Unusual behavior from the Windows Malicious Software Removal Tool

Note: This mystery has been solved. See the July 15th update at the bottom. 

July 9th was patch Tuesday and I dutifully ran Windows Update on a few PCs. I thought perhaps that the Windows Malicious Software Removal Tool was installing itself repeatedly, but I don't pay close attention to each bug fix.

This is a compliment for Microsoft, as it means their patching software works well enough most of the time that it can just be left to do its thing. Every Patch Tuesday there are always articles in the press about the assorted bug fixes, but I gave up worrying about the details long ago.

Of course, any computer that I work on is periodically backed up with a full disk image because bug fixes can cause more problems than they fix. 

On the next few PCs I started paying closer attention and sure enough, the July 2013 edition of the Windows Malicious Software Removal Tool (MSRT) installed itself twice on every computer. I saw this on Windows 7, 8 and XP. 

MSRT can be thought of as anti-virus lite. Microsoft is very clear that it is not anti-virus software. The big differences are that it does nothing to protect from infection and it only runs on demand. In addition, it is targeted at a select few pieces of malware, rather than the broad range that regular anti-virus software deals with. 

Normally there is one edition of MSRT a month. 

If you let Windows Update do its thing in fully automated mode you won't notice the double installation of MSRT this month. If you run Windows Update manually, you also won't see anything out of the ordinary. To notice the double-install, you need to run Windows Update manually, reboot, then run it again. That's what I do.

Is this double installation a bug?

I have seen patches that install and install and install yet again. Sometimes Windows Update ends up in a loop, unaware that the patch is already installed.That doesn't seem to be the case here,however, as the July 2013 edition of MSRT is always installed twice, never three times. 

The Malicious Software Removal Tool is file mrt.exe in C:\Windows\System32. The properties of this file tell the tale. 

WINDOWS 7

One Windows 7 machine started out with the June 2013 edition of MSRT. The properties of mrt.exe showed it was last modified June 2, 2013 at 5:11pm. The file version was 4.21.7500.0. 

After the first installation of the July 2013 edition of MSRT, the mrt.exe file was version 4.22.7601.0 and it was last modified July 9, 2013 at 4:25pm. As you might expect both the modification date and file version advanced.

Other Windows 7 machines showed different last modified timestamps, but all were version 4.22.7601.0 of mrt.exe.  

After the second installation of the July 2013 edition of MSRT, the file version was 5.2.9201.0 and the last modification date was June 24, 2013 at 12:57AM. So while the version increased, the date went backwards. 

You can see the double installation below. MSRT, on 64 bit Windows 7 systems, is shown as "Windows Malicious Software Removal Tool x64 - July 2013 (KB890830)". 

windows.update.msrt_.twice_.gif

WINDOWS 8

The Windows 8 system that I used was a few months behind on bug fixes. The last time MSRT had been installed was March 2013. 

On July 10th I ran Windows Update and installed  the "Windows Malicious Software Removal Tool for Windows 8 - July 2013 (KB890830)". Then I re-booted and ran Windows Update again. As on Windows 7, it again wanted to install the July 2013 edition of MSRT. 

After the second go-round, file mrt.exe was at version 5.2.9201.0, the same as on Windows 7. The last modification date was June 24, 2013 at 12:37AM, also the same as Windows 7. 

WINDOWS XP  

A Windows XP system started with  file mrt.exe at version 4.19.7304.0, last modified May 6, 2013 at 3:38PM. This was the April 2013 edition of MSRT. 

The first run of Windows Update (on July 11th) installed a July 2013 edition of MSRT. The resulting mrt.exe file was version 4.22.7601.0, last modified on June 24, 2013 at 12:16AM.

The next run of Windows Update (also on July 11th) installed another copy of MSRT also dated July 2013. Afterwards file mrt.exe was at version 5.2.9201.0, the same as on Windows 7 and 8. The last modification date was June 24, 2013 at 12:37AM, again matching the other versions of Windows. 

windows.update.installing.msrt_.gif

WHATS GOING ON? 

It seems that the first installation of MSRT for July 2013 always installs version 4.22.7601.0. The last modification date/time of the file varies however (it may be related to when Windows Update executed). The second go-round for the July 2013 edition of MSRT always installs version 5.2.9201.0 with a consistent last update date of June 24, 2013 at 12:37AM. 

Why the change in behavior? I have been unable to find any documentation about this from Microsoft. None of the articles I read about the July 2013 patches mentioned MSRT at all. 

Microsoft has an article about the Microsoft Windows Malicious Software Removal Tool (Article ID: 890830) that was last reviewed today, July 12th. It says "Microsoft releases a new version of the Microsoft Malicious Software Removal Tool every month". Clearly this is not true as there were two editions this month.

The Release Information section of the article shows that MSRT was last updated in June 2013 and is at version 4.21, so the review today was less than ideal.

The download page for MSRT shows it be at version 5.2. If that is the latest version, and it appears to be, then why make every computer first install version 4.x before upgrading to version 5.2? 

I have been in contact with Microsoft and if I hear back from them will update this.

  Update: Microsoft declined to comment.   

For more about MSRT, see my 2009 blog What you don't know about the Windows Malicious Software Removal Tool.

Update July 13, 2013. Some further searching of microsoft.com revealed that someone named Seffrid asked a question in the Microsoft Community about this on July 11th. The response from Pinaki Mohanty, who is identified as a Support Engineer, presumed it was a bug in Windows Update.  

Update July 15, 2013. Susan Bradley found a Technet chat about the July 2013 patches that addressed this. According to Microsoft "We are in the process of rolling out a new version of MSRT and to manage the risk, we are releasing the new version in stages over a few months." Thank you Susan. 

FREE Computerworld Insider Guide: Five IT certifications that won’t break you
Join the discussion
Be the first to comment on this article. Our Commenting Policies