TronScript | Automating The Process of Disinfecting Windows Systems

I recently discovered this very handy utility, an automated open-source cleanup tool. It runs a total of 7 stages, or 9 if you wish to use custom scripts and some tools that don’t support command-line use. The stages are Prep > Tempclean > De-bloat > Disinfect > Repair > Patch > Optimize > Wrap-Up. Everything is logged, and I mean everything, to C:\Logs\tron\

Here are the stages from the GitHub wiki:

STAGE 0: Prep

  1. Create System Restore point: Create a pre-run system restore point. Vista and up only, client OS’s only (not supported on Server OS’s, and on Windows 10 does not work if the system is in any form of Safe Mode. This is a known bug, and I spent hours trying to find a workaround but was not able to find a solution, so if you absolutely require a system restore point, recommend running in normal mode)
  2. Rkill: Rkill is an anti-malware prep tool; it looks for and kills a number of known malware that interfere with removal tools. Rkill will NOT kill any process listed in \resources\stage_0_prep\rkill\rkill_process_whitelist.txt
  3. Create pre-run profile: Dump list of installed programs and list of all files on the system so we can compare later and see exactly what was removed
  4. GUID dump: Dump list of all installed program GUIDs. These dumps are useful in helping the project bolster the blacklist of known-bad GUIDs
  5. ProcessKiller: Utility provided by /u/cuddlychops06 which kills various userland processes. We use this to further kill anything that might interfere with Tron. ProcessKiller will kill everything in userland EXCEPT: ClassicShellService.exe, explorer.exe, dwm.exe, cmd.exe, mbam.exe, teamviewer.exe, TeamViewer_Service.exe, Taskmgr.exe, Teamviewer_Desktop.exe, MsMpEng.exe, tv_w32.exe, VTTimer.exe, Tron.bat, rkill.exe, rkill64.exe,,, conhost.exe, dashost.exe, wget.exe
  6. Safe mode: Set system to reboot into Safe Mode with Networking if a reboot occurs. Removes this and resets to normal bootup at the end of the script. Accomplished via this command:
    bcdedit /set {default} safeboot network
  7. Set system time via NTP: Set the system clock to sync against the following NTP servers, in this order:,,
  8. Check and repair WMI: Check WMI interface and attempt repair if broken. Tron uses WMI for a lot of stuff including ISO date format conversion, OEM bloatware removal, and various other things, so having it functioning is critical
  9. McAfee Stinger: Anti-malware/rootkit/virus standalone scanner from McAfee. Does not support plain-text logs so we save HTML log to Tron’s %LOGPATH%. Tron executes Stinger as follows:
  10. TDSS Killer: Anti-rootkit utility from Kaspersky Labs. Tron executes TDSSKiller as follows:
    tdsskiller.exe -l %TEMP%\tdsskiller.log -silent -tdlfs -dcexact -accepteula -accepteulaksn
  11. Backup registry: Use erunt to back up the registry prior to commencing scans
  12. VSS purge: Purge oldest set of Volume Shadow Service files (basically snapshot-in-time copies of files). Malware can often hide out here
  13. Reduce system restore space: Restrict System Restore to only use 7% of available hard drive space
  14. Disable sleep mode: Tron uses caffeine.exe to disable sleep mode when the script starts. At the end of the script it resets power settings to Windows defaults. Use the -p flag to prevent resetting power settings to Windows defaults.
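
Because the safeboot value from step 6 is only removed at the end of the script, a run that does not finish leaves the machine booting into Safe Mode. The following PowerShell check for that leftover flag is an added example, not part of Tron or its wiki; the function name Get-SafeBootValue and the sample output are constructed for illustration, and it assumes an elevated prompt on a machine where Tron is no longer running.

```powershell
# Added example (not Tron code). Run from an elevated PowerShell prompt.
function Get-SafeBootValue {
    # Returns the safeboot value ("Network", "Minimal", ...) found in bcdedit
    # output lines, or $null when the boot entry has no safeboot element.
    param([string[]]$BcdOutput)
    foreach ($line in $BcdOutput) {
        if ($line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

# Constructed sample of `bcdedit /enum {default}` output after step 6 has run.
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {default}',
    'description             Windows 10',
    'safeboot                Network'
)
"Sample entry safeboot value: $(Get-SafeBootValue -BcdOutput $sample)"

# Live check of the default boot entry.
$out = & bcdedit.exe /enum '{default}'
if ($LASTEXITCODE -ne 0) {
    # Without elevation bcdedit cannot open the BCD store; do not guess.
    throw "bcdedit failed (is the prompt elevated?): $out"
}

$mode = Get-SafeBootValue -BcdOutput $out
if ($mode) {
    Write-Warning "Default boot entry is set to Safe Mode ($mode)."
    # Undo the change made by: bcdedit /set {default} safeboot network
    & bcdedit.exe /deletevalue '{default}' safeboot
} else {
    'Default boot entry boots normally (no safeboot element).'
}
```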

STAGE 1: Tempclean

  1. Internet Explorer cleanup: Executes only on Internet Explorer v7 and up. Runs the following built-in Windows tool to clean and reset Internet Explorer:
    rundll32.exe inetcpl.cpl,ClearMyTracksByProcess 4351
  2. CCleaner: CCleaner utility by Piriform. Used to clean temp files before running AV scanners. Note that CCleaner wipes %AppData% Local Storage. Edit ccleaner.ini and change (App)Local Storage*=True to (App)Local Storage*=False if you don’t want this behavior. Note that you must also do this for BleachBit (below)
  3. BleachBit: BleachBit utility. Used to clean temp files before running AV scanners. Edit BleachBit.ini and disable any items you wish to preserve (for example, Local Storage for Chrome)
  4. TempFileCleanup.bat: Script I wrote to clean some areas that other tools seem to miss
  5. USB Device Cleanup: Uninstalls unused or not present USB devices from the system (non-existent thumb drives, etc etc). Uses drivecleanup.exe from Uwe Sieber
  6. Cleanup duplicate downloads: Searches for and deletes duplicate files found in the Downloads folders of each user profile (ChromeInstaller(1).exe, ChromeInstaller(2).exe, etc). Does not touch any other folders. Uses Sentex’s Find Dupe utility
  7. Clear Windows event logs: Back up Windows event logs to %LOGPATH% directory, then clear all entries
  8. Clear Windows Update cache: Purge uninstaller files for already-installed Windows Updates. Typically frees up quite a bit of space. Accomplished via this command:
    rmdir /s /q %windir%\softwaredistribution\download
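
Step 7 clears every event log after backing it up to %LOGPATH%, which sits on the disk being cleaned. On a machine that is being disinfected, those logs may be needed for a later investigation, so the following PowerShell exports each channel to a separate location and records a SHA-256 hash before Tron is started. It is an added example, not part of Tron; the destination path E:\evidence\eventlogs and the helper name ConvertTo-SafeFileName are hypothetical.

```powershell
# Added example (not Tron code). Run elevated, before starting Tron.
$Destination = 'E:\evidence\eventlogs'   # hypothetical off-box or removable path

function ConvertTo-SafeFileName {
    # Channel names such as "Microsoft-Windows-Sysmon/Operational" contain
    # characters that are invalid in file names; replace them with "_".
    param([string]$LogName)
    return ($LogName -replace '[\\/:*?"<>|]', '_') + '.evtx'
}

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# wevtutil el lists every channel; wevtutil epl exports one channel to .evtx.
$manifest = foreach ($log in (& wevtutil.exe el)) {
    $file = Join-Path $Destination (ConvertTo-SafeFileName $log)
    & wevtutil.exe epl $log $file /ow:true 2>$null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $file)) {
        continue   # channel is disabled, analytic/debug, or unreadable
    }
    $hash = Get-FileHash -Path $file -Algorithm SHA256
    [pscustomobject]@{
        Log    = $log
        File   = $file
        Bytes  = (Get-Item $file).Length
        SHA256 = $hash.Hash
    }
}

# The manifest lets you show later that the exported files are unchanged.
$manifest | Export-Csv -Path (Join-Path $Destination 'manifest.csv') -NoTypeInformation
"Exported $(@($manifest).Count) channels to $Destination"
```

The clear operation itself is recorded as event ID 1102 in the Security log and event ID 104 in the System log, so monitoring that alerts on log clearing will fire on machines where Tron has run.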

STAGE 2: De-bloat

  1. OEM de-bloat (by name): Use WMI to attempt to uninstall any program listed in this file:
  2. OEM de-bloat (by GUID): Use WMI to attempt to remove specific list of GUIDs listed in this file:
  3. Toolbar & BHOs (by GUID): Use WMI to attempt to remove specific list of GUIDs listed in this file:
  4. Metro de-bloat: Remove many built-in Metro apps that aren’t commonly used (does NOT remove things like Calculator, Paint, etc) then purges them from the cache (can always fetch later from Windows Update). On Windows 8/8.1, removes all stock “Modern” apps. On Windows 10 and up, only removes a few specific Modern apps. You can see the full list of Metro apps removed here (Microsoft) and here (OEM/3rd party). Use the -sb switch (skip all de-bloat) or -m switch (skip only Metro de-bloat) to skip this action
  5. Remove OneDrive integration: Remove forced OneDrive integration (Windows 10 only). Tron first checks if any files exist in the default OneDrive folder (%USERPROFILE%\OneDrive\) and skips removal if any are found. As an additional safety precaution, Tron leaves the OneDrive folder intact regardless of whether OneDrive is removed or not.

STAGE 3: Disinfect

  1. Clear CryptNet SSL cache: Wipe the Windows CryptNet SSL certificate cache by executing this command: certutil -URLcache * delete
  2. Malwarebytes Anti-Malware: Anti-malware scanner. Because there is no command-line support for MBAM, we simply install it and continue with the rest of the script. This way a tech can click Scan whenever they’re around, but the script doesn’t stall waiting for user input. Use the -sa or -sm flags to skip this component
  3. KVRT: Kaspersky Virus Removal Tool. Use the -sa or -sk flags to skip this component
    -l %TEMP%\tdsskiller.log -silent -tdlfs -dcexact -accepteula -accepteulaksn
  4. Sophos Virus Removal Tool: Command-line anti-virus scanner. Use the -v flag for more verbose output. Use the -sa or -ss flags to skip this component

STAGE 4: Repair

  1. MSI installer cleanup: Use the Microsoft msizap.exe utility to remove orphaned MSI installer files from the installer cache
  2. DISM image check & repair: Microsoft utility for checking the Windows Image Store (sort of a more powerful System File Checker). Windows 8 and up only
  3. Registry permissions reset: Grant SYSTEM and Administrator users full permissions on HKLM, HKCU, and HKCR hives. This is an add-only permissions operation (does not remove any permissions). Use the -srr flag to skip this operation
  4. Filesystem permissions reset: Grant SYSTEM and Administrator users full permissions on everything in the %WinDir% directory tree. Use the -sfr flag to skip this operation
  5. System File Checker: Microsoft utility for checking the filesystem for errors and attempting to repair if found. Tron runs this on Windows Vista and up only (XP and below require a reboot)
  6. chkdsk: Checks disk for errors and schedules a chkdsk with repair at next reboot (marks volume dirty) if errors are found
  7. Disable Windows “telemetry”: Disable Windows “telemetry” (user tracking), Windows 7 and up only. Tron removes the “bad” updates Microsoft pushed to Windows 7/8/8.1 systems after the Windows 10 release. These updates backport the surveillance/spyware functions that are by default present in Windows 10. See the code to see exactly which updates are removed. See the code (Win7/8/8.1, Win10) to see exactly which KB’s are removed. Tron also stops and deletes the DiagTrack (“Diagnostics Tracking Service”) service. If the system is running Windows 10, Tron does a more in-depth disabling of the Windows telemetry features, including automatically applying all the immunizations from the Spybot Anti-Beacon and O&O ShutUp10 tools. Go over the code in \tron\resources\stage_4_repair\disable_windows_telemetry\ to see exactly what is removed and disabled. NOTE: This section takes a LONG time to run, DO NOT CANCEL IT. Use the -str switch to just turn telemetry off instead of removing it
  8. Disable Windows 10 upgrade: Disables the Windows 10 upgrade nagger on Windows 7/8/8.1 by flipping the appropriate registry switches. Users can still manually upgrade the machine if they desire, but it will no longer nag via the system tray, auto-download, or auto-install Windows 10 without their permission
  9. Network repair: Tron performs minor network repair. Specifically it runs these commands: ipconfig /flushdns, netsh interface ip delete arpcache, netsh winsock reset catalog
  10. File extension repair: Tron repairs most default file extensions with a batch file that loops through a series of registry files stored in \tron\resources\stage_4_repair\repair_file_extensions\

STAGE 5: Patch

Tron updates these programs if they exist on the system. If a program does not exist, it is skipped:

  1. 7-Zip: Open-source compression and extraction tool. Far superior to just about everything (including the venerable WinRAR). Use the -sap switch to skip this action
  2. Adobe Flash Player: Used by YouTube and various other sites. Use the -sap switch to skip this action
  3. Adobe Reader: Standard PDF reader. Use the -sap switch to skip this action
  4. Java Runtime Environment: I personally hate Java, but it is still widely used, so we at least get the system on the latest version. Use the -sap switch to skip this action
  5. Windows updates: Runs Windows update via this command: wuauclt /detectnow /updatenow. Use the -swu switch to skip this action. If bundled WSUS Offline updates are detected, Tron executes those instead. Use the -swo switch to force skipping WSUS Offline updates even if they’re present in the relevant directory. See Executing bundled WSUS Offline updates above for more information on using offline update packages with Tron
  6. DISM base reset: Recompile the “Windows Image Store” (SxS store). This typically results in multiple GB’s of space freed up. Windows 8 and up only. Any Windows Updates installed prior to this point will become “baked in” (uninstallable). Use the -sdc switch to skip this action

STAGE 6: Optimize

  1. Page file reset: Reset the system page file settings to “let Windows manage the page file.” Accomplished via this command:

    %WMIC% computersystem where name="%computername%" set AutomaticManagedPagefile=True

    Use the -spr flag to skip this action

  2. Defraggler: Command-line defrag tool from Piriform that’s a little faster than the built-in Windows defragmenter. Defrag is automatically skipped if the system drive is an SSD. Use the -sd flag to force Tron to ALWAYS skip defrag

STAGE 7: Wrap-up

stage-specific code is in tron.bat

  1. generate summary logs: Generate before and after logs detailing which files were deleted and which programs were removed. These are placed in <LOGPATH>\tron_summary_logs. Additionally, if -er flag was used or EMAIL_REPORT variable was set, these logs will be attached to the email that is sent out
  2. Create restore point: Create a post-run system restore point to mirror the one we created in Stage 0: Prep. Vista and up only, client OS’s only, on Windows 10 does not work if the system is in any form of Safe Mode. See notes on System Restore in Stage 0 documentation for more information
  3. email_report: Send an email report with the log file attached when Tron is finished. Requires you to specify your SMTP settings in \resources\stage_7_wrap-up\email_report\SwithMailSettings.xml
  4. upload debug logs: Upload ‘tron.log’ and the system GUID dump (list of all installed program GUIDs) to the Tron developer (vocatus). Please use this option if possible, log files are extremely helpful in developing Tron! NOTE: tron.log can contain personal information like names of files on the system, the computer name, user name, etc, so if you’re concerned about this please look through a Tron log first to understand what will be sent. I don’t care what files are on random systems on the Internet, but just something to be aware of
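
The note in step 4 asks you to look through a Tron log before allowing the upload. The following PowerShell is an added example, not part of Tron, that reports which host and account names appear in a log and on which lines. The function name Find-IdentifierHits and the sample log lines are constructed, and the path C:\Logs\tron\tron.log is assumed from the log directory and file name mentioned on this page.

```powershell
# Added example (not Tron code). Summarises which host/user identifiers appear
# in a log and on which lines, as a review aid before enabling the upload.
function Find-IdentifierHits {
    param(
        [string[]]$Lines,        # log content, one element per line
        [string[]]$Identifiers   # computer name, account names, etc.
    )
    foreach ($id in ($Identifiers | Where-Object { $_ } | Sort-Object -Unique)) {
        $hits = for ($i = 0; $i -lt $Lines.Count; $i++) {
            # Literal, case-insensitive substring match; emit 1-based line number
            if ($Lines[$i].IndexOf($id, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $i + 1 }
        }
        [pscustomobject]@{
            Identifier = $id
            Count      = @($hits).Count
            FirstLines = (@($hits) | Select-Object -First 5) -join ','
        }
    }
}

# Constructed sample lines in the style of a cleanup log (not real Tron output).
$sample = @(
    '2016-01-01 10:00:00   Computer name: FRONTDESK-PC',
    '2016-01-01 10:00:05   Deleted C:\Users\jsmith\AppData\Local\Temp\setup.tmp',
    '2016-01-01 10:00:06   Stage 1 complete'
)
Find-IdentifierHits -Lines $sample -Identifiers 'FRONTDESK-PC', 'jsmith' | Format-Table -AutoSize

# Against a real log: check for this machine's name and every profile folder name.
$logFile = 'C:\Logs\tron\tron.log'   # assumed path, see lead-in
if (Test-Path $logFile) {
    $ids = @($env:COMPUTERNAME) + (Get-ChildItem 'C:\Users' -Directory).Name
    Find-IdentifierHits -Lines (Get-Content $logFile) -Identifiers $ids |
        Format-Table -AutoSize
}
```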

Tron is a glorified batch file: a free and open-source script that automates the process of disinfecting and cleaning up Windows systems. It is built with heavy reliance on community input and is updated regularly.

