mrt_scan.ps1
Windows Malicious Software Removal Tool (MRT) scanner with configurable scan modes.
Executes the built-in Windows Malicious Software Removal Tool (MRT.exe) with a configurable scan mode. Designed for RMM deployment via SuperOps, allowing administrators to trigger Quick or Full silent scans on target endpoints. Displays the scan status and a log preview upon completion.
- PowerShell 5.1 or later
- Administrator privileges required
- Windows OS with MRT.exe available (included in Windows by default)
- SuperOps module available via $SuperOpsModule variable
- $SuperOpsModule: Path to SuperOps module (injected by RMM; non-empty string)
- $ScanMode: Scan type - must be 'Quick' or 'Full' (case-insensitive)
This script uses RMM variable injection for the scan mode. Configure SuperOps to replace the $ScanMode value at runtime. No hardcoded subdomain or API keys.
- Hardcoded values (scan mode defined within script body)
- MRT executable from Windows System32 directory
- MRT log file at %WINDIR%\debug\mrt.log
- Validates administrative privileges are present
- Validates scan mode is 'Quick' or 'Full'
- Locates MRT.exe in system path
- Executes MRT with appropriate arguments (/Q for Quick, /F /Q for Full)
- Waits for scan completion (may take minutes to hours depending on mode)
- Displays last 50 lines of MRT log file for review
- Reports success or failure with detailed diagnostics
- No secrets (API keys, passwords) are used or logged
- Executes only signed Microsoft utility (MRT.exe)
- Log output limited to last 50 lines to control data exposure
- No network calls beyond what MRT.exe performs internally
- 0 : Success - scan completed and log displayed
- 1 : Failure - validation error, missing privileges, or execution failure
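The flow described above (privilege check, scan-mode validation, MRT launch, log tail, exit code), as an added example that is not the repository's mrt_scan.ps1. It also verifies the Authenticode signature of MRT.exe before running it, which is one way to enforce the "signed Microsoft utility" note. The function name `Invoke-MrtScan`, the subject match on `O=Microsoft Corporation`, and treating any non-zero MRT exit code as failure are assumptions of this example.

```powershell
# Added example, not the project's script. Invoke-MrtScan is a hypothetical name.
function Invoke-MrtScan {
    [CmdletBinding()]
    param(
        # ValidateSet compares case-insensitively, matching the documented input rule.
        [Parameter(Mandatory)]
        [ValidateSet('Quick', 'Full')]
        [string]$ScanMode
    )

    # Refuse to run without elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Error 'Administrator privileges are required.'; return 1
    }

    # Use the fixed System32 path rather than a PATH or working-directory lookup.
    $mrtPath = Join-Path $env:WINDIR 'System32\MRT.exe'
    if (-not (Test-Path -LiteralPath $mrtPath -PathType Leaf)) {
        Write-Error "MRT.exe not found at $mrtPath"; return 1
    }

    # Verify the signature before executing. The subject match is an assumption
    # of this example, not something the page specifies.
    $sig = Get-AuthenticodeSignature -FilePath $mrtPath
    if ($sig.Status -ne 'Valid' -or
        $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        Write-Error "Signature check failed for ${mrtPath}: $($sig.Status)"; return 1
    }

    # Argument mapping as documented: /Q for Quick, /F /Q for Full.
    $mrtArgs = if ($ScanMode -eq 'Full') { '/F', '/Q' } else { '/Q' }
    $proc = Start-Process -FilePath $mrtPath -ArgumentList $mrtArgs -Wait -PassThru

    # Show only the last 50 lines of the MRT log to limit data exposure.
    $logPath = Join-Path $env:WINDIR 'debug\mrt.log'
    if (Test-Path -LiteralPath $logPath -PathType Leaf) {
        Get-Content -LiteralPath $logPath -Tail 50 | ForEach-Object { Write-Host $_ }
    }

    # Assumption: any non-zero MRT exit code maps to the script's failure code 1.
    if ($proc.ExitCode -ne 0) { return 1 }
    return 0
}
```

In an RMM wrapper the return value would be passed to `exit`, for example `exit (Invoke-MrtScan -ScanMode $ScanMode)`.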
[ INPUT VALIDATION ]
--------------------------------------------------------------
SuperOpsModule : C:\Program Files\SuperOps\Modules\SuperOps.psm1
ScanMode : Quick
Admin Privileges : Confirmed
[ SYSTEM INFO ]
--------------------------------------------------------------
Computer Name : WKSTN-FIN-01
MRT Path : C:\WINDOWS\system32\MRT.exe
MRT Version : 5.129.22621.4602
[ SCAN EXECUTION ]
--------------------------------------------------------------
Scan Type : Quick
Arguments : /Q
Status : Running silent scan...
Note : This may take several minutes
[ SCAN COMPLETE ]
--------------------------------------------------------------
Duration : Scan process completed
Exit Code : 0
[ LOG PREVIEW ]
--------------------------------------------------------------
Log Path : C:\WINDOWS\debug\mrt.log
Showing : Last 50 lines
-------------------------------------------------->
Microsoft Windows Malicious Software Removal Tool v5.129
Started On Fri Sep 12 10:24:17 2025
Results Summary:
----------------
No malicious software was detected.
Finished On Fri Sep 12 10:28:45 2025
<--------------------------------------------------
[ FINAL STATUS ]
--------------------------------------------------------------
Result : SUCCESS
MRT scan completed successfully
[ SCRIPT COMPLETED ]
--------------------------------------------------------------
- 2025-11-29 v1.1.0 Refactored to Limehawk Style A with improved validation, MRT version detection, process exit code capture, and enhanced error handling.
- 2025-09-12 v1.0.0 Initial release with Quick/Full scan modes.