2

Whenever my system starts the last few days, Windows (10 x64) asks me to install this:

"C:\Windows\System32\mrt.exe" /R /RE

Now, I don't want to install it, so I deleted that file, but a couple of startups later, there it is again.

My questions are: what do the /R and the /RE after the file mean to Windows, and why is that file in my system again?

Update:

Thanks for the switches information (/R /RE) (as @TOOGAM correctly stated; I will try what you said later today). I corrected the information about the file, which didn't show the white spaces between the "file name" and the switches at the prompt when hitting 'more info' on the dialog.

I tried "which mrt"; the system says "which" is not recognized. @DavidPostill probably meant "mrt -version", which shows the prompt in his answer, as with every other parameter... Does it mean it's already installed, so the attempt to install it at startup is suspicious?

nicorellius

3 Answers

4

MRT is the Malicious Software Removal Tool. It is a one-time run Antivirus scan that comes through Windows Update every month. The R and RE switches probably tell it to create a task to run later, or register it as a service. It isn't malware.

The switches /R and /RE appear to be undocumented yet valid. I ran several different switches from command line and viewed the output in the MRT log file (C:\Windows\debug\mrt.log).

I first ran "mrt.exe /Q" as a baseline. This added an entry with "Run Mode: Scan Run in Quite Mode".

Next I ran an invalid switch "mrt.exe /X" which didn't add any output.

"mrt.exe /R" Added "Run Mode: Post Reboot Actions" which leads me to believe it is telling MRT to run either the scan or perhaps some cleanup actions after a reboot.

"mrt.exe /RE" Added "Run Mode: Interactive Graphical Mode" which opened up a wizard which had different configuration options for the scan, and guided me through the scanning procedure. This is what happens when you open MRT.exe without any switches, but since the effect was different than an invalid switch like /X it still seems to do something.

Both /R and /RE together added "Run Mode: Post Reboot Actions".

While I wasn't able to verify the exact effect both of those switches have, they do appear to be valid in the normal MRT program. The reason the program keeps reappearing is probably due to Windows Updates running and replacing the file, or a System File Check running and replacing the file from the WinSxS store.

CConard96
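The log check described in this answer, as an added PowerShell example that is not part of the original post: it pairs each "Run Mode" line in mrt.log with the start time of the run that wrote it. The "Started On" header format and the sample lines are assumptions constructed for illustration; only the "Run Mode" strings are taken from the answer.

```powershell
# Added example: list the run mode MRT recorded for each run in its log.
function Get-MrtRunMode {
    param([string[]]$Lines)
    $started = $null
    foreach ($line in $Lines) {
        # Assumed header format: "Started On <date text>"
        if ($line -match '^\s*Started On\s+(.+)$') {
            $started = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*Run Mode:\s*(.+)$') {
            [pscustomobject]@{ Started = $started; RunMode = $Matches[1].Trim() }
            $started = $null   # do not reuse a start time for a later entry
        }
    }
}

# Constructed sample lines (not a real log), using the strings quoted above.
$sample = @(
    'Started On Mon Jan 01 09:00:00 2018'
    'Run Mode: Scan Run in Quite Mode'
    'Started On Mon Jan 01 09:05:00 2018'
    'Run Mode: Post Reboot Actions'
    'Started On Mon Jan 01 09:06:00 2018'
    'Run Mode: Interactive Graphical Mode'
)
Get-MrtRunMode -Lines $sample | Format-Table -AutoSize

# The same parser over the real log, summarised by run mode.
$log = 'C:\Windows\debug\mrt.log'
if (Test-Path -LiteralPath $log) {
    Get-MrtRunMode -Lines (Get-Content -LiteralPath $log) |
        Group-Object RunMode |
        Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
```

A "Post Reboot Actions" entry whose start time matches each boot would show that the startup launch with /R /RE is reaching this mrt.exe and being logged by it.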
1

What do the /R and the /RE after the file mean to windows?

As explained in the other answers they are command line switches.

However the official Microsoft Malicious Software Removal Tool (mrt.exe) does not support these options (see below).

This implies that the version your system is trying to install may be malware.

See How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC? for instructions on removing malware.


mrt command line options

WMSRT MRT.exe supports four command line switches listed below, which are optional and most of the time not necessary unless you're an administrator for a corporate network:

  • /Q or /quiet – Use quiet mode. This option suppresses the user interface of the tool.
  • /? – Display a dialog box that lists the command-line switches.
  • /N – Run in detect-only mode. In this mode, malicious software will be reported to the user but will not be removed.
  • /F – Force an extended scan of the computer.
  • /F:Y – Force an extended scan of the computer and automatically clean any infections found.

Source: How to Use Windows Malicious Software Removal Tool

> which mrt
C:\Windows\System32\MRT.exe

> mrt /?

Displays the following dialog:

enter image description here

DavidPostill
0

Some of the questions you have do not have clear complete answers. Here is what we do know.

As LPChip's comment correctly stated, the /R/RE appear to be switches. In the traditional command prompt, placing a forward slash on the command line specifies the start of a switch. e.g., "dir/w" means to use the "dir" command, and specify the "/w" switch. (Switches are also called "parameters".)

In PowerShell, that doesn't work: you would need a space before the switch. The Registry is just a giant collection of data, so whether the space is needed, or not, would depend on what program is using that data.

Since you're being asked about installing the program, I'm guessing that the prompt is coming from "user account control" ("UAC"). So UAC is effectively protecting you from having the program be installed. Just say no.

Now, as for why that is happening for every reboot, that is something that I cannot readily say, but I can provide some advice for figuring this out. There are multiple ways that Microsoft Windows allows a program to start up. You can check the Startup folder (from your Start menu), but most likely you'll find your answer in the registry. Check out these keys in RegEdit:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

That is probably how the program is starting.

However, although deleting that registry entry will likely stop the program from running, this doesn't answer the question of how the program keeps coming back after you successfully delete it. This is not very normal behavior, except if your computer is already compromised by malicious software (a.k.a. "malware"). If malware is re-creating the file, chances are good that malware will also re-create the registry entry.

So you probably need to find the malware. The easy way to do that is likely to run a scan with anti-malware software. If whatever you have installed doesn't work, try Malwarebytes (which is often good at finding stuff, and often works alongside existing anti-malware software), and/or other anti-malware software (although you may need to uninstall each anti-malware software before trying another, as multiple pieces of anti-malware software often tend to conflict with each other).

Hopefully that works; sometimes you need to do some more serious efforts to successfully get the machine cleaned, which may involve not booting from the long term storage device (e.g., "hard drive", "solid state drive") that you're using (because the drive you're currently using might be sufficiently compromised).

TOOGAM
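The registry check suggested in this answer, as an added PowerShell example that is not part of the original post: it reads the four Run/RunOnce keys listed above, reports any value whose command line launches mrt.exe, splits the path from the switches, and shows the file's Authenticode signature. The helper names Split-CommandLine and Get-SignatureSummary are hypothetical, and unquoted paths containing spaces are not handled.

```powershell
# Added example: autostart values that launch mrt.exe, plus the file's signature.
$keys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Split-CommandLine {
    param([string]$Command)
    # A quoted path first ("C:\...\mrt.exe" /R /RE), otherwise the first token.
    if ($Command -match '^\s*"([^"]+)"\s*(.*)$' -or
        $Command -match '^\s*(\S+)\s*(.*)$') {
        [pscustomobject]@{
            Path     = [Environment]::ExpandEnvironmentVariables($Matches[1])
            Switches = $Matches[2].Trim()
        }
    }
}

function Get-SignatureSummary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'file not found' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    '{0}; signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject
}

$hits = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if ($cmd -notmatch '\bmrt\.exe') { continue }   # -match is case-insensitive
        $parts = Split-CommandLine -Command $cmd
        [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Path      = $parts.Path
            Switches  = $parts.Switches
            Signature = Get-SignatureSummary -Path $parts.Path
        }
    }
}

if ($hits) { $hits | Format-List }
else { 'No Run/RunOnce value references mrt.exe.' }

# The file named in the question, checked directly.
Get-SignatureSummary -Path "$env:SystemRoot\System32\mrt.exe"
```

A status of Valid with a Microsoft signer means the binary on disk is Microsoft-signed; any other status, or a Run value pointing at an mrt.exe outside System32, is the case that warrants the scan recommended above.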