- File Version:1.71
- File Name: RootkitRevealer.zip
- File Size: 226KB
- Author: Microsoft SysInternals
- License: Freeware
- Updated: January 17th, 2018
- Requirements: Windows 10 / Windows 8.1 / Windows 8 / Windows 7 / Windows Vista / Windows XP / Windows 7 64 / Windows 8 64 / Windows 10 64
RootkitRevealer is an advanced rootkit detection utility. It runs on Windows XP 32-bit and Windows Server 2003 32-bit. Its output lists Registry and file system API discrepancies that may indicate the presence of a kernel-mode or user-mode rootkit.
RootkitRevealer detects many persistent rootkits, including AFX and Vanquish. (Note: RootkitRevealer can’t detect rootkits such as Fu that hide their files or registry keys.)
RootkitRevealer is no longer available as a command-line executable, because malware authors started targeting RootkitRevealer’s scan by checking for its executable name. Microsoft updated RootkitRevealer so that it executes its scan from a randomly named copy of itself, which runs as a Windows service. That execution model does not lend itself to a command-line interface.
You can, however, use command-line options to run an automatic scan with the results logged to a file, which is equivalent to what the command-line version did.
What is a Rootkit?
Rootkit refers to the techniques and mechanisms that malware, including viruses and spyware, uses to hide its presence from anti-virus software, spyware blockers, and other system management tools. Rootkits are classified by whether the malware survives a reboot (persistent versus memory-based) and by whether it executes in kernel mode or user mode.
How RootkitRevealer Works
RootkitRevealer compares the results of a system scan performed at the highest level, the Windows API, with the results of the same scan performed at the lowest level, the raw contents of a Registry hive file or a file system volume. (A hive file is the Registry’s on-disk storage format.) A persistent rootkit that hides its files or Registry keys by manipulating the Windows API or the native API, whether it runs in user mode or kernel mode, causes a discrepancy between the two views: the high-level listing omits entries that are present in the raw data, and RootkitRevealer reports each such discrepancy.
RootkitRevealer must be run from an account that holds the appropriate privileges: Backup files and directories, Load drivers, and Perform volume maintenance tasks (on Windows XP and higher). These privileges are assigned to the Administrators group by default.
For the best results, close all programs and leave the system idle during the scan; activity between the high-level and low-level passes (files or keys created or deleted while the scan runs) shows up as discrepancies and produces false positives.
To scan a system, launch RootkitRevealer on it and press the Scan button. RootkitRevealer scans the system, reporting its progress in a status area at the bottom of its window and noting discrepancies in the output list. The options you can configure are:
- Hide NTFS Metadata Files: on by default. When enabled, RootkitRevealer does not show the standard NTFS metadata files, which are hidden from the Windows API and therefore always appear as discrepancies in a raw volume scan.
- Scan Registry: on by default. Deselecting it makes RootkitRevealer skip the Registry scan and compare only the file system views.
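The cross-view comparison described under "How RootkitRevealer Works", together with the effect of the "Hide NTFS Metadata Files" option, can be shown with a small added example. This is illustrative code written for this page, not Sysinternals code, and it does not read raw hives or volumes: the two views are constructed sample listings that stand in for a Windows API enumeration and a raw-data enumeration of the same file system and Registry namespace. The hidden driver and Run value in the sample are hypothetical placeholders, and the discrepancy labels are the example's own.

```python
"""Cross-view discrepancy check in the spirit of RootkitRevealer's
high-level (Windows API) versus low-level (raw hive / raw volume) comparison.
Added example, not Sysinternals code; the views below are constructed."""

from dataclasses import dataclass

# Standard NTFS metadata files. A raw volume scan always sees them, while the
# Windows API hides them, so a cross-view diff reports them unless filtered
# (the role of RootkitRevealer's "Hide NTFS Metadata Files" option).
NTFS_METADATA = frozenset({
    "$MFT", "$MFTMirr", "$LogFile", "$Volume", "$AttrDef", "$Bitmap",
    "$Boot", "$BadClus", "$Secure", "$UpCase", "$Extend",
})


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str   # "hidden_from_api" or "visible_only_to_api"
    note: str


def cross_view_diff(api_view, raw_view, hide_ntfs_metadata=True):
    """Compare a high-level enumeration with a low-level enumeration of the
    same namespace (file paths and Registry paths alike).
    Entries present in the raw view but absent from the API view are the
    classic sign of a rootkit hiding files or keys from the API. Entries
    present only in the API view usually stem from activity between the two
    passes, which is why the scan should run on an idle system."""
    api = set(api_view)
    raw = set(raw_view)
    findings = []
    for path in sorted(raw - api):
        name = path.rsplit("\\", 1)[-1]
        if hide_ntfs_metadata and name in NTFS_METADATA:
            continue
        findings.append(Discrepancy(path, "hidden_from_api",
                                    "Hidden from Windows API."))
    for path in sorted(api - raw):
        findings.append(Discrepancy(path, "visible_only_to_api",
                                    "Visible to Windows API but absent from raw "
                                    "scan; possibly changed between passes."))
    return findings


# Constructed sample views for demonstration only; not real scan output.
SAMPLE_API_VIEW = [
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Temp\scan-in-progress.tmp",   # constructed: created between passes
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
]
SAMPLE_RAW_VIEW = [
    r"C:\$MFT",       # NTFS metadata, expected to be hidden from the API
    r"C:\$LogFile",
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\example_hidden.sys",   # hypothetical hidden file
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleApp",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleHidden",  # hypothetical hidden value
]


def run_sample_scan(hide_ntfs_metadata=True):
    """Run the comparison over the constructed views and return the findings."""
    return cross_view_diff(SAMPLE_API_VIEW, SAMPLE_RAW_VIEW, hide_ntfs_metadata)


def format_report(findings):
    """Render findings as tab-separated lines, one per discrepancy."""
    return "\n".join(f"{f.path}\t{f.kind}\t{f.note}" for f in findings)


if __name__ == "__main__":
    print(format_report(run_sample_scan()))
```

With the metadata filter on, the sample yields three discrepancies: the hypothetical hidden driver and Run value (both "hidden_from_api") and the temporary file that only the API pass saw. Turning the filter off adds the two NTFS metadata entries, which is exactly the noise the "Hide NTFS Metadata Files" option exists to suppress. A real detector differs in where the views come from, not in this comparison step: the raw view has to be built by parsing the hive file or the volume's on-disk structures directly, which is why the tool needs the backup and volume-maintenance privileges listed above.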