Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

Updated RootkitRevealer

Yesterday we released RootkitRevealer v1.30. This release is in direct response to Microsoft Product Support Services (PSS) discovering actual installations of the Hacker Defender rootkit on customer systems that target RootkitRevealer.

RootkitRevealer works by comparing a high-level scan of the system via the Windows API with a low-level direct scan of file system and Registry on-disk structures. Rootkits that cloak by modifying a system view at any level above the on-disk structures will be visible as discrepancies between the two scans - that is, if their cloaking is active.

Hacker Defender's installation includes a configuration file where a malware author specifies the files, drivers, services, and other items that should be cloaked. The configuration file also includes a section where ‘root’ processes are specified. A Hacker Defender root process is one that Hacker Defender allows to see an unmodified system view. Microsoft PSS found that RootkitRevealer wasn’t detecting discrepancies on some customer that they verified had Hacker Defender installations. Their investigation revealed that the RootkitRevealer had been added to the ‘root’ process section of the configuration file. Thus, RootkitRevealer’s two scans showed no differences.

To defeat this Microsoft started renaming RootkitRevealer’s executable before a scan. Bryce and I decided that many users would likely not know to do this and requiring a manual rename is inconvenient, so we modified RootkitRevealer to perform the rename automatically. When you execute RootkitRevealer it makes a copy of itself in \Windows\System32 with a randomly-generated name. It then installs that copy as a Windows service that displays its UI on the console desktop and cleans up the service installation when the scan is complete. Since this approach doesn’t work well with a command-line executable we added command-line options for automatic scanning and logging to a file.

Is this the last modification we’ll have to make? Not likely. This was an easy attack since it required no modification of Hacker Defender, but more sophisticated attacks are possible where a rootkit can detect a scan of RootkitRevealer in other ways, like version information or behavior analysis, and disable cloaking so as not to be detected. That’s why a better approach to detection is to combine the detector with a virus scanner: if the rootkit cloaks it will be detected by the rootkit detector and if it doesn’t virus scanning can pick it up. The bottom line is that there can never be a universal rootkit detector – only ones that work against certain types of rootkit technology.

People have asked us to add a rootkit removal feature like the “rename” functionality of F-Secure’s Blacklight product. We’ve decided not to for several reasons. First, renaming of rootkit files is easily defeated by a rootkit that activates before the rename operation and blocks the rename. Second, if the rootkit detector hasn’t detected all of the components of the malware the rename can result in only a partial removal of the rootkit. We’ve already seen spyware and adware that automatically repairs its own broken installations and its so its also possible for rootkits to reinstall disabled components.

Rootkits are a very scary thing. The focus of the security community and IT professional should be on preventing their installation. Detection is a last resort with uncertain results.

posted by Mark Russinovich @ 10:25 AM

I'm having difficulty to run rootkitrevealer.
I'm getting window
"Rootkitrevealer must be run from console" no matter what I do.
Thanks for help.
I still get some of what appear to be false positives from deeply nested files that look like shortcuts and appear to have truncated file names

Seeing as RootkitRevealer doesn't allow me to easily highlight an item and copy the full path I can't easily cut and paste a single item and then quickly get to the directory....

It would be a nice enhancement to allow users to quickly browse to the appropriate key and/or directory

Back to this report here is an example

C:\Program Files\JerMar Software\Tweaki...for Power Users\Undo\DTOP\Registry\os_settings040607\IE\Admin\Favorites\Anti-Virus, Anti-Spam\Bayesian Spam Filtering Software - Email Clients, Anti-Spam Tools and Other Software Using Statistical Anti-Spam Filter 23/12/2004 7:10 PM 68 bytes Hidden from Windows API.
Mark - all

On the hacker web site listed on the RRR web page I saw a comment posted at RRR 1.10 or so. The writer posted that he could easily get around RRRs methods and that it was no worry.

You have beat this - good.

What if the rootkit can get the startup of RRR and discover the instance name? Does RRR prevent this? I assume that it may not be possible if you only take info from the file before renaming.
This is a quote from an e-mail sent about RootkitRevealer v. 1.4 on the Sysintervals site :

"Mr. Bryce Cogswell :

Yours was the only e-mail address I could find on Sysintervals site for contact information. It would be nice if there was a better way to find contact information. Even the site map didn't help.

There is a little confusion as to whether RootkitRevealer can be used on Win9x/ME and Win XP/2K3 operating systems. This is a quote from the page :

" RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. "

This freeware is listed in the Win NT/2000/XP/2K3 Utilities at, but it is not listed in the Win 95/98/ME Utilities.

I was going to provide a link to the freeware utility, but would like to be able to include the information in a more clearer form as to exactly which operating systems it can be used on.

Thanks for your time.

Major Payne"

Would like a response ASAP.
"NT 4 and higher" generally means no Win9x support. RKR doesn't run on Win9x. We are in fact phasing out support of Win9x with new tools.

As far as contact information, our names, wich are listed at the top of every single page on the site including the front page, are hperlinks to our e-mail addresses.
Hi Mark,

I agree with your prognosis that a two-pronged attack could prove beneficial, although if they're two separate processes then the RootKit has the ability to ensure the RootKit scan yields no differences whilst the Virus Scan is cloaked.

If the two features were rolled into one binary then it would not be possible for a RootKit to enforce different behaviours on the same physical binary.

For example, RootKit Revealer could use "simple" heuristics to determine if the system is too clean and, if it determines so, then it could then run an internal RootKit file scan as it can be fairly confident it has un-cloaked access to the system.

If performed within a single binary then the RootKit would not be able to defend itself adequately and the the chance of detection could be greatly increased.
try open a Command Prompt window and then run RootkitRevealer there.
Hi Mark, I'm seeing the "RootkitRevealer must be run from console" message too.
This is on WinXP Pro SP2. It occurs whether it's launched from GUI or CLI.

I've used Rootkit Revealer successfully on other systems (both compromised and apparently clean ones), so I don't *think* I'm doing anything particularly stupid.

I don't have any reason to believe that this machine is compromised, but it does occur to me that making it hard to launch a diagnostic might be one way to evade detection...

Thanks for all the great stuff.
Hi Mark,

When I downloaded Rootkit Revealer V1.4 on april 4, I could launch it successfully from GUI.

But now I'm seeing the
"RootkitRevealer must be run from console" message too.

This is on WinXP Pro SP1. It occurs whether it's launched from GUI or CLI.

I'm suspecting a compromission. So I will try an offline analysis from a brand new disk.

Process explorer:

There is no doubt that your all softs offered are of great value to people especially process explorer. But this is also a fact that some time process explorer failes to kill an unwanted applications. Some applications are so sticky and suborn that in order to kill them I donot find any other way but to restart my pc.


[email protected]
I get "Rootkitrevealer must be run from console". I have tried running it from the console and no help.
Download page says "Note: the executables are signed with Sysinternals code signing key". But sigcheck says:

Verified: Unsigned
File date: 2:02 PM 4/7/2005

Oversight? Thanks for putting this out there.
I am experiencing the same problem as others with the can not run from console using windows xp pro SP2
Adris et al.,
I believe that "must be run from console" error has something to do with either Spybot S&D's "immunizations" or Microsoft Antispyware. I had a desktop (XP SP2) on which RootkitRevealer 1.4 ran successfully. I then installed MS Antispyware and also ran an updated Spybot immunization. Then RR started giving me that error. This all took place in < 15 minutes, and nothing else changed with the system except what I note above.

Hey Guys

I resolved the console error by recreating my windows profile.

I noticed that when I logged on with my user account the RootkitRevealer would not work but when I logged on with the admin account it worked fine.

When I recreated my windows profile it all worked fine.

Post a Comment

<< Home

This page is powered by Blogger. Isn't yours?

RSS Feed



Full Blog Index

Recent Posts

More on MSN Desktop Search
MSN Desktop Search
More on Google Desktop
Google Desktop


03/01/2005 - 03/31/2005
04/01/2005 - 04/30/2005
05/01/2005 - 05/31/2005
06/01/2005 - 06/30/2005
07/01/2005 - 07/31/2005
08/01/2005 - 08/31/2005
09/01/2005 - 09/30/2005
10/01/2005 - 10/31/2005
11/01/2005 - 11/30/2005
12/01/2005 - 12/31/2005
01/01/2006 - 01/31/2006
02/01/2006 - 02/28/2006
03/01/2006 - 03/31/2006
04/01/2006 - 04/30/2006
05/01/2006 - 05/31/2006
07/01/2006 - 07/31/2006

Other Blogs

Raymond Chen
Dana Epp
Aaron Margosis
Wes Miller
Larry Osterman
Bruce Schneier
Larry Seltzer