RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys).

rootkitrevealer [-a [-c] [-m] [-r] outputfile]

-a - Automatically scan and exit when done.
-c - Format output as CSV.
-m - Show NTFS metadata files.
-r - Don't scan the Registry.

Note that the file output location must be on a local volume.


If you specify the -c option, RootkitRevealer does not report progress, and discrepancies are printed in CSV format for easy import into a database. You can scan remote systems by running it through the Sysinternals PsExec utility with a command line like the following:

psexec \\remote -c rootkitrevealer.exe -a c:\windows\system32\rootkit.log

remote - remote host
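The single-host PsExec command above scales poorly once a defender wants the same automated scan across a set of machines and the CSV logs gathered in one place. The script below is an added example, not part of the original post and not Sysinternals code; it wraps that same command in a loop, pulls each log back over the admin share, and reports how many discrepancy lines each host produced. It assumes psexec.exe and rootkitrevealer.exe sit in the current directory, that the caller is an administrator on every target, that the C$ share is reachable, and (an assumption about the tool's CSV output) that every non-empty line in the log is one discrepancy record. Note that the first -c on the psexec line is PsExec's own switch, which copies rootkitrevealer.exe to the remote system, while the -c after -a is RootkitRevealer's CSV switch; the host names are placeholders.

```powershell
# Added example (not from the original post or from Sysinternals):
# run RootkitRevealer on several hosts via PsExec and collect the CSV logs.
# Assumptions: psexec.exe and rootkitrevealer.exe are in the current directory,
# the caller has admin rights on each host, and the C$ admin share is reachable.
param(
    [string[]]$Hosts = @('host1', 'host2'),                   # placeholder host names
    [string]$RemoteLog = 'c:\windows\system32\rootkit.log',  # must be a local volume on the remote host
    [string]$OutDir = '.\rkr-logs'
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

foreach ($h in $Hosts) {
    # PsExec's -c copies rootkitrevealer.exe to the remote host; RootkitRevealer's
    # -a scans and exits, and its -c (after -a) writes the log as CSV.
    & .\psexec.exe "\\$h" -c .\rootkitrevealer.exe -a -c $RemoteLog
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "$h : psexec exited with code $LASTEXITCODE"
        continue
    }

    # Turn the remote local path (c:\...) into an admin-share UNC path (\\host\c$\...)
    # and copy the log back to the collection directory.
    $unc   = "\\$h\" + ($RemoteLog -replace '^([A-Za-z]):', '$1$$')
    $local = Join-Path $OutDir "$h.csv"
    Copy-Item -Path $unc -Destination $local -ErrorAction Stop

    # Assumption: each non-empty CSV line is one Registry or file-system discrepancy.
    # A host with zero lines showed no API discrepancies; anything above zero needs
    # a human to review the log (NTFS metadata files and some AV drivers can appear).
    $lines = @(Get-Content $local | Where-Object { $_.Trim() -ne '' })
    [pscustomobject]@{ Host = $h; Discrepancies = $lines.Count; Log = $local }
}
```

Run it as `.\Scan-RootkitRevealer.ps1 -Hosts srv01,srv02` from an elevated prompt; the objects it emits can be piped to `Where-Object Discrepancies -gt 0` to list only the hosts whose logs need review.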
