RootkitRevealer turns root kits' tactics back at them

A contributor reviews freeware RootkitRevealer from Sysinternals.

"Root kit" is a catch-all term used to describe the mechanism or mechanisms by which any form of malware (including a virus, spyware or Trojan) hides its presence from both the system at large and from programs that attempt to detect and remove it.

Root kit functions are not only dangerous, but incredibly frustrating to deal with as well: you know there's a problem, but you just can't find it. Root kits come in several different flavors, each of which conceals itself from the system in a slightly different way, making it all the more difficult to flush them out and destroy them.

One new tool that helps you fight root kits is RootkitRevealer from Sysinternals, a Web site that provides utilities and source code related to Windows NT/2000/XP/2K3 and Windows 9x, Windows Me internals.

Every exploit has to start off by being a file somewhere. Since root kits go to great lengths to conceal their presence from the system as a file, RootkitRevealer uses this very tactic against them. It works by taking two manifests of the contents of the system -- one via the standard file system or Registry APIs, and another by reading the raw contents of the file system or the Registry (depending on how the root kit hides) and comparing the two. Wherever there are differences between the two, that's usually a telltale sign that a root kit is at work.

RootkitRevealer works as both a GUI and a command-line application. When run, it produces a report of all the files and Registry entries present in the system currently hidden from the system's APIs. The report also lists other located discrepancies, such as when a Registry's raw hive data size is not consistent with the size reported by the Windows APIs. One important thing to note is that not all hidden objects are malicious. For instance, most files with a "$" prefix (such as $Volume or $Logfile) are NT file system meta data and are not dangerous.

Neither does RootkitRevealer take any action on its own as far as deleting files or editing meta data; that should only be done by the administrator and only in a controlled fashion (i.e., booting to a known good copy of the OS and editing the file system or the Registry remotely).

Always know exactly what you need to do and what you should be doing, before interpreting the results of RootkitRevealer as a plan for action.

More Information

About the author
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check it out for his latest advice and musings on the world of Windows network administrators -- please share your thoughts as well!

This tip originally appeared on our sister site,

This was last published in March 2005

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.