Script to Download and Execute Microsoft Malicious Software Removal Tool
In order to bolster the overall security of their Windows operating systems, Microsoft publishes an updated Malicious Software Removal Tool (MSRT) every Patch Tuesday. It comes down each month through Windows Update and performs a quiet malware scan as part of the Windows Update schedule. This silent and unobtrusive approach is quite deliberate on Microsoft's part: they understandably don't want users suspecting that this is a substitute for a fully fledged anti-virus product.
The one fly in the ointment with this tool is that it doesn't appear to run if triggered through the Windows Update Agent API (as in our Windows Update script).
This means that if you have client tasks which utilise the Windows Update API objects you could hit an infinite loop. For example, we execute a sequence of tasks called "Run Windows Update Script" and "Reboot" until no more updates are left. If a new MSRT has been released, that update will always be pending, and so your reboot cycle will never end. The Atkin cul-de-sac is now your home.
But fear not. The solution we came up with is a script which downloads and executes the latest removal tool directly from Microsoft. Once the tool runs, it puts its stamp in the registry, which Windows Update finds and therefore marks the tool as no longer required.
If this article gets more than 5 votes, Darren Collins gets a Thorntons double chocolate dairy ice cream.
How To Run The Script
The script is attached to this article as MSRT_Latest.vbs.txt. Just download it and remove the .txt extension so it's ready to run. I find it takes just a couple of minutes in my environment to do its job.
This script should work on both the x86 and x64 releases of Windows XP, Vista and Windows 7. Windows 8 just came out today, so I haven't had time to test there!
26/10/2012 13:29:32 - Starting KB890830 (Malicious Software Removal Tool) Downloader
26/10/2012 13:29:32 - 32-bit OS detected
26/10/2012 13:29:32 - URL Root: http://download.microsoft.com/download/4/a/a/4aa52...
26/10/2012 13:29:36 - Cannot find Windows-KB890830-V4.1.exe
26/10/2012 13:29:36 - Cannot find Windows-KB890830-V4.2.exe
26/10/2012 13:29:37 - Cannot find Windows-KB890830-V4.3.exe
26/10/2012 13:29:38 - Cannot find Windows-KB890830-V4.4.exe
26/10/2012 13:29:38 - Cannot find Windows-KB890830-V4.5.exe
26/10/2012 13:29:39 - Cannot find Windows-KB890830-V4.6.exe
26/10/2012 13:29:40 - Cannot find Windows-KB890830-V4.7.exe
26/10/2012 13:29:41 - Cannot find Windows-KB890830-V4.8.exe
26/10/2012 13:29:41 - Cannot find Windows-KB890830-V4.9.exe
26/10/2012 13:29:42 - Cannot find Windows-KB890830-V4.10.exe
26/10/2012 13:29:43 - Cannot find Windows-KB890830-V4.11.exe
26/10/2012 13:29:43 - Cannot find Windows-KB890830-V4.12.exe
26/10/2012 13:29:47 - Successfully downloaded Windows-KB890830-V4.13.exe as C:\Windows\TEMP\KB890830.exe
26/10/2012 13:29:48 - Cannot find Windows-KB890830-V4.14.exe
26/10/2012 13:29:48 - Cannot find Windows-KB890830-V4.15.exe
26/10/2012 13:29:49 - Cannot find Windows-KB890830-V4.16.exe
26/10/2012 13:29:50 - Cannot find Windows-KB890830-V4.17.exe
26/10/2012 13:29:51 - Cannot find Windows-KB890830-V4.18.exe
26/10/2012 13:29:51 - Cannot find Windows-KB890830-V4.19.exe
26/10/2012 13:29:52 - Cannot find Windows-KB890830-V4.20.exe
26/10/2012 13:29:53 - Cannot find Windows-KB890830-V4.21.exe
...
26/10/2012 13:30:26 - Cannot find Windows-KB890830-V4.93.exe
26/10/2012 13:30:26 - Cannot find Windows-KB890830-V4.94.exe
26/10/2012 13:30:26 - Cannot find Windows-KB890830-V4.95.exe
26/10/2012 13:30:27 - Cannot find Windows-KB890830-V4.96.exe
26/10/2012 13:30:27 - Cannot find Windows-KB890830-V4.97.exe
26/10/2012 13:30:28 - Cannot find Windows-KB890830-V4.98.exe
26/10/2012 13:30:28 - Cannot find Windows-KB890830-V4.99.exe
26/10/2012 13:30:29 - Cannot find Windows-KB890830-V4.100.exe
26/10/2012 13:30:29 - Executing C:\Windows\TEMP\KB890830.exe
26/10/2012 13:31:06 - Return code: 0
26/10/2012 13:31:06 - Script Complete

---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v4.13, October 2012
Started On Fri Oct 26 13:30:34 2012

->Scan ERROR: resource process://pid:1748 (code 0x00000490 (1168))

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Fri Oct 26 13:31:06 2012

Return code: 0 (0x0)
How The Script Works
Each month, Microsoft releases the x86 and x64 versions of the removal tool on its downloads site,
Leaving aside for now the horrible path for these executables, we can see that the x86 and x64 file names are respectively Windows-KB890830-Vx.y.exe and Windows-KB890830-x64-Vx.y.exe (where x and y are the major and minor build version numbers of the tool). At the time of writing (October 2012) the tool's version number is 4.13.
The challenge with the GUID folders above on download.microsoft.com is that they don't offer a directory listing. This means we can't use a wildcard downloader and simply ask for Windows-KB890830-*.exe. On the plus side, the name and location of the file are fairly predictable, so we can guess. In fact, we can be really primitive here and programmatically request Windows-KB890830-V4.1.exe, then Windows-KB890830-V4.2.exe, then Windows-KB890830-V4.3.exe and so on. The last file that successfully downloads is the right one.
And don't worry, this doesn't mean you'll end up with hundreds of MSRTs: Microsoft is pretty good at cleaning up the folder and you'll rarely find more than two present.
At the top of the script you'll find the following variable declarations, which set the extent of the filename search on download.microsoft.com,
IntMajor=4        ' major version of the tool (the "x" in Vx.y)
IntMinor=1        ' first minor version to try
IntMinorMax=100   ' last minor version to try
Set wshShell = CreateObject("WScript.Shell")   ' created earlier in the full script; shown here so the fragment runs on its own
' writelog is the script's own logging routine, defined elsewhere in MSRT_Latest.vbs

StrArch = wshShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%")
' We need the correct download URL for the executing system's OS architecture.
' %ProgramFiles(x86)% only exists on 64-bit Windows, so if it comes back unexpanded (still containing "%") this is a 32-bit OS.
If InStr(StrArch, "%") Then
    writelog("32-bit OS detected")
    StrURL = "http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-V"
Else
    writelog("64-bit OS detected")
    StrURL = "http://download.microsoft.com/download/2/C/5/2C563B99-54D9-4D85-A82B-45D3CD2F53CE/Windows-KB890830-x64-V"
End If
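The same probe-the-version-numbers approach, written as an added PowerShell example rather than the article's VBScript (this is not the attached MSRT_Latest.vbs). It reuses the two URL roots and file-name patterns quoted above; the version range, the %TEMP% destination and the Authenticode check before running the download are this example's own additions. The /Q and /F switches are the tool's documented quiet and full-scan options.

```powershell
# Added example, not the article's script: probe Windows-KB890830-V4.1.exe,
# V4.2.exe ... V4.100.exe and keep the highest build that downloads.
$IntMajor    = 4
$IntMinor    = 1
$IntMinorMax = 100
$Dest        = Join-Path $env:TEMP 'KB890830.exe'   # assumed destination

# Same architecture test as the VBScript: %ProgramFiles(x86)% only exists
# on 64-bit Windows.
if ([string]::IsNullOrEmpty(${env:ProgramFiles(x86)})) {
    $UrlRoot = 'http://download.microsoft.com/download/4/a/a/4aa524c6-239d-47ff-860b-5b397199cbf8/Windows-KB890830-V'
} else {
    $UrlRoot = 'http://download.microsoft.com/download/2/C/5/2C563B99-54D9-4D85-A82B-45D3CD2F53CE/Windows-KB890830-x64-V'
}

# Each successful download overwrites the previous one, so after the loop
# $Dest holds the last (highest-numbered) build that still exists.
$Found = $null
for ($m = $IntMinor; $m -le $IntMinorMax; $m++) {
    $Url = "$UrlRoot$IntMajor.$m.exe"
    try {
        Invoke-WebRequest -Uri $Url -OutFile $Dest -UseBasicParsing -ErrorAction Stop
        $Found = "$IntMajor.$m"
        Write-Host "Downloaded Windows-KB890830 V$Found"
    } catch {
        # A 404 here just means this build was never published or has been
        # cleaned up; keep probing, as the article's log shows.
    }
}
if (-not $Found) { throw 'No MSRT build found in the probed version range' }

# The binary arrives over plain HTTP and will run with high privilege, so
# refuse to execute anything that is not validly signed by Microsoft.
$Sig = Get-AuthenticodeSignature -FilePath $Dest
if ($Sig.Status -ne 'Valid' -or
    $Sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation') {
    Remove-Item -Path $Dest -Force
    throw "Refusing to run $Dest: signature status is $($Sig.Status)"
}

# /Q = quiet, /F = force a full scan. Exit code 0 means the scan completed
# with nothing found; the other return codes are listed in the deployment
# article (KB891716) linked at the end of this page.
$Proc = Start-Process -FilePath $Dest -ArgumentList '/Q', '/F' -Wait -PassThru
Write-Host "Return code: $($Proc.ExitCode)"
```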
- Just download the tool and save the file to a specific location. This might be useful as a regular scheduled task, to ensure you've always got the latest tool available on a file share.
- Download and run the tool with the full-scan option. The log file could then be emailed to an administrator at the end of the run, which makes the script suitable for execution by Deployment Server.
Thanks as usual to Darren Collins for letting me bug him endlessly and for giving me some sample code for the XMLHttpRequest object. I won't mention the fact that he nicked one of my Bourbon creams last Thursday. That would be petty.
http://support.microsoft.com/kb/891717 - Troubleshooting errors with the removal tool
http://support.microsoft.com/kb/891716 - Deployment of the removal tool