Free Microsoft Security Tools

I often get asked where someone can find a comprehensive list of Security tools from Microsoft.  Many tools which may be used by an administrator are not the same set of tools used by a developer or a consumer, but its nice to have a comprehensive list.

There are four sites that a good landing points:

All of these are good starting points to learn about these tools and how to use them to tackle IT security.  I have compiled a summary of some of the most useful security tools below.

Virus and Malware Protection and Removal

Microsoft Security Essentials

Real-time protection for your home PC that guards against viruses, spyware, and other malicious software.  (For Commercial Antimalware see:

Malicious Software Removal Tool

This tool checks your computer for infection by specific, prevalent malicious software and helps to remove the infection if it is found. Microsoft will release an updated version of this tool on the second Tuesday of each month, and as needed to respond to security incidents.

Windows Defender

This free program helps protect PCs from pop-ups, slow performance, and security threats caused by spyware and other unwanted software.

Windows Live OneCare Safety Scanner

This free service scans PCs for viruses, spyware, and potentially unwanted software.

Microsoft Security Intelligence Report (SIR)

Provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software

System & Network Utilities that can be used to troubleshoot security & malware

Process Explorer

Shows you information about which handles and DLLs processes have opened or loaded.  See: Advanced Malware Cleaning -  Mark Russinovich


This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them

Process Monitor

Advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity


A number of command-line tools that allow you to manage remote systems as well as the local one


RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit


A Windows program that will show you detailed listings of all TCP and UDP endpoints on your system

Network Monitor 3.3

A protocol analyzer. It enables you to capture, to view, and to analyze network data. You can use it to help troubleshoot problems with applications on the network.   See: for release notes and information.

Developer Tools & Threat Modeling:

Microsoft Application Verifier

Runtime Verification tool for unmanaged code

Microsoft FxCOP

Checks .NET managed code assemblies

Microsoft Code Analysis Tool

Code analysis tool that helps identify common variants of certain prevailing vulnerabilities

Microsoft Threat Analysis & Modeling

Threat modeling to empower application risk management

Microsoft SDL Threat Modeling Tool 3.1

Helps engineers analyze security & address design issues early in the software lifecycle

Microsoft PREfast Analysis Tool

Identifies defects in C/C++ Programs

Security Update Management

Microsoft Update

Microsoft Update consolidates updates provided by Windows Update and Office Update into one location and enables you to choose automatic delivery and installation of high-priority updates.  See: The Microsoft Security Update Guide

Windows Server Update Services (WSUS)

WSUS simplifies the process of keeping Windows-based systems current with the latest updates, with minimal administrative intervention.

System Center Configuration Manager

System Center Configuration Manager 2007 enables operating system and application deployment and configuration management, enhancing system security and providing comprehensive asset management of servers, desktops, and mobile devices.

Systems Management Server 2003 Inventory Tool for Microsoft Updates

Systems Management Server administrators can use the Inventory Tool for Microsoft Updates (ITMU) to determine the update compliance of managed systems.

Security Update Detection

Microsoft Baseline Security Analyzer (MBSA)

MBSA scans for missing security updates and common security misconfigurations. It can be used in conjunction with Microsoft Update and Windows Server Update Services.

Microsoft Office Visio 2007 Connector for the Microsoft Baseline Security Analyzer

This connector lets you view the results of an MBSA scan in a clear, comprehensive Microsoft Office Visio 2007 network diagram.

Extended Security Update Inventory Tool

The Extended Security Update Inventory Tool is used to detect security bulletins not covered by MBSA including MS04-028, February 2005 bulletins, and future security bulletins that are exceptions to MBSA.

Security Assessment

Microsoft Assessment and Planning (MAP) Toolkit for PC Security Assessment

This free toolkit assesses your entire IT environment for desktop and laptop vulnerabilities to viruses and malware, to determine your PC readiness for Forefront Client Security.

Microsoft Security Assessment Tool (MSAT)

MSAT provides information and recommendations to help enhance security within your information technology infrastructure.

Lockdown, Auditing, and Intrusion Detection and Remediation

Account Lockout and Management Tools

These tools can help you manage accounts and troubleshoot account lockouts.

BitLocker Active Directory Recovery Password Viewer

This tool helps to locate BitLocker Drive Encryption recovery passwords for Windows Vista- or Windows Server 2008- based computers in Active Directory Domain Services.

BitLocker Drive Preparation Tool

This tool configures the hard disk drives in your computer properly to support enabling BitLocker.

Bitlocker Repair Tool

This tool can help recover data from a corrupted or damaged disk volume that was encrypted with BitLocker.


Available as part of the Security Guide Scripts Download, this is a multi-threaded tool that will parse event logs from many servers at the same time.

File Checksum Integrity Verifier

This command-line tool computes and verifies MD5 or SHA-1 cryptographic hash values of files. These values can be displayed on the screen or saved in an XML file database for later use and verification.

IIS Lockdown Tool

This tool reduces the attack surface of earlier versions of Internet Information Services (IIS) and includes URLScan to provide multiple layers of protection against attackers. (All of the default security-related configuration settings in IIS versions 6.0 and 7.0 meet or exceed the security configuration settings made by the IIS Lockdown tool.)

Port Reporter

This tool runs as a service on computers running Windows Server 2003, Windows XP, or Windows 2000, and logs TCP and UDP port activity.

Port Reporter Parser (PR-Parser)

This tool that parses the logs that the Port Reporter service generates. The PR-Parser tool has many advanced features that can help you analyze the Port Reporter service log files. You can use the PR-Parser with the Port Reporter tool in a number of scenarios, including troubleshooting and security-related scenarios.


This command-line utility helps you troubleshoot TCP/IP connectivity issues on Windows Server 2003, Windows XP, or Windows 2000.


Promqry and PromqryUI allow you to detect network sniffers on computers that are running Windows Server 2003, Windows XP, and Windows 2000.


This command-line tool enables you to obtain security information about files, registry keys, and services. It also lets you transfer this information from user to user, from local or global group to group, and from domain to domain.

UrlScan Security Tool 3.0

This tool helps prevent potentially harmful HTTP requests from reaching IIS Web servers. UrlScan 3.0 includes new features to help protect against SQL injection attacks, and can be used with IIS 5.1 and later.

UrlScan Security Tool 2.5

This tool helps prevent potentially harmful HTTP requests from reaching IIS Web servers. UrlScan 2.5 can be used with IIS 4.0 and later. (Users running IIS 6.0 and later will most likely want to use UrlScan 3.0.)

Windows SteadyState

Whether you manage computers in a school computer lab or an Internet cafe, a library, or even in your home, Windows SteadyState helps make it easy for you to keep your computers running the way you want them to.

There are many more useful tools on Microsoft's TechNet Security Center and Codeplex.