Earlier this week, Update Tuesday occurred, bringing with it anywhere from one to two dozen updates (more for machines with MS Office installed, fewer for those without). As is my usual practice, I updated the half-dozen plus computers here in the house, and watched them go through the update process. This time around, the usual monthly installment of the Windows Malicious Software Removal Tool came up in the number three spot as the process chunked through its sequence of applying those updates. I couldn’t help but notice that while this element usually takes minutes to grind to completion on most PCs, it was taking an inordinately long time on one of my PCs (the production machine, wouldn’t you know it?) — about an hour, in fact, by the time it was finished.
This is pretty much standard text for the MRT, as it’s usually abbreviated, repeated like clockwork every month.
This caused me to do a little digging to learn more about the tool, and how it works. Along the way I came across a couple of useful resources I’d like to share:
1. The Microsoft Safety & Security Center has a page (and a download link for the standalone version) on the MRT entitled “Malicious Software Removal Tool”
2. MS Support offers an informative page entitled “How to troubleshoot an error when you run the Microsoft Windows Malicious Software Removal Tool”
Among other things, I learned that the program writes to a log file each time it runs, and that log file is named mrt.log, which resides in the %systemroot%\debug directory (that environment variable translates into “C:\Windows” on most PCs, BTW). My thinking was that the program took such a long time to complete because it found something interesting, so I hoped that a gander at the log file would show me what, if anything, the program had found. Alas, it showed only a return code of 0 which, as all long-time Windows-heads know, means successful completion and thus also, no errors found (or fixed).
I did observe something else interesting, though: despite the documentation indicating that MRT runs only when it’s downloaded from the Windows Update center, my MRT log shows it running several times a day, every day, for only a few seconds at a time (typically, 2 or 3). It looks like MRT must be scheduled to run on a regular basis — how else to explain the recurring, multiple-times-a-day log entries? So, although I didn’t find any problems reported from running the MRT after the last updates, I did learn something interesting about the program and its behavior.
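The log check described above, as an added example that is not part of the original post: a Python script that splits mrt.log text into individual runs and flags any that ran long, never logged a finish, or returned a non-zero code. It assumes each run is recorded with "Started On", "Finished On" and "Return code:" lines; the sample log, the function names and the 600-second threshold are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the assumed mrt.log layout; not from a real machine.
SAMPLE_LOG = """\
Microsoft Windows Malicious Software Removal Tool (constructed sample)
Started On Tue Jan 10 09:00:01 2012
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan 10 09:00:03 2012
Return code: 0 (0x0)
Microsoft Windows Malicious Software Removal Tool (constructed sample)
Started On Tue Jan 10 14:00:00 2012
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan 10 15:00:30 2012
Return code: 0 (0x0)
Started On Wed Jan 11 09:00:00 2012
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Tue Jan 10 09:00:01 2012"
FIELD = re.compile(r"(Started On|Finished On|Return code:)\s*(.+)$")

def parse_runs(text):
    """Return one dict per run: start, end, return code (None if missing)."""
    runs = []
    for line in text.splitlines():
        m = FIELD.search(line.strip())
        key, value = m.groups() if m else (None, None)
        if key == "Started On":
            runs.append({"start": datetime.strptime(value, TS_FORMAT),
                         "end": None, "code": None})
        elif runs and key == "Finished On":
            runs[-1]["end"] = datetime.strptime(value, TS_FORMAT)
        elif runs and key == "Return code:":
            runs[-1]["code"] = int(value.split()[0])
    return runs

def flag_runs(runs, long_seconds=600):
    """Yield (start, seconds, code, reasons) for runs worth a closer look."""
    for r in runs:
        secs = (r["end"] - r["start"]).total_seconds() if r["end"] else None
        reasons = []
        if secs is None:
            reasons.append("no finish line")  # run was cut off or still going
        elif secs >= long_seconds:
            reasons.append("long run")
        if r["code"] not in (0, None):
            reasons.append("non-zero return code")
        if reasons:
            yield r["start"], secs, r["code"], reasons
```

To use it on a real machine, pass the text of %systemroot%\debug\mrt.log to `parse_runs`; the file may need to be opened with a UTF-16 encoding.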