Windows 10 MSRT reports an infected file during scan, then reports no infections on completion

  • Question

  • I have a new Surface Book 2 on which I ran MRT. It was reporting 500 infected files, but when the scan finished it reported no infections found. I ran MRT again and watched for which files were being scanned when it found the 500 infections; they appeared to be in the Office 365 install files.

    Since this is a brand new machine, I did a reset, restoring it back to factory settings and deleting all the files on the hard drive. Once this was done and I had my Microsoft account back on the machine, but before I set up anything else, I reran MRT; this time MRT showed 29000 files infected. It again appeared that the Office install files, and possibly some of the Windows install and drive install files, were the ones being reported. Again, at the end of the scan MRT reported No infected files.

    Tuesday, December 12, 2017 6:35 AM

All replies

  • Hi,

    The MSRT scanning process first completes an initial pass during which it looks for anything potentially suspicious, which may include either files, registry entries or behavior that might be related to malicious software or activity.

    Once that pass is completed, the Microsoft Antimalware client embedded within the MSRT then uses the MAPS (Microsoft Active Protection Service) components within it to communicate with the Microsoft servers.  This is done to verify that the items detected by the scan are truly malicious or whether they might be a false positive or otherwise normal activity that's too new or complex to be properly recognized by the relatively tiny MSRT application.

    At that point, any items found which were determined to be truly malicious will be removed and logged to the MRT.log file, while anything either confirmed to be a false positive or not otherwise identified as known malware will simply be dropped from the results or uploaded to MAPS for analysis.

    Since the MSRT is only a minimal client designed to detect and remove a very small subset of the most common malware currently in the wild, it has no real interface to inform a PC owner what it's really doing, nor to be automatically updated later as with the more complete security clients like Windows Defender or MSE.  In these other clients the abilities with MAPS are more complete and may in some cases provide a more complete result as well, but in most cases the MSRT response is the same as for these other clients within the limited subset of detections it contains.

    Wednesday, December 13, 2017 6:30 AM
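
The reply above says that only confirmed detections end up in MRT.log, so the log, not the counter shown while the scan is running, is the record to check. The following is an added example, not part of the thread and not Microsoft code: a small Python parser that reads each run's final result from log text. The sample log is constructed, and the function names `parse_runs` and `verdict` are hypothetical; it assumes the log lives at `%windir%\debug\mrt.log` and that return code 0 means no infection was found.

```python
import re

# Constructed sample in the layout of %windir%\debug\mrt.log; version, build and
# timestamps are made up. The second run has no result yet (scan interrupted).
SAMPLE_LOG = """\
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.55, December 2017 (build 5.55.0.0)
Started On Tue Dec 12 05:02:10 2017

Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 12 05:40:31 2017

Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.55, December 2017 (build 5.55.0.0)
Started On Tue Dec 12 06:05:44 2017
"""

# Runs are divided by a long dashed line; the short one under "Results Summary:" is not a divider.
RUN_SEPARATOR = re.compile(r"^-{40,}\s*$", re.MULTILINE)

def parse_runs(text):
    """Return one dict per logged run: start time, summary lines, return code."""
    runs = []
    for chunk in RUN_SEPARATOR.split(text):
        started = re.search(r"^Started On (.+)$", chunk, re.MULTILINE)
        if not started:
            continue  # leading fragment or empty chunk, not a run
        lines = [line.strip() for line in chunk.splitlines()]
        summary = []
        if "Results Summary:" in lines:
            for line in lines[lines.index("Results Summary:") + 2:]:
                if " Finished On " in line or line.startswith("Return code:"):
                    break
                if line:
                    summary.append(line)
        code = re.search(r"^Return code: (\d+)", chunk, re.MULTILINE)
        runs.append({"started": started.group(1).strip(), "summary": summary,
                     "return_code": int(code.group(1)) if code else None})
    return runs

def verdict(run):
    """Classify by the final logged result. Assumes return code 0 means clean."""
    if run["return_code"] is None:
        return "incomplete"
    if run["return_code"] == 0 and "No infection found." in run["summary"]:
        return "clean"
    return "review"
```

A run classified as "review" is one whose summary lines should be read in full; "incomplete" means the tool never wrote a result for that run.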