What Is MRT.exe? Safety Check & High CPU Usage Fix

Seeing mrt.exe spike your CPU? It is a legitimate Microsoft tool. Learn how to verify it, fix high CPU, read mrt.log scan results, and understand mrtstub.exe.

Ekin Yalgın

9 January 2026·4 min read

What Is MRT.exe? Safety Check & High CPU Usage Fix

MRT.exe is the Windows Malicious Software Removal Tool - a built-in Microsoft utility that runs a targeted scan once a month after Windows Update. The sudden CPU spike in Task Manager is almost always just a scheduled maintenance task, not a threat.

Legitimate location: C:\Windows\System32
Companion file: mrtstub.exe
Trigger event: Patch Tuesday (second Tuesday of the month)
Log location: C:\Windows\Debug\mrt.log

Why is MRT.exe Causing High CPU Usage?

The Malicious Software Removal Tool does not provide real-time protection like your main antivirus software. It wakes up exactly once a month to hunt down specific, widespread threats and goes back to sleep when finished. Microsoft pushes this tool through Windows Update on the second Tuesday of every month. If you are also seeing Antimalware Service Executable high CPU in Task Manager, that is a separate Windows Defender process.

How to Verify if MRT.exe is a Virus

Hackers sometimes name their malware after legitimate system files to avoid detection. Checking the exact file location is the absolute fastest way to confirm its authenticity.

Right-click the process in Task Manager and select Open file location. The legitimate file only lives inside the C:\Windows\System32 folder. If the window opens to your AppData folder or a random directory, you are dealing with a malicious clone. Right-click the legitimate file, select Properties, and check the Digital Signatures tab to ensure it is officially signed by Microsoft Windows.

What is Mrtstub.exe?

Seeing two strange processes running simultaneously is terrifying for most users. You might spot mrtstub.exe running right next to the main executable in Task Manager. This companion file is completely harmless.

It is simply the temporary extraction package that unpacks the latest 2026 virus definitions before the scan begins. It deletes itself automatically when the extraction job finishes.

How to Fix MRT.exe High CPU and Disk Usage

The best solution is usually doing nothing. Let the process run for 10 to 15 minutes, and it will close on its own. You can safely end the task if it completely freezes your workflow.

Open Task Manager, right-click the process, and select End task. This stops the current scan without damaging your operating system. You can force a manual scan later by pressing Win + R, typing mrt, and following the on-screen prompts.

How to Read Your MRT Scan Results in mrt.log

Microsoft does not show a pop-up notification when the background scan finishes successfully. You have to check the hidden log file to see the actual results of the scan.

Navigate to C:\Windows\Debug and open mrt.log with Notepad. Scroll to the very bottom of the text document to find the most recent entry. A line saying Return code: 0 means your system is completely clean. Any other return code indicates that the tool found and successfully removed a specific threat.

How to Run or Disable MRT Manually

Advanced users might want to stop this tool from running automatically every single month. Disabling it via Task Scheduler prevents unexpected CPU spikes during critical work hours.

Press Win + S, type Task Scheduler, and hit Enter. Navigate to Task Scheduler Library > Microsoft > Windows > RemovalTools. Right-click the MRT_HB task and select Disable. This stops the monthly background triggers completely.

Next Steps: Running a Windows Defender Offline Scan

Finding a fake executable outside the System32 folder requires immediate action. Deleting the file manually is never enough because malware leaves hidden registry hooks behind. Once your system is clean, consider switching to a more capable real-time scanner from our list of best free antivirus software.

Open Windows Security and go to Virus and threat protection. Click on Scan options, select Microsoft Defender Offline scan, and click Scan now. Your computer will restart immediately and hunt down the rootkit before the operating system even has a chance to load.

FAQ

Frequently Asked Questions

The legitimate mrt.exe is a safe Microsoft tool located at C:\Windows\System32. If the file is in any other folder such as AppData or a temp directory, it is likely malware impersonating the real tool.

MRT.exe runs a full malware scan in the background once a month after Patch Tuesday updates. The high CPU usage is normal and temporary. The process finishes on its own within 10 to 15 minutes.

Open C:\Windows\Debug\mrt.log in Notepad and scroll to the bottom. A Return code: 0 means no threats were found. Any other return code means the tool detected and removed something.

Yes. Mrtstub.exe is a companion process that extracts the latest virus definitions before the MRT scan runs. It is created and deleted automatically by Windows Update and poses no threat.

MRT runs once a month, triggered by Windows Update on the second Tuesday of the month, commonly known as Patch Tuesday. It does not run continuously or provide real-time protection.

You can delete or disable it, but Windows Update will re-download the tool on the next Patch Tuesday. To stop it permanently, disable the MRT_HB task in Task Scheduler under Microsoft > Windows > RemovalTools.

Press Win + R, type mrt, and press Enter. The tool will open and let you choose between a quick scan, full scan, or customized scan of specific folders.

Published in

Operating Systems