mrt.exe reports back to Microsoft


Microsoft’s Malicious Software Removal Tool (MRT) helps remove malware infections of specific, prevalent malicious software—including Blaster, Sasser, and Mydoom.

If your machine runs Windows 2000, XP, Vista, or Windows Server 2003 and you have Automatic Updates enabled, MRT is automatically updated on the second Tuesday of each month. After MRT runs, it logs its findings to mrt.log in the %windir%\debug directory, which is typically C:\Windows\Debug.

Buried in the fine print on the Microsoft web site is the following sentence:

“Also, please be aware that this tool reports anonymous information back to Microsoft in the event that an infection is found or an error is encountered.”

What information is sent to Microsoft? Here is the current list:

• The name of the malicious software that is detected
• The result of malicious software removal
• The operating system version
• The operating system locale
• The processor architecture
• The version number of the tool
• An indicator that notes whether the tool is being run from Microsoft Update, from Windows Update, from Automatic Updates, from the Download Center, or from the Web site.
• An anonymous GUID
• A cryptographic one-way hash (MD5) of the path and file name of each malicious software file that is removed from the computer

If apparently malicious software is found on the computer, the tool prompts you to send information to Microsoft beyond what is listed above. You are prompted in each of these instances, and this information is sent only with your consent. The additional information includes the following:

• The files that are suspected to be malicious software. The tool will identify the files for you.
• A cryptographic one-way hash (MD5) of any suspicious files that are detected.

No other information is sent to Microsoft.

I’m not sure how others feel, but I don’t like any of my information being sent to Microsoft, whether it is labelled anonymous or not. For example, let’s say my machine has an infected copy of wgaremover.exe. I can’t believe that Microsoft doesn’t have ways of connecting this program, which lets you bypass Windows Genuine Advantage, back to my IP address; the report, after all, arrives over a network connection made from my machine.

Luckily, KB 891796 describes how to disable the reporting component that sends the results of your scan, along with the information about the infected files, to Microsoft. Make the following registry change to disable the reporting:

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
add DontReportInfectionInformation with type REG_DWORD and value data: 1

Reporting (not the local log in %windir%\debug, which is still written) is also automatically disabled if the following registry value exists:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer

This value indicates that the computer gets its updates from a Software Update Services (SUS) server rather than directly from Microsoft. An updated version of the Malicious Software Removal Tool, including a 64-bit build, can be downloaded from Microsoft. Note that KB 890830 states:
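The registry change above, and the WUServer check, done from a script. This is an added example written for this post, not something from Microsoft or the KB articles; it assumes an elevated PowerShell session (writes under HKLM need administrator rights) and uses only the registry paths and the log directory named in the text.

```powershell
# Added example: turn off MRT's reporting component via the policy value
# described in KB 891796, verify it, and show the local log that keeps
# being written regardless. Run from an elevated PowerShell prompt.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
$valueName = 'DontReportInfectionInformation'

# The Policies\Microsoft\MRT key does not exist by default; create it.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# REG_DWORD = 1 tells mrt.exe not to send infection data back to Microsoft.
New-ItemProperty -Path $policyKey -Name $valueName `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back rather than trusting that the write succeeded.
$current = (Get-ItemProperty -Path $policyKey -Name $valueName).$valueName
if ($current -eq 1) {
    Write-Output "Reporting disabled: $policyKey\$valueName = $current"
} else {
    Write-Warning "Unexpected value for ${valueName}: $current"
}

# A WUServer entry (machine pointed at a SUS/WSUS server) disables reporting
# on its own, so show whether that was already the case on this box.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wuServer = (Get-ItemProperty -Path $wuKey -Name 'WUServer' `
    -ErrorAction SilentlyContinue).WUServer
if ($wuServer) {
    Write-Output "WUServer = $wuServer; reporting was already disabled by policy."
} else {
    Write-Output "No WUServer entry; the MRT policy value above is what turns reporting off."
}

# Neither setting touches the local scan log, which is still written here.
$log = Join-Path $env:windir 'debug\mrt.log'
if (Test-Path $log) {
    Write-Output "--- last 20 lines of $log ---"
    Get-Content $log | Select-Object -Last 20
} else {
    Write-Output "$log not found; the tool has not run on this machine yet."
}
```

On a machine without PowerShell the same change is a single `reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v DontReportInfectionInformation /t REG_DWORD /d 1 /f` from a command prompt; the script's advantage is that it reads the value back and tells you whether WUServer had already done the job.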

“The first time that you download and run the tool by using Automatic Updates, Microsoft Update, or Windows Update, you must be logged on to the computer by using an account that is a member of the Administrators group. After you accept the one-time license terms, you can receive future versions of the tool without being logged on to the computer as an administrator.”

If you are experiencing problems with MRT, consult KB 891717 for troubleshooting guidance.

2 Responses to “mrt.exe reports back to Microsoft”

  1. JoWazzoo Says:

    Just an FYI – the reported GUID is certainly NOT anonymous. We all have one that is unique. While for some things it is useful to keep it constant, one can change it with software available.

    cheers.

  2. VW Says:

    When I suspended the process, MRT.exe closed and the automatic update wanted to install Internet Explorer 8. I declined the install because I am very happy with Firefox and Opera. Microsoft wants to stuff themselves down our throats.
