Skip to main content

Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment

Microsoft has released the Microsoft Windows Malicious Software Removal Tool to help you remove specific, prevalent malicious software from a computer. 

Skip the details and download the tool
For more information about how to download the tool, go to the following Microsoft webpage:
The information that is contained in this article is specific to the enterprise deployment of the tool. We highly recommend that you review the following Microsoft Knowledge Base article. It contains general information about the tool and about the download locations. 


The tool is primarily intended for noncorporate users who do not have an existing, up-to-date antivirus product installed on their computers. However, the tool can also be deployed in an enterprise environment to enhance existing protection and as part of a defense-in-depth strategy. To deploy the tool in an enterprise environment, you can use one or more of the following methods:
  • Windows Server Update Services
  • Microsoft Systems Management Software (SMS) software package
  • Group Policy-based computer startup script
  • Group Policy-based user logon script
For more information about how to deploy the tool through Windows Update and Automatic Updates, click the following article number to view the article in the Microsoft Knowledge Base:
890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running supported versions of Windows
The current version of this tool does not support the following deployment technologies and techniques:
  • Windows Update Catalog
  • Execution of the tool against a remote computer
  • Software Update Services (SUS)
Additionally, the Microsoft Baseline Security Analyzer (MBSA) does not detect execution of the tool. This article includes information about how you can verify execution of the tool as part of deployment.
Code sample
The script and the steps that are provided here are meant to be only samples and examples. Customers must test these sample scripts and example scenarios and modify them appropriately to work in their environment. You must change the ServerNameand the ShareName according to the setup in your environment.

The following code sample does the following things:
  • Runs the tool in silent mode
  • Copies the log file to a preconfigured network share
  • Prefixes the log the file name with the name of the computer from which the tool is executed and with the user name of the current user. You must set appropriate permissions on the share according to the instructions in the Initial setup and configuration section.
REM In this example, the script is named RunMRT.cmd.
REM The Sleep.exe utility is used to delay the execution of the tool when used as a
REM startup script. See the "Known issues" section for details.
@echo off
call \\ServerName\ShareName\Sleep.exe 5
Start /wait \\ServerName\ShareName\Windows-KB890830-V5.20.exe /q
Note In this code sample, ServerName is a placeholder for the name of your server, and ShareName is a placeholder for the name of your share.
Initial setup and configuration
This section is intended for administrators who are using a startup script or a logon script to deploy this tool. If you are using SMS, you can continue to the "Deployment methods" section.

To configure the server and the share, follow these steps:
  1. Set up a share on a member server. Then name the share ShareName.
  2. Copy the tool and the sample script, RunMRT.cmd, to the share. See the Code sample section for details.
  3. Configure the following share permissions and NTFS file system permissions:
    • Share permissions:
      1. Add the domain user account for the user who is managing this share, and then click Full Control.
      2. Remove the Everyone group.
      3. If you use the computer startup script method, add the Domain Computers group together with Change and Read permissions.
      4. If you use the logon script method, add the Authenticated Users group together with Change and Read permissions.
    • NTFS permissions:
      1. Add the domain user account for the user who is managing this share, and then click Full Control.
      2. Remove the Everyone group if it is in the list.

        Note If you receive an error message when you remove the Everyone group, click Advanced on the Securitytab, and then click to clear the Allow inheritable permissions from parent to propagate to this objectcheck box.
      3. If you use the computer startup script method, grant the Domain Computers group Read & Execute permissions, List Folder Contents permissions, and Read permissions.
      4. If you use the logon script method, grant the Authenticated Users group Read & Execute permissions, List Folder Contents permissions, and Read permissions.
  4. Under the ShareName folder, create a folder that is named "Logs."

    This folder is where the final log files will be collected after the tool runs on the client computers.
  5. To configure the NTFS permissions on the Logs folder, follow these steps.

    Note Do not change the Share permissions in this step.
    1. Add the domain user account for the user who is managing this share, and then click Full Control.
    2. If you use the computer startup script method, give the Domain Computers group Modify permissions, "Read & Execute" permissions, List Folder Contents permissions, Read permissions, and Write permissions.
    3. If you use the logon script method, give the Authenticated Users group Modify permissions, "Read & Execute" permissions, List Folder Contents permissions, Read permissions, and Write permissions.
Deployment methods
Note To run this tool, you must have Administrator permissions or System permissions, regardless of the deployment option that you choose.
How to use the SMS software package
The following example provides step-by-step instructions for using SMS 2003. The steps for using SMS 2.0 resemble these steps.
  1. Extract the Mrt.exe file from the package that is named Windows-KB890830-V1.34-ENU.exe /x.
  2. Create a .bat file to start Mrt.exe and to capture the return code by using ISMIF32.exe.

    The following is an example.
    @echo off
    Start /wait Mrt.exe /q
    If errorlevel 13 goto error13
    If errorlevel 12 goto error12
    Goto end

    :error13
    Ismif32.exe –f MIFFILE –p MIFNAME –d ”text about error 13”
    Goto end

    :error12
    Ismif32.exe –f MIFFILE –p MIFNAME –d “text about error 12”
    Goto end

    :end

    For more information about Ismif32.exe, click the following article numbers to view the articles in the Microsoft Knowledge Base:
    268791 How a status Management Information Format (MIF) file produced by the ISMIF32.exe file is processed in SMS 2.0
    186415 Status MIF creator, Ismif32.exe is available
  3. To create a package in the SMS 2003 console, follow these steps:
    1. Open the SMS Administrator Console.
    2. Right-click the Packages node, click New, and then click Package.

      The       Package Properties dialog box is displayed.
    3. On the General tab, name the package.
    4. On the Data Source tab, click to select the This package contains source files check box.
    5. Click Set, and then choose a source directory that contains the tool.
    6. On the Distribution Settings tab, set the Sending priority to High.
    7. On the Reporting tab, click Use these fields for status MIF matching, and then specify a name for the MIF file name field and for the Name field.

      Version and Publisher are optional.
    8. Click OK to create the package.
  4. To specify a Distribution Point (DP) to the package, follow these steps:
    1. In the SMS 2003 console, locate the new package under the Packages node.
    2. Expand the package. Right-click Distribution Points, point to New, and then click Distribution Points.
    3. Start the New Distribution Points Wizard. Select an existing Distribution Point.
    4. Click Finish to exit the wizard.
  5. To add the batch file that was previously created to the new package, follow these steps:
    1. Under the new package node, click the Programs node.
    2. Right-click Programs, point to New, and then click Program.
    3. Click the General tab, and then enter a valid name.
    4. At the Command line, click Browse to select the batch file that you created to start Mrt.exe.
    5. Change Run to Hidden. Change After to No action required.
    6. Click the Requirements tab, and then click This program can run only on specified client operating systems.
    7. Click All x86 Windows Server 2003, and All x86 Windows XP.
    8. Click the Environment tab, click Whether a user is logged in the Program can run list. Set the Run mode to Run with administrative rights.
    9. Click OK to close the dialog box.
  6. To create an advertisement to advertise the program to clients, follow these steps:
    1. Right-click the Advertisement node, click New, and then click Advertisement.
    2. On the General tab, enter a name for the advertisement. In the Package field, select the package that you previously created. In the Program field, select the program that you previously created. Click Browse, and then click the All System collection or select a collection of computers that only includes Windows XP and later versions.
    3. On the Schedule tab, leave the default options if you want the program to only run one time. To run the program on a schedule, assign a schedule interval.
    4. Set the Priority to High.
    5. Click OK to create the advertisement.
How to use a Group Policy-based computer startup script
This method requires you to restart the client computer after you set up the script and after you apply the Group Policy setting.
  1. Set up the shares. To do this, follow the steps in the Initial setup and configuration section.
  2. Set up the startup script. To do this, follow these steps:
    1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then clickProperties.
    2. Click the Group Policy tab.
    3. Click New to create a new Group Policy Object (GPO), and type MRT Deployment for the name of the policy.
    4. Click the new policy, and then click Edit.
    5. Expand Windows Settings for Computer Configuration, and then click Scripts.
    6. Double-click Logon, and then click Add.

      The       Add a Script dialog box is displayed.
    7. In the Script Name box, type \\ServerName\ShareName\RunMRT.cmd.
    8. Click OK, and then click Apply.
  3. Restart the client computers that are members of this domain.
How to use a Group Policy-based user logon script
This method requires that the logon user account is a domain account and is a member of the local administrator's group on the client computer.
  1. Set up the shares. To do this, follow the steps in the Initial setup and configuration section.
  2. Set up the logon script. To do this, follow these steps:
    1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then clickProperties.
    2. Click the Group Policy tab.
    3. Click New to create a new GPO, and then type MRT Deployment for the name.
    4. Click the new policy, and then click Edit.
    5. Expand Windows Settings for User Configuration, and then click Scripts.
    6. Double-click Logon, and then click Add. The Add a Script dialog box is displayed.
    7. In the Script Name box, type \\ServerName\ShareName\RunMRT.cmd.
    8. Click OK, and then click Apply.
  3. Log off and then log on to the client computers.
In this scenario, the script and the tool will run under the context of the logged-on user. If this user does not belong to the local administrators group or does not have sufficient permissions, the tool will not run and will not return the appropriate return code. For more information about how to use startup scripts and logon scripts, click the following article numbers to view the articles in the Microsoft Knowledge Base:



The following list contains the valid return codes.
0
=
No infection found
1
=
OS Environment Error
2
=
Not running as an Administrator
3
=
Not a supported OS
4
=
Error Initializing the scanner. (Download a new copy of the tool)
5
=
Not used
6
=
At least one infection detected. No errors.
7
=
At least one infection was detected, but errors were encountered.
8
=
At least one infection was detected and removed, but manual steps are required for a complete removal.
9
=
At least one infection was detected and removed, but manual steps are required for complete removal and errors were encountered.
10
=
At least one infection was detected and removed, but a restart is required for complete removal
11
=
At least one infection was detected and removed, but a restart is required for complete removal and errors were encountered
12
=
At least one infection was detected and removed, but both manual steps and a restart is required for complete removal.
13
=
At least one infection was detected and removed, but a restart is required. No errors were encountered.




Q2. How do I verify that the removal tool has run on a client computer?

A2. You can examine the value data for the following registry entry to verify the execution of the tool. You can implement such an examination as part of a startup script or a logon script. This process prevents the tool from running multiple times.
Subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT
Entry name: Version
Every time that the tool is run, the tool records a GUID in the registry to indicate that it has been executed. This occurs regardless of the results of the execution. The following table lists the GUID that corresponds to each release.
Release
Value data
January 2005
E5DD9936-C147-4CD1-86D3-FED80FAADA6C
February 2005
805647C6-E5ED-4F07-9E21-327592D40E83
March 2005
F8327EEF-52AA-439A-9950-CE33CF0D4FDD
April 2005
D89EBFD1-262C-4990-9927-5185FED1F261
May 2005
08112F4F-11BF-4129-A90A-9C8DD0104005
June 2005
63C08887-00BE-4C9B-9EFC-4B9407EF0C4C
July 2005
2EEAB848-93EB-46AE-A3BF-9F1A55F54833
August 2005
3752278B-57D3-4D44-8F30-A98F957EC3C8
August 2005 A
4066DA74-2DDE-4752-8186-101A7C543C5F
September 2005
33B662A4-4514-4581-8DD7-544021441C89
October 2005
08FFB7EB-5453-4563-A016-7DBC4FED4935
November 2005
1F5BA617-240A-42FF-BE3B-14B88D004E43
December 2005
F8FEC144-AA00-48B8-9910-C2AE9CCE014A
January 2006
250985ee-62e6-4560-b141-997fc6377fe2
February 2006
99cb494b-98bf-4814-bff0-cf551ac8e205
March 2006
b5784f56-32ca-4756-a521-ca57816391ca
April 2006
d0f3ea76-76c8-4287-8cdf-bdfee5e446ec
May 2006
ce818d5b-8a25-47c0-a9cd-7169da3f9b99
June 2006
7cf4b321-c0dd-42d9-afdf-edbb85e59767
July 2006
5df61377-4916-440f-b23f-321933b0afd3
August 2006
37949d24-63f1-4fdc-ad24-5dc3eb3ad265
September 2006
ac3fa517-20f0-4a42-95ca-6383f04773c8
October 2006
79e385d0-5d28-4743-aeb3-ed101c828abd
November 2006
1d21fa19-c296-4020-a7c2-c5a9ba4f2356
December 2006
621498ca-889b-48ef-872b-84b519365c76
January 2007
2F9BC264-1980-42b6-9EE3-2BE36088BB57
February 2007
FFCBCFA5-4EA1-4d66-A3DC-224C8006ACAE
March 2007
5ABA0A63-8B4C-4197-A6AB-A1035539234D
April 2007
57FA0F48-B94C-49ea-894B-10FDA39A7A64
May 2007
15D8C246-6090-450f-8261-4BA8CA012D3C
June 2007
234C3382-3B87-41ca-98D1-277C2F5161CC
July 2007
4AD02E69-ACFE-475C-9106-8FB3D3695CF8
August 2007
0CEFC17E-9325-4810-A979-159E53529F47
September 2007
A72DDD48-8356-4D06-A8E0-8D9C24A20A9A
October 2007
52168AD3-127E-416C-B7F6-068D1254C3A4
November 2007
EFC91BC1-FD0D-42EE-AA86-62F59254147F
December 2007
73D860EC-4829-44DD-A064-2E36FCC21D40
January 2008
330FCFD4-F1AA-41D3-B2DC-127E699EEF7D
February 2008
0E918EC4-EE5F-4118-866A-93f32EC73ED6
March 2008
24A92A45-15B3-412D-9088-A3226987A476
April 2008
F01687B5-E3A4-4EB6-B4F7-37D8F7E173FA
May 2008
0A1A070A-25AA-4482-85DD-DF69FF53DF37
June 2008
0D9785CC-AEEC-49F7-81A8-07B225E890F1
July 2008
BC308029-4E38-4D89-85C0-8A04FC9AD976
August 2008
F3889559-68D7-4AFB-835E-E7A82E4CE818
September 2008
7974CF06-BE58-43D5-B635-974BD92029E2
October 2008
131437DE-87D3-4801-96F0-A2CB7EB98572
November 2008
F036AE17-CD74-4FA5-81FC-4FA4EC826837
December 2008
9BF57AAA-6CE6-4FC4-AEC7-1B288F067467
December 2008
9BF57AAA-6CE6-4FC4-AEC7-1B288F067467
January 2009
2B730A83-F3A6-44F5-83FF-D9F51AF84EA0
February 2009
C5E3D402-61D9-4DDF-A8F5-0685FA165CE8
March 2009
BDEB63D0-4CEC-4D5B-A360-FB1985418E61
April 2009
276F1693-D132-44EF-911B-3327198F838B
May 2009
AC36AF73-B1E8-4CC1-9FF3-5A52ABB90F96
June 2009
8BD71447-AAE4-4B46-B652-484001424290
July 2009
F530D09B-F688-43D1-A3D5-49DC1A8C9AF0
August 2009
91590177-69E5-4651-854D-9C95935867CE
September 2009
B279661B-5861-4315-ABE9-92A3E26C1FF4
October 2009
4C64200A-6786-490B-9A0C-DEF64AA03934
November 2009
78070A38-A2A9-44CE-BAB1-304D4BA06F49
December 2009
A9A7C96D-908E-413C-A540-C43C47941BE4
January 2010
ED3205FC-FC48-4A39-9FBD-B0035979DDFF
February 2010
76D836AA-5D94-4374-BCBF-17F825177898
March 2010
076DF31D-E151-4CC3-8E0A-7A21E35CF679
April 2010
D4232D7D-0DB6-4E8B-AD19-456E8D286D67
May 2010
18C7629E-5F96-4BA8-A2C8-31810A54F5B8
June 2010
308738D5-18B0-4CB8-95FD-CDD9A5F49B62
July 2010
A1A3C5AF-108A-45FD-ABEC-5B75DF31736D
August 2010
E39537F7-D4B8-4042-930C-191A2EF18C73
September 2010
0916C369-02A8-4C3D-9AD0-E72AF7C46025
October 2010
32F1A453-65D6-41F0-A36F-D9837A868534
November 2010
5800D663-13EA-457C-8CFD-632149D0AEDD
December 2010
4E28B496-DD95-4300-82A6-53809E0F9CDA
January 2011
258FD3CF-9C82-4112-B1B0-18EC1ECFED37
February 2011
B3458687-D7E4-4068-8A57-3028D15A7408
March 2011
AF70C509-22C8-4369-AEC6-81AEB02A59B7
April 2011
0CB525D5-8593-436C-9EB0-68C6D549994D
May 2011
852F70C7-9C9E-4093-9184-D89D5CE069F0
June 2011
DDE7C7DD-E76A-4672-A166-159DA2110CE5
July 2011
3C009D0B-2C32-4635-9B34-FFA7F4CB42E7
August 2011
F14DDEA8-3541-40C6-AAC7-5A0024C928A8
September 2011
E775644E-B0FF-44FA-9F8B-F731E231B507
October 2011
C0177BCC-8925-431B-AC98-9AC87B8E9699
November 2011
BEB9D90D-ED88-42D7-BD71-AE30E89BBDC9
December 2011
79B9D6F6-2990-4C15-8914-7801AD90B4D7
January 2012
634F47CA-D7D7-448E-A7BE-0371D029EB32
February 2012
23B13CB9-1784-4DD3-9504-7E58427307A7
March 2012
84C44DD1-20C8-4542-A1AF-C3BA2A191E25
April 2012
3C1A9787-5E87-45E3-9B0B-21A6AB25BF4A
May 2012
D0082A21-13E4-49F7-A31D-7F752F059DE9
June 2012
4B83319E-E2A4-4CD0-9AAC-A0AB62CE3384
July 2012
3E9B6E28-8A74-4432-AD2A-46133BDED728
August 2012
C1156343-36C9-44FB-BED9-75151586227B
September 2012
02A84536-D000-45FF-B71E-9203EFD2FE04
October 2012
8C1ACB58-FEE7-4FF0-972C-A09A058667F8
November 2012
7D0B34BB-97EB-40CE-8513-4B11EB4C1BD6
December 2012
AD64315C-1421-4A96-89F4-464124776078
January 2013
A769BB72-28FC-43C7-BA14-2E44725FED20
February 2013
ED5E6E45-F92A-4096-BF7F-F84ECF59F0DB
March 2013
147152D2-DFFC-4181-A837-11CB9211D091
April 2013
7A6917B5-082B-48BA-9DFC-9B7034906FDC
May 2013
3DAA6951-E853-47E4-B288-257DCDE1A45A
June 2013
4A25C1F5-EA3D-4840-8E14-692DD6A57508
July 2013
9326E352-E4F2-4BF7-AF54-3C06425F28A6
August 2013
B6345F3A-AFA9-42FF-A5E7-DFC6C57B7EF8
September 2013
462BE659-C07A-433A-874F-2362F01E07EA
October 2013
21063288-61F8-4060-9629-9DBDD77E3242
November 2013
BA6D0F21-C17B-418A-8ADD-B18289A02461
December 2013
AFAFB7C5-798B-453D-891C-6765E4545CCC
January 2014
7BC20D37-A4C7-4B84-BA08-8EC32EBF781C
February 2014
FC5CF920-B37A-457B-9AB9-36ECC218A003
March 2014
​254C09FA-7763-4C39-8241-76517EF78744
April 2014
54788934-6031-4F7A-ACED-5D055175AF71
May 2014
91EFE48B-7F85-4A74-9F33-26952DA55C80
June 2014
07C5D15E-5547-4A58-A94D-5642040F60A2
July 2014
43E0374E-D98E-4266-AB02-AE415EC8E119
August 2014
53B5DBC4-54C7-46E4-B056-C6F17947DBDC
September 2014
98CB657B-9051-439D-9A5D-8D4EDF851D94
October 2014
5612279E-542C-454D-87FE-92E7CBFDCF0F
November 2014
7F08663E-6A54-4F86-A6B5-805ADDE50113
December 2014
386A84B2-5559-41C1-AC7F-33E0D5DE0DF6
January 2015
677022D4-7EC2-4F65-A906-10FD5BBCB34C



Comments

  1. AnonymousApril 8, 2022 at 6:21 AM

    Deployment Of The Microsoft Windows Malicious Software Removal Tool In An Enterprise Environment >>>>> Download Now

    >>>>> Download Full

    Deployment Of The Microsoft Windows Malicious Software Removal Tool In An Enterprise Environment >>>>> Download LINK

    >>>>> Download Now

    Deployment Of The Microsoft Windows Malicious Software Removal Tool In An Enterprise Environment >>>>> Download Full

    >>>>> Download LINK da

    ReplyDelete

Post a Comment

Popular posts from this blog

Visual Studio 2012 / 2013 Update 1 2 3 4 Offline Installer

Visual Studio 2012 Update 2 was released about a week ago.  This update includes lots of fixes and some features – you can see the list   here .  The only problem with the update is that Microsoft does not offer an offline installer.  If you are installing this on your own PC or for one person, you may not have a need for one.  But…  if your entire team needs to install this (or you just want to have it for later for a PC rebuild, you can download all 1.8 GB and have an offline installer for you or your team to share.  Here’s how: Get the update from Microsoft  here . (updated with Update 4 link) Save the file to a folder. open the folder Pro tip – Shift + right-click the background of the folder and choose ‘Open command window here’ in the command window type  VS2013.4.exe /Layout (or VS2013.1.exe /Layout or VS2013.2.exe /Layout depending on your update) It will then ask you w...
Post a Comment
Read more

VMware ESXi 5.5 Purple Diagnostic Screen Exception 14 in SEsparse and LibAIO (LibAIODrainMergeQueue, LibAIOMergedIODone, SESparseAsyncDataDone) (2073516)

Symptoms VMware ESXi 5.5 host fails with a purple diagnostic screen You see backtrace similar to: cpu0:33101)@BlueScreen: #PF Exception 14 in world 33101:memMap-0 IP 0x4180182f4948 addr 0x4108fffffff0 PTEs:0x100088063;0x80000020ad5bf063;0x0; cpu0:33101)Code start: 0x418018000000 VMK uptime: 1:09:27:02.593 cpu0:33101)0x4123c535cb20:[0x4180182f4948]LibAIODrainMergeQueue@vmkernel#nover+0x150 stack: 0x4130002a85c0 cpu0:33101)0x4123c535cb80:[0x4180182f53fd]LibAIOMergedIODone@vmkernel#nover+0x211 stack: 0x412ec622ef90 cpu0:33101)0x4123c535cbb0:[0x41801802d21f]AsyncPopCallbackFrameInt@vmkernel#nover+0xe7 stack: 0x1 cpu0:33101)0x4123c535cbe0:[0x418018bb9798]SESparseAsyncDataDone@esx#nover+0x15c stack: 0x41300007b0c0 cpu0:33101)0x4123c535cc10:[0x41801802d21f]AsyncPopCallbackFrameInt@vmkernel#nover+0xe7 stack: 0x4123c535cc70 ...
Post a Comment
Read more

How to configure an IP address in Solaris 11

Oracle made a huge changes in the networking stack with Solaris 11. The use of many network related files have been deprecated in Solaris 11. Below are some of the files which are not used in Solaris 11 for persistent network configuration : /etc/defaultdomain /etc/dhcp.* /etc/hostname.* /etc/hostname.ip*.tun* /etc/nodename /etc/nsswitch.conf Network Configuration Profile Solaris 11 uses profile-based network configuration. It has 2 configuration modes : 1. Automatic   – Uses DHCP to obtain network configuration (IP address, router and DNS) from any of the connected ethernet interfaces. Do not support hot swapping of interfaces and IPMP. 2. Manual (DefaultFixed NCP)   – interfaces needs to be manually configured using dladm and ipadm commands. Also called as DefaultFixed NCP. Supports hot swapping of interfaces and IPMP. Configuring the IP address Step 1 : Set the NCP We would set the NCP to DefaultFixed profile in order to configure the IP address...
Post a Comment
Read more