Professional Documents
Culture Documents
I got tired of running these utilities manually and decided to just script
everything, so Tron is basically a collection of Windows batch files that automate
tasks to clean up and disinfect Windows machines.
CONTENTS:
1. Usage Summary
2. Command-Line Use
3. Script Interruption
4. Notes on Safe Mode
5. Sending a Post-Run Email Report
6. Changing Defaults
7. Executing Custom/3rd-party Scripts
8. Executing bundled WSUS Offline updates
9. Pack Integrity
10. License
11. Contact Info
12. Full description of ALL actions taken
13. Script exit codes
USE:
0. FIRST THINGS FIRST: If there are pending Windows updates, reboot the machine and
allow them to install. This isn't required but is STRONGLY recommended
1. Copy tron.bat and the \resources folder to the DESKTOP of the target machine
2. Tron can be run with Windows in either Safe Mode or Regular mode. Regular mode
is generally recommended for a first go around.
3. Right-click on tron.bat and select "Run as Administrator"
3. Wait anywhere from 3-10 hours (yes, it really takes that long)
(Side note: You'll need to manually click "scan" in the Malwarebytes window
that appears part of the way through Stage 3: Disinfect.
The script will continue in the background though, so it won't stall if
you're not around to click immediately)
5. Reboot. When Tron finishes, REBOOT THE SYSTEM!! before doing anything else
Tron will briefly check for a newer version when it starts up and notify you if one
is found. It will also automatically grab the latest S2 de-bloat lists from Github.
Depending how badly the system is infected, it could take anywhere from 3 to 10
hours to run. I've personally observed times between 4-8 hours, and one user
reported a run time of 30 hours. Basically set it and forget it.
Last note: PLEASE REPORT PROBLEMS AND SUCCESSES TO THE SUBREDDIT! Feedback is very
helpful. Additionally, if you run Tron with the -udl switch it will automatically
email me the run logs at the end of the script. Not required but greatly
appreciated if you can.
COMMAND-LINE USE:
Command-line use is fully supported. All flags are optional and can be used
simultaneously.*
tron.bat [ [-a|-asm] -c -d -dev -e -er -m -o -p -r -sa -sap -scs -sdb -sd -sdc
-sdu -se -sk -sl -sm -sap -spr -ss -str -swu -swo -udl -v -x] | [-h]
SCRIPT INTERRUPTION:
If the script is interrupted e.g. from a crash or a forced reboot (often
encountered during stage_2_de-bloat), it will attempt to resume from the last stage
successfully started. Tron accomplishes this by creating a RunOnce registry key for
the current user at the beginning of Stage 0 (e.g. when jobs start executing), and
deleting it at the end of the script if everything finished without interruption.
More details about this function can be found in the list of all actions Tron
performs at the bottom of this document.
SAFE MODE:
In older versions of Tron (v10.3.1 and back), Safe Mode was recommended vs.
Normal/Regular mode (Windows boot mode). The current recommendation has changed
starting in v10.4.0, and I recommend first running in Normal/Regular mode, and only
attempting a run in Safe Mode if that fails.
EMAIL REPORT:
To have Tron send an email report at completion, edit this file:
\tron\resources\stage_7_wrap-up\email_report\SwithMailSettings.xml
Specify your SMTP server, username, and password. After specifying your settings
you can use the -er flag to have Tron send the email report. The summary logs
(tron_removed_files.txt and tron_removed_programs.txt) will be attached as well.
Keep in mind the username and password for the email account will be stored in
PLAIN TEXT so don't leave it lying around on a system you don't trust.
- To change the master directory where all of Tron's output goes, edit this line:
set LOGPATH=%SystemDrive%\Logs\tron
- To change the name of Tron's master log file, edit this line:
set LOGFILE=tron.log
- To change where Tron stores quarantined files, change this path (note: this is
currently unused by Tron, setting it has no effect):
set QUARANTINE=%LOGPATH%\quarantine
- To change the location of the backups Tron makes (Registry, Event Logs, power
scheme, etc), edit this line:
set BACKUPS=%LOGPATH%\backups
- To change where Tron saves raw unprocessed logs from the various sub-tools,
edit this line:
set RAW_LOGS=%LOGPATH%\raw_logs
- To always reboot to Safe Mode for autorun (requires that AUTORUN also be set to
yes), change this to yes:
set AUTORUN_IN_SAFE_MODE=no
- To have Tron send an email report when finished, change this to yes:
set EMAIL_REPORT=no
- To preserve default Metro apps (don't remove them), change this to yes:
set PRESERVE_METRO_APPS=no
- To prevent Tron from pausing at the end of the script (waiting for a keypress),
change this to yes:
set NO_PAUSE=no
- To shut down the computer when Tron is finished, change this to yes:
set AUTO_SHUTDOWN=no
- To configure post-run reboot, change this value (in seconds). 0 disables auto-
reboot:
set AUTO_REBOOT_DELAY=0
- To skip all anti-virus scan engines (MBAM, KVRT, Sophos), change this to yes:
set SKIP_ANTIVIRUS_SCANS=no
- To skip application patches (don't patch 7-Zip, Java Runtime or Adobe Flash)
change this to yes:
set SKIP_APP_PATCHES=no
- To skip custom scripts (stage 8) regardless whether or not .bat files are
present in the stage_8_custom_scripts folder, change this to yes:
set SKIP_CUSTOM_SCRIPTS=no
- To always skip defrag (even on mechanical drives; Tron automatically skips SSD
defragmentation), change this to yes:
set SKIP_DEFRAG=no
- To prevent Tron from connecting to Github and automatically updating the Stage
2 debloat lists, set this to yes:
set SKIP_DEBLOAT_UPDATE=no
- To skip scanning with Kaspersky Virus Rescue Tool (KVRT), change this to yes:
set SKIP_KASPERSKY_SCAN=no
- To prevent Tron from resetting the page file to Windows defaults, change this
to yes:
set SKIP_PAGEFILE_RESET=no
- To skip removal of Windows telemetry (user tracking) and just turn it off
instead, change this to yes:
set SKIP_TELEMETRY_REMOVAL=no
- To skip only bundled WSUS Offline updates (online updates still attempted),
change this to yes:
set SKIP_WSUS_OFFLINE=no
- To skip Windows Updates entirely (ignore both WSUS Offline and online methods),
change this to yes:
set SKIP_WINDOWS_UPDATES=no
- To automatically upload debug logs to the Tron developer (vocatus), change this
to yes:
set UPLOAD_DEBUG_LOGS=no
- To have Tron delete itself after running (self-destruct), change this to yes:
set SELF_DESTRUCT=no
Place any batch files you want to execute near just prior to Tron's finishing in
this folder: \tron\resources\stage_8_custom_scripts
If for some reason you want to skip the bundled update package on a certain system,
use the -swo switch or set SKIP_WSUS_OFFLINE to yes in
\tron\resources\functions\tron_settings.bat, and Tron will use the regular online
update method for that run.
INTEGRITY:
In every release 'checksums.txt' is signed with my PGP key (0x07d1490f82a211a2,
included). You can use it to verify package integrity.
LICENSE:
Tron and any included subscripts and .reg files I've written are free to
use/redistribute/whatever under the MIT license. It'd be nice if you sent an email
and let me know if you do something cool with it, but it's not required. All 3rd-
party tools Tron calls (MBAM, TDSSK, etc) are bound by their respective licenses.
It is YOUR responsibility to determine if you can use them in your specific
situation.
OTHER:
I try to respond to messages quickly. If you have a question, suggestion or
problem, post it to the subreddit so everyone can get eyes on it. As a last resort
you may email me directly.
- Vocatus
Bitcoin: 1Biw8gx2kD7mZf66ZdNgB9tG1pE9YA3kEd
Monero:
4GG9KsJhwcW3zapDw62UaS71ZfFBjH9uwhc8FeyocPhUHHsuxj5zfvpZpZcZFHWpxoXD99MVt6PnR9QfftX
DV8s6HbYdDuZEDZ947uiEje
#########################
# FULL TRON DESCRIPTION #
#########################
The best way to see what Tron does is simply crack open tron.bat or one of the
stage-specific subscripts with a text editor (preferably one with syntax
highlighting) or on GitHub and just read the code. Every section has comments
explaining what it does, and you don't need to be able to read code to understand
it. Barring that, here's a general description of every action Tron performs.
Scripts in \resources\functions:
initialize_environment.bat Builds the Tron runtime environment during initial
loading. Scans the system and detects various things such as the Windows version,
location of utilities, etc. Don't edit this file.
log.bat Tron's log function. Don't edit this file.
prerun_checks_and_tasks.bat Various checks and tasks Tron performs during
initial loading. Don't edit this file.
tron_settings.bat Tron's default settings file. Use this to
customize how Tron behaves when run.
STAGE 0: Prep
. Create System Restore point Create a pre-run system restore point. Vista and
up only, client OS's only (not supported on Server OS's, and on Windows 10 does not
work if the system is in any form of Safe Mode. This is a known bug, and I spent
hours trying to find a workaround but was not able to find a solution, so if you
absolutely require a system restore point, recommend running in normal mode
. Rkill rkill is an anti-malware prep tool; it looks for
and kills a number of known malware that interfere with removal tools. Rkill will
exclude any process listed in
\resources\stage_0_prep\rkill\rkill_process_whitelist.txt from being closed
. Create pre-run profile Dump list of installed programs and list of all
files on the system so we can compare later and see exactly what was removed
. GUID dump Dump list of all installed program GUIDs. These
dumps are useful in helping the project bolster the blacklist of known-bad GUIDs
. caffeine.exe Tron uses Caffeine to keep the system awake during
the scan. At the end of the script it re-enables the screensaver and resets power
settings to Windows defaults. Use the -p switch to prevent resetting the power
scheme to Windows defaults
. ProcessKiller Utility provided by /u/cuddlychops06 which kills
various userland processes. You can customize this list in the accompanying
whitelist.txt file in the same directory as the ProcessKiller .exe. We use this to
further kill anything that might interfere with Tron. Specifically, it kills
everything in userland with the exception of the following processes:
ClassicShellService.exe, explorer.exe, dwm.exe, cmd.exe, mbam.exe, teamviewer.exe,
TeamViewer_Service.exe, Taskmgr.exe, Teamviewer_Desktop.exe, MsMpEng.exe,
tv_w32.exe, VTTimer.exe, Tron.bat, rkill.exe, rkill64.exe, rkill.com, rkill64.com,
conhost.exe, dashost.exe
. Safe Mode Set system to reboot into Safe Mode with
Networking if a reboot occurs. Removes this and resets to normal bootup at the end
of the script. Accomplished via this command: bcdedit /set {default} safeboot
network
. Set system time via NTP Sync the system clock to time.nist.gov,
3.pool.ntp.org and time.windows.com
. check and repair WMI Check the WMI interface and attempt repair if
broken. Tron uses WMI for a lot of stuff including ISO date format conversion, OEM
bloatware removal, and various other things, so having it functioning is critical
. McAfee Stinger anti-malware/rootkit/virus standalone scanner from
McAfee. Does not support plain-text logs so we save its HTML log to %LOGPATH
%\tron_raw_logs (by default). Tron executes Stinger as follows: stinger32.exe --GO
--SILENT --PROGRAM --REPORTPATH="%LOGPATH%" --RPTALL --DELETE
. TDSS Killer anti-rootkit utility from Kaspersky Labs. Tron
executes TDSSKiller as follows: tdsskiller.exe -l %TEMP%\tdsskiller.log -silent
-tdlfs -dcexact -accepteula -accepteulaksn
. erunt used to backup the registry before beginning a
Tron run
. VSS purge purges oldest set of Volume Shadow Service files
(basically snapshot-in-time copies of files). Malware can often hide out here.
. Reduce system restore space Restrict System Restore to only use 7% of
available hard drive space
STAGE 1: Tempclean
. Internet Explorer cleanup Runs built-in Windows tool to clean and reset
Internet Explorer ( rundll32.exe inetcpl.cpl,ClearMyTracksByProcess 4351 ). Runs on
IE 7 and up
. TempFileCleanup.bat Script I wrote to clean some areas that other
tools seem to miss. Note: it specifically targets, among other things, any .txt
or .bat files at the root of C:\
. CCLeaner CCLeaner utility by Piriform. Used to clean temp
files before running AV scanners
. BleachBit BleachBit utility. Used to clean temp files before
running AV scanners
. Cleanup duplicate downloads Searches for and delete duplicate files found in
the Downloads folders of each user profile (ChromeInstaller(1).exe,
ChromeInstaller(2)exe, etc). Does not touch any other folders. Uses Sentex's [Find
Dupe](http://www.sentex.net/~mwandel/finddupe/) utility
. USB Device cleanup Uninstalls unused or not present USB devices from
the system (non-existent thumb drives, etc). Uses drivecleanup.exe from Uwe Sieber
( www.uwe-sieber.de )
. Clear Windows event logs Backs up Windows event logs to the LOGPATH
directory, then clears all log files
. Clear Windows Update cache Purges uninstaller files for already-installed
Windows Updates. Typically frees up quite a bit of space
STAGE 2: De-bloat
. OEM de-bloat (by name) Use WMI to attempt to uninstall any program listed
in this file: \resources\stage_2_de-bloat\oem\programs_to_target_by_name.txt
. OEM de-bloat (by GUID) Use WMI to attempt to remove specific list of
GUIDs in this file: \resources\stage_2_de-bloat\oem\programs_to_target_by_GUID.txt
. Toolbar & BHOs (by GUID) Use WMI to attempt to remove specific list of
GUIDs in this file: \resources\stage_2_de-
bloat\oem\toolbars_BHOs_to_target_by_GUID.txt
. Metro de-bloat Remove many built-in Metro apps that aren't
commonly used (does NOT remove things like Calculator, Paint) then purges them from
the cache (can always fetch later from Windows Update). On Windows 8/8.1, removes
all stock "Modern" apps. On Windows 10 and up, only removes a few specific Modern
apps. Use the -sdb switch (skip ALL de-bloat) or -m switch (skip only Metro de-
bloat) to skip this action. The list of Metro apps to target are in the
\resources\stage_2_de-bloat\metro\ folder
. Remove OneDrive integration Remove forced OneDrive integration (Windows 10
only). Tron first checks if any files exist in the default OneDrive folder
(%USERPROFILE%\OneDrive\) and skips removal if any are found. As a an additional
safety precaution, Tron leaves the OneDrive folder intact regardless whether
OneDrive is removed or not
STAGE 3: Disinfect
. Clear CryptNet SSL cache Wipe the Windows CryptNet SSL certificate cache by
executing this command: certutil -URLcache * delete
. Malwarebytes Anti-Malware Anti-malware scanner. Because there is no command-
line support for MBAM, we simply install it and continue with the rest of the
script. This way a tech can click "scan" whenever they're around, but the script
doesn't stall while waiting for user input. Use the -sa or -sm flags skip this
component
. Kaspersky Virus Removal Tool Command-line anti-virus scanner. Use the -sa or
-sk flags skip this component
. Sophos Virus Removal Tool Command-line anti-virus scanner. Use the -v flag
gives more verbose output. Use the -sa or -ss flags skip this component
STAGE 4: Repair
. MSI installer cleanup Use the Microsoft 'msizap' utility to remove
orphaned MSI installer files from the installer cache
. DISM image check & repair Microsoft utility for checking the Windows Image
Store (basically like System File Checker on crack). Windows 8 and up only
. System File Checker Microsoft utility for checking the filesystem for
errors and attempting to repair if found. Tron runs this on Windows Vista and up
only (XP and below require a reboot)
. chkdsk Checks disk for errors and schedules a chkdsk with
repair at next reboot
. Disable Windows "telemetry" Disable Windows "telemetry" (user tracking),
Windows 7 and up only. If the system is running Windows 7/8/8.1, Tron removes the
"bad" updates Microsoft pushed to Windows 7/8/8.1 systems after the Windows 10
release. These updates backport the surveillance/spyware functions that are by
default present in Windows 10. See the code to see exactly which updates are
removed. Tron also stops and deletes the Diagtrack ("Diagnostics Tracking Service")
service. If the system is running Windows 10, Tron does a more in-depth disabling
of the Windows telemetry features, including automatically applying all the
immunizations from the Spybot Anti-Beacon and O&O ShutUp10 tools. Go over the code
in \tron\resources\stage_4_repair\disable_windows_telemetry\ to see exactly what is
removed and disabled. NOTE: This section takes a LONG time to run, DO NOT CANCEL
IT. Use the -str switch to just turn telemetry off instead of removing it
. Disable Windows 10 upgrade Disables the Windows 10 upgrade nagger on Windows
7/8/8.1 by flipping the appropriate registry switches. Users can still manually
upgrade the machine if they desire, but it will no longer nag via the system tray,
auto-download, or auto-install Windows 10 without their permission
. Network repair Tron performs minor network repair. Specifically
it runs these commands: ipconfig /flushdns, netsh interface ip delete arpcache,
netsh winsock reset catalog
. File extension repair Tron repairs most default file extensions with a
batch file that loops through a series of registry files stored in
\tron\resources\stage_4_repair\repair_file_extensions\. Thanks to /u/cuddlychops06
STAGE 6: Optimize
. Page file reset Reset the system page file settings to "let
Windows manage the page file." Accomplished via this command: %WMIC% computersystem
where name="%computername%" set AutomaticManagedPagefile=True. Use the -spr flag
skips this action
. Defraggler Command-line defrag tool from Piriform that's a
little faster than the built-in Windows defragmenter
STAGE 7: Wrap-up
. generate summary logs Generate before and after logs detailing which
files were deleted and which programs were removed. These are placed in
LOGPATH\tron_summary_logs. Additionally, if -er flag was used or EMAIL_REPORT
variable was set, these logs will be attached to the email that is sent out
. Create restore point Create a post-run system restore point to mirror
the one we created in Stage 0: Prep. Vista and up only, client OS's only, on
Windows 10 does not work if the system is in any form of Safe Mode. See notes on
System Restore in Stage 0 documentation for more information
. email_report Sends an email report with log file when Tron
finishes. Requires you to specify your SMTP settings in \resources\stage_6_wrap-
up\email_report\SwithMailSettings.xml
. upload debug logs Upload 'tron.log' and the system GUID dump (list
of all installed program GUIDs) to the Tron developer (vocatus). Please use this
option if possible, log files are extremely helpful in developing Tron! NOTE:
tron.log can contain personal information like names of files on the system, the
computer name, user name, etc, so if you're concerned about this please look
through a Tron log first to understand what will be sent. I don't care what files
are on random systems on the Internet, but just something to be aware of
STAGE 9: Manual tools Tron does not run these automatically because most
of them don't support command-line use, or are only useful in special cases
. ADSSpy Scan for hidden NTFS Alternate Data Streams
. AdwCleaner Popular user-suggested adware removal tool
. aswMBR Rootkit scanner
. autoruns Examine and remove programs that run at startup
. ComboFix The "scorched-earth policy" of malware removal.
Only works on Windows XP through Windows 8 (no Windows 8.1 or above)
. PCHunter Tool to scan for rootkits and other malicious
items. Replaces gmer
. Junkware Removal Tool Temp files and random junkware remover
. Net Adapter Repair Utility to repair most aspects of Windows network
connections
. Remote Support Reboot Config Tool to quickly configure auto-login and other
parameters for running Tron via a remote connection. Thanks to /u/cuddlychops06
. Safe Mode Boot Selector.bat Batch file to quickly select bootup method to use
(Safe Mode, Network, etc). Thanks to /u/cuddlychops06
. ServicesRepair.exe ESET utility for fixing broken Windows services
. TempFileCleaner OldTimer utility for cleaning temp files
. Tron Reset Tool Tool to quickly reset Tron if it gets interrupted
or breaks while running
. UserBenchMark.exe Quick automatic system benchmark utility, compares
the system to an online database of similar systems
. VirusTotal uploader tool Uploads a file directly to VirusTotal for scanning
CODE MEANING
0 Success
1 Error (usually fatal)
2 Warning (non-fatal)
3 Unsupported OS (run with -dev to override)
4 Exit pending reboot
5 User is an idiot (aka you tried running from the temp directory
in spite of the instructions clearly saying not to)