Using RootkitRevealer

Rootkit Revealer

Using RootkitRevealer

RootkitRevealer comes in two forms: a GUI and a command-line version. Both versions require that the account from which they are run have assigned to it the Backup files and directories, Load drivers and Perform volume maintenance tasks (on Windows XP and higher) privileges. The Administrators group is assigned these privileges by default.

For best results exit all applications and keep the system otherwise idle during the RootkitRevealer scanning process.

Manual Scanning

To scan a system launch it on the system and press the Scan button. RootkitRevealer scans the system reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. The options you can configure:

Hide NTFS Metadata Files: this option is on by default and has RootkitRevealer not show standard NTFS metadata files, which are hidden from the Windows API. Scan Registry: this option is on by default. Deselecting it has RootkitRevealer not perform a Registry scan.

Launching an Automatic Scan

RootkitRevealer supports several options for auto-scanning systems:

usage: rootkitrevealer [-a [-c] [-m] [-r] outputfile]


Automatically scan and exit when done.


Format output as CSV


Show NTFS metadata files


Don't scan the Registry.


Note that the file output location must be on a local volume.

If you specify the -c option it does not report progress and discrepancies are printed in CSV format for easy import into a database. You can perform scans of remote systems by executing it with the Sysinternals PsExec utility using a command-line like the following:

psexec \\remote -c rootkitrevealer.exe -a c:\windows\rootkit.log