
Script to Download and Execute Microsoft Malicious Software Removal Tool

Created: 26 Oct 2012 | 1 comment

In order to bolster the overall security of their Windows operating systems, Microsoft publishes an updated Malicious Software Removal Tool (MSRT) every patch Tuesday. It comes down each month through Windows Update and performs a stealthy malware scan as part of the Windows Update schedule. This silent and unobtrusive approach is quite deliberate: Microsoft understandably doesn't want users even suspecting that this is a substitute for a fully fledged anti-virus product.

The one fly in the ointment with this tool is that it doesn't appear to run if triggered through the Windows Update Agent API (as in our Windows Update script).

This means that if you have client tasks which utilise the Windows Update API objects, you could hit an infinite loop. For example, we execute a sequence of tasks called "Run Windows Update Script" and "Reboot" until no more updates are left. If a new MSRT has been released, that update will always be pending, and so your reboot cycle will never end. The Atkin cul-de-sac is now your home.

But fear not. The solution we came up with is a script which downloads and executes the latest removal tool directly from Microsoft. Once the tool runs, it puts its stamp in the registry, which Windows Update finds, and the tool is therefore marked as no longer required.

If this article gets more than 5 votes, Darren Collins gets a Thorntons double chocolate dairy ice cream.

 

How To Run The Script

The script is attached to this article as MSRT_Latest.vbs.txt. Just download it and remove the .txt extension so it's ready to run. I find it takes just a couple of minutes in my environment to do its job.

This script should work on both the x86 and x64 releases of Windows XP, Vista and Windows 7. Windows 8 just came out today, so I haven't had the time to test there!

Once the script has completed, you can check what happened by looking in the log file, %WinDir%\Temp\KB890830.log. Typical output is shown below:
26/10/2012 13:29:32 - 
26/10/2012 13:29:32 - Starting KB890830 (Malicious Software Removal Tool) Downloader
26/10/2012 13:29:32 - 32-bit OS detected
26/10/2012 13:29:32 - URL Root: http://download.microsoft.com/download/4/a/a/4aa52...
26/10/2012 13:29:36 -  Cannot find Windows-KB890830-V4.1.exe
26/10/2012 13:29:36 -  Cannot find Windows-KB890830-V4.2.exe
26/10/2012 13:29:37 -  Cannot find Windows-KB890830-V4.3.exe
26/10/2012 13:29:38 -  Cannot find Windows-KB890830-V4.4.exe
26/10/2012 13:29:38 -  Cannot find Windows-KB890830-V4.5.exe
26/10/2012 13:29:39 -  Cannot find Windows-KB890830-V4.6.exe
26/10/2012 13:29:40 -  Cannot find Windows-KB890830-V4.7.exe
26/10/2012 13:29:41 -  Cannot find Windows-KB890830-V4.8.exe
26/10/2012 13:29:41 -  Cannot find Windows-KB890830-V4.9.exe
26/10/2012 13:29:42 -  Cannot find Windows-KB890830-V4.10.exe
26/10/2012 13:29:43 -  Cannot find Windows-KB890830-V4.11.exe
26/10/2012 13:29:43 -  Cannot find Windows-KB890830-V4.12.exe
26/10/2012 13:29:47 -  Successfully downloaded Windows-KB890830-V4.13.exe as C:\Windows\TEMP\KB890830.exe
26/10/2012 13:29:48 -  Cannot find Windows-KB890830-V4.14.exe
26/10/2012 13:29:48 -  Cannot find Windows-KB890830-V4.15.exe
26/10/2012 13:29:49 -  Cannot find Windows-KB890830-V4.16.exe
26/10/2012 13:29:50 -  Cannot find Windows-KB890830-V4.17.exe
26/10/2012 13:29:51 -  Cannot find Windows-KB890830-V4.18.exe
26/10/2012 13:29:51 -  Cannot find Windows-KB890830-V4.19.exe
26/10/2012 13:29:52 -  Cannot find Windows-KB890830-V4.20.exe
26/10/2012 13:29:53 -  Cannot find Windows-KB890830-V4.21.exe

...
...

26/10/2012 13:30:26 -  Cannot find Windows-KB890830-V4.93.exe
26/10/2012 13:30:26 -  Cannot find Windows-KB890830-V4.94.exe
26/10/2012 13:30:26 -  Cannot find Windows-KB890830-V4.95.exe
26/10/2012 13:30:27 -  Cannot find Windows-KB890830-V4.96.exe
26/10/2012 13:30:27 -  Cannot find Windows-KB890830-V4.97.exe
26/10/2012 13:30:28 -  Cannot find Windows-KB890830-V4.98.exe
26/10/2012 13:30:28 -  Cannot find Windows-KB890830-V4.99.exe
26/10/2012 13:30:29 -  Cannot find Windows-KB890830-V4.100.exe
26/10/2012 13:30:29 -  Executing C:\Windows\TEMP\KB890830.exe
26/10/2012 13:31:06 -  Return code: 0
26/10/2012 13:31:06 - Script Complete
 
All the "Cannot find" entries are expected; ideally we only ever download one executable, as explained in the next section.

For those wondering where the log file for MSRT itself is, you'll find all the info you need in %WinDir%\Debug\mrt.txt. A typical output is shown below:
 
---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v4.13, October 2012
Started On Fri Oct 26 13:30:34 2012
->Scan ERROR: resource process://pid:1748 (code 0x00000490 (1168))

Results Summary:
----------------

No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Fri Oct 26 13:31:06 2012
Return code: 0 (0x0)
 
 

How The Script Works

Each month, Microsoft releases the x86 and x64 versions of the removal tool on its downloads site:

  • x86
    http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-Vx.y
     
  • x64
    http://download.microsoft.com/download/2/C/5/2C563B99-54D9-4D85-A82B-45D3CD2F53CE/Windows-KB890830-x64-Vx.y

Leaving aside for now the horrible path to these executables, we can see that the x86 and x64 file names are respectively Windows-KB890830-Vx.y and Windows-KB890830-x64-Vx.y (where x and y are the major and minor build version numbers of the tool). At the time of writing (October 2012) the tool's version number is 4.13.

The challenge with these GUID folders on download.microsoft.com is that they cannot be indexed. This means we can't use wildcard downloaders to fetch the tool by simply asking for Windows-KB890830-*.exe. On the plus side, the name and location of the file are fairly predictable, so we can guess. In fact, we can be really primitive here and programmatically request Windows-KB890830-V4.1.exe, then Windows-KB890830-V4.2.exe, then Windows-KB890830-V4.3.exe and so on. The last file that successfully downloads is the right one.

And don't worry, this doesn't mean you'll end up with hundreds of MSRTs: Microsoft is pretty good at cleaning up the folder, and you'll rarely find more than two present.

At the top of the script you'll find the following variable declarations, which set the extent of the filename search on download.microsoft.com:

IntMajor=4
IntMinor=1
IntMinorMax=100

Here we can see that we limit ourselves to searching for files with a major version of x=4 and minor versions in the range y=1-100. The first thing you should do is set IntMinor=13 before running this script, as this will save you cycling fruitlessly through the first 12 prospective filenames.

To download the executable, the script employs the XMLHttpRequest object to GET the file. Any file retrieved is saved as %WINDIR%\Temp\KB890830.exe, and the script's actions are likewise logged to %WINDIR%\Temp\KB890830.log.

As every MSRT executable is saved under the same name in the temp folder, if more than one file is found during the search the earlier file is simply overwritten by the later version. So at the end of the loop, which tries every minor version from IntMinor to IntMinorMax, %WINDIR%\Temp\KB890830.exe will always be the latest one.

The OS architecture required is decided in the following few lines of code:
 
Set wshShell = CreateObject("WScript.Shell")

'ExpandEnvironmentStrings leaves the %...% token untouched when the variable does not exist
StrArch=wshShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%")

'We need the correct download URL for the executing system OS architecture
'(writelog is the script's own routine that appends a line to %WinDir%\Temp\KB890830.log)
if instr(StrArch,"%") then
  writelog("32-bit OS detected")
  StrURL="http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-V"
else
  writelog("64-bit OS detected")
  StrURL="http://download.microsoft.com/download/2/C/5/2C563B99-54D9-4D85-A82B-45D3CD2F53CE/Windows-KB890830-x64-V"
end if

Essentially, if the environment variable ProgramFiles(x86) exists (so the %...% token was expanded rather than left in the string), then we have a 64-bit OS installed and we'll need the 64-bit download.
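The version-probing loop and the architecture test described above, ported to PowerShell as an added example (this is not the article's VBScript). It assumes PowerShell 3.0 or later for Invoke-WebRequest, uses the two folder URLs quoted above, and adds one check the original script does not make: because the file arrives over plain HTTP, it is executed only if its Authenticode signature validates and the signer is Microsoft.

```powershell
# Added example, not the article's VBScript: a PowerShell port of the same procedure.
# Assumes PowerShell 3.0+ (Invoke-WebRequest) and the two folder URLs quoted in the article.
$IntMajor    = 4
$IntMinor    = 13     # start at the version current at the time of writing, as the article advises
$IntMinorMax = 100
$Dest = Join-Path $env:WinDir 'Temp\KB890830.exe'
$Log  = Join-Path $env:WinDir 'Temp\KB890830.log'
function Write-Log([string]$Message) {
    # Same line format as the article's KB890830.log
    Add-Content -Path $Log -Value ("{0} - {1}" -f (Get-Date -Format 'dd/MM/yyyy HH:mm:ss'), $Message)
}
# Same architecture test as the article: ProgramFiles(x86) only exists on 64-bit Windows.
if ([string]::IsNullOrEmpty(${env:ProgramFiles(x86)})) {
    Write-Log '32-bit OS detected'
    $UrlRoot = 'http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-V'
} else {
    Write-Log '64-bit OS detected'
    $UrlRoot = 'http://download.microsoft.com/download/2/C/5/2C563B99-54D9-4D85-A82B-45D3CD2F53CE/Windows-KB890830-x64-V'
}
$Prefix = ($UrlRoot -split '/')[-1]   # Windows-KB890830-V or Windows-KB890830-x64-V
# Probe V4.13, V4.14, ... up to V4.100; each hit overwrites the previous one, so the
# file left behind is the newest build Microsoft still hosts in the folder.
$Found = $null
for ($y = $IntMinor; $y -le $IntMinorMax; $y++) {
    $Name = "${Prefix}${IntMajor}.${y}.exe"
    $Part = "${Dest}.part"
    try {
        Invoke-WebRequest -Uri ($UrlRoot + "${IntMajor}.${y}.exe") -OutFile $Part -UseBasicParsing -ErrorAction Stop
        Move-Item -Path $Part -Destination $Dest -Force
        $Found = $Name
        Write-Log "Successfully downloaded $Name as $Dest"
    } catch {
        Write-Log "Cannot find $Name"   # a 404 for a build number that was never published
    }
}
if (-not $Found) { Write-Log 'No MSRT found in the probed version range'; exit 1 }
# Check the article's script does not make: the file arrived over plain HTTP, so run it
# only if Windows validates its Authenticode signature and the signer is Microsoft.
$Sig = Get-AuthenticodeSignature -FilePath $Dest
if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Log "Refusing to run $Dest (signature status: $($Sig.Status))"
    exit 2
}
Write-Log "Executing $Dest"
$Proc = Start-Process -FilePath $Dest -ArgumentList '/Q' -Wait -PassThru   # /Q = quiet mode, see KB891716
Write-Log "Return code: $($Proc.ExitCode)"
Write-Log 'Script Complete'
```

Run it from an elevated PowerShell prompt; the log it writes follows the same format as the KB890830.log output shown earlier in the article.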
 

Summary

 
Today's download is a VBScript which will help you download and run the latest Microsoft Malicious Software Removal Tool. The script can be tweaked for your own ends; for example, you could have variants which:
  1. Just download the tool and save the file to a specific location. This might be useful as a regular scheduled task to ensure you've always got the latest tool available on a file share.
  2. Download and run the tool with the full scan options. The log file could then be emailed to an administrator at the end of the tool run, which makes the script suitable for execution by Deployment Server.

Kind Regards,
Ian./

 

Thanks

Thanks as usual to Darren Collins for letting me bug him endlessly and for giving me some sample code for the XMLHttpRequest object. I won't mention the fact that he nicked one of my Bourbon creams last Thursday. That would be petty.

 

Further Reading

http://support.microsoft.com/kb/891717 - Troubleshooting errors with the removal tool

http://support.microsoft.com/kb/891716 - Deployment of the removal tool

http://blogs.computerworld.com/what_you_dont_know_about_the_windows_malicious_software_removal_tool

http://www.microsoft.com/security/pc-security/malware-removal.aspx

 

Comments

CableGuy41

thank you for the download

Thanks,

CableGuy
Do not forget to mark a SOLUTION
