Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

Hijackthis - some Tips & Tricks

There are many HijackThis tutorials on the web already, so this article is about tips that help utilize HijackThis' full potential as a diagnostic tool.

Download HijackThis from a TrendMicro link or from known reliable sources only.

Never run HijackThis from a Temporary Folder:
You need to save HijackThis.exe into its own permanent folder e.g. C:\HijackThis, not in any temp locations where it can be accidentally deleted when you run temp files cleaner. This is very important because by default hijackthis saves a backup of all 'Fixed' entries and you don't want those backups to be deleted when you change your mind and decide to restore some of the entries.

Restoring from the Backup:

At any time when you want to restore items that were previously Fixed just start HijackThis again and go to Config > Backups or Misc Tools > Backups  and click on the Restore button, click Yes on the prompt and that particular entry/entries will be restored instantly.
Be aware also that running it from your desktop if you're using your real name as your user account may not be a good idea if posting your log online with that info for the world to see (example below). If that's the case, remove your name before posting the log.
Same thing goes when running other scanners from a desktop.
C:\Documents and Settings\Edward Cullen\Desktop\HiJackThis.exe
C:\Documents and Settings\Leroy Jethro Gibbs\Desktop\ComboFix.exe

So it's a good idea to install it so it will be running from the default location of Program Files folder, then your account name will not show up in the log like the below example.
C:\Program Files\Trend Micro\HijackThis\Hijackthis.exe

HijackThis scan must be done in Normal Mode:
DO NOT run HijackThis in safe mode unless that's the only mode the pc boots into. Normal mode is the mode it should be run when all nasties lurking in the system are active and running. You would want to know everything that are running(bad or good) in order to know what infection is present and what method to use for removal.

MSConfig and HijackThis:
DO NOT uncheck any entries in MSConfig > Startup prior to running Hijackthis. It is important that you do not disable any startup entries because Hijackthis will not scan them and the log will not show all the programs or nasties running in the system.

I have seen suggestions on threads where Experts advised users to disable startup entries in msconfig and then suggested a HijackThis scan after.
This is not a good method(if you haven't seen the log yet) because we want to know all the programs that are running at startup and if you disable those then they are not being scanned therefore won’t be listed in the log. You can disable them after the scan or alternatively just disable them using HijackThis by fixing the relevant entries.
Fixing the 04 entries in HijackThis is equivalent to unchecking entries in MSConfig > Startup.
If it's a work PC or if it's part of the company's network, be aware that your company’s Domain name or IP address can also show up in the log and you may not want to post a log online with that info for the hackers to see.
There is an automated analyzer at that basically tells you whether the entries are legit or not but you mustn't rely on its findings as any automated analyzer is only as good as its database. So use it only as a guidance.

A clean HijackThis log doesn't necessarily mean a clean system because a lot of nasties can now hide from the HijackThis scan. So other scanners are needed or other diagnostic tools need to be used if the system is infected. HijackThis is not a standalone removal tool, it can't remove infections on its own so it often needs other tools to complete the removal.
If you want someone to analyze your log, ask a Question in the HijackThis Zone and attach your log.

Supported Operating Systems:

HijackThis supports Windows 98, Windows 2000, Windows ME, Windows XP, Windows Vista
and Windows 7.

Though it will run on non-supported systems(the diagnostic scan side of it) it may not function as well as expected when you start fixing entries or deleting files etc. The report can be misleading as may show legit entries that look suspicious, and shows "file missing" when in fact they are not missing, e.g. below. So be aware before you start fixing entries or using HijackThis' other functions on these systems.

C:\Documents and Settings\Alice Cullen\WINDOWS\System32\smss.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

For info on HijackThis entries, check out this tutorial:

Comments (5)

Author of the Year 2011
Top Expert 2006

rpggamergirl -
Some great (and really timely) advice for anyone using HJT.
Thank you for putting it together.

"Yes" vote up above.
Most Valuable Expert 2023
Most Valuable Expert 2013

Thanks - Thumbs up vote from here!
Top Expert 2007


younghv, MASQUERAID,

Thanks for the Yes vote! :)
b0lsc0ttIT Manager

How useful is HJT now?  I may not be up to date (or confusing it with another) but I thought I read the program was purchased by a big company who hadn't updated it.  Great points and info and I am a huge fan of the program.  Even out of date it would still be useful I would think for certain things but I was just curious, especially when I noticed support for Windows 7, if it is now being updated and actively developed.

Thanks for the article and your time to create it!

Top Expert 2007


"How useful is HJT now?"

Good question. HJT is still a useful tool, it depends what you want it has lots of features and functions.
You can disable startup programs, disable/delete services, delete file on reboot, kill process etc.... but as a malware diagnostic tool it is NOT that useful anymore because a lot of nasties can now hide from its scan. A clean Hijackthis log doesn't mean that the system is clean.

"I may not be up to date (or confusing it with another) but I thought I read the program was purchased by a big company who hadn't updated it."

Yes, TrendMicro bought Hijackthis, but unfortunately Trend doesn't have a good history of maintaining their acquired tools. If you remember CWShredder which they also acquired, it become obsolete.
Yes, HJT is still being updated, but nothing dramatic is happening there. I only hope that what happened to CWShredder will not happen with HijackThis.

Thanks for the Yes vote, :)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.