A look at HiJackThis Fork

Martin Brinkmann
Nov 13, 2018

Remember HiJackThis? The program was designed to scan a Windows PC thoroughly for any signs of malicious software, spyware, and other unwanted bits.

Trend Micro acquired the software program in 2007 and turned it into an open source program in 2012.

The last version of the application was released in 2013; it was a beta version and the project was abandoned shortly thereafter. HiJackThis is still downloaded more than 4000 times per week from Sourceforge alone and that is not counting other download repositories the program is offered on.

The lack of updates reduced the effectiveness of the program. Developer Polshyn Stanislav from the Ukraine created a fork of HiJackThis that brings the application to the modern age. The fork is compatible with all modern versions of the Windows operating system -- the last version of HiJackThis was published two years before the release of Windows 10 -- and introduces new functionality.

HiJackThis Fork

HiJackThis Fork is offered as a portable program for Windows; just download the latest version from the project's GitHub page and run it after the download completes. A test on the virus scanning site Virustotal returned zero hits.

You need to accept the terms on the first run. The main window displays all available options right away. You can change the interface language -- default is English -- and run a system scan with or without the generation of a log file on the local system.

New users may click on online guide to access a short English tutorial that explains some of the basics.

HiJackThis Fork analyzes different areas of the operating system and displays its findings in the program interface and if you selected the log option as a log file as well. The option to save a log is available on the scan results page as well.

HiJackThis Fork detects potential hijacking issues primarily. It is necessary to go through the list of items one by one to determine whether an item is dangerous or harmless.

The button "info on selected item" provides a basic explanation of the general nature of an item but it won't help you make a decision in regards to the malicious or problematic nature of the item.

The program does not rate items that it finds and removing any may have unforeseen consequences on system functionality or stability.

Check any items that you want removed and select "fix checked" to delete them on the system. Inexperienced users may select "analyze this" to find out how they can have someone else look at the results to provide advice.

HiJackThis Fork includes numerous improvements over its discontinued predecessor. The developer added detection support for new hijacking methods and new tools to the program's arsenal.

You may run tools to generate an extensive list of startup items, check the digital signature of files, unlock locked Registry keys, or check LNK elements.

Closing words

HiJackThis is certainly not as important as the program was ten years ago but it is still a good tool to analyze certain areas of the operating system. The fork of the original application ensures that it can be run on modern versions of Windows and that items that the program detects are updated to reflect these changes as well.

Now You: What is your take on HiJackThis (Fork)?

software image
Author Rating
4.5 based on 5 votes
Software Name
HiJackThis Fork
Operating System
Software Category
Landing Page

Tutorials & Tips

Previous Post: «
Next Post: «


  1. zarky said on September 13, 2019 at 1:07 am

    I used to really like HJT. But I always needed an analyser tool to help me sort through it all. I’m IT savvy but it is just too much info to sort through without that assistance. But all the best HJT analyser databases have shut down, so I’m afraid I will surely have to move on to other tools.
    The possibility that *maybe* the analyser database can be messed with is not a good enough reason not to have them.

  2. Polshyn Stanislav said on November 18, 2018 at 4:02 pm

    @Martin Brinkmann, thank you for overview.
    I like it :) I found it by chance through Google.
    The only misunderstanding that “The last version of HiJackThis was published two years before the release of Windows 10”.
    All my versions are published in devel branch: https://github.com/dragokas/hijackthis
    and can be downloaded via binary folder https://github.com/dragokas/hijackthis/tree/devel/binary
    or via link in description.
    Only the final v3.0 will be included in the release.
    Although, the current version is absolutely stable.

  3. K@ said on November 13, 2018 at 10:00 pm

    The version I just got (, which was committed four days ago) seems not to work on X64 systems. :(

    1. Polshyn Stanislav said on November 18, 2018 at 3:43 pm

      HJT Fork v2.9.0.6 (in general, all versions) work on x64.
      Your problem can be due to:
      1. Malware infection.
      2. System problems
      3. Antivirus block
      4. Some pre-installed restrictions, like policies, AppLocker etc.
      You can register on GitHub and create issue about your case if you want to find out what’s happen: https://github.com/dragokas/hijackthis/issues

  4. Anonymous said on November 13, 2018 at 9:51 pm

    Has anyone done a security audit on the fork?

    Is the author from the western or eastern Ukraine? Can anyone tell me if his name is more likely to indicate a western Ukrainian heritage or an eastern Ukrainian heritage?

    How about the code itself? Is he just using English (Where regular languages are called for) because that’s what the language of the original coding may have been in? If not, which language is it in, Ukrainian or Russian?

    I hate to give this added scrutiny just because of the country of origin, especially since western Ukraine is our ally, but since a great deal of the east is under the control of a Russian puppet government, not even counting Crimea, which Russia has officially annexed (Although the annexation is not recognized by international bodies), I doubt I’d consider using it without additional data.

    Russia launches cyberattacks against the United States and other western governments, including the legitimate Ukraine government in the west, on a regular basis. I wouldn’t trust a program coming out of the eastern portion of the Ukraine for that reason. From the western part by someone not speaking Russian? Maybe I would.

    To be clear, it’s the current Russian government and it’s puppet governments that I don’t trust. It’s nothing personal against Russians in general. I know people of Russian descent who I like very much- but I don’t trust Putin’s regime (In the same way that many Russians probably don’t- they just can’t say so because they live under a repression regime).

    1. Polshyn Stanislav said on November 18, 2018 at 3:55 pm

      None done security audit, as far as I know. But I will not refuse if someone offers such help.
      Yes, I’m using mostly English in code (as every normal developer), because it is a standard in programming. Although, several comments I made in Russian, and some in Netherlandish (by Merijn Bellecom).
      I hate people make findings based on code language, spell language and origin. I call such people – racists and paranoid. If you are not, you should not care where I come from.
      But if you interested I’m speaking Russian and Ukraining both good as well as most people in Ukraine. And I’m from the city near the region where fighting takes place.
      If you want to see my extended opinion, look in my commentary at mg: https://www.majorgeeks.com/files/details/hijackthis_fork.html#comment-3453521586

    2. Anonymous said on November 15, 2018 at 4:00 am


      Wikileaks released CIA’s Vault 7 showing that everything including your Samsung Smart TV is bugged and you are worried about Russa.



    3. asd said on November 14, 2018 at 12:18 pm

      LOL that was the funniest comment I have ever seen on this site. don’t worry, this app is pretty useless since it is superseded by Autoruns and the whole toolbox of Sysinternals and NirSoft, etc …

      @Martin Brinkmann idea for a post: useful tools for troubleshooting malware infections.

      1. Polshyn Stanislav said on November 18, 2018 at 3:39 pm

        HJT has some common detection areas with Autoruns. And HJT has areas that none of Sysinternals or NirSoft tools can see.
        HJT is used every day by our specialists on several forums (e.g. KasperskyClub forum) as part of set of tools to cure PC infection. You can see details on GutHub main page of HJT Fork.

  5. Steve said on November 13, 2018 at 9:41 pm
    1. Polshyn Stanislav said on November 18, 2018 at 3:33 pm

      Thank you Steve. I will see what cause VT reaction in src files. I bet on IC.exe, the program used to patch icon resource. Anyway, it has source code, supported by me and not included in program.
      Fork release version is fine.

    2. Martin Brinkmann said on November 13, 2018 at 10:10 pm
      1. Steve said on November 14, 2018 at 11:38 pm

        Thank you.
        Presumably the github main page download link version was (is) yet to be updated.

  6. Bruno said on November 13, 2018 at 6:44 pm

    Autoruns is a modern and more user friendly alternative.

    1. Polshyn Stanislav said on November 18, 2018 at 3:30 pm

      The same as HJT. Users should not delete anything in Autoruns if they not absolutely sure what is it. It can cause system malfunction.
      And you cannot rely only on digital signature or VT result when you are decide whether item is malicious. Both can be hijacked. Signature stolen. VT detection decreased by special methods.

      As about HJT, it has common areas with Autoruns. It has areas that Autoruns see, and HJT do not, and vise versa.

  7. BillBlagger said on November 13, 2018 at 2:24 pm

    Presumably same as before: dangerous if you don’t know how to use it.

    1. Rush said on November 13, 2018 at 7:14 pm

      @Bill Blagger

      Agree Bill.

      If one is not familiar with how to create restore points, then one probably should not use this program.

      1. Polshyn Stanislav said on November 18, 2018 at 3:22 pm

        It not require RP. HJT creates full registry backup using ABR (from UVs author). It’s analogue of ERUNT. Registry can be restored by executing c:\windows\ABR\\restore.exe
        Also, fork has powerful backups system. Each item you fixed can be restored (registry, files, access, date stamps etc.).
        However, users should fix items if only absolutely sure what they mean.

  8. asd said on November 13, 2018 at 1:54 pm

    last update 2016. yeah it is still dead.

    1. Aris said on November 13, 2018 at 3:27 pm

      Look into /binary/ folder: https://github.com/dragokas/hijackthis/tree/devel/binary
      v2.9.0.6 updated 4 days ago, but this belongs into releases area imo.

      1. Polshyn Stanislav. said on November 18, 2018 at 3:13 pm

        @asd, that is not correct. Even if it were true, it doesn’t matter, because HJT doesn’t need constant updates to databases since his detection core based mostly on hajacker methods, not a database.

        Also, don’t download it, please, using “release” tab (it is old original HJT). I don’t want to public release until I finish v3.0.
        Meanwhile, you can use devel version, that is fully stable: https://github.com/dragokas/hijackthis/tree/devel/binary or build project yourself.

    2. Scott said on November 13, 2018 at 2:48 pm

      Did you look at the GitHub page, It looks to me like he updates often.

      1. Vignesh said on November 13, 2018 at 4:12 pm

        Looks like the last release is 2.0.6 published two years ago. But the program was updated 4 days ago at version Get the file at hijackthis/binary/hijackthis.exe

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.