We have a script that declines KB890830 updates for our on-premise Windows Update Server, but we recently found someone approved one of the monthly updates before the script could run and the Malicious Software Removal Tool (MRT) was installed on all of our servers.
We've had issues with MRT in the past and want to remove it, but now the script has declined the update and we cannot find anything under the View installed updates section to remove it. We also tried running wusa.exe /uninstall /KB:890830 but it returned the error:
The update KB890830 is not installed on this computer.
According to the C:\Windows\debug\mrt.log, C:\Windows\System32\MRT.exe is being run daily during the "Automatic Maintenance" window defined in the Action Center section of the control panel. So it is definitely installed and being run daily.
I tried using SysInternals AutoRuns and looking at the Scheduled Tasks but was not able to find where it was being started.
How can we disable or uninstall the Malicious Software Removal Tool on our Windows Servers to prevent it from running?
Turns out the Automatic Maintenance tasks are managed by
C:\Windows\System32\MSchedExe.exeand the Scheduled Tasks under the\Microsoft\Windows\TaskSchedulerfolder. It then will run other tasks that are defined but don't have a specified trigger, one being theMRT_HBtask under\Microsoft\Windows\RemovalTools\.Here you can see it calling MRT.exe to run the scan, and the last run time matches the information from the Action Center:
If you disable this Scheduled Task it should prevent the Malicious Software Removal Tool from running. You also can delete the task and the MRT.exe program using the following in an elevated PowerShell prompt:
Note, however, that if you haven't disabled the KB890830 update in WSUS or via the registry it likely will be reinstalled, as MRT gets updated every patch Tuesday.