Malicious Software Removal Tool

Microsoft Windows Malicious Software Removal Tool (MSRT) is a freeware second-opinion malware scanner that Microsoft's Windows Update downloads and runs on Windows computers each month, independent of the installed antivirus software. First released on January 13, 2005, MSRT does not offer real-time protection. It scans its host computer for specific, widespread malware, and tries to eliminate the infection. Outside its monthly deployment schedule, it can be separately downloaded from Microsoft.

Availability
Since its release on January 13, 2005, Microsoft has released the updated tool on the second Tuesday of every month (commonly called "Patch Tuesday") through Windows Update, at which point it runs once automatically in the background and reports if malicious software is found. The tool is also available as a standalone download.

Since support for Windows 2000 ended on July 13, 2010, Microsoft stopped distributing the tool to Windows 2000 users via Windows Update. The last version of the tool that could run on Windows 2000 was 4.20, released on May 14, 2013. Starting with version 5.1, released on June 11, 2013, support for Windows 2000 was dropped altogether. Although Windows XP support ended on April 8, 2014, updates for the Windows XP version of the Malicious Software Removal Tool were provided until August 2016 (version 5.39). The latest version of MSRT for Windows Vista is 5.47, released on April 11, 2017.

Despite Microsoft ending general support for the Windows 7 operating system in 2020, updates are still provided to Windows 7 users via the standard Windows Update delivery mechanism.

Operation
MSRT does not install a shortcut in the Start menu. Hence, users must manually execute. The tool records its results in a log file located at.

The tool reports anonymized data about any detected infections to Microsoft. MSRT's EULA discloses this reporting behavior and explains how to disable it.

Impact
In a June 2006 Microsoft report, the company claimed that the tool had removed 16 million instances of malicious software from 5.7 million of 270 million total unique Windows computers since its release in January 2005. The report also stated that, on average, the tool removes malicious software from 1 in every 311 computers on which it runs. On May 19, 2009, Microsoft claimed that the software had removed password stealer threats from 859,842 machines.

In August 2013, the Malicious Software Removal Tool deleted old, vulnerable versions of the Tor client to end the spread of the Sefnit botnet (which mined for bitcoins without the host owner's approval and later engaged in click fraud). Approximately two million hosts had been cleaned by October. Although this was slightly less than half of the estimated infections, the rest of the suspected machines presumably had neither enabled automatic Windows Updates nor run them manually.