v 1.71|Microsoft SysInternals
RootkitRevealer, an advanced rootkit detection tool, is available. It runs on Windows NT 4 or higher. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
RootkitRevealer detects many persistent rootkits, including AFX and Vanquish. (Note: RootkitRevealer is not intended to detect rootkits such as Fu that don't attempt to hide their files or registry keys.)
RootkitRevealer compares the results of a system scan at the highest level, the Windows API, with the results at the lowest level, the raw contents of a Registry hive or of the file system volume, to determine whether a persistent rootkit is present.
RootkitRevealer will therefore detect user-mode or kernel-mode rootkits that manipulate the Windows API or the native API to remove their own entries from a directory listing, because there is a discrepancy between what the Windows API returns and what is seen in a raw scan of the FAT or NTFS volume's file system structures.