How to Detect Rootkits on a Computer

by Contributor

Rootkits are used by hackers to hide intrusions into a computer. Rootkits are often used to obtain administrator privileges to the system and to other machines on the network so that they can spread malware, track keystrokes or open a backdoor into the system. Because of their stealthy nature, rootkit detection is difficult.

Make note of strange behavior on computers that were previously reliable. Look for disabled antivirus software, blue screens and system crashes and reboots. Check for new drivers, legitimate software or windows updates that coincide with this behavior. If you find none, a rootkit may be to blame.

Use free and inexpensive programs to detect rootkits. HijackThis, WinPFind and Silent Runners software are some programs that may find a rootkit. Free or beta versions of rootkit detectors and Microsoft's Malicious Software Removal Tool also can be used to look for rootkits.

Run your computer in safe mode. Do a virus scan. Some rootkits won't run in safe mode, so they're visible to the antivirus software during this time.

Combine different kinds of spyware and malware detection programs to seek out rootkits. One might find what the others did not. If you choose to keep the computer on the network, use a network analyzer or a personal firewall to detect strange activity.

Purchase a rootkit detector. You may have to use more than one, since rootkits are constantly rewritten to avoid detection by popular detectors. Check reviews on sites like PC Magazine.


  • check Unless you're planning to prosecute the hacker or want to learn how to prevent future rootkits, trying to detect a rootkit may take too much time and resources. Generally, removal won't restore the system back to normal. It usually leaves the system so unstable that it needs to be reformatted anyway.
  • check If you plan to take legal action, document each step that you take in the detection process and keep the hard drive intact.


  • close If you suspect rootkit infection, it's best to immediately remove the system from the network if possible.