MRT.EXE - reduce size

swampy · Post by **swampy** » Tue Jun 19, 2007 2:47 am

Save some more space: mrt.ex_ from 7.01 MB to 3 KB.

Open mrt.exe with reshacker, remove all resources except Version Info & save.

mrt.exe = 6 KB

mrt.ex_ = 3 KB

It passes MU with no Microsoft Windows Malicious Software Removal Tool required.

yumeyao · Post by **yumeyao** » Wed Jul 11, 2007 3:00 am

oops, i will use this on my next XP re-installation.

HiDefHusker · Post by **HiDefHusker** » Wed Jul 11, 2007 4:08 pm

Deleting resources is tedious. Here's a ResHacker script to remove all resources from MRT.exe except the VERSIONINFO resource for language 1033.

Code: Select all

[FILENAMES]
Exe=      MRT.exe
SaveAs=   MRT_new.exe
Log=      MRT_new.log

[COMMANDS]
-delete   BITMAP,,
-delete   DIALOG,,
-delete   ICONGROUP,,
-delete   RCDATA,,
-delete   RT_RCDATA,,
-delete   STRINGTABLE,,
-delete   24,,
-delete   VERSIONINFO,,1025
-delete   VERSIONINFO,,1028
-delete   VERSIONINFO,,1029
-delete   VERSIONINFO,,1030
-delete   VERSIONINFO,,1031
-delete   VERSIONINFO,,1032
//-delete   VERSIONINFO,,1033
-delete   VERSIONINFO,,1035
-delete   VERSIONINFO,,1036
-delete   VERSIONINFO,,1037
-delete   VERSIONINFO,,1038
-delete   VERSIONINFO,,1040
-delete   VERSIONINFO,,1041
-delete   VERSIONINFO,,1042
-delete   VERSIONINFO,,1043
-delete   VERSIONINFO,,1044
-delete   VERSIONINFO,,1045
-delete   VERSIONINFO,,1046
-delete   VERSIONINFO,,1049
-delete   VERSIONINFO,,1053
-delete   VERSIONINFO,,1055
-delete   VERSIONINFO,,2052
-delete   VERSIONINFO,,2070
-delete   VERSIONINFO,,3082

newsposter · Post by **newsposter** » Wed Jul 11, 2007 4:52 pm

this might be something worth passing along to nuhi for his nlite utility as well as for creation here as an 'addon'.

grief · Post by **grief** » Wed Jul 11, 2007 8:55 pm

i'd use it as a addon

yumeyao · Post by **yumeyao** » Wed Jul 11, 2007 9:16 pm

HiDefHusker wrote:Deleting resources is tedious. Here's a ResHacker script to remove all resources from MRT.exe except the VERSIONINFO resource for language 1033.

how to use this script?
save it to 1.spt

then...... put it to the same folder as MRT.exe
then run "reshacker.exe 1.spt"?

Xable · Post by **Xable** » Wed Jul 11, 2007 10:52 pm

I hate to be a party poper but, in the past and maybe in the future MU checked for the presence of mrt.exe. At least for now it doesn`t, so you can leave it out alltegether.

As long as you`ve got these reg entries (and the version value is up to date) MU won`t miss it one bit.

Code: Select all

HKLM,"SOFTWARE\Microsoft\RemovalTools\MRT","EULA",0x10001,1
HKLM,"SOFTWARE\Microsoft\RemovalTools\MRT","Version",,"4AD02E69-ACFE-475C-9106-8FB3D3695CF8"

Post by **RyanVM** » Thu Jul 12, 2007 12:36 am

That's good to hear. Thanks for the heads-up, Xable

yumeyao · Post by **yumeyao** » Thu Jul 12, 2007 12:54 am

thx, Xable.
as updatepack goes very huge, i'm considering to remove MRT.exe.

MrNxDmX · Post by **MrNxDmX** » Thu Jul 12, 2007 6:29 pm

yumeyao wrote:as updatepack goes very huge, i'm considering to remove MRT.exe.

Good idea.
v1,31 is 15,5mb

yumeyao · Post by **yumeyao** » Mon Jul 16, 2007 4:30 am

yes, and compressed is 7M.....

DizzyDen · Post by **DizzyDen** » Mon Jul 16, 2007 7:38 am

yumeyao wrote:
HiDefHusker wrote:Deleting resources is tedious. Here's a ResHacker script to remove all resources from MRT.exe except the VERSIONINFO resource for language 1033.
how to use this script?
save it to 1.spt

then...... put it to the same folder as MRT.exe
then run "reshacker.exe 1.spt"?

The actual conext is "reshacker.exe -script 1.spt" without quotes

code65536 · Post by **code65536** » Tue Jul 17, 2007 4:57 pm

I'd personally prefer leaving a stub that would direct the user to the download page for the MRT. Sure, it's one extra file compared to the leave-it-out method, but useful in case some newbie had been instructed to do Start > Run > "mrt" (I've told someone to do that before). It's easier to do than all that reshacking, anyway (which leaves a file that does nothing). Just one line...

Code: Select all

#include <windows.h>

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
	ShellExecute(NULL, NULL, "http://www.microsoft.com/security/malwareremove/", NULL, NULL, 0);
}

And for people without a C compiler: mrt_stub.7z (smaller than an ISO sector

)

OuTman · Post by **OuTman** » Wed Jul 18, 2007 7:28 pm

code65536, about your MRT stub: excellent idea

however, I think it could be even better if it was a separate addon

yumeyao · Post by **yumeyao** » Wed Jul 18, 2007 11:49 pm

@OuTman: just tell me you're gonna running MRT.exe after your XP installation immediately...

OuTman · Post by **OuTman** » Thu Jul 19, 2007 12:04 am

nonono you misunderstood me ^^

(I've NEVER run mrt.exe, simply because I never needed it.)

what I said, is that RyanVM Update Pack (and subsequent intermediate update packs like code66536's) could stay integrating mrt.exe as usual.

it is the "mrt.exe stub trick" (and not the vanilla mrt.exe) that should be proposed as a separate addon.

so, the average user (for exemple if you reinstall someone's computer) has mrt.exe ready-to-use. (for exemple, that average user phones you because he grabbed AGAIN a spyware, probably due to a Russian porn site, so first you tell him to run mrt.exe, because it's already on the computer, it is quick and easy, and might solve, at least partially, the problem)

and, let's say the "advanced user" use the addon to save space and install time, because he already knows he will never use mrt.exe

to conclude, it's only a personnal suggestion, do what you consider best

code65536 · Post by **code65536** » Thu Jul 19, 2007 12:12 am

Personally, I'm going to keep the stubbed MRT in my pack because it's a nice middle ground between killing MRT entirely and keeping the full MRT. Seeing as how stripping out the full MRT reduced the size of the pack by nearly half, I'm not going to put the full MRT back in. It's simply too damn big (think of the bandwidth). Besides, if anyone wants to add the full MRT back in, they could do so very easily by just dropping in the file since all the proper entries are already in txtsetup.sif and dosnet.inf (whereas re-adding the full MRT would be slightly more troublesome for a pack that has it completely removed since you'll have to re-add the dosnet and txtsetup entries).

And the advanced user would never need MRT, either full or stubbed. The whole purpose of stubbing was so that the newbie user for whom you helped reinstall the OS would be able to find the latest MRT very easily (or even run Microsoft's online scan in lieu of the offline MRT).

yumeyao · Post by **yumeyao** » Thu Jul 19, 2007 12:28 am

@OuTman, then that guy will be a quick victim. once a month(in fact less than a month) is passed, he will have the newest MRT.exe via WU.

@code2^16, yes this MRTstub avoids many troubles.

OuTman · Post by **OuTman** » Thu Jul 19, 2007 12:32 am

yes, but something a month (or... less than a month

) is already too long

major part of problems with a new user happens in the first 3-4 days in my experience

I might consider changing friends

anyway, this mrt.exe stub is really a good idea, but the final decision is up to RyanVM. at any case, this trick is and will remain useful for a lot of people (including myself), directly in the main update pack or as a separate addon.

another edit: yeah, actually I already considered the bandwidth saving

finally, all possible solutions are good. they're equal or better than the current situation. so all's fine

Vid0 · Post by **Vid0** » Thu Aug 23, 2007 6:49 pm

code65536 - nice idea. Make MRT.EXE even smaller with #pragma:

Code: Select all

#include <shellapi.h>
#pragma comment(linker,"/ENTRY:main /FILEALIGN:0x200 /MERGE:.data=.text /MERGE:.rdata=.text /SECTION:.text,EWR /IGNORE:4078")
void main(void)
{
    ShellExecute(NULL, NULL, "http://www.microsoft.com/security/malwareremove/", NULL, NULL, 0);
}

CAB'ed file is here (copy the following text to a text file MRT.UUE and decode/unpack with WinRAR or any other decoder):

Code: Select all

begin 600 mrt.ex_
M35-#1@````!*`0```````"P``````````P$!``$`````````1`````$``0``
M!````````````S=%/"``;7)T+F5X90#(6@N%_@``!$-+\XUB8&!D8&!@`N+_
M_QG@P`%*\\GOXF/8PGE6<0>CSUG%\,P\8R,%_[R<2D5>+A60F@!7!@8?1D8&
M9/"`@9^1FY$-8B@46`D`"1!6@)HN`+&4!2H/H\'R4'T02@"B%D[#*3`(`'(T
M&&@`@.9RX)'6*TFM*`'2<V`.8F)`\2_$*RP/:.$T:H(&:&!FE)046.GKEY>7
MZ^5F)A?E%^>GE>@EY^?J%Z<FEQ9EEE3JYR;FE"<6I1:EYN:7I>HS,!@?"`@(
MR.`0<&`("/@OR@"DC0\</E.!%#D3!-`B"XN]10S!&:DY.:X50&M*4AT9@CU<
/?7R,C?12<G(&>]`-"P``
`
end
size 330

Only 330 bytes when CAB'ed !

code65536 · Post by **code65536** » Thu Aug 23, 2007 7:09 pm

Hehehe. Except that the sector sizes are 4K for NTFS (default setting) and 2K for optical disc ISOs. So there's no gain to be had from reducing uncompressed sizes below 4K or compressed sizes below 2K.

Vid0 · Post by **Vid0** » Thu Aug 23, 2007 7:19 pm

Yes, I know, but I like perfect solutions

yumeyao · Post by **yumeyao** » Sat Aug 29, 2009 2:28 am

any one consider to make a stubbed mrt.exe with version number here? as new version of Microsoft Update (7.4.7600) check for version number of mrt.exe, hense code65536's mrt.exe won't pass new verification.

newsposter · Post by **newsposter** » Sat Aug 29, 2009 2:43 am

one of these days msft is going to start checking the size, date, and checksum of all of their core OS and securlty/validation files.

yumeyao · Post by **yumeyao** » Sat Aug 29, 2009 2:46 am

yes but as far as i can see, you can make a reshacker-stripped mrt.exe and then pass the verification.

yumeyao · Post by **yumeyao** » Sat Aug 29, 2009 4:18 am

i have made a mrt.exe using code65536's source with version info, yet it's far huger than his mrt.exe. my compiled mrt.exe has a size of 64KB, while code65536's is only 1KB.

I'm quite a newbie of programming, so I believe there must be some method to reduce the file size.

---edit----
after some effort the file size is reduced to 40kb. here it is if any of you want it.
EDIT3: link removed.

compiling envrionment: Visual Studio 6.0. ATL library has most recent security update applied.

---edit 2---
I copied compiling settings from code's fontreg utility, then removed parameter "unicode" and "_unicode", then compiled again... hoorray! the file size is now 4KB and cabbed one is 1.40KB. (according to code's talk above, sector size is 2KB for optical disc ISOs, so the cabbed one won't eat more than one sector.

)
here is the link
EDIT3: link removed.

---edit 3---
with help of one of my friends, finally i make it the smallest in theory. 2.5KB for uncompressed exe, and 836 bytes for cabbed one!

EDIT4: link removed.

This file can be made smaller if we remove info other than version number(such as executable description, copyright). so here it comes: 2KB for uncompressed exe and 661 bytes for cab.

EDIT4: link removed.

---edit 4---
I made the file with full version info smaller by replacing a shorter ms-dos stub.

Also I added a "ExitProcess" instruction on the end.

the final size is 2KB for uncompressed exe and 836 bytes for cab.
http://www.esnips.com/doc/d5907078-c1cd ... 81bd54/mrt

for the exe containing lite version info, here it is:
1.5KB for exe and 662 bytes for cab.
http://www.esnips.com/doc/b083cbff-90cd ... en_smaller

Post by **user_hidden** » Tue Nov 08, 2011 7:22 pm

Code: Select all

#include <windows.h>

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
	ShellExecute(NULL, NULL, "http://www.microsoft.com/security/malwareremove/", NULL, NULL, 0);
}

I have been trying to compile the above but i keep getting errors.
I saved the above code in a file mrtstub.c (saved in ANSI, UTF8, Unicode....no diff)
I am using Visual Studio 2010, openning the cmd prompt and running
"cl.exe mrtstub.c"

am i using the wrong compiler?
it also failed using my old PellesC compiler also.
what should I be using and method?

here is the error:

Code: Select all

C:\Project\MRT>cl mrtstub.c
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.
mrtstub.c
Microsoft (R) Incremental Linker Version 10.00.40219.01
Copyright (C) Microsoft Corporation.  All rights reserved.
/out:mrtstub.exe
mrtstub.obj
mrtstub.obj : error LNK2019: unresolved external symbol __imp__ShellExecuteA@24
referenced in function _WinMain@16
mrtstub.exe : fatal error LNK1120: 1 unresolved externals

Post by **user_hidden** » Wed Nov 09, 2011 7:40 pm

ok i got it to compile properly by adding
"#pragma comment(lib, "shell32.lib") "

the build size is 38k with icon and version info.
how can this be reduced smaller like under 10k?

Post by **5eraph** » Wed Nov 09, 2011 8:28 pm

The icon takes much more space than the code. Since the file will be buried in system32 with many other files and is not likely to be seen, you might consider going without the icon. Ideally, the file can be shrunk to 2 KB and still be functional.

Post by **user_hidden** » Wed Nov 09, 2011 9:16 pm

i got it down to 8k with icon and version info.
that was with playing with the current stubbed mrt.

i still can't get the code to compile smaller than 32k using vs2010
and that is without icon and version info.

i'm wondering with what exact source, compiler and method Code65536 and Yumeyao used to build the 1-2k file?

btw, the link in the current mrtstub is wrong!
http://www.microsoft.com/security/malwareremove
it points to Microsoft Safety Scanner.

Code: Select all

#pragma comment(lib, "shell32.lib")  
#include <windows.h>

int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
{
ShellExecute(NULL, NULL, 
"http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=16", NULL, NULL, 0);
}

Post by **5eraph** » Wed Nov 09, 2011 10:23 pm

Sorry, don't know anything about their build environments. Been using yumeyao's stub in my own pack, modifying the version info myself as necessary.

I believe the use of the Safety Scanner link is intentional. It provides a much more thorough scan than MRT does, and is updated more often.