Tron Script Wiki

What is “Tron Script”?

Tron is a script that “fights for the User.” It’s basically a glorified collection of Windows batch files that automate a bunch of scanning/disinfection/cleanup tools. I got tired of running the utilities manually and decided to just automate everything. I hope this helps other techs, admins, and users in general.

Tron’s goal is to take a badly-running Windows system (bloated, infected, whatever) and automate ~85% of the work involved in getting it running well again. That’s pretty much it. At this point it seems to accomplish that goal fairly well on most systems.

The whole project is built with heavy reliance on community input and updated regularly. If you have a problem or bug, REPORT IT and we’ll fix it as quickly as possible.

Fair Warning

Attempting to clean/fix a PC (with Tron or any other tool) that’s been compromised by malware and such can result in partially or completely disabling that PC, and can require a full reinstallation of Windows to restore full functionality. This isn’t a “Tron issue”, this is just how PCs are. Before you run Tron, be aware that the act of cleaning/repairing your PC can inadvertently disable your PC or adversely affect your data in the process. Your system may or may not be repairable; your data may or may not be recoverable. If you choose to run Tron anyway you must be prepared for the possibility of reformatting the hard drive, reinstalling Windows, and recovering your data from a backup.

Stages of Tron:

1. Prep: rkill, ProcessKiller, TDSSKiller, Stinger, registry backup, WMI repair, sysrestore clean, oldest VSS set purge, create pre-run System Restore point, SMART disk check, NTP time sync
2. Tempclean: TempFileCleanup, CCleaner, BleachBit, backup & clear event logs, Windows Update cache cleanup, Internet Explorer cleanup, USB device cleanup
3. De-bloat: remove OEM bloatware; customizable list is in \resources\stage_2_de-bloat\oem\; Metro OEM debloat (Win8 and up only)
4. Disinfect: Clear CryptNet SSL cache, Kaspersky Virus Removal Tool, Malwarebytes Anti-Malware
5. Repair: Registry permissions reset, Filesystem permissions reset, DISM image check (Win8 and up only), SFC /scannow, chkdsk
6. Patch: Updates 7-Zip and disables nag/update screens (uses some of our PDQ packs); then installs any pending Windows updates
7. Optimize: page file reset, defrag %SystemDrive% (usually C:\; skipped if system drive is an SSD or a VM)
8. Wrap-up: Send job completion email report (if configured; specify SMTP settings in \resources\stage_7_wrap-up\email_report\SwithMailSettings.xml)
9. Manual stuff: Additional tools that can’t currently be automated (ComboFix, AdwCleaner, aswMBR, autoruns, etc.)

Saves a log to C:\Logs\tron\tron.log (configurable).

0. FIRST THINGS FIRST: REBOOT THE COMPUTER BEFORE RUNNING TRON. This is to allow any pending updates to finish. If you don’t do this and the computer reboots during Tron with pending updates, it can brick the system. To re-iterate: it is very important to reboot the computer before running Tron.

1. Download Tron. If you download the self-extracting .exe file, run it and it will extract tron.bat and the \resources folder to the current directory. Copy both of them to the Desktop of the target machine.

2. Tron can be run with Windows in either Safe Mode or Regular mode. Regular mode is generally recommended unless the system is severely infected.

3. Right-click tron.bat and select “Run as Administrator“

4. Wait anywhere from 3-10 hours (it really takes that long; do not cancel it in the middle of running)

   Note: You’ll need to manually click “scan” in the MBAM window that appears part of the way through Stage 3: Disinfect. Tron will continue in the background with its other tasks while waiting for you though, so the script won’t stall if you’re not around to hit “scan” immediately.

5. Reboot! Reboot the system before doing anything else.

By default the master log is at C:\logs\tron\tron.log. If you want to change this, read the section on changing defaults below.

Depending how badly the system is infected, it could take anywhere from 3 to 10 hours to run. I’ve personally observed times between 4-8 hours, and one user reported a run time of 30 hours. Basically set it and forget it.

If you run with the -udl switch, it will automatically email me the run logs at the end of the script. Not required but greatly appreciated if you can.

NOTE: Each sub-stage script (e.g. stage_2_de-bloat.bat) can be run individually apart from Tron. Just remember to run them as Administrator if you go this route.

Command-line use is fully supported. All switches are optional and can be used simultaneously. *

tron.bat [ [-a | -asm] -c -d -dev -e -er -m -o -p -pmb -r -sa -sac -sap -scc -scs -sd -sdb
      -sdc -sdu -se -sk -sl -sm -sor -spr -str -swu -swo -udl -v -x] | [-h]

Optional switches (can be combined):

 -a   Automatic mode (no welcome screen or prompts; implies -e)
 
 -asm Automatic mode (no prompts; implies -e; reboots to Safe Mode first)
 
 -c   Config dump (display current config. Can be used with other
      switches to see what WOULD happen, but script will never execute
      if this switch is used)

 -d   Dry run (run through script without executing any jobs)

 -dev Override OS detection (allow running on unsupported Windows versions)

 -e   Accept EULA (suppress disclaimer warning screen)

 -er  Email a report when finished. Requires you to configure SwithMailSettings.xml

 -m   Preserve default Metro apps (don't remove them)

 -o   Power off after running (overrides -r)

 -p   Preserve power settings (don't reset to Windows default)

 -pmb Preserve Malwarebytes (don't uninstall it) after Tron is complete
 
 -r   Reboot automatically (auto-reboot 15 seconds after completion)
 
 -sa  Skip ALL anti-virus scans (AdwCleaner, KVRT, MBAM, SAV)

 -sac Skip AdwCleaner scan

 -sap Skip application patches (don't patch 7-Zip)

 -scs Skip custom scripts (has no effect if you haven't supplied custom scripts)

 -scc Skip cookie cleanup (not recommended, Tron auto-preserves most common login cookies)

 -sd  Skip defrag (force Tron to ALWAYS skip Stage 6 defrag)

 -sdb Skip de-bloat (entire OEM bloatware removal process; implies -m)
 
 -sdc Skip DISM component (SxS store) cleanup
 
 -sdu Skip debloat update. Prevent Tron from auto-updating the S2 debloat lists

 -se  Skip Event Log backup and clear (don't clear Windows Event Logs)

 -sk  Skip Kaspersky Virus Rescue Tool (KVRT) scan

 -sm  Skip Malwarebytes Anti-Malware (MBAM) installation

 -sor Skip OneDrive removal regardless whether it's in use or not

 -spr Skip page file reset (don't set to "Let Windows manage the page file")

 -str Skip Telemetry Removal (just turn telemetry off instead of removing it)

 -swu Skip Windows Updates entirely (ignore both WSUS Offline and online methods)

 -swo Skip user-supplied WSUS Offline updates (if they exist; online updates still attempted)
 
 -udl Upload debug logs. Send tron.log and the system GUID dump to the Tron developer

 -v   Verbose. Show as much output as possible. NOTE: Significantly slower!

 -x   Self-destruct. Tron deletes itself after running and leaves logs intact

Misc switches (must be used alone):

 -h   Display help text

* There is probably no -upm switch

If the script is interrupted e.g. from a crash or a forced reboot (often encountered during stage_2_de-bloat), simply re-run tron.bat and Tron will resume from the last stage successfully started.

It will also re-use any previously-used command-line switches when it starts back up.

More details about this function can be found in the list of all actions Tron performs at the bottom of this document.

In older versions of Tron (v10.3.1 and back), Safe Mode was recommended vs. Normal/Regular mode (Windows boot mode). The current recommendation has changed starting in v10.4.0, and I recommend first running in Normal/Regular mode, and only attempting a run in Safe Mode if that fails.

To have Tron send an email report at completion, edit this file:

\tron\resources\stage_7_wrap-up\email_report\SwithMailSettings.xml

Specify your SMTP server, username, and password. After specifying your settings you can use the -er switch to have Tron send the email report. The summary logs (tron_removed_files.txt and tron_removed_programs.txt) will be attached as well.

Keep in mind the username and password for the email account will be stored in PLAIN TEXT so don’t leave it lying around on a system you don’t trust.

If you don’t want to use the command-line and don’t like Tron’s defaults, you can change the following default settings. Keep in mind command-line switches will always override their respective default option when used.

Edit this file: \tron\resources\functions\tron_settings.bat

• To change the master directory where all of Tron’s output goes, edit this line:

  set LOGPATH=%SystemDrive%\logs\tron
  

• To change the name of the master log file, edit this line:

  set LOGFILE=tron.log
  

• To change where Tron stores quarantined files, change this path (note: this is currently unused by Tron, setting it has no effect):

  set QUARANTINE_PATH=%LOGPATH%\quarantine
  

• To change the location of the backups Tron makes (Registry, Event Logs, power scheme, etc), edit this line:

  set BACKUPS=%LOGPATH%\backups
  

• To change where Tron saves raw unprocessed logs from the various sub-tools, edit this line:

  set RAW_LOGS=%LOGPATH%\raw_logs
  

• To change where Tron saves summary logs, edit this line:

  set SUMMARY_LOGS=%LOGPATH%\summary_logs
  

• To always run automatically (no welcome screen, implies acceptance of EULA), change this to yes:

  set AUTORUN=no
  

• To always reboot to Safe Mode for autorun (requires that AUTORUN also be set to yes), change this to yes:

  set AUTORUN_IN_SAFE_MODE=no
  

• To do a dry run (don’t actually execute jobs), change this to yes:

  set DRY_RUN=no
  

• To override OS detection (allow Tron to run on unsupported Windows versions), change this to yes:

  set DEV_MODE=no
  

• To permanently accept the End User License Agreement (suppress display of disclaimer warning screen), change this to yes:

  set EULA_ACCEPTED=no
  

• To have Tron send an email report when finished, change this to yes (requires you to configure SwithMailSettings.xml with your SMTP info):

  set EMAIL_REPORT=no
  

• To preserve default Metro apps (don’t remove them), change this to yes:

  set PRESERVE_METRO_APPS=no
  

• To shut down the computer when Tron is finished, change this to yes:

  set AUTO_SHUTDOWN=no
  

• To preserve the power scheme (instead of resetting to Windows defaults), change this to yes:

  set PRESERVE_POWER_SCHEME=no
  

• To preserve Malwarebytes installation (skip removal) at the end of Tron, change this to yes:

  set PRESERVE_MALWAREBYTES=no
  

• To configure post-run reboot, change this value (in seconds). 0 disables auto-reboot:

  set AUTO_REBOOT_DELAY=0
  

• To skip ALL anti-virus scan engines (AdwCleaner, MBAM, KVRT), change this to yes:

  set SKIP_ANTIVIRUS_SCANS=no
  

• To skip AdwCleaner scan, change this to yes:

  set SKIP_ADWCLEANER_SCAN=no
  

• To skip application patches (don’t patch 7-Zip) change this to yes:

  set SKIP_APP_PATCHES=no
  
  • To leave ALL cookies intact (not recommended, Tron auto-preserves most common login cookies such as Spotify, Gmail, etc), change this to yes:

  set SKIP_COOKIE_CLEANUP=no
  

• To skip custom scripts (stage 8) regardless whether or not .bat files are present in the stage_8_custom_scripts folder, change this to yes:

  set SKIP_CUSTOM_SCRIPTS=no
  

• To skip OEM debloat, change this to yes:

  set SKIP_DEBLOAT=no
  

• To always skip defrag (even on mechanical drives; Tron automatically skips SSD defragmentation), change this to yes:

  set SKIP_DEFRAG=no
  

• To skip DISM component (SxS store) cleanup, change this to yes:

  set SKIP_DISM_CLEANUP=no
  

• To prevent Tron from connecting to Github and automatically updating the Stage 2 debloat lists, set this to yes:

  set SKIP_DEBLOAT_UPDATE=no
  

• To skip Windows Event Log clearing, change this to yes:

  set SKIP_EVENT_LOG_CLEAR=no
  

• To skip scanning with Kaspersky Virus Rescue Tool (KVRT), change this to yes:

  set SKIP_KASPERSKY_SCAN=no
  

• To skip installation of Malwarebytes Anti-Malware (MBAM), change this to yes:

  set SKIP_MBAM_INSTALL=no
  

• To skip removal of OneDrive regardless whether it’s in use or not, change this to yes:

  set SKIP_ONEDRIVE_REMOVAL=no
  

• To prevent Tron from resetting the page file to Windows defaults, change this to yes:

  set SKIP_PAGEFILE_RESET=no
  

• To skip removal of the Windows “telemetry” (user tracking) updates, change this to yes:

  set SKIP_TELEMETRY_REMOVAL=no
  

• To skip only bundled WSUS Offline updates (online updates still attempted) change this to yes:

  set SKIP_WSUS_OFFLINE=no
  

• To skip Windows Updates entirely (ignore both WSUS Offline and online methods), change this to yes:

  set SKIP_WINDOWS_UPDATES=no
  

• To automatically upload debug logs to the Tron developer (vocatus), change this to yes:

set UPLOAD_DEBUG_LOGS=no

• To display as much output as possible (verbose), change this to yes:

  set VERBOSE=no
  

• To have Tron delete itself after running (self-destruct), change this to yes:

  set SELF_DESTRUCT=no
  

• There is probably no -UPM switch

Tron supports executing custom scripts just prior to the end-screen.

Place any batch files you want to execute just prior to Tron completion in this folder: \tron\resources\stage_8_custom_scripts

Custom scripts work like so:

• If any .bat files exist in \stage_8_custom_scripts, Tron will execute each one sequentially by name. When they’re finished, Tron will clean up and end the script as normal

• If no .bat files exist in \stage_8_custom_scripts folder, Stage 8 is silently skipped

• Supporting files may be placed in the folder but Tron itself will ignore anything that isn’t a .bat file

• If you want to use supporting batch files but don’t want Tron executing them, use the .cmd file extension instead of .bat and Tron will ignore them

• It is your responsibility what your scripts do. I provide no support for custom scripts other than having Tron attempt to run them

• Use the -scs switch or edit the file \tron\resources\functions\tron_settings.bat and set SKIP_CUSTOM_SCRIPTS to yes to direct Tron to ignore custom scripts even if they are present. Can be useful if you have a set of scripts you only want to execute on certain systems and don’t want to carry two copies of Tron around

Tron supports using bundled WSUS Offline update packages over the traditional online update method.

To add offline update packages to Tron:

1. Download WSUS Offline

2. Run it and have it download the updates you want

3. Copy the client folder (usually at \wsusoffline\client) to \tron\resources\stage_5_patch\wsus_offline\client\

4. Make sure that Update.cmd is present in this path: \tron\resources\stage_5_patch\wsus_offline\client\Update.cmd

5. Run Tron, it should automatically detect and use the offline updates

If for some reason you want to skip the bundled update package on a certain system, use the -swo switch or edit tron_settings.bat, set SKIP_WSUS_OFFLINE to yes and Tron will ignore any WSUS Offline files for that run.

When Tron exits, it will pass an exit code indicating the final status (success/warning/error/failure/etc).

The best way to see what Tron does is simply crack open tron.bat or one of the stage-specific subscripts with a text editor (preferably one with syntax highlighting) or on GitHub and just read the code. Every section has comments explaining exactly what it does, and you don’t need to be able to read code to understand it. Barring that, here’s a general description of every action Tron performs.

link to code

Master script that launches everything else. It performs many actions on its own, but for any task not performed directly, we call an external utility or script. Each stage (e.g. Stage 1: Tempclean) has its own master script that Tron calls in sequence. Sub-stage scripts can be found in each stages subdirectory under the \resources folder. e.g. \tron\resources\stage_1_tempclean\stage_1_tempclean.bat

(These are executed even if Tron is canceled before running)

0. Detect TEMP execution: Detect if we’re running from the TEMP directory and prevent Tron from executing if so. TEMP is one of the first places to get wiped when Tron starts so we cannot run from there

1. Make log directories: Create the master log directory and sub-directories if they don’t exist. By default this is %SystemDrive%\Logs\tron.log

2. Detect Windows & IE versions: Determines quite a few things in the script, such as which versions of various commands get executed

3. Unsupported OS blocker: Throw an alert message if running on an unsupported OS, then exit. Use the -dev switch to override this behavior and allow running on unsupported Windows versions. Currently only triggers on Windows Server 2016.

4. Disk configuration check: Check if the system drive is an SSD, Virtual Disk, or throws an unspecified error (couldn’t be read by smartctl.exe) and set the SKIP_DEFRAG variable to yes_ssd, yes_vm, or yes_error respectively. If any of these conditions are triggered, Tron skips Stage 5 defrag automatically

5. Detect free space: Detect and save available hard drive space to compare against later. Simply used to show how much space was reclaimed; does not affect any script functions

6. Detect resume: Detect whether or not we’re resuming after an interrupted run (e.g. from a reboot)

7. Enable F8 Safe Mode selection: Re-enable the ability to use the F8 key on bootup (Windows 8 and up only; enabled by default on Server 2012/2012 R2)

8. Check for network connection: Check for an active network connection, and skip the update checks if one isn’t found

9. Check for update: Compare the local copy of Tron to the version on the official repo (does this by reading latest version number from sha256sums.txt). If the local copy is out of date, Tron will ask to automatically download the latest copy (always recommended). If permitted, it will download a copy to the desktop, verify the SHA256 hash, then self-destruct (delete) the old version

10. Update debloat lists: Connect to Github and download the latest version of the Stage 2 debloat lists at initial launch. Use the -sdu (SKIP_DEBLOAT_UPDATE) switch to prevent this behavior. I recommend letting Tron update the lists unless you have a good, specific reason not to

11. Detect Administrator rights: Detect whether or not we’re running as Administrator and alert the user if we’re not

12. Create RunOnce entry: Create the following registry key to support resuming if there is an interruption: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v "*tron_resume" /t REG_SZ /d "%~dp0tron.bat %-resume". The * prefix on the key name forces Windows to execute it in Safe Mode.

Note: -resume is an internal switch not meant for human use at the command-line. If you use it, things will break and I will laugh at you.

13. SMART check: Dump the SMART status of all hard disks in the system, then display an alert if any drive reports one of the following status codes: Error,Degraded,Unknown,PredFail,Service,Stressed,NonRecover

link to Stage 0 code

1. Create System Restore point: Create a pre-run system restore point. Vista and up only, client OS’s only. Not supported on Server OS’s, and on Windows 10 does not work if the system is in any form of Safe Mode. This is a known bug, and I spent hours trying to find a workaround but was not able to find a solution, so if you absolutely require a system restore point, recommend running in normal mode

2. Rkill: Rkill is an anti-malware prep tool; it looks for and kills a number of known malware that interfere with removal tools. Rkill will NOT kill any process listed in \resources\stage_0_prep\rkill\rkill_process_whitelist.txt (link)

3. Create pre-run profile: Dump list of installed programs and list of all files on the system so we can compare later and see exactly what was removed

4. GUID dump: Dump list of all installed program GUIDs. These dumps are useful in helping the project bolster the blacklist of known-bad GUIDs

5. Metro app list dump: Dump list of all Metro apps on the system. This is useful for helping the project bolster the blacklist of Metro apps to remove

6. ProcessKiller: Utility provided by /u/cuddlychops06 which kills various userland processes. We use this to further kill anything that might interfere with Tron. ProcessKiller will kill everything in userland EXCEPT: ClassicShellService.exe, explorer.exe, dwm.exe, cmd.exe, mbam.exe, teamviewer.exe, TeamViewer_Service.exe, Taskmgr.exe, Teamviewer_Desktop.exe, MsMpEng.exe, tv_w32.exe, VTTimer.exe, Tron.bat, rkill.exe, rkill64.exe, rkill.com, rkill64.com, conhost.exe, dashost.exe, wget.exe . (link)

7. Safe mode: Set system to reboot into Safe Mode with Networking if a reboot occurs. Removes this and resets to normal bootup at the end of the script. Accomplished via this command:

   bcdedit /set {default} safeboot network
   

8. Set system time via NTP: Set the system clock to sync against the following NTP servers, in this order: 2.pool.ntp.org, time.windows.com, time.nist.gov

9. Check and repair WMI: Check WMI interface and attempt repair if broken. Tron uses WMI for a lot of stuff including ISO date format conversion, OEM bloatware removal, and various other things, so having it functioning is critical

10. McAfee Stinger: Anti-malware/rootkit/virus standalone scanner from McAfee. Does not support plain-text logs so we save HTML log to Tron’s %LOGPATH%. Tron executes Stinger as follows:

stinger32.exe --GO --SILENT --PROGRAM --REPORTPATH="%LOGPATH%" --RPTALL --DELETE

11. TDSS Killer: Anti-rootkit utility from Kaspersky Labs. Tron executes TDSSKiller as follows:

tdsskiller.exe -l %TEMP%\tdsskiller.log -silent -tdlfs -dcexact -accepteula -accepteulaksn

12. Backup registry:: Use erunt to backup the registry prior to commencing scans

13. VSS purge: Purge oldest set of Volume Shadow Service files (basically snapshot-in-time copies of files). Malware can often hide out here

14. Reduce system restore space: Restrict System Restore to only use 7% of available hard drive space

15. Disable sleep mode: Tron uses caffeine.exe to disable sleep mode when the script starts. At the end of the script it resets power settings to Windows defaults. Use the -p switch to prevent resetting power settings to Windows default.

link to Stage 1 code

1. Internet Explorer cleanup: Executes only on Internet Explorer v7 and up. Runs the following built-in Windows tool to clean and reset Internet Explorer:

rundll32.exe inetcpl.cpl,ClearMyTracksByProcess 4351

2. CCLeaner: CCLeaner utility by Piriform. Used to clean temp files before running AV scanners. Note that CCleaner wipes %AppData% Local Storage. Edit ccleaner.ini and change (App)Local Storage*=True to (App)Local Storage*=False if you don’t want this behavior. Also note that Tron automatically preserves most common login cookies (Chase.com, gmail.com, etc). Use the -scc switch to leave ALL cookies intact (not recommended)

3. TempFileCleanup.bat: Script I wrote to clean some areas that other tools seem to miss

4. USB Device Cleanup: Uninstalls unused or not present USB devices from the system (non-existent thumb drives, etc etc). Uses drivecleanup.exe from Uwe Sieber

5. Cleanup duplicate downloads: Searches for and delete duplicate files found in the Downloads folders of each user profile (ChromeInstaller(1).exe, ChromeInstaller(2)exe, etc). Does not touch any other folders. Uses a UTF-8-friendly port Sentex’s original Find Dupe utility

6. Clear Windows event logs: Back up Windows event logs to %LOGPATH% directory, then clear all entries

7. Clear Windows Update cache: Purge uninstaller files for already-installed Windows Updates. Typically frees up quite a bit of space. Accomplished via this command:

   rmdir /s /q %windir%\softwaredistribution\download
   

8. Flush BranchCache cache: Tron executes the command netsh branchcache flush to flush any cached data in the BranchCache (win7 and up only)

link to Stage 2 code

1. OEM de-bloat (by name): Use WMI to attempt to uninstall any program listed in this file:

\tron\resources\stage_2_de-bloat\oem\programs_to_target_by_name.txt

2. OEM de-bloat (by GUID): Use WMI to attempt to remove specific list of GUIDs listed in this file:

\tron\resources\stage_2_de-bloat\oem\programs_to_target_by_GUID.txt

3. Toolbar & BHOs (by GUID): Use WMI to attempt to remove specific list of GUIDs listed in this file:

\tron\resources\stage_2_de-bloat\oem\toolbars_BHOs_to_target_by_GUID.txt

4. Metro de-bloat: Remove many built-in Metro apps that aren’t commonly used (does NOT remove things like Calculator, Paint, etc) then purges them from the cache (can always fetch later from Windows Update). On Windows 8/8.1, removes all stock “Modern” apps. On Windows 10 and up, only removes a certain specific Modern apps. You can see the full list of Metro apps removed here (Microsoft) and here (OEM/3rd party). Use the -sdb switch (skip all de-bloat) or -m switch (skip only Metro de-bloat) to skip this action. Like the GUID lists above, you can also customize these files to add or remove apps from the target list. Note that the Metro de-bloat PowerShell scripts also support standalone execution, if for example you JUST want to remove Metro bloat from a machine.

5. Remove OneDrive integration: Remove forced OneDrive integration (Windows 10 only). Tron first checks if any files exist in the default OneDrive folder (%USERPROFILE%\OneDrive\) and skips removal if any are found. As a additional safety precaution, Tron leaves the OneDrive folder intact regardless whether OneDrive is removed or not. Use the -sor switch to skip OneDrive removal entirely.

link to Stage 3 code

1. Clear CryptNet SSL cache: Wipe the Windows CryptNet SSL certificate cache by executing this command: certutil -URLcache * delete

2. Malwarebytes Anti-Malware: Anti-malware scanner. Because there is no command-line support for MBAM, we simply install it and continue with the rest of the script. This way a tech can click Scan whenever they’re around, but the script doesn’t stall waiting for user input. Use the -sa or -sm switches to skip this component. Use the -pmb switch to NOT uninstall it at the end of the script

3. Malwarebytes AdwCleaner: Command-line anti-virus scanner. Use the -sa or -sac switches to skip this component

4. KVRT: Kaspersky Virus Removal Tool. Use the -sa or -sk switches to skip this component

link to Stage 4 code

0. MSI installer cleanup: Use the Microsoft msizap.exe utility to remove orphaned MSI installer files from the installer cache

1. System File Checker: Microsoft utility for checking the filesystem for errors and attempting to repair if found. Tron runs this on Windows Vista and up only (XP and below require a reboot)

2. DISM image check & repair: Microsoft utility for checking the Windows Image Store (sort of a more powerful System File Checker). Windows 8 and up only

3. chkdsk: Checks disk for errors and schedules a chkdsk with repair at next reboot (marks volume dirty) if errors are found

4. Disable Windows “telemetry“: Disable Windows “telemetry” (user tracking), Windows 7 and up only. Tron removes the “bad” updates Microsoft pushed to Windows 7/8/8.1 systems after the Windows 10 release. These updates backport the surveillance/spyware functions that are by default present in Windows 10. See the code (Win7/8/8.1, Win10) to see exactly which KB’s are removed. Tron also stops and deletes the DiagTrack (“Diagnostics Tracking Service”) service. If the system is running Windows 10, Tron does a more in-depth disabling of the Windows telemetry features, including automatically applying all the immunizations from the Spybot Anti-Beacon and O&O ShutUp10 tools. Go over the code in \tron\resources\stage_4_repair\disable_windows_telemetry\ to see exactly what is removed and disabled. NOTE: This section can take a while to run, DO NOT CANCEL IT. Use the -str switch to just turn telemetry off instead of removing it

5. Disable Windows 10 upgrade nagger: Disables the Windows 10 upgrade nagger on Windows 7/8/8.1 by flipping the appropriate registry switches. Users can still manually upgrade the machine if they desire, but it will no longer nag via the system tray, auto-download, or auto-install Windows 10 without their permission

6. Network repair: Tron performs minor network repair. Specifically it runs these commands: ipconfig /flushdns, netsh interface ip delete arpcache, netsh winsock reset catalog

7. File extension repair: Tron repairs most default file extensions with a batch file that loops through a series of registry files stored in \tron\resources\stage_4_repair\repair_file_extensions\

link to Stage 5 code

Tron updates these programs if they exist on the system. If a program does not already exist on the system, it is not installed:

1. 7-Zip: Open-source compression and extraction tool. Use the -sap switch to skip this action

2. Windows updates: Runs Windows update via this command: wuauclt /detectnow /updatenow. Use the -swu switch to skip this action. If bundled WSUS Offline updates are detected, Tron executes those instead. Use the -swo switch to force skipping WSUS Offline updates even if they’re present in the relevant directory. See Executing bundled WSUS Offline updates above for more information on using offline update packages with Tron

3. DISM base reset: Recompile the “Windows Image Store” (SxS store). This typically results in multiple GB’s of space freed up. Windows 8 and up only. Any Windows Updates installed prior to this point will become “baked in” (uninstallable). Use the -sdc switch to skip this action

link to Stage 6 code

1. Page file reset: Reset the system page file settings to “let Windows manage the page file.” Accomplished via this command:

   %WMIC% computersystem where name="%computername%" set AutomaticManagedPagefile=True

   Use the -spr switch to skip this action

2. Defraggler: Command-line defrag tool from Piriform that’s a little faster than the built-in Windows defragmenter. Defrag is automatically skipped if the system drive is an SSD, or if any SMART errors are detected. Use the -sd switch to force Tron to ALWAYS skip defrag

stage-specific code is in tron.bat

1. generate summary logs: Generate before and after logs detailing which files were deleted and which programs were removed. These are placed in <LOGPATH>\tron_summary_logs. Additionally, if -er switch was used or EMAIL_REPORT variable was set, these logs will be attached to the email that is sent out

2. email_report: Send an email report with the log file attached when Tron is finished. Requires you to specify your SMTP settings in \resources\stage_7_wrap-up\email_report\SwithMailSettings.xml

3. upload debug logs: Upload ‘tron.log’ and the system GUID dump (list of all installed program GUIDs) and Metro app list dump to the Tron developer (vocatus). Please use this option if possible, log files are extremely helpful in developing Tron! NOTE: tron.log can contain personal information like names of files on the system, the computer name, user name, etc, so if you’re concerned about this please look through a Tron log first to understand what will be sent. I don’t care what files are on random systems on the Internet, but just something to be aware of

4. Remove Malwarebytes: Automatically remove the Malwarebytes installation. Use the -pmb switch to skip this and leave it on the system

stage-specific code is in tron.bat

1. Execute custom scripts: Tron will execute any .bat files placed in the \tron\resources\stage_8_custom_scripts directory. See Executing Custom/3rd-party Scripts above for more information

Tron does not run these automatically because most do not support command-line use, or are only useful in special cases.

1. ADSSpy: Scans for hidden NTFS Alternate Data Streams

2. aswMBR: Rootkit scanner

3. autoruns: Examine and remove programs that run at startup

4. ComboFix: The “scorched-earth policy” of malware removal. Only works on Windows XP through Windows 8 (no Windows 8.1 or above)

5. Junkware Removal Tool: Temp file and random junkware remover

6. Net Adapter Repair: Utility to repair most aspects of Windows network connections

7. Remote Support Reboot Config: Tool to quickly configure auto-login and other parameters for running Tron via a remote connection. Thanks to reddit.com/user/cuddlychops06

8. Safe Mode Boot Selector.bat: Batch file to quickly select bootup method to use (Safe Mode, Network, etc). Thanks to reddit.com/user/cuddlychops06

9. ServicesRepair.exe: ESET utility for fixing broken Windows services

10. Tron Reset Tool: Tool to quickly reset Tron if it gets interrupted or breaks while running

A Note About Tron “Freezing”

One of the most common questions we see is about Tron seemingly freezing in the middle of its run. In most cases this is caused by the user clicking somewhere inside the command window while Tron is running. This has the unfortunate side effect of “freezing” Tron; it will complete the step that it was on when the window was clicked on, but it won’t proceed to the next step.

Look at the title bar of the Command Prompt window. If it says “Administrator” then the process has not frozen, but if it says “Select Administrator” then you’ve clicked inside the Command Prompt window and Tron has frozen (example). If “Select Administrator” is seen then press RETURN; “Select” should disappear from the title bar and Tron should resume its progress.

If you don’t see “Select” in the title bar and Tron is seemingly frozen, then it’s most likely that Tron is working on one of the functions that takes more time than others. These longer functions include the de-bloat process in Stage 2, the virus removal in Stage 3 (which includes several different antivirus engines), the SFC (System File Checker) and/or DISM (Deployment Image Servicing and Management) check in Stage 4, or the defragmentation in Stage 6 (for spinning disks only; SSD’s are automatically exempt from defragmentation). All of these actions take time to complete and are primarily disk-bound. meaning that systems with slower hard drives and/or lots of files will take longer, potentially several hours to complete just that particular stage.

CQ (Common Questions)

1. Why doesn’t Malwarebyte’s auto-scan?

Part of the reason is that MBAM has anti-automation measures built into the GUI, so the next-best solution is to just install it and continue on so the script doesn’t hang waiting for user input. The main reason however is that I (u/vocatus) have spoken with Malwarebytes on the phone a few times, and they’ve agreed to let us use MBAM free in the manner we currently do (install, but leave scanning and updating up to the tech to manually execute). They’re being generous allowing us to use it at all, so to honor their wishes MBAM will remain a manually-executed function.

2. Why is Tron so big?

My military and traveling experience led me to develop Tron to be completely portable, so it includes every single utility it needs to run out of the box. I’ve spent (and still spend) a lot of time in places where the Internet is

• not available
• is available infrequently
• can’t be used for large transfers (slow network (Edge/2g/etc) or heavy-handed data caps (tethered cell phone), etc)

A fast Internet connection is great and all, but the reality is that fast Internet connections don’t exist in large parts of the world (especially parts where Tron is used a lot). So the strategy of building Tron to be as standalone as possible is born out of that experience.

3. Tron is slow

Yes it is. The current record for longest run-time was set by u/MCGamer20000 at 89 hours (!), although 4-7 hours is more normal. There is an explanation though it doesn’t make it less annoying. Tron runs three anti-virus engines (Kaspersky VRT, Sophos, MBAM), a number of other scanners, and (on mechanical drives) a defrag on C:. Lastly, it also runs SFC and DISM image repair (Vista and up). All of these actions take time and are primarily disk-bound. On top of all this, the average infected system is already running slowly, and of course cmd.exe isn’t known for its blazing speed.

My personal philosophy towards system cleanup is to use more time to “do it right” rather than take shortcuts to “do it quick.” With Tron, it’s almost always worth letting it run through the full gamut of stages, because 99 times out of a 100 the system runs better when it’s done. Of course there are times where expediency is called for, and in those cases you can use the command-line switches to skip certain portions at the expense of quality/depth of cleaning.

4. During Stage 2: De-Bloat there’s a message along the lines of “ERROR: Shutting down”

Safe to ignore. This is a known bug which I have yet to find a workaround for. It means that when some program was removed, it triggered the “Computer needs to reboot in order to finish removal” flag. It means Windows will not remove any other programs until the system reboots.

This doesn’t affect anything else in Tron, so the recommendation is to just to ignore it and let Tron finish, then manually remove whatever is left over when it’s done.

5. The computer reboots in the middle of Stage 2: De-Bloat

This is another known bug which I’m working on developing a solution for. Some programs hard-force a reboot when uninstalled via command line (e.g. via WMI), and there’s no way to cancel, disable or prevent it. There’s also no way to know beforehand which programs cause this to happen (Toshiba OEM apps seem to cause it more frequently). As a workaround, you can skip the debloat stage or just let Tron pick up where it left off (re-launch it) when the computer reboots.

6. Why not just use Ninite or Ketarin to auto-download tools at runtime?

A lot of people suggest Ninite or Ketarin (or some other tool/script) as a way to reduce Tron’s size and ensure we’re always on the latest versions of subtools. I’m actually a Ninite fan and have thought about it on and off for a while, but always felt the usefulness of a fully stand-alone package outweighs the small extra effort it takes to keep everything updated. I also like the more granular control over what exactly gets installed that a batch file affords, vs with Ninite it’s just blind trust that their maintainers configured it the way I want.

As far as using something like Ketarin to make a custom update script, it’s mainly because I could not for the life of me figure out Ketarin’s interface and don’t have time to learn another language, and besides that download URL’s change frequently and Tron uses so many sub-tools it’d be a separate project just to build and maintain an update script. All that said, if you want to build an update script for me, I’d be happy to integrate it into the project.

7. Why don’t you bundle WSUS Offline updates with Tron?

As of v10.0.0, Tron supports using bundled WSUS Offline updates. See the instructions for information on how to supply the update packages.

8. Can I run Tron from a boot disk or PE environment?

Short answer: no.

Long answer: Tron runs a lot of tools that automatically target %SystemDrive% (typcially C:\), and nearly all of them don’t have any option for specifying a different drive to work on, which is what you’d need to run it from a PE environment. Additionally, Tron depends on a lot of system variables that are only present on a live system and wouldn’t exist or would be incorrect in a PE environment. So the long answer is that it’s not really possible with the way Tron is built. Of course I’m a hacky batch scripter and not a real programmer, so I’m sure there’s some enterprising individual somewhere that could probably figure out how to do it.

9. ComboFix // MBAMSERVICE.exe // etc get flagged as a virus

Some antivirus products (Symantec and McAfee in particular) are overly aggressive with their heuristic engine and frequently target legitimate programs from a PUP list (“potentially unwanted program”). You can safely ignore warnings about the files and programs included in Tron, though if you’re still concerned you can check the MD5 or SHA256 hashes of the supposedly infected binary and see how they compare to the official files. The simplest fix for this is to just disable any local anti-virus on the machine before running Tron.

10. Why is Tron written in batch? Why not PowerShell?

A lot of people seem to get hung up on this for some reason. Ultimately it doesn’t matter what language Tron’s written in. What matters is that it works for its intended purpose, which it does. It could be written in Perl/C++/Go/etc and as long as it accomplishes the job it’s A-OK with me.

If you’re unsatisfied with that answer, here’s the rationale behind why batch was chosen (yes, chosen). On an infected or broken system, the Windows cmd engine is the lowest common denominator and always seems to just work. In contrast, there are many cases where PowerShell won’t run (broken), isn’t installed (XP/2003), scripting is disabled by default (Vista and up), or one of its very, very many dependencies are broken. So it’s more work to write in batch, but because it has a much higher chance of “just working” I think it’s worth it. For Tron, consistent reliability across diverse environments is more important than extra features.

All that being said, we’ll likely move to a pure PowerShell implementation at some point in the future when XP support is deprecated. I’m a big fan of it (Tron’s deployment script is in PowerShell) and would like to take advantage of the extra power and flexibility if offers.

11. Why not just re-image/format+reinstall?

Most people in Enterprise shops have the mentality that the only solution to an infection is to blow the box away and start from scratch or the latest master image. I agree with this. However, while that’s great in places where a master image is available, the reality is that there are a lot of scenarios where:

a) There is no master image (small business, personal machine, etc)

b) The machine is too specialized

c) It would take significantly more effort to back up user data, blow the machine away, re-install Windows, hunt down drivers, restore user data, sit down with them and get the system customized back the way they want it, etc than it would to just run Tron and send them on their way

TL;DR: Tron is intended for situations where it makes more sense to try for recovery vs. re-build from scratch.

12. When I launch Tron the window appears for a second or two and then closes

There is some weird bug in Windows where sometimes (not consistently) command-line programs or scripts will just randomly appear and then close. I don’t know if it’s UAC or what. The workaround is this:

Open an command-prompt with Administrator privileges (you can also use an admin PowerShell window; doesn’t matter). cd to wherever tron.bat is (usually c:\users\username\Desktop\tron\tron.bat; so type cd c:\users\MYUSERNAME\Desktop\tron\), then type tron.bat and hit Enter. I still haven’t been able to figure out why this happens, but this workaround seems to work.

13. Why not build a Chocolatey package?

Too much work and I don’t have enough time. A few people have built Chocolatey packages though; do a search of /r/TronScript and you should find some floating around.

14. Tron ‘stalls’ with an error saying it can’t access pagefile.sys (or similar)

Tron is not stalled, do not cancel it. By default Tron hides most scanner output to increase scanning speed, and only reports locked system files it can’t access. pagefile.sys, hiberfile.sys, and many other files of this nature will not be accessible to Tron. This is normal and it’s safe to ignore these errors.

If you want to see the FULL output while scanning you can use the -v (verbose) switch. Note that this will greatly increase the run time.

15. How can I know Tron won’t do something sketchy to my system?

You can’t. Caveat emptor applies when running software written by strangers on the Internet.

However I think you can have reasonable trust that it’s built in good faith and does only what it claims to, for a few reasons:

1. All code is open-source and available on Github under the MIT license. Everything is heavily commented, so if you want to see exactly what it’s doing you can go to Github (or crack open the various .bat files with a text editor) and look through it yourself
2. Code is viewed constantly by the community and it would be difficult to hide something malicious in it
3. If anything malicious was found, the project reputation would be ruined and someone would just fork Tron to a new “clean” version

Tron does rely on some third-party tools for heavy lifting, so those must be trusted as well, but they’re pretty well-known in the PC tech/IT space, so there shouldn’t be any surprises.

Bottom line, you can never fully trust any software you didn’t write yourself, but I think you can run Tron with reasonable certainty it is what it says it is and doesn’t try any funny business. If you’re interested, you can read my personal philosophy on how I approach Tron specifically and projects in general.

16. After running Tron, my antivirus is reporting that malware has affected SettingsModifier:Win32/HostsFileHijack. Did Tron infect my system?

Assuming your copy of Tron was downloaded from an official source, the short answer is no. More recent versions of Windows 10 treats ANY modification of the hosts file as malicious. Part of Tron’s task list is to maintain privacy by disabling Microsoft’s telemetry via an otherwise-harmless modification to the hosts file, but Microsoft has decided that blocking their ability to spy on users is “malicious” so you get this warning.

17. After running Tron, there are control panel settings which I cannot change; there’s a message that says “This setting is managed by your administrator”. Did Tron break my system?

One of Tron’s tools, O&OShutUp10, is an antispy tool for Windows. By default Tron uses this tool to disable a lot of things that Microsoft would prefer to have access to. The process of using O&OShutUp10 is what brings the “managed by your administrator” message up. If you want to get rid of that message you need only relaunch the tool and re-enable Microsoft’s telemetry settings. The tool is located in tron\resources\stage_4_repair\disable_windows_telemetry.