Despite declining KB890830 updates through WSUS policies, many Windows Server administrators (myself included) have encountered situations where the Malicious Software Removal Tool gets installed unexpectedly. The tool runs silently during Automatic Maintenance cycles despite not appearing in standard uninstall interfaces.
Check these locations to confirm MRT is present:
# File existence check
Test-Path "C:\Windows\System32\MRT.exe"
# Log verification (MRT appends a run summary to this file every time it executes)
Get-Content "C:\Windows\debug\mrt.log" -Tail 50
# Scheduled tasks whose name references MRT (these, not a Programs and Features entry, are what you will find)
Get-ScheduledTask | Where-Object {$_.TaskName -like "*MRT*"}
Standard uninstall commands fail because MRT is not an installed program: it is delivered as an update and executed once, so there is no uninstall entry for it. Here are the removal techniques that do work:
# Method 1: Force removal from an elevated PowerShell session (takeown and icacls are external commands)
# The file is owned by TrustedInstaller, so take ownership before changing the ACL or the delete is denied
Takeown /F C:\Windows\System32\MRT.exe
icacls C:\Windows\System32\MRT.exe /grant administrators:F
Remove-Item -Force C:\Windows\System32\MRT.exe
# Method 2: Policy value that tells Windows Update not to offer the tool (the opt-out Microsoft documents in KB891716)
# The Policies\Microsoft\MRT key does not exist by default, so create it first or Set-ItemProperty fails
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\MRT" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\MRT" -Name "DontOfferThroughWUAU" -Value 1 -Type DWord
Even after removal, Windows Update will offer and install the next monthly MRT release unless the DontOfferThroughWUAU policy value is set. If you want additional controls on top of the policy, understand what each one costs:
# Disable the maintenance trigger
# Caution: "Scheduled Start" is the task that starts the Windows Update service for every scheduled scan,
# so disabling it blocks all scheduled update installs on the server, not only MRT. Prefer the policy value.
schtasks /change /tn "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /disable
# Create a permanent deny ACL
# Only meaningful if the binary is kept in place (a deny ACE cannot be set on a deleted file) and it needs the
# ownership taken in Method 1. "Everyone" includes administrators and SYSTEM; the owner can still reset the ACL.
if (Test-Path C:\Windows\System32\MRT.exe) {
    $acl = Get-Acl C:\Windows\System32\MRT.exe
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone","FullControl","Deny")
    $acl.SetAccessRule($rule)
    Set-Acl -Path C:\Windows\System32\MRT.exe -AclObject $acl
}
Prevent future installations through these WSUS configurations:
- Create a computer group specifically for servers
- Decline KB890830 in all classifications (Critical, Security, etc.)
- Configure automatic approval rules to exclude MRT updates
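The three WSUS steps above can be scripted on the WSUS server itself. The function below is an added example and is not part of the original post: it declines every not-yet-declined revision of KB890830 (matching by KB number and, as a fallback, by title) using the UpdateServices module that ships with the WSUS role. Because WSUS automatic approval rules match on product and classification and have no per-update exclusion list, the practical way to "exclude" MRT from auto-approval is to run a decline like this after every synchronization (for example as a scheduled task). The KB number, the title pattern and running against the local server via Get-WsusServer are assumptions; pass -Name, -PortNumber and -UseSsl to Get-WsusServer for a remote console.

```powershell
# Added example, not code from the original post.
# Assumes the UpdateServices module (present where the WSUS role is installed) and that the
# caller is a WSUS administrator. Run with -WhatIf first to preview what would be declined.
Import-Module UpdateServices

function Deny-MrtUpdates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # KB number of the Malicious Software Removal Tool (assumption: unchanged across releases)
        [string]$KbNumber = '890830',
        # Local WSUS server by default; supply Get-WsusServer -Name ... for a remote one
        $Server = (Get-WsusServer)
    )

    # -Approval AnyExceptDeclined skips revisions already declined; -Status Any ignores client install state.
    $candidates = @(
        Get-WsusUpdate -UpdateServer $Server -Classification All -Approval AnyExceptDeclined -Status Any |
            Where-Object {
                $_.Update.KnowledgebaseArticles -contains $KbNumber -or
                $_.Update.Title -like '*Malicious Software Removal Tool*'
            }
    )

    foreach ($candidate in $candidates) {
        if ($PSCmdlet.ShouldProcess($candidate.Update.Title, 'Decline')) {
            $candidate | Deny-WsusUpdate
        }
    }

    # Return what was handled so a scheduled run can log or mail the result.
    $candidates | Select-Object @{n = 'Title'; e = { $_.Update.Title }},
                                @{n = 'UpdateId'; e = { $_.UpdateId }},
                                Classification
}

# Preview, then decline for real.
Deny-MrtUpdates -WhatIf
Deny-MrtUpdates
```

Declining covers only updates WSUS has already synchronized; a new monthly revision arrives unapproved or auto-approved depending on your rules, which is why the decline belongs after the sync rather than as a one-off.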
Run this weekly audit script to ensure MRT remains disabled:
$mrtTasks = @(Get-ScheduledTask -TaskName "*MRT*" -ErrorAction SilentlyContinue)
$mrtStatus = @{
    FileExists      = Test-Path "C:\Windows\System32\MRT.exe"
    # MRT-named tasks that are not disabled; an empty list is the desired state
    ActiveTasks     = @($mrtTasks | Where-Object { $_.State -ne "Disabled" })
    RegistrySetting = Get-ItemPropertyValue "HKLM:\SOFTWARE\Policies\Microsoft\MRT" -Name "DontOfferThroughWUAU" -ErrorAction SilentlyContinue
}
# Compare counts rather than a single State value: $null -ne "Disabled" is true, so a missing task must not raise the warning.
# A missing or zero policy value also needs remediation, because Windows Update will offer the tool again.
if ($mrtStatus.FileExists -or $mrtStatus.ActiveTasks.Count -gt 0 -or $mrtStatus.RegistrySetting -ne 1) {
    Write-Warning "MRT remediation required"
    # Add your remediation logic here
}
Many sysadmins discover too late that KB890830 (Microsoft's Malicious Software Removal Tool) gets installed through Windows Update despite active decline policies. The tool runs silently during Automatic Maintenance cycles, creating these common pain points:
- Unnecessary resource consumption during maintenance windows
- False positives in security audits from unexpected processes
- Lack of proper enterprise management controls
Before taking action, confirm MRT's presence using these verification methods:
# Check whether the KB890830 update is registered (the key is absent on systems that never received it)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB890830" -ErrorAction SilentlyContinue
# Verify execution logs
Get-Content C:\Windows\debug\mrt.log -Tail 50
# Locate the binary
Test-Path C:\Windows\System32\MRT.exe
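The verification steps here and the earlier "Check these locations" section look at the same three places. The function below is an added example, not code from the original post, that gathers them in one object and adds two data points the page does not show: the version GUID that MRT records under HKLM\SOFTWARE\Microsoft\RemovalTools\MRT when it runs, and the most recent Windows Update history entry for the tool, read through the Microsoft.Update.Session COM API (which is more reliable than a HotFix registry key). It also matches scheduled tasks by what they execute, not only by name. The regex used against mrt.log ("Started On" / "Finished On") is an assumption about the log's wording.

```powershell
# Added example, not code from the original post.
function Get-MrtInventory {
    [CmdletBinding()]
    param(
        [string]$BinaryPath = "$env:SystemRoot\System32\MRT.exe",
        [string]$LogPath    = "$env:SystemRoot\debug\mrt.log"
    )

    $binary = Get-Item -Path $BinaryPath -ErrorAction SilentlyContinue

    # MRT writes its own version marker here; the value is a GUID, not a build number.
    $removalTools = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\RemovalTools\MRT' -ErrorAction SilentlyContinue

    # Opt-out policy value (KB891716). A missing key means the tool will be offered again.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\MRT' -ErrorAction SilentlyContinue

    # Match tasks by the executable they launch as well as by name, so a renamed task is still found.
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object {
            $_.TaskName -like '*MRT*' -or
            ($_.Actions | Where-Object { $_.Execute -like '*MRT.exe*' })
        } |
        Select-Object TaskPath, TaskName, State

    # Most recent Windows Update history entry for the tool (COM API, works without WSUS access).
    $history = $null
    try {
        $session  = New-Object -ComObject Microsoft.Update.Session
        $searcher = $session.CreateUpdateSearcher()
        $total    = $searcher.GetTotalHistoryCount()
        if ($total -gt 0) {
            $history = $searcher.QueryHistory(0, $total) |
                Where-Object { $_.Title -like '*Malicious Software Removal Tool*' } |
                Sort-Object Date -Descending |
                Select-Object -First 1 Date, Title, ResultCode
        }
    } catch {
        Write-Verbose "Update history unavailable: $_"
    }

    # Last start/finish lines from mrt.log. Assumption: the log carries "Started On" and "Finished On" lines.
    $lastRun = $null
    if (Test-Path -Path $LogPath) {
        $lastRun = Select-String -Path $LogPath -Pattern 'Started On|Finished On' |
            Select-Object -Last 2 -ExpandProperty Line
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        BinaryPresent        = [bool]$binary
        BinaryVersion        = if ($binary) { $binary.VersionInfo.ProductVersion } else { $null }
        BinaryLastWrite      = if ($binary) { $binary.LastWriteTime } else { $null }
        RemovalToolsVersion  = if ($removalTools) { $removalTools.Version } else { $null }
        DontOfferThroughWUAU = if ($policy) { $policy.DontOfferThroughWUAU } else { $null }
        Tasks                = $tasks
        LastUpdateHistory    = $history
        LastLogLines         = $lastRun
    }
}

Get-MrtInventory | Format-List
```

Run it from an elevated session; the Security-relevant fields are BinaryPresent, DontOfferThroughWUAU (should be 1) and Tasks (should be empty or all Disabled). Pipe the object to Export-Csv when collecting from many servers with Invoke-Command.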
The primary execution trigger comes from hidden scheduled tasks. Disable them with:
# PowerShell method
Get-ScheduledTask -TaskPath "\Microsoft\Windows\WindowsUpdate\" |
    Where-Object {$_.TaskName -like "*MRT*"} |
    Disable-ScheduledTask -Verbose
# Command line alternative
schtasks /Change /TN "\Microsoft\Windows\WindowsUpdate\MRT_HB" /DISABLE
Where uninstall fails, this registry value stops Windows Update from offering the tool again. It does not remove a binary that is already present; use the file removal steps above for that. ExcludeWUDriversInQualityUpdate, which is sometimes recommended alongside it, only controls driver delivery in quality updates and has no effect on MRT, so it is left out:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
"DontOfferThroughWUAU"=dword:00000001
For domain environments, deploy this PowerShell script through GPO as a computer startup script so it runs as SYSTEM:
# MRT_Disabler.ps1
$taskPath = "\Microsoft\Windows\WindowsUpdate\"
$tasks = @("MRT_HB","MRT_NOT_HB")
$source = "MRT Cleanup"
# Write-EventLog fails unless the source is registered, so register it once
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
# The policy value is independent of the tasks: set it once, creating the key if it is absent
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\MRT" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\MRT" -Name "DontOfferThroughWUAU" -Value 1 -Type DWord -Force
foreach ($task in $tasks) {
    try {
        $taskObj = Get-ScheduledTask -TaskPath $taskPath -TaskName $task -ErrorAction Stop
        $taskObj | Disable-ScheduledTask | Out-Null
        Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information -Message "MRT task $task disabled"
    }
    catch {
        Write-EventLog -LogName Application -Source $source -EventId 1001 -EntryType Information -Message "MRT task $task not found"
    }
}
Create this monitoring script to ensure MRT stays disabled (the mail addresses and SMTP host are placeholders; Send-MailMessage requires -From and a server, either via -SmtpServer or $PSEmailServer):
# Get-Process only catches MRT while it is running; the task check covers the rest of the time
$mrtProcess = Get-Process -Name MRT -ErrorAction SilentlyContinue
$mrtTasks = Get-ScheduledTask -TaskPath "\Microsoft\Windows\WindowsUpdate\" -ErrorAction SilentlyContinue |
    Where-Object {$_.State -ne "Disabled" -and $_.TaskName -like "*MRT*"}
if ($mrtProcess -or $mrtTasks) {
    Send-MailMessage -From "mrt-monitor@domain.com" -To "admin@domain.com" -SmtpServer "smtp.domain.com" `
        -Subject "MRT Reactivation Alert" -Body "MRT detected running on $env:COMPUTERNAME"
}
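Polling Get-Process only sees MRT during the minute or two it runs, which is exactly the window a weekly script will miss. The function below is an added example and not code from the original post: it reads process-creation events (Event ID 4688) from the Security log so the monitoring script can report runs that already happened, including the parent process that launched them. It assumes the "Audit Process Creation" subcategory is enabled on the server; the CommandLine field is populated only when "Include command line in process creation events" is also enabled, otherwise it comes back empty. The 31-day window, the -like pattern and the warning text are choices for the example.

```powershell
# Added example, not code from the original post.
# Requires: Audit Process Creation enabled (Security log, Event ID 4688); run as an administrator.
function Get-MrtExecutionEvents {
    [CmdletBinding()]
    param(
        [int]$Days = 31,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # 4688 property positions: 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName
    # (Windows 10 / Server 2016 and later; older releases carry fewer fields, hence the bounds checks).
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -like '*\MRT.exe' } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                Process     = $_.Properties[5].Value
                Parent      = if ($_.Properties.Count -gt 13) { $_.Properties[13].Value } else { $null }
                CommandLine = if ($_.Properties.Count -gt 8)  { $_.Properties[8].Value }  else { $null }
            }
        }
}

$runs = @(Get-MrtExecutionEvents -Days 31)
if ($runs.Count -gt 0) {
    # Feed this into the same mail or event-log alerting used by the monitoring script above.
    $body = $runs | Format-Table -AutoSize | Out-String
    Write-Warning "MRT executed $($runs.Count) time(s) in the last 31 days on $env:COMPUTERNAME`n$body"
}
```

The Parent column is the useful part for triage: a run launched by the Windows Update service or a scheduled task tells you the delivery path is still open, while a run under an interactive user's shell is somebody executing the binary by hand.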