RootkitRevealer 1.71 for Windows

by Sysinternals

Avg. Rating 4.4 (95 votes)

File Details

File Size 0.2 MB
License Freeware
Operating System Windows 2000/Server 2003/XP
Date Added
Total Downloads 24,497
Publisher Sysinternals
Homepage RootkitRevealer

Publisher's Description

RootkitRevealer is an advanced root kit detection utility. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. It successfully detects all persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect memory-based rootkits like Fu that don't survive reboots).
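The description above says the tool works by listing Registry and file system API discrepancies. The following is an added example, not Sysinternals code, that replays that cross-view idea on constructed in-memory listings: a "Windows API" view that a user-mode or kernel-mode rootkit can filter, against a "raw" view that it cannot, with the discrepancy classes the comparison produces (including the embedded-null registry key names and the "new file appeared during the scan" hits that reviewers further down discuss). Every path, size and value is made-up sample data, and the category wording is modelled on, not copied from, the tool's output.

```python
"""Cross-view discrepancy detection in the style of RootkitRevealer.

Added example, not Sysinternals code.  RootkitRevealer compares what the
high-level Windows API reports (the view a user-mode or kernel-mode rootkit
can filter) with a raw, low-level scan of the same data and lists every
item on which the two views disagree.  The views below are constructed in
memory so the comparison runs offline on any platform; the discrepancy
wording is modelled on RootkitRevealer's categories, not copied from it.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# A view maps a path (file, or registry key/value) to what was observed
# there: a file size or value data.
View = Dict[str, object]


@dataclass(frozen=True)
class Discrepancy:
    path: str    # the item the two views disagree about
    kind: str    # short category of the disagreement
    detail: str  # what each side reported


def cross_view_diff(api_view: View, raw_view: View) -> List[Discrepancy]:
    """Return one Discrepancy for every path on which the views differ."""
    found: List[Discrepancy] = []
    for path in sorted(set(api_view) | set(raw_view), key=str.lower):
        in_api, in_raw = path in api_view, path in raw_view
        if in_raw and "\x00" in path:
            # Win32 registry functions take NUL-terminated names, so a key
            # created through the native API with an embedded NUL can be
            # seen by a raw hive scan but never opened through Win32 (the
            # O&O licensing trick that reviewers on this page describe).
            found.append(Discrepancy(path.replace("\x00", "\\0"),
                                     "key name contains embedded nulls",
                                     "present in raw scan; Win32 API cannot open it"))
        elif in_raw and not in_api:
            # The classic rootkit signature: the object is on disk or in the
            # hive, but the API enumeration filtered it out.
            found.append(Discrepancy(path, "hidden from Windows API",
                                     f"raw scan reports {raw_view[path]!r}"))
        elif in_api and not in_raw:
            # Usually benign: created between the two passes (e.g. a browser
            # cache written while the scan ran), which is why the tool is
            # meant to be run on an idle system.
            found.append(Discrepancy(path, "visible to Windows API but not in raw scan",
                                     f"API reports {api_view[path]!r}"))
        elif api_view[path] != raw_view[path]:
            # Same name, different content: a hooked API returning sanitised
            # data, or the item changed while the scan was running.
            found.append(Discrepancy(path, "data mismatch between Windows API and raw scan",
                                     f"API {api_view[path]!r} vs raw {raw_view[path]!r}"))
    return found


def summarize(discrepancies: List[Discrepancy]) -> Dict[str, int]:
    """Count discrepancies per category, for triage at a glance."""
    return dict(Counter(d.kind for d in discrepancies))


# Constructed sample views (not captured from any real machine).  The API
# view is what a rootkit-filtered Win32 enumeration would return; the raw
# view is what a low-level scan of the volume and hives would return.
SAMPLE_API_VIEW: View = {
    r"C:\Windows\System32\kernel32.dll": 989_184,
    r"C:\Windows\System32\calc.exe": 114_688,
    r"C:\Windows\System32\drivers\etc\hosts": 824,         # API shows a "clean" copy
    r"C:\Windows\Temp\browser-cache.tmp": 3_072,           # written during the scan
    r"HKLM\SOFTWARE\ExampleVendor\Config\Mode": "standard",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Start": 1,
}
SAMPLE_RAW_VIEW: View = {
    r"C:\Windows\System32\kernel32.dll": 989_184,
    r"C:\Windows\System32\calc.exe": 114_688,
    r"C:\Windows\System32\drivers\etc\hosts": 1_432,       # raw bytes differ
    r"C:\Windows\System32\netstat.exe": 40_960,            # filtered out of the API view
    r"C:\Windows\System32\drivers\hidden-example.sys": 12_288,
    r"HKLM\SOFTWARE\ExampleVendor\Config\Mode": "standard",
    # Non-raw string on purpose: "\x00" must be a real NUL inside the key name.
    "HKLM\\SOFTWARE\\ExampleVendor\\Licence\x00Data": "trial-counter",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Start": 1,
    r"HKLM\SYSTEM\CurrentControlSet\Services\HiddenSvc\Start": 2,
}


def scan_samples() -> List[Discrepancy]:
    """Run the comparison over the constructed sample views."""
    return cross_view_diff(SAMPLE_API_VIEW, SAMPLE_RAW_VIEW)


if __name__ == "__main__":
    results = scan_samples()
    for d in results:
        print(f"{d.path}\n    {d.kind}: {d.detail}")
    print(f"\n{len(results)} discrepancies:", summarize(results))
```

Only the "hidden from Windows API" and "embedded nulls" classes point at deliberate concealment; the other two are what a scan on a busy machine produces, which is why the documentation asks for an idle system and why a listing of tens of thousands of hits, as some reviewers report, usually means the scan ran alongside an active workload or a product that stores data in alternate streams.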

Latest Reviews

walruz

walruz reviewed v1.71 on Nov 12, 2006

Gotta love RootkitRevealer. You should download it now, before M$ starts using WGA on it... :(

c4p0ne

c4p0ne reviewed v1.71 on Nov 12, 2006

Still labeled "1.7" in the help|about.

Canuckistani

Canuckistani reviewed v1.7 on Feb 3, 2006

Mikko Hyppönen, the Chief Research Officer at F-Secure, does not think Blacklight is a replacement for Rootkit Revealer. But it is a quick and simple way to help stem the tide of infection, and every little bit helps. Mikko has a great deal of respect for Sysinternals and Mark Russinovich. The advantage of Blacklight is in the results. For a not-so-computer-savvy user, the results from Rootkit Revealer may be confusing. Blacklight just gives a yes or no answer, but doesn't give any clues about what it might have missed.

jordenpro

jordenpro reviewed v1.7 on Feb 3, 2006

Great Program!!

Please don't say 'blacklight' is better. If you're serious about detecting rootkits, you'll use more than one for detection.

RootkitRevealer
Blacklight
IceSword

And if you really want to know the best, it's IceSword. ;)

nefarious1

nefarious1 reviewed v1.7 on Feb 3, 2006

@veeoh:

F-Secure BlackLight is simpler to use, for sure, but why is it "better"? Does it work better? I have no reason to think it does. And it is only free to use while in beta--it will be shareware once final.

@devilrider:

Ignoring drives and/or directories would defeat the purpose of finding rootkits, because they can be hidden anywhere.

Priority doesn't matter, because you are supposed to run RKR on an idle system, as the documentation clearly states. I have quite a loaded system, but RKR takes only a few minutes to run.

You aren't supposed to surf the web while running RKR. If you do, then new files are added while RKR is scanning, and that's why it finds those file system objects. It is a user issue, not a software issue.

-------

RKR is a valuable tool. Not infallible, but valuable. Every Windows system should run it occasionally.

devilrider

devilrider reviewed v1.7 on Feb 3, 2006

Was nice when it was new, but it's bugged, memory eating, slow and not tweaked.

a) add option to ignore directories
b) add option to ignore drives
c) Write/flush fix for the log file; no one nowadays writes all in one flush.
d) allow priority change; 5 hours of 99% CPU usage suxx, could at least websurf if it would not eat all memory and CPU.

This thingy finds way too much stuff that's actually OK (like the whole Firefox stuff). 65k+ entries and no option to tweak that so it finds only what's of interest.

I scanned my 900 gig of software (most time is consumed by all the source stuff and SDKs). Just as info, I have 6541 programs installed: MS Studio 2005 Express and most SDKs from M$, and local copies from a lot of SourceForge projects I'm involved in or personally interested in.

Scan took about 5 hours; saving the log file I aborted after 3 hours of waiting. RootkitRevealer dropped from over 200 meg mem usage and 99% CPU usage to 54k mem usage and 0% CPU usage for 30 mins and still no log file saved.

So you see why I request those options to be implemented; I could skip 500 gig of source files and my own compiled stuff.

Maybe I'll test on a non-working machine with only a few programs installed, and update this post after that.

nefarious1:
It ran on an idle system; running while I sleep I call idle. Maybe you mean run in safe mode with all services and tasks stopped?

bourgeoisdude

bourgeoisdude reviewed v1.60 on Dec 9, 2005

If there's one positive outcome from Sony's mistakes, it's that more and more people will download this program! Works great, finds the Sony BMG rootkit...

olorinpc

olorinpc reviewed v1.60 on Dec 9, 2005

vanleeuwen: Did you actually download the program and test it before reviewing? If you go to help > about and look at the version number, it is 1.60.

Program works well and picks up some interesting things.

vanleeuwen

vanleeuwen reviewed v1.60 on Dec 8, 2005

Good program, but this is not v1.6; it's still v1.56. Their web site is also only v1.56??

ZenWarrior

ZenWarrior reviewed v1.60 on Dec 8, 2005

To: mike_loldrup

I bet SONY BMG thinks this little jewel is *too* good. It certainly nailed them! ;)

robmanic44

robmanic44 reviewed v1.60 on Dec 8, 2005

As someone who suffers from brain damage I resent this sort of "I'm more computer literate than you" attitude. I have managed to construct my own desktop by carefully determining programs that do what I want them to do and not relying on "so called" experts.

Kramy

Kramy reviewed v1.60 on Dec 8, 2005

If you get a rootkit and don't discover it because you don't use this tool, then if you lose everything you deserved it.*

*does not apply to people that did not read this.

I think I'll keep this around just in case. You never know what's going to be put in CDs in the near future.

httpd.confused

httpd.confused reviewed v1.56 on Nov 21, 2005

You guys are insane. Everyone should use this utility. Read the docs; it's not hard. Too many people shy away from using more than 2% of their brain capacity, as if they'll suffer some sort of brain meltdown.

And what's this whining? This is a good utility. Could be improved, could support offline mode, but overall it's pretty good at what it does.

And I'll say it again: If you have a rootkit on your system, REFORMAT, because you cannot be sure you removed the entire rootkit!

mike_loldrup

mike_loldrup reviewed v1.56 on Oct 29, 2005

From Sysinternals there are many good programs, but this is not one of them.

ranma.2

ranma.2 reviewed v1.56 on Oct 29, 2005

Well, some intelligent reviewers are here. I quote:

*Just not for 99% of people out there.*

Wooooww, step back, this is serious business. But on my PC it reports itself as a rootkit. Other programs from Sysinternals are very good, but this? Wow, you must be like the masterminds earlier and think you could use this for anything, but you can't.

tremens

tremens reviewed v1.56 on Oct 28, 2005

Does what it says it does.

This is how I turn DEP off:
"/noexecute=AlwaysOff"

benZin

benZin reviewed v1.56 on Oct 28, 2005

it would be useful!

Kramy

Kramy reviewed v1.56 on Oct 28, 2005

This program has its uses. Just not for 99% of people out there.

http://www.betanews.com/...tkit/1130965475#c109380

guevara

guevara reviewed v1.56 on Oct 28, 2005

Normally I love the progs from Sysinternals

but

My opinion is:
This one is useless crap.

tipsyboy

tipsyboy reviewed v1.51 on Jun 28, 2005

"c4p0ne" ---- I'll try that. Thanx for your help.
---------

I HAVE tried it - still disappears, but is still running. BUT: this time Process Explorer tells me "no visible windows found for this process" when I demand "bring to front". I dunno. A bug?

BTW - Sysinternals are great!!!!

c4p0ne

c4p0ne reviewed v1.51 on Jun 28, 2005

Funny, even the authors of rootkit programs like hxdef have problems with this v1.51. Hmmm, I haven't had ONE problem either here (XPSP2 AMD x86-64) or at work (W2K3SP1 Intel No HT). Perhaps it's because I have DEP turned completely OFF!!!

You should do it too; DEP sucks anyway, some Russian dudes (so what's new) already wrote an exploit to bypass it. Anyway just use the /EXECUTE switch in boot.ini to COMPLETELY 100% disable DEP. ;)

Zoroaster

Zoroaster reviewed v1.51 on Jun 27, 2005

RootkitRevealer 1.51 crashes here also. Starts scanning then suddenly disappears. The exe though is still in memory.

ranma.2

ranma.2 reviewed v1.51 on Jun 27, 2005

Same here. Crashes on my machine: it starts scanning, and then crashes. But all the other programs from Sysinternals are excellent.

tipsyboy

tipsyboy reviewed v1.5 on Jun 24, 2005

Crashes on my machine, while scanning the hives of the registry. - I just wonder WHY? - As it works fine on everybody else's machine, I give it a three.

rcutnik

rcutnik reviewed v1.5 on Jun 23, 2005

Excellent tool!
I had the issue mentioned about O&O Defrag, but I believe it did good finding it: why would O&O choose to hide their info in that way?

Sysinternals does great work with their tools!

Slavic

Slavic reviewed v1.5 on Jun 23, 2005

Excellent idea, version 1.4 worked well.
Unfortunately, version 1.5 crashes on XP SP2 with an x86-64 CPU: a DEP error occurs. Wait until a corrected version is issued.

Kramy

Kramy reviewed v1.4 on Apr 18, 2005

Very useful program!(if you know what you're doing)

It didn't find anything on my comp, but I rate that as a plus since I just formatted this comp and fresh installed to see what programs give false positives. :D

guevara

guevara reviewed v1.4 on Apr 8, 2005

Agree-
This prog is EXCELLENT !!!!!

(all the other progs
from Sysinternals are excellent too)

c4p0ne

c4p0ne reviewed v1.4 on Apr 8, 2005

Oh by the way, for any that don't know, here's a little heads-up on a false alarm that RKR 1.4 will give those of you who are running products such as the server defragmenter from O&O Software. RKR throws a false alarm for "embedded nulls" on machines that have O&O stuff installed. This is because O&O uses this technique to hide the licensing data for their software in the registry.

later.

rudolph

rudolph reviewed v1.4 on Apr 7, 2005

I just found out about this yesterday.

I caught a worm two days ago and after cleaning that out my computer was still "screwy". I couldn't run netstat.exe and the file was somehow hidden (I could see the file when viewing my drive over a network share, but not when viewing the drive locally). Finally, after lots of research I learned about rootkits.

This did help me find the rootkit (it was esp_something) as well as see the files it was hiding (like netstat, kerio firewall, among others).

So this is useful on windows machines. I agree, it would be better if it was definition based and had some sort of resolution for the problems it finds, instead of simply reporting them. That's why I give it a 4.

I also used F-Secure BlackLight, which is what I used to "fix" the problem. It does the same thing as RR, but doesn't scan the registry. BlackLight does provide some sort of "fix" -- it allows you to rename the hidden files you find. I could have done it myself by finding the files and renaming them, but it's more convenient to do it within the program. RR should provide some kind of similar feature. Maybe also provide a list of the files you have last renamed so you know where to find them and so you can delete them after you reboot.

httpd.confused

httpd.confused reviewed v1.4 on Apr 7, 2005

What are you talking about, mjm01010101? Seriously. RkR isn't "useless" in Windows; it is designed to run that way, and you can't run it "offline".

Rootkits have been around a long time, but have they been a prevalent threat for Windows users for a long time? No.

Regarding signature detection, per rudolph above: There are a number of reasons that signature scanning isn't done in RkR. To me, they're all obvious, and I don't feel like explaining them here. But take the time to read the RkR help file; it may... help. But also, consider this: Your anti-virus application uses signature-based scanning methods. Did it help you detect that rootkit? There you go.

There has been one noted way around RkR, that being the INI edit trick of Hacker Defender. But that was easily subverted, and the current version of RkR defeats that approach. So, please, do tell us how a "real rootkit" gets around RkR. Or, are you blowing smoke like so many other people do, just to instill paranoia?

I'm not saying that RkR can't be beaten; I'm just saying that unless you have specifics, you're just spreading useless FUD.

Two other points:

Yes, O&O Software uses an insidious method for hiding its trial-version registry data (a practice I find appalling). You can remove it quite easily though: http://groups-beta.google.com/groups?q=o%26o+embedded+nulls+character

Regarding the whining over RkR's inability to remove rootkits for you: Stop. Now. Please. You want everything to be automatic for you. "Click a button, undo my past stupidity." But rootkits don't work that way. If you detect a rootkit, you should perform a clean install of Windows, and then try not to do the same stupid thing(s) you did before. Yes, this sucks. Yes, I would also like to kill the malware authors. But that's life. You cannot trust any rootkit detector to work thoroughly--the task is too complicated, there are too many unknowns, and there is too much at stake.

gawd21

gawd21 reviewed v1.31 on Mar 22, 2005

Not useful on Windows.

mjm01010101

mjm01010101 reviewed v1.31 on Mar 22, 2005

Surprised people are rating this so high. While a useful tool, rootkits have been around a while and this tool takes quite a bit of patience to truly detect a very good rootkit.

This tool is fairly useless in Windows against real rootkits; only use offline. Combined with definition-based scanning it would be a powerful tool.

VikingBlade

VikingBlade reviewed v1.20 on Mar 10, 2005

Into my tool kit usb drive it goes. Hopefully I won't have to use this any time soon.

httpd.confused

httpd.confused reviewed v1.10 on Mar 4, 2005

"found it no useful at all"

Loose translation: "i do no want to know if my system has rookit installed on it".

Accurate translation: "Uhduhhhh..."

Klusternisse

Klusternisse reviewed v1.10 on Mar 3, 2005

found it no useful at all

normal_blue

normal_blue reviewed v1.10 on Mar 3, 2005

This is the best and most powerful one. This tool may already be known in Linux, but this is the first that was made for Windows. Anyway, users need to understand how it works, what they need to look for and what action they need to take... not so easy, but of course I don't wonder if not many people know it and you all give it 5 points. I would like to give it 5++ if I could :)

c4p0ne

c4p0ne reviewed v1.10 on Mar 3, 2005

This is a new and powerful weapon against a growing trend of the "rootkit" that unfortunately is no longer limited to the truly "l337". Now, the rootkit has almost become a commonly used term among little pipsqueak idiots that barely know how to setup and use a trojan-horse. When you put power (rootkit) like this in the hands of complete morons it only stands to reason that a tool like this should become available in order to allow the user to weed out kiddy rootkits and leave the pwnage to the real professionals.

httpd.confused

httpd.confused reviewed v1.01 on Feb 28, 2005

No, you're wrong, anede2002. RootkitRevealer is a forensics tool, not a "malware detector", per se. It finds stuff, but it's up to you to figure out what belongs, and what is suspicious, and then to deal with it accordingly.

In other words, once you know it's there, you can handle it with other utilities. If you don't know how to do that, you won't know how to interpret the results from RootkitRevealer anyway. This tool should not degenerate into a utility designed to detect and remove specific, known rootkits. We already have a ton of those utilities, and look how much good they do.

anede2002

anede2002 reviewed v1.01 on Feb 28, 2005

RootkitRevealer only finds a lot of registry entries, but how to delete them? The program itself cannot delete anything, so what is the use of this program? There must be a function in this program that gives you the option to delete malicious files and registry entries.

E.T.

E.T. reviewed v1.01 on Feb 25, 2005

It looks great but how all those rootkits can be removed if they can only be seen by this program?

CyberHobo

CyberHobo reviewed v1.01 on Feb 25, 2005

Another fantastic release from Sysinternals. I don't know how they do it.

phiber0ptik

phiber0ptik reviewed v1.01 on Feb 25, 2005

wow! Better than Microsoft's Strider Ghostbuster? :)

c4p0ne

c4p0ne reviewed v1.0 on Feb 23, 2005

This tool does a tremendous service and DIS-service to me simultaneously. =(

eh, what the he11, it rocks. It needs some filtering capability though. Add scanning internal kernel memory structures to uncover hidden processes and their root and you've got a DYNAMITE tool. BTW watch out for interaction with KAV.

shimanov

shimanov reviewed v1.0 on Feb 23, 2005

Truth in advertising -- a wonderful thing. This tool offers a practical method to detect existing rootkits. The software offers insight into the Windows system heretofore not widely available. Aside from signature-based scanners, most "security" software should be regarded as utility software. This software is no different, and it is left for the user to interpret its analysis and take action.

httpd.confused

httpd.confused reviewed v1.0 on Feb 23, 2005

Great concept, and from the most-competent authors around.

Users of Kaspersky Anti-Virus 5.x with iChecker/iStreams enabled take note: Every single file on your system will end up in the list! My report has almost 81,000 discrepancies because of this.

Thanks, Kaspersky; what a help. It hadn't struck me before now that Kaspersky literally uses rootkit techniques to hide its ADS.

DocMyst

DocMyst reviewed v1.0 on Feb 23, 2005

Nice...good to see SysInternals are on top of this upcoming threat...Nice release...

© 1998-2024 BetaNews, Inc. All Rights Reserved.