pay for protection and that decision, in my experience can be very expensive.
    One of the biggest income streams in my organisation is spyware removal (manual and machine based), and supporting people who refuse to spend money on the internet to protect themselves.

  8. The MRT is an ‘On-Demand’ scanner. It is pretty efective:
    It is offered via the Microsoft Windows Update site once per month and it will scan your OS at the time it is downloaded/re-booted.

    It also can be run at any time whenever you like.

    Click Start==>Run… then type (or copy/paste) “MRT.exe” (w/out quotation marks) into the box, then click the ‘OK’ button.
    Follow the prompts.



    Command Line Switches…
    /q or /quiet — execute without GUI
    /? or /help — displays command line switches
    /n — detect mode only
    /f — force a full scan
    /f:y — force a full scan and automatically clean infections found

    MRT is much like McAfee’s Stinger. It has a limited sub-set target list. However unlike Stinger it is updated monthly and is downloaded on Patch-Tuesday as well as can be manually downloaded.

    MRT can be used as a valuable supplemental ‘On-Demand’ scanner.

  9. Whether MSRT is or isnt part of Windows Defender, WD is a great program. Its set out well has extra features ( I know the features are native to Xp ) but for those that dont know that , theyre introduced to them by WD. Its free, its Windows, it works great, so whats the problem?


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.