NAME:

Tron, an automated cleaner/scanner/disinfection tool

AUTHOR:
vocatus on reddit.com/r/TronScript ( vocatus d0t gate@gmail.com ) /
/ PGP key ID: 0x07d1490f82a211a2
BACKGROUND: Why the name? Tron "Fights for the User"
I got tired of running these utilities manually and decided to just automate eve
rything, so Tron basically automates a variety of tasks to clean up/disinfect a
Windows machine.
CONTENTS:
1. Usage Summary
2. Command-Line Use
3. Script Interruption
4. Notes on Safe Mode
5. Sending a Post-Run Email Report
6. Changing Defaults
7. Pack Integrity
8. License
9. Contact Info
10. Full description of ALL actions
USE:
1. Boot into Safe Mode with Network Support (Safe Mode is not required but is st
rongly recommended)
2. Copy tron.bat and the \resources folder to the target machine and run tron.ba
t as an ADMINISTRATOR (Tron does not work if you don't run it as an Administrato
r)
3. Wait anywhere from 3-10 hours (yes, it really does take that long)
4. Reboot
By default the master log file is at C:\Logs\tron\tron.log. If you want to chang
e this, read the section on changing defaults below.
Tron will briefly check for a newer version when it starts up and notify you if
one is found.
Depending how badly the system is infected, it could take anywhere from 3 to 10
hours to run. I've personally observed times between 4-8 hours, and one user rep
orted a run time of 30 hours. Basically set it and forget it.
COMMAND-LINE USE:
Command-line use is fully supported. All flags are optional and can be combined.
*
tron.bat [-a -c -d -e -er -gsl -m -o -p -r -sa -sb -sd -se -sp -sfr -spr -srr -s
w -v -x] | [-h]
-a
-c

Automatic mode (no welcome screen or prompts; implies -e)

Config dump (display current config. Can be used with other
flags to see what WOULD happen, but script will never execute
if this flag is used)
-d Dry run (run through script without executing any jobs)
-e Accept EULA (suppress disclaimer warning screen)
-er Email a report when finished. Requires you to configure SwithMailSettings
.xml
-gsl Generate summary logs. These list exactly what files and programs were re
moved

-h
-m
-np
-o
-p
-r
-sa
-sb
-sd
-se
-sp
-sfr
-spr
-srr
-sw
-v
-x

Display help text

Preserve default Metro apps (don't remove them)
Skip the pause at the end of script
Power off after running (overrides -r)
Preserve power settings (don't reset to Windows default)
Reboot automatically (auto-reboot 15 seconds after Tron completes)
Skip anti-virus scans (MBAM, KVRT, Sophos)
Skip de-bloat (OEM bloatware removal; implies -m)
Skip defrag (force Tron to ALWAYS skip Stage 5 defrag)
Skip Event Log clear (don't clear Windows Event Logs)
Skip patches (do not patch 7-Zip, Java Runtime, Adobe Flash or Reader)
Skip filesystem permissions reset (saves time if you're in a hurry)
Skip page file reset (don't set to "Let Windows manage the page file")
Skip registry permissions reset (saves time if you're in a hurry)
Skip Windows Updates (do not attempt to run Windows Update)
Verbose. Show as much output as possible. NOTE: Significantly slower!
Self-destruct. Tron deletes itself after running and leaves logs intact

* There is no -UPM flag

SCRIPT INTERRUPTION:
If the script is interrupted e.g. from a crash or a forced reboot (often encount
ered during stage_3_de-bloat), it will attempt to resume from the last stage suc
cessfully started. Tron accomplishes this by creating a RunOnce registry key for
the current user at the beginning of Stage 0 (e.g. when jobs start executing),
and deleting it at the end of the script if everything finished without interrup
tion.
More details about this function are in the list of all Tron actions at the bott
om of this document.
SAFE MODE:
Microsoft, in their long-standing tradition of breaking useful, heavily-used fun
ctionality for no reason, changed how to get into Safe Mode for Windows 8, disab
ling the traditional F8 method. Tron re-enables the F8 method as part of it's pr
ep tasks (before actually running), but here's how to manually re-enable the old
-style boot menu that supports the F8 key. From an admin command prompt, run thi
s command:
bcdedit /set {default} bootmenupolicy legacy
Reboot and you should now be able to use F8 to select Safe Mode. Note that this
command is the same one Tron runs, so if you launch Tron to the menu and then ex
it, you'll accomplish the same thing.
EMAIL REPORT:
To have Tron send an email report at completion, edit this file:
\resources\stage_6_wrap-up\email_report\SwithMailSettings.xml
Specify your SMTP server, username, and password. After specifying your settings
you can use the -er flag to have Tron send the email report. If you used the -g
sl flag (generate summary logs) then tron_removed_files.txt and tron_removed_pro
grams.txt will be attached as well.
Keep in mind the username and password for the email account will be stored in P
LAIN TEXT so don't leave it lying around on a system you don't trust.

CHANGE DEFAULTS (advanced):

If you don't want to use the command-line and don't like Tron's defaults, you ca
n change the following default variables. Keep in mind command-line flags will a
lways override their respective default option when used.
- To change the master directory where all of Tron's output goes, edit this li
ne:
set LOGPATH=%SystemDrive%\Logs\tron
- To change the name of Tron's master log file, edit this line:
set LOGFILE=tron.log
- To change where Tron stores quarantined files, change this path (note: this
is currently unused by Tron, setting it has no effect):
set QUARANTINE=%LOGPATH%\quarantine
- To change the location of the backups Tron makes (Registry, Event Logs, powe
r scheme, etc), edit this line:
set BACKUPS=%LOGPATH%\backups
- To change where Tron saves raw unprocessed logs from the various sub-tools,
edit this line:
set RAW_LOGS=%LOGPATH%\raw_logs
- To change where Tron saves summary logs (generated if the -gsl flag is used)
, edit this line:
set SUMMARY_LOGS=%LOGPATH%\summary_logs
- To always run automatically (no welcome screen, implies acceptance of EULA),
change this to yes:
set AUTORUN=no
- To always do a dry run (don't actually execute jobs), change this to yes:
set DRY_RUN=no
- To permanently accept the End User License Agreement (suppress display of di
sclaimer warning screen), change this to yes:
set EULA_ACCEPTED=no
- To have Tron send an email report when finished, change this to yes:
set EMAIL_REPORT=no
- To have Tron generate summary logs (listing deleted files and removed progra
ms), change this to yes:
set GENERATE_SUMMARY_LOGS=no
- To preserve default Metro apps (don't remove them), change this to yes:
set PRESERVE_METRO_APPS=no
- To prevent Tron from pausing at the end of the script (waiting for a keypres
s), change this to yes:
set NO_PAUSE=yes
- To shut down the computer when Tron is finished, change this to yes:
set AUTO_SHUTDOWN=no
- To preserve the power scheme (instead of resetting to Windows defaults), cha
nge this to yes:

set PRESERVE_POWER_SCHEME=no
- To configure post-run reboot, change this value (in seconds). 0 disables aut
o-reboot:
set AUTO_REBOOT_DELAY=0
- To skip anti-virus scan engines (MBAM, KVRT, Sophos), change this to yes:
set SKIP_ANTIVIRUS_SCANS=no
- To skip OEM debloat, change this to yes:
set SKIP_DEBLOAT=no
- To always skip defrag, regardless whether C:\ is an SSD or not, change this
to yes:
set SKIP_DEFRAG=no
- To skip Event Log clearing, change this to yes:
set SKIP_EVENT_LOG_CLEAR=no
- To skip patches (don't patch 7-Zip, Java, Adobe Flash and Reader) change thi
s to yes:
set SKIP_PATCHES=no
- To prevent Tron from granting the SYSTEM and Administrator accounts full per
missions to everything under the %WinDir% directory structure, change this to ye
s:
set SKIP_FILEPERMS_RESET=no
- To prevent Tron from resetting the page file to Windows defaults, change thi
s to `yes`:
set SKIP_PAGEFILE_RESET=no
- To prevent Tron from granting the SYSTEM and Administrator accounts full per
missions to the HKLM, HKCU, and HKCR hives, change this to yes:
set SKIP_REGPERMS_RESET=no
- To skip Windows Updates (don't attempt to run Windows Update) change this to
yes:
set SKIP_WINDOWS_UPDATES=no
- To display as much output as possible (verbose), change this to yes:
set VERBOSE=no
- To have Tron delete itself after running (self-destruct), change this to yes
:
set SELF_DESTRUCT=no
INTEGRITY:
In every release 'checksums.txt' is signed with my PGP key (0x07d1490f82a211a2,
included). You can use it to verify package integrity.
LICENSE:
Tron and any included subscripts and .reg files I've written are free to use/red
istribute/whatever under the MIT license. It'd be nice if you sent an email and
let me know if you do something cool with it, but it's not required. Any of the
sub-tools Tron calls (TDSSK, MBAM, etc) are bound by their respective licenses.
It is YOUR responsibility to determine if you can use them in your specific situ
ation.

OTHER:
I try to keep everything updated. If you notice some of the packages are out of
date, PM me on reddit or send me an email (listed above), I respond pretty quick
ly most days.
Hope this is helpful to other PC techs,
- Vocatus
If you feel overly charitable:
1LSJ9qDzuHyRx6FfbUmHVSii4sLU3sx2TF
#########################
# FULL TRON DESCRIPTION #
#########################
The best way to see what Tron does is simply to crack open Tron.bat with a text
editor (preferably one with syntax highlighting) or on Github and just read the
code. Every section has comments explaining exactly what it does, and you don't
need to be able to read code to understand it. However, barring that, here's a g
eneral description of every action Tron performs.
tron.bat
Master script that launches all other tools. It
performs a lot of actions on its own, but for any task we can't perform directl
y, we call an external utility or script
Tron-internal prep jobs:
(These are all executed even if Tron is canceled before running)
. Detect Windows version
Determines quite a few things in the script, su
ch as which versions of various commands get executed
. Detect SSD
Detect solid state hard drives. If found, tron
skips the Stage 5 defrag
. Detect free space
Detect and save available hard drive space to c
ompare against later. Simply used to show how much space was reclaimed; does not
affect any script functions
. Detect resume
Detect whether or not we're resuming after an i
nterrupted run (e.g. from a reboot)
. Enable F8 Safe Mode selection Re-enable the ability to use the F8 key on boot
up (Windows 8/8.1 only; enabled by default on Server 2012/2012 R2)
. Check for update
Use wget to pull down sha256sums.txt from the T
ron mirror and see if we're on the current version. Tron will ask to automatical
ly download the newest version. If you answer yes, it will download a copy to th
e desktop, verify the SHA256 hash, and then self-destruct the current copy
. Detect Administrator rights Detect whether or not we're running as Administ
rator and alert the user if we're not
. Detect Safe Mode
Detect whether or not we're in Safe Mode and no
tifies the user if we're not
. Make log directories
Create the master log directory and sub-directo
ries if they don't exist
STAGE 0: Prep
. Create RunOnce entry
Create the following registry key to support re
suming if there is an interruption: HKCU\Software\Microsoft\Windows\CurrentVersi
on\RunOnce /v "tron_resume" /t REG_SZ /d "%~dp0tron.bat %-resume"
. Create System Restore point Windows Vista and up only; client OS's only (no
t supported on Server OS's). Tron creates a system restore snapshot before begin
ning operations
. Rkill
rkill is an anti-malware prep tool; it looks fo
r and kills a number of known malware that interfere with removal tools. Rkill w
ill exclude any process listed in \resources\stage_0_prep\rkill\rkill_process_wh

itelist.txt from being closed

. Disable sleep & screensaver Tron disables sleep mode and the screensaver wh
en the script starts. At the end of the script it resets power settings to Windo
ws defaults, unless you run with the -p flag, and re-enables the screensaver
. ProcessKiller
Utility provided by /u/cuddlychops06 which kill
s various userland processes. We use this to further kill anything that might in
terfere with Tron. Specifically, it kills everything in userland with the except
ion of the following processes: ClassicShellService.exe, explorer.exe, dwm.exe,
cmd.exe, mbam.exe, teamviewer.exe, TeamViewer_Service.exe, Taskmgr.exe, Teamview
er_Desktop.exe, MsMpEng.exe, tv_w32.exe, VTTimer.exe, Tron.bat, rkill.exe, rkill
64.exe, rkill.com, rkill64.com, conhost.exe, dashost.exe, wget.exe
. Safe Mode
Set system to reboot into Safe Mode with Networ
king if a reboot occurs. Removes this and resets to normal bootup at the end of
the script. Accomplished via this command: bcdedit /set {default} safeboot netwo
rk
. Set system time via NTP
Sync the system clock to time.nist.gov, 3.pool.
ntp.org and time.windows.com
. McAfee Stinger
anti-malware/rootkit/virus standalone scanner f
rom McAfee. Does not support plain-text logs so we save its HTML log to %LOGPATH
%\tron_raw_logs (by default). Tron executes Stinger as follows: stinger32.exe -GO --SILENT --PROGRAM --REPORTPATH="%LOGPATH%" --RPTALL --DELETE
. TDSS Killer
anti-rootkit utility from Kaspersky Labs. Tron
executes TDSSKiller as follows: tdsskiller.exe -l %TEMP%\tdsskiller.log -silent
-tdlfs -dcexact -accepteula -accepteulaksn
. erunt
used to backup the registry before beginning a
Tron run
. VSS purge
purges oldest set of Volume Shadow Service file
s (basically snapshot-in-time copies of files). Malware can often hide out here.
. Reduce system restore space Restrict System Restore to only use 7% of avail
able hard drive space
. check and repair WMI
Check the WMI interface and attempt repair if b
roken. Tron uses WMI for a lot of stuff including ISO date format conversion, OE
M bloatware removal, and various other things, so having it functioning is criti
cal
STAGE 1: Tempclean
. Internet Explorer cleanup
Runs built-in Windows tool to clean and reset I
nternet Explorer ( rundll32.exe inetcpl.cpl,ClearMyTracksByProcess 4351 )
. TempFileCleanup.bat
Script I wrote to clean some areas that other t
ools seem to miss. Note: it specifically targets, among other things, any .txt o
r .bat files at the root of C:\
. CCLeaner
CCLeaner utility by Piriform. Used to clean tem
p files before running AV scanners
. BleachBit
BleachBit utility. Used to clean temp files bef
ore running AV scanners
. USB Device cleanup
Cleans unused/not present USB device drivers. U
ses drivecleanup.exe from Uwe Sieber ( www.uwe-sieber.de )
. Clear Windows event logs
Backs up Windows event logs to the LOGPATH dire
ctory, then clears all log files
. Clear Windows Update cache
Purges uninstaller files for already-installed
Windows Updates. Typically frees up quite a bit of space
STAGE 2: De-bloat, programs specified in: \resources\stage_3_de-bloat\programs_t
o_target_by_name.txt
. OEM de-bloat (by name)
Use WMI to attempt to uninstall any program lis
ted in this file: \resources\stage_3_de-bloat\oem\programs_to_target_by_name.tx
t
. OEM de-bloat (by GUID)
Use WMI to attempt to remove specific list of G
UIDs in this file: \resources\stage_3_de-bloat\oem\programs_to_target_by_GUID.ba
t

. Metro de-bloat
Remove built-in Metro apps that no one uses (pr
ograms like Calculator, Paint etc are NOT removed). Purges them from the cache (
can always fetch from Windows Update later).
STAGE 3: Disinfect
. RogueKiller
anti-rootkit utility and anti-malware prep tool
. Similar to rkill
. Malwarebytes Anti-Malware
Anti-malware scanner. Because there is no comma
nd-line support for MBAM, we simply install it and continue with the rest of the
script. This way a tech can click "scan" whenever they're around, but the scrip
t doesn't stall while waiting for user input. Using Tron's -sa flag skips this c
omponent
. Kaspersky Virus Removal Tool Command-line anti-virus scanner. Using Tron's sa flag skips this component
. Sophos Virus Removal Tool
Command-line anti-virus scanner. Using Tron's v flag gives more verbose output. Using Tron's -sa flag skips this component
. DISM image check & repair
Microsoft utility for checking the Windows Imag
e Store (basically like System File Checker on crack). Windows 8 and up only
STAGE 4: Repair
. Registry permissions reset
Grant SYSTEM and Administrator users full permi
ssions on HKLM, HKCU, and HKCR hives. This is an add-only permissions operation
(does not remove any permissions). Using Tron's -srr flag skips this operation
. Filesystem permissions reset Grant SYSTEM and Administrator users full permi
ssions on everything in the %WinDir% directory tree. Using Tron's -sfr flag skip
s this operation
. System File Checker
Microsoft utility for checking the filesystem f
or errors and attempting to repair if found. Tron runs this on Windows Vista and
up only (XP and below require a reboot)
. chkdsk
Checks disk for errors and schedules a chkdsk w
ith repair at next reboot
STAGE 5: Patch
Tron installs or updates these programs:
. 7-zip
Open-source compression and extraction tool. Fa
r superior to just about everything (including the venerable WinRAR). Using Tron
's -sp flag skips this component
. Adobe Flash Player
Used by YouTube and various other sites. Using
Tron's -sp flag skips this component
. Adobe Reader
Standard PDF reader. Using Tron's -sp flag skip
s this component
. Java Runtime Environment
I hate Java, but it is still widely used so we
at least get the system on the latest version. Using Tron's -sp flag skips this
component
. Windows updates
Self-explanatory
. DISM base reset
Recompile the "Windows Image Store" after we fi
nished purging old files from it earlier. Windows 8 and up only
STAGE 6: Optimize
. Page file reset
Reset the system page file settings to "let Win
dows manage the page file." Accomplished via this command: %WMIC% computersystem
where name="%computername%" set AutomaticManagedPagefile=True. Using Tron's -sp
r flag skips this action
. Defraggler
Command-line defrag tool from Piriform that's a
little faster than the built-in Windows defragmenter
STAGE 7: Wrap-up
. email_report
Sends an email report with log file when Tron f
inishes. Requires you to specify your SMTP settings in \resources\stage_6_wrap-u
p\email_report\SwithMailSettings.xml
. generate summary logs
If selected with -gsr flag or GENERATE_SUMMARY_

LOGS variable, Tron will generate before and after logs detailing which files we
re deleted and which programs were removed. These are placed in LOGPATH\tron_sum
mary_logs. Additionally, if -er flag was used or EMAIL_REPORT variable was set,
these logs will be attached to the email that is sent out
STAGE 8: Manual tools
Tron does not run these automatically because m
ost of them don't support command-line use, or are only useful in special cases
. ADSSpy
Scan for hidden NTFS Alternate Data Streams
. AdwCleaner
Popular user-suggested adware removal tool
. aswMBR
Rootkit scanner
. autoruns
Examine and remove programs that run at startup
. ComboFix
The "scorched-earth policy" of malware removal
. PCHunter
Tool to scan for rootkits and other malicious i
tems. Replaces gmer
. Junkware Removal Tool
Temp files and random junkware remover
. Net Adapter Repair
Utility to repair most aspects of Windows netwo
rk connections
. ServicesRepair.exe
ESET utility for fixing broken Windows services
. TempFileCleaner
OldTimer utility for cleaning temp files
. UserBenchMark.exe
Quick automatic system benchmark utility, compa
res the system to an online database of similar systems
. VirusTotal uploader tool
Uploads a file directly to VirusTotal for scann
ing