Skip to content
Picture of PTFM

PTFM

3 Best Ways to Detect Rootkits on Windows

A rootkit is a program or, more often, a collection of software tools that gives a threat actor remote access to and control over a computer or other system. Rootkits can run in either User mode or Kernel mode, with Kernel mode being the most dangerous. There are legitimate rootkits out there, for example Anti-Virus software or Remote Access software. Rootkits can be difficult to detect as they control the way that the operating system behaves or interacts with the user.

1. Memory Dump with Analysis Using Redline

This method is the most effective as it is impossible for malware to hide in memory, by performing a memory dump and analyzing the memory, this option is the most thorough however it is also the most complex.

Take a memory dump of your system, for a quick easy utilize dumpit, start Redline and select analyze memory file

Click next and select output filename and directory

Click Ok the next screen may take some time

2. Windows Defender Offline Scans

Open Windows Security and Select Virus and Threat Protection then Select Scan Options

Select Windows Defender Offline scan and select scan now, this will trigger a restart and will scan the filesystem in a “Safe Mode”

3. GMER

You can download GMER here (Caution will download EXE) or go to GMER site to download here

Once downloaded run and select Scan. GMER will then attempt to find any rootkits by scanning files, registry entries, drives and processes. After scan is finished you will see one of the following windows indicating the results.

GMER No Rootkit Found
GMER Found Rootkit

Share this post