How To Run Windows Malicious Software Removal Tool

The Windows Malicious Software Removal Tool is intended for utilize with the operating systems that are listed in the "Applies to" section. Operating systems that are not included in the list were not tested and therefore are non supported. These unsupported operating systems include all versions and editions of embedded operating systems.

Introduction

Microsoft generally releases Windows Malicious Software Removal Tool (MSRT) monthly as part of Windows Update or every bit the standalone tool. Use this tool to find and remove specific prevalent threats and reverse the changes they accept made (see covered threats). For comprehensive malware detection and removal, consider using Microsoft Safety Scanner.

This tool works in a complementary manner with existing antimalware solutions and tin exist used on well-nigh current Windows versions (see Properties section).

The information contained in this article is specific to the enterprise deployment of the tool. Nosotros recommend that you lot review the following cognition base article for more than information about the tool:

890830 Remove specific prevalent malware with Windows Malicious Software Removal Tool

Download the tool

Yous tin can manually download the MSRT from the Microsoft Download Center. The following files are available for download from the Microsoft Download Middle:

For 32-bit x86-based systems:

Download icon Download the x86 MSRT package at present.

For 64-chip x64-based systems:

Download icon Download the x64 MSRT package now.

Deployment overview

The tool can be deployed in an enterprise environment to heighten existing protection and as part of a defense force-in-depth strategy. To deploy the tool in an enterprise environment, you can use one or more than of the following methods:

Windows Server Update Services
Microsoft Systems Management Software (SMS) software package
Grouping Policy-based figurer startup script
Group Policy-based user logon script

The current version of this tool does non support the following deployment technologies and techniques:

Windows Update Itemize
Execution of the tool against a remote computer
Software Update Services (SUS)

Additionally, the Microsoft Baseline Security Analyzer (MBSA) does not discover execution of the tool. This article includes information near how y'all tin verify execution of the tool as part of deployment.

Code sample

The script and the steps that are provided here are meant to be but samples and examples. Customers must examination these sample scripts and example scenarios and alter them accordingly to work in their environment. Y'all must change the ServerName and the ShareName co-ordinate to the setup in your surroundings.

The following code sample does the following things:

Runs the tool in silent manner
Copies the log file to a preconfigured network share
Prefixes the log the file name past using the name of the figurer from which the tool is run and the user proper noun of the current user

Note You must set advisable permissions on the share according to the instructions in the Initial setup and configuration department.

            REM In this example, the script is named RunMRT.cmd. REM The Slumber.exe utility is used to filibuster the execution of the tool when used as a  REM startup script. See the "Known issues" department for details. @echo off call \\ServerName\ShareName\Sleep.exe 5 Start /expect \\ServerName\ShareName\Windows-KB890830-V5.99.exe /q  copy %windir%\debug\mrt.log \\ServerName\ShareName\Logs\%computername%_%username%_mrt.log

Annotation In this lawmaking sample, ServerName is a placeholder for the name of your server, and ShareName is a placeholder for the proper noun of your share.

Initial setup and configuration

This section is intended for administrators who are using a startup script or a logon script to deploy this tool. If you are using SMS, you can continue to the "Deployment methods" section.

To configure the server and the share, follow these steps:

Set upwards a share on a member server. Then name the share
ShareName.
Copy the tool and the sample script, RunMRT.cmd, to the share. Encounter the Code sample section for details.
Configure the following share permissions and NTFS file organisation permissions:
- Share permissions:
  1. Add together the domain user account for the user who is managing this share, and then click Full Command.
  2. Remove the Everyone group.
  3. If you use the figurer startup script method, add together the Domain Computers group together with Change and Read permissions.
  4. If you use the logon script method, add the Authenticated Users grouping together with Change and Read permissions.
- NTFS permissions:
  1. Add the domain user account for the user who is managing this share, and then click Full Command.
  2. Remove the Everyone group if information technology is in the listing.
    
    Note If you receive an fault message when you remove the Everyone grouping, click Avant-garde on the Security tab, and then click to clear the Let inheritable permissions from parent to propagate to this object check box.
  3. If you employ the computer startup script method, grant the Domain Computers group Read & Execute permissions, List Folder Contents permissions, and Read permissions.
  4. If you lot utilise the logon script method, grant the Authenticated Users group Read & Execute permissions, List Folder Contents permissions, and Read permissions.
Under the ShareName binder, create a folder that is named "Logs."

This folder is where the final log files will be collected after the tool runs on the client computers.
To configure the NTFS permissions on the Logs folder, follow these steps.

Note Do not change the Share permissions in this footstep.
1. Add the domain user account for the user who is managing this share, and and then click Full Control.
2. If you lot utilize the computer startup script method, give the Domain Computers group Alter permissions, "Read & Execute" permissions, List Folder Contents permissions, Read permissions, and Write permissions.
3. If y'all use the logon script method, give the Authenticated Users group Modify permissions, "Read & Execute" permissions, Listing Folder Contents permissions, Read permissions, and Write permissions.

Deployment methods

Note To run this tool, you must have Administrator permissions or Organization permissions, regardless of the deployment option that you choose.

How to utilise the SMS software package

The following example provides step-by-step instructions for using SMS 2003. The steps for using SMS ii.0 resemble these steps.

Extract the Mrt.exe file from the package that is named Windows-KB890830-V1.34-ENU.exe /x.
Create a .bat file to start Mrt.exe and to capture the return code by using ISMIF32.exe.

The post-obit is an case.

@echo off Commencement /wait Mrt.exe /q If errorlevel 13 goto error13 If errorlevel 12 goto error12 Goto cease :error13 Ismif32.exe –f MIFFILE –p MIFNAME –d "text about error xiii" Goto cease :error12 Ismif32.exe –f MIFFILE –p MIFNAME –d "text nigh error 12" Goto end :end
For more information most Ismif32.exe, go to the following commodity in the Microsoft Knowledge Base:

268791 How a condition Management Information Format (MIF) file produced by the ISMIF32.exe file is processed in SMS 2.0

186415 Status MIF creator, Ismif32.exe is bachelor
To create a package in the SMS 2003 panel, follow these steps:
1. Open the SMS Ambassador Console.
2. Right-click the Packages node, click
  New, so click Bundle.
  
  The
  Package Properties dialog box is displayed.
3. On the General tab, name the package.
4. On the Data Source tab, click to select the This bundle contains source files check box.
5. Click Prepare, and so cull a source directory that contains the tool.
6. On the Distribution Settings tab, set the Sending priority to Loftier.
7. On the Reporting tab, click Use these fields for status MIF matching, and then specify a name for the MIF file name field and for the
  Proper name field.
  
  Version and Publisher are optional.
8. Click OK to create the package.
To specify a Distribution Point (DP) to the package, follow these steps:
1. In the SMS 2003 console, locate the new package under the Packages node.
2. Expand the bundle. Right-click Distribution Points, point to New, and so click Distribution Points.
3. Commencement the New Distribution Points Wizard. Select an existing Distribution Point.
4. Click Finish to exit the sorcerer.
To add together the batch file that was previously created to the new bundle, follow these steps:
1. Under the new package node, click the Programs node.
2. Right-click Programs, signal to
  New, and then click Programme.
3. Click the Full general tab, and then enter a valid proper name.
4. At the Command line, click
  Browse to select the batch file that y'all created to start Mrt.exe.
5. Change Run to
  Hidden. Change After to No activity required.
6. Click the Requirements tab, and then click This program can run merely on specified customer operating systems.
7. Click All x86 Windows XP.
8. Click the Environment tab, click
  Whether a user is logged in the Program can run list. Set the Run mode to Run with administrative rights.
9. Click OK to shut the dialog box.
To create an advert to advertise the program to clients, follow these steps:
1. Right-click the Advertisement node, click New, and so click
  Advertisement.
2. On the General tab, enter a name for the advertisement. In the Packet field, select the package that you previously created. In the Program field, select the program that you previously created. Click Browse, and then click the All Organisation drove or select a collection of computers that simply includes Windows Vista and later versions.
3. On the Schedule tab, get out the default options if you desire the plan to only run ane time. To run the program on a schedule, assign a schedule interval.
4. Set the Priority to High.
5. Click OK to create the advertisement.

How to utilize a Group Policy-based reckoner startup script

This method requires y'all to restart the client computer after you set the script and after you lot use the Group Policy setting.

Set up upward the shares. To do this, follow the steps in the
Initial setup and configuration department.
Set up the startup script. To exercise this, follow these steps:
1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click
  Properties.
2. Click the Grouping Policy tab.
3. Click New to create a new Group Policy Object (GPO), and blazon MRT Deployment for the proper name of the policy.
4. Click the new policy, and so click Edit.
5. Expand Windows Settings for Figurer Configuration, and so click Scripts.
6. Double-click Logon, and so click Add together.
  
  The Add together a Script dialog box is displayed.
7. In the Script Name box, type
  \\ServerName\ShareName\RunMRT.cmd.
8. Click OK, and then click Apply.
Restart the client computers that are members of this domain.

How to use a Group Policy-based user logon script

This method requires that the logon user business relationship is a domain account and is a fellow member of the local administrator's group on the customer computer.

Gear up the shares. To practice this, follow the steps in the
Initial setup and configuration department.
Gear up up the logon script. To do this, follow these steps:
1. In the Active Directory Users and Computers MMC snap-in, right-click the domain proper name, and and so click
  Backdrop.
2. Click the Group Policy tab.
3. Click New to create a new GPO, and then type MRT Deployment for the name.
4. Click the new policy, and then click
  Edit.
5. Expand Windows Settings for User Configuration, and and then click Scripts.
6. Double-click Logon, and then click Add. The Add a Script dialog box is displayed.
7. In the Script Proper noun box, type
  \\ServerName\ShareName\RunMRT.cmd.
8. Click OK, and and so click Apply.
Log off and and then log on to the client computers.

In this scenario, the script and the tool will run nether the context of the logged-on user. If this user does not belong to the local administrators group or does not have sufficient permissions, the tool will non run and will not return the appropriate return lawmaking. For more information virtually how to utilize startup scripts and logon scripts, get to the following article in the Microsoft Cognition Base of operations:

198642 Overview of logon, logoff, startup, and shutdown scripts in Windows 2000

322241 How to assign scripts in Windows 2000

Additional information that is relevant to enterprise deployment

How to examine return codes

You tin can examine the return code of the tool in your deployment logon script or in your deployment startup script to verify the results of execution. See the Lawmaking sample section for an instance of how to do this.

The post-obit listing contains the valid return codes.

0	=	No infection plant
1	=	OS Environment Error
two	=	Not running every bit an Administrator
3	=	Non a supported OS
iv	=	Error Initializing the scanner. (Download a new copy of the tool)
v	=	Not used
6	=	At to the lowest degree one infection detected. No errors.
7	=	At least ane infection was detected, but errors were encountered.
8	=	At least one infection was detected and removed, only manual steps are required for a complete removal.
9	=	At to the lowest degree 1 infection was detected and removed, only transmission steps are required for complete removal and errors were encountered.
10	=	At least one infection was detected and removed, but a restart is required for complete removal
11	=	At least one infection was detected and removed, but a restart is required for consummate removal and errors were encountered
12	=	At least one infection was detected and removed, simply both manual steps and a restart is required for complete removal.
thirteen	=	At to the lowest degree one infection was detected and removed, but a restart is required. No errors were encountered.

How to parse the log file

The Malicious Software Removal Tool writes details about the issue of its execution in the %windir%\debug\mrt.log log file.

Notes

This log file is available only in English language.
Starting with version one.2 of the removal tool (March 2005), this log file uses Unicode text. Before version 1.ii, the log file used ANSI text.
The log file format has changed with version i.2, and nosotros recommend that you download and utilise the latest version of the tool.

If this log file already exists, the tool appends to the existing file.
You tin can utilize a command script that resembles the previous example to capture the return code and to collect the files to a network share.
Because of the switch from ANSI to Unicode, version i.two of the removal tool volition re-create whatsoever ANSI versions of the Mrt.log file in the %windir%\debug folder to Mrt.log.old in the same directory. Version one.two also creates a new Unicode version of the Mrt.log file in that same directory. Like the ANSI version, this log file will be appended to each month's release.

The following example is an Mrt.log file from a computer that was infected with the MPnTestFile worm:

              Microsoft Windows Malicious Software Removal Tool v5.3, August 2013 (build 5.3.9300.0) Started On Tue Jul xxx 23:34:49 2013   Quick Scan Results: ------------------- Threat Detected: Virus:Win32/MPnTestFile.2004 and Removed!  Action: Remove, Result: 0x00000000  regkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\v5mpn  runkey://HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\\v5mpn  file://c:\temp\mpncleantest.exe  SigSeq: 0x00002267735A46E2  Results Summary: ---------------- Found Virus:Win32/MPnTestFile.2004 and Removed! Microsoft Windows Malicious Software Removal Tool Finished On Tue Jul thirty 23:35:39 2013   Return lawmaking: six (0x6)

The following is an instance log file where no malicious software is establish.

              Microsoft Windows Malicious Software Removal Tool v5.three, August 2013 (build five.3.9300.0) Started On Thu Aug 01 21:xv:43 2013   Results Summary: ---------------- No infection found. Microsoft Windows Malicious Software Removal Tool Finished On Thu Aug 01 21:16:28 2013   Return lawmaking: 0 (0x0)

The following is a sample log file in which errors are plant.

For more information about warnings and errors that are acquired by the tool, go to the following article in the Microsoft Knowledge Base:

891717 How to troubleshoot an error when y'all run the Microsoft Windows Malicious Software Removal Tool Microsoft Windows Malicious Software Removal Tool v5.3, August 2013 (build v.3.9300.0) Started On Friday Aug 02 sixteen:17:49 2013 Browse Results: ------------- Threat Detected: Virus:Win32/MPTestFile.2004, partially removed. Functioning failed. Action: Clean, Outcome: 0x8007065E. Please use a full antivirus product ! ! file://d:\temp\mpcleantest.7z->mpcleantest.exe SigSeq: 0x00001080D2AE29FC containerfile://d:\temp\mpcleantest.7z Results Summary: ---------------- Found Virus:Win32/MPTestFile.2004, partially removed. Microsoft Windows Malicious Software Removal Tool Finished On Fri Aug 02 16:18:09 2013 Return lawmaking: 7 (0x7)

Known issues

Known result 1

When yous run the tool past using a startup script, error letters that resemble the following error message may be logged in the Mrt.log file:

Error: MemScanGetImagePathFromPid(pid: 552) failed.
0x00000005: Admission is denied.

Note The pid number volition vary.

This error message occurs when a procedure is just starting or when a process has been recently stopped. The only effect is that the process that is designated by the pid is not scanned.

Known issue ii

In some rare cases, if an administrator chooses to deploy the MSRT by using the /q quiet switch (also known every bit silent mode), this may not completely resolve cleaning for a small subset of infections in situations in which additional cleaning is required after a restart. This has been observed only in the removal of sure rootkit variants.

FAQ

Q1. When I test my startup or logon script to deploy the tool, I don't see the log files that are being copied to the network share that I set upwards. Why?

A1. This is frequently caused by permissions issues. For example, the account that the removal tool was run from does non have Write permission to the share. To troubleshoot this, first brand certain that the tool ran past checking the registry key. Alternatively, you can look for the presence of the log file on the customer reckoner. If the tool successfully ran, you can examination a simple script and brand certain that information technology can write to the network share when it runs under the same security context in which the removal tool was run.

Q2. How exercise I verify that the removal tool has run on a client figurer?

A2. You can examine the value data for the post-obit registry entry to verify the execution of the tool. You tin can implement such an exam as part of a startup script or a logon script. This process prevents the tool from running multiple times.

Subkey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT
Entry name:
Version

Every time that the tool is run, the tool records a GUID in the registry to point that it has been executed. This occurs regardless of the results of the execution. The following table lists the GUID that corresponds to each release.

ID	Title
March 2022	528C99D1-D536-476A-97CC-AE56E360B841
February 2022	B5DDA3D9-48FA-4217-9F36-D9DC7FA91FD5
January 2022	A84F59DF-616B-4F7B-B64D-4F3C42C6E377
December 2021	5C859D8A-C553-48AA-AEE0-68E0FB58FD6C
Nov 2021	F2DBB55A-EAF9-4F8D-BDD6-D2C15C5C6823
October 2021	4E7B66E3-987E-4788-BBB3-A5030922FC8D
September 2021	2A9893F6-6CFA-4C4E-8CDC-F6C06E9ADAFD
August 2021	2B0ABF61-2643-4716-9B15-4813BC505DF4
July 2021	8AE004C7-42D7-4FEC-9ABE-48A7E4C1CBC8
June 2021	E3A0B6EE-FE26-44C1-96DB-2BFDB5BDB305
May 2021	8586F868-D88E-461F-8C9F-85D50FCBCC84
April 2021	439B1947-E9BC-40E0-883D-517613D95818
March 2021	3DC01EF0-0E9D-4D88-8BC7-A3F3801FAB49
February 2021	45EEFC65-BFCF-458A-8760-ECC7ACEC73A2
January 2021	0AAB5944-A7BC-4D17-9A3A-2FAB07286EE9
Nov 2020	F7A1FB98-0884-4986-884D-FFBEA881A2A1
September 2020	E0118D9B-6F80-4A16-92ED-A8EB4851C84C
May 2020	EFB903C3-1459-4C91-B79D-B7438E15C972
March 2020	71562B8C-C50D-4375-91F3-8EE0DD0EF7E3
February 2020	9CCD5E4F-11C8-4064-8C37-6D1BA8C1ED37
January 2020	38281425-A1C7-400F-AE79-EFE8C1E9E38F
December 2019	6F46913B-8294-43FD-8AA8-46984911C881
November 2019	1ED49A70-3903-4C40-B575-93F3DD50B283
Oct 2019	E63797FA-851A-4E25-8DA1-D453DD437525
August 2019	96F83121-A86A-497A-8B18-7F1BBAE6448D
July 2019	FCF0D56B-99A4-4A39-BAC8-2ED52EF10FEC
June 2019	10188A60-F140-42EF-984F-E4B3CA369BD1
May 2019	A8F12582-E642-4070-91E6-D6CF31796C0B
April 2019	7C55425A-FBE7-44D0-A226-6FF46F085EAF
March 2019	5DCD306C-136C-4C03-B0E4-3C1E78DE5A19
February 2019	3A57513A-D489-4B41-A40D-5ACD998F294A
January 2019	8F732BDE-182D-4A10-B8CE-0C538C878F87
Dec 2018	FD672828-AC76-41B9-95E0-6F5859BDDB74
Nov 2018	F1E75593-4ACF-4C29-BD2D-0F495D7B8396
October 2018	D84C2D59-B81F-4163-BC39-3CDDD8BB68BC
September 2018	18674908-417F-4139-A22C-F418420D2B7B
Baronial 2018	6600605A-7534-41BF-B117-579EA0F5997D
July 2018	3A88B54D-626C-4DBE-BBB3-4EE0E666A730
June 2018	968E16D7-8605-4BA4-9BE5-86127A0FAC87
May 2018	02683B53-543A-4200-8D43-B69C3B3CE0E9
Apr 2018	62F357BA-9FC0-4CED-A90C-457D02B33DEE
March 2018	C43B8734-0004-446C-8F37-FD8AD3F3BCF0
Feb 2018	CED42968-8B11-4886-8477-8F22956192B0
January 2018	C6BD56EC-B2C1-4D20-B94D-234F8A9C5733
Dec 2017	3D287184-25B3-4DDC-ADD3-A93C626CD7EB
November 2017	AAF1DA7A-77D4-4997-9C0C-38E0CFA6AB92
Oct 2017	9209C00F-BD62-4CB8-9702-C4B9A4F8D560
September 2017	FE854017-795E-4685-95CE-3CCB1FFD743D
August 2017	1D3AE7A6-F7BA-4787-A240-284C46162AFA
July 2017	2A9D9E6C-14F4-4E84-B9B5-B307DDACA125
June 2017	28BE7B9C-E473-4A73-8770-83AB99A596F8
May 2017	E43CFF1D-46DB-4239-A583-3828BB9EB66C
April 2017	507CBE5F-7915-416A-9E0E-B18FEA08237D
March 2017	F83889D4-A24B-44AA-8E34-BCDD8912FAD7
February 2017	88E3BAB3-52CF-4B15-976E-0BE4CFA98AA8
Jan 2017	A5E600F5-A3CE-4C8E-8A14-D4133623CDC5
December 2016	F6945BD2-D48B-4B07-A7FB-A55C4F98A324
Nov 2016	E36D6367-DF23-4D09-B5B1-1FC38109F29C
October 2016	6AC744F7-F828-4CF8-A405-AA89845B2D98
September 2016	2168C094-1DFC-43A9-B58E-EB323313845B
Baronial 2016	0F13F87E-603E-4964-A9B4-BF923FB27B5D
July 2016	34E69BB2-EFA0-4905-B7A9-EFBDBA61647B
June 2016	E6F49BC4-1AEA-4648-B235-1F2A069449BF
May 2016	156D44C7-D356-4303-B9D2-9B782FE4A304
April 2016	6F31010B-5919-41C2-94FB-E71E8EEE9C9A
March 2016	3AC662F4-BBD5-4771-B2A0-164912094D5D
February 2016	DD51B914-25C9-427C-BEC8-DA8BB2597585
January 2016	ED6134CC-62B9-4514-AC73-07401411E1BE
December 2015	EE51DBB1-AE48-4F16-B239-F4EB7B2B5EED
November 2015	FFF3C6DF-56FD-4A28-AA12-E45C3937AB41
October 2015	4C5E10AF-1307-4E66-A279-5877C605EEFB
September 2015	BC074C26-D04C-4625-A88C-862601491864
August 2015	74E954EF-6B77-4758-8483-4E0F4D0A73C7
July 2015	82835140-FC6B-4E05-A17F-A6B9C5D7F9C7
June 2015	20DEE2FA-9862-4C40-A1D4-1E13F1B9E8A7
May 2015	F8F85141-8E6C-4FED-8D4A-8CF72D6FBA21
April 2015	7AABE55A-B025-4688-99E9-8C66A2713025
March 2015	CEF02A7E-71DD-4391-9BF6-BF5DEE8E9173
February 2015	92D72885-37F5-42A2-B199-9DBBEF797448
January 2015	677022D4-7EC2-4F65-A906-10FD5BBCB34C
December 2014	386A84B2-5559-41C1-AC7F-33E0D5DE0DF6
November 2014	7F08663E-6A54-4F86-A6B5-805ADDE50113
Oct 2014	5612279E-542C-454D-87FE-92E7CBFDCF0F
September 2014	98CB657B-9051-439D-9A5D-8D4EDF851D94
August 2014	53B5DBC4-54C7-46E4-B056-C6F17947DBDC
July 2014	43E0374E-D98E-4266-AB02-AE415EC8E119
June 2014	07C5D15E-5547-4A58-A94D-5642040F60A2
May 2014	91EFE48B-7F85-4A74-9F33-26952DA55C80
April 2014	54788934-6031-4F7A-ACED-5D055175AF71
March 2014	254C09FA-7763-4C39-8241-76517EF78744
February 2014	FC5CF920-B37A-457B-9AB9-36ECC218A003
January 2014	7BC20D37-A4C7-4B84-BA08-8EC32EBF781C
December 2013	AFAFB7C5-798B-453D-891C-6765E4545CCC
November 2013	BA6D0F21-C17B-418A-8ADD-B18289A02461
October 2013	21063288-61F8-4060-9629-9DBDD77E3242
September 2013	462BE659-C07A-433A-874F-2362F01E07EA
August 2013	B6345F3A-AFA9-42FF-A5E7-DFC6C57B7EF8
July 2013	9326E352-E4F2-4BF7-AF54-3C06425F28A6
June 2013	4A25C1F5-EA3D-4840-8E14-692DD6A57508
May 2013	3DAA6951-E853-47E4-B288-257DCDE1A45A
April 2013	7A6917B5-082B-48BA-9DFC-9B7034906FDC
March 2013	147152D2-DFFC-4181-A837-11CB9211D091
February 2013	ED5E6E45-F92A-4096-BF7F-F84ECF59F0DB
January 2013	A769BB72-28FC-43C7-BA14-2E44725FED20
Dec 2012	AD64315C-1421-4A96-89F4-464124776078
November 2012	7D0B34BB-97EB-40CE-8513-4B11EB4C1BD6
October 2012	8C1ACB58-FEE7-4FF0-972C-A09A058667F8
September 2012	02A84536-D000-45FF-B71E-9203EFD2FE04
August 2012	C1156343-36C9-44FB-BED9-75151586227B
July 2012	3E9B6E28-8A74-4432-AD2A-46133BDED728
June 2012	4B83319E-E2A4-4CD0-9AAC-A0AB62CE3384
May 2012	D0082A21-13E4-49F7-A31D-7F752F059DE9
April 2012	3C1A9787-5E87-45E3-9B0B-21A6AB25BF4A
March 2012	84C44DD1-20C8-4542-A1AF-C3BA2A191E25
February 2012	23B13CB9-1784-4DD3-9504-7E58427307A7
January 2012	634F47CA-D7D7-448E-A7BE-0371D029EB32
December 2011	79B9D6F6-2990-4C15-8914-7801AD90B4D7
November 2011	BEB9D90D-ED88-42D7-BD71-AE30E89BBDC9
October 2011	C0177BCC-8925-431B-AC98-9AC87B8E9699
September 2011	E775644E-B0FF-44FA-9F8B-F731E231B507
August 2011	F14DDEA8-3541-40C6-AAC7-5A0024C928A8
July 2011	3C009D0B-2C32-4635-9B34-FFA7F4CB42E7
June 2011	DDE7C7DD-E76A-4672-A166-159DA2110CE5
May 2011	852F70C7-9C9E-4093-9184-D89D5CE069F0
April 2011	0CB525D5-8593-436C-9EB0-68C6D549994D
March 2011	AF70C509-22C8-4369-AEC6-81AEB02A59B7
February 2011	B3458687-D7E4-4068-8A57-3028D15A7408
January 2011	258FD3CF-9C82-4112-B1B0-18EC1ECFED37
December 2010	4E28B496-DD95-4300-82A6-53809E0F9CDA
November 2010	5800D663-13EA-457C-8CFD-632149D0AEDD
October 2010	32F1A453-65D6-41F0-A36F-D9837A868534
September 2010	0916C369-02A8-4C3D-9AD0-E72AF7C46025
August 2010	E39537F7-D4B8-4042-930C-191A2EF18C73
July 2010	A1A3C5AF-108A-45FD-ABEC-5B75DF31736D
June 2010	308738D5-18B0-4CB8-95FD-CDD9A5F49B62
May 2010	18C7629E-5F96-4BA8-A2C8-31810A54F5B8
April 2010	D4232D7D-0DB6-4E8B-AD19-456E8D286D67
March 2010	076DF31D-E151-4CC3-8E0A-7A21E35CF679
February 2010	76D836AA-5D94-4374-BCBF-17F825177898
Jan 2010	ED3205FC-FC48-4A39-9FBD-B0035979DDFF
December 2009	A9A7C96D-908E-413C-A540-C43C47941BE4
November 2009	78070A38-A2A9-44CE-BAB1-304D4BA06F49
October 2009	4C64200A-6786-490B-9A0C-DEF64AA03934
September 2009	B279661B-5861-4315-ABE9-92A3E26C1FF4
Baronial 2009	91590177-69E5-4651-854D-9C95935867CE
July 2009	F530D09B-F688-43D1-A3D5-49DC1A8C9AF0
June 2009	8BD71447-AAE4-4B46-B652-484001424290
May 2009	AC36AF73-B1E8-4CC1-9FF3-5A52ABB90F96
April 2009	276F1693-D132-44EF-911B-3327198F838B
March 2009	BDEB63D0-4CEC-4D5B-A360-FB1985418E61
February 2009	C5E3D402-61D9-4DDF-A8F5-0685FA165CE8
January 2009	2B730A83-F3A6-44F5-83FF-D9F51AF84EA0
December 2008	9BF57AAA-6CE6-4FC4-AEC7-1B288F067467
Dec 2008	9BF57AAA-6CE6-4FC4-AEC7-1B288F067467
November 2008	F036AE17-CD74-4FA5-81FC-4FA4EC826837
October 2008	131437DE-87D3-4801-96F0-A2CB7EB98572
September 2008	7974CF06-BE58-43D5-B635-974BD92029E2
August 2008	F3889559-68D7-4AFB-835E-E7A82E4CE818
July 2008	BC308029-4E38-4D89-85C0-8A04FC9AD976
June 2008	0D9785CC-AEEC-49F7-81A8-07B225E890F1
May 2008	0A1A070A-25AA-4482-85DD-DF69FF53DF37
April 2008	F01687B5-E3A4-4EB6-B4F7-37D8F7E173FA
March 2008	24A92A45-15B3-412D-9088-A3226987A476
February 2008	0E918EC4-EE5F-4118-866A-93f32EC73ED6
January 2008	330FCFD4-F1AA-41D3-B2DC-127E699EEF7D
December 2007	73D860EC-4829-44DD-A064-2E36FCC21D40
November 2007	EFC91BC1-FD0D-42EE-AA86-62F59254147F
October 2007	52168AD3-127E-416C-B7F6-068D1254C3A4
September 2007	A72DDD48-8356-4D06-A8E0-8D9C24A20A9A
Baronial 2007	0CEFC17E-9325-4810-A979-159E53529F47
July 2007	4AD02E69-ACFE-475C-9106-8FB3D3695CF8
June 2007	234C3382-3B87-41ca-98D1-277C2F5161CC
May 2007	15D8C246-6090-450f-8261-4BA8CA012D3C
April 2007	57FA0F48-B94C-49ea-894B-10FDA39A7A64
March 2007	5ABA0A63-8B4C-4197-A6AB-A1035539234D
February 2007	FFCBCFA5-4EA1-4d66-A3DC-224C8006ACAE
January 2007	2F9BC264-1980-42b6-9EE3-2BE36088BB57
Dec 2006	621498ca-889b-48ef-872b-84b519365c76
Nov 2006	1d21fa19-c296-4020-a7c2-c5a9ba4f2356
October 2006	79e385d0-5d28-4743-aeb3-ed101c828abd
September 2006	ac3fa517-20f0-4a42-95ca-6383f04773c8
August 2006	37949d24-63f1-4fdc-ad24-5dc3eb3ad265
July 2006	5df61377-4916-440f-b23f-321933b0afd3
June 2006	7cf4b321-c0dd-42d9-afdf-edbb85e59767
May 2006	ce818d5b-8a25-47c0-a9cd-7169da3f9b99
April 2006	d0f3ea76-76c8-4287-8cdf-bdfee5e446ec
March 2006	b5784f56-32ca-4756-a521-ca57816391ca
February 2006	99cb494b-98bf-4814-bff0-cf551ac8e205
January 2006	250985ee-62e6-4560-b141-997fc6377fe2
Dec 2005	F8FEC144-AA00-48B8-9910-C2AE9CCE014A
November 2005	1F5BA617-240A-42FF-BE3B-14B88D004E43
October 2005	08FFB7EB-5453-4563-A016-7DBC4FED4935
September 2005	33B662A4-4514-4581-8DD7-544021441C89
August 2005 A	4066DA74-2DDE-4752-8186-101A7C543C5F
August 2005	3752278B-57D3-4D44-8F30-A98F957EC3C8
July 2005	2EEAB848-93EB-46AE-A3BF-9F1A55F54833
June 2005	63C08887-00BE-4C9B-9EFC-4B9407EF0C4C
May 2005	08112F4F-11BF-4129-A90A-9C8DD0104005
April 2005	D89EBFD1-262C-4990-9927-5185FED1F261
March 2005	F8327EEF-52AA-439A-9950-CE33CF0D4FDD
February 2005	805647C6-E5ED-4F07-9E21-327592D40E83
January 2005	E5DD9936-C147-4CD1-86D3-FED80FAADA6C

Q3. How can I disable the infection-reporting component of the tool and then that the report is not sent back to Microsoft?

A3. An administrator can choose to disable the infection-reporting component of the tool by adding the following registry key value to computers. If this registry key value is set up, the tool will not report infection information back to Microsoft.

Subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
Entry name: \DontReportInfectionInformation
Type: REG_DWORD
Value data: i

Q4. In the March 2005 release, data in the Mrt.log file appears to accept been lost. Why was this data removed, and is there a way for me to think it?

A4. Starting with the March 2005 release, the Mrt.log file is being written equally a Unicode file. To make sure of compatibility, when the March 2005 version of the tool is run, if an ANSI version of the file is on the system, the tool volition copy the contents of that log to Mrt.log.old in %WINDIR%\debug and create a new Unicode version of Mrt.log. Like the ANSI version, this Unicode version will be appended to with each successive execution of the tool.