Uses

Modern rootkits do not elevate access, but rather are used to make another software payload undetectable by adding stealth capabilities. Most rootkits are classified as malware, because the payloads they are bundled with are malicious. For example, a payload might covertly steal user passwords, credit card information, computing resources, or conduct other unauthorized activities. A small number of rootkits may be considered utility applications by their users: for example, a rootkit might cloak a CD-ROM-emulation driver, allowing video game users to defeat anti-piracy measures that require insertion of the original installation media into a physical optical drive to verify that the software was legitimately purchased.


Rootkits and their payloads have many uses:
- Provide an attacker with full access via a backdoor, permitting unauthorized access to, for example, steal or falsify documents. One of the ways to carry this out is to subvert the login mechanism, such as the /bin/login program on Unix-like systems or GINA on Windows. The replacement appears to function normally, but also accepts a secret login combination that allows an attacker direct access to the system with administrative privileges, bypassing standard authentication and authorization mechanisms.
- Conceal other malware, notably password-stealing key loggers and computer viruses.
- Appropriate the compromised machine as a zombie computer for attacks on other computers. (The attack originates from the compromised system or network, instead of the attacker's system.) "Zombie" computers are typically members of large botnets that can launch denial-of-service attacks and distribute e-mail spam.
- Enforcement of digital rights management (DRM).


In some instances, rootkits provide beneficial functionality, and may be installed intentionally by the computer owner:

- Conceal cheating in online games from software like Warden.
- Detect attacks, for example, in a honeypot.
- Enhance emulation software and security software. Alcohol 120% and Daemon Tools are commercial examples of non-hostile rootkits used to defeat copy-protection mechanisms such as SafeDisc and SecuROM. Kaspersky antivirus software also uses techniques resembling rootkits to protect itself from malicious actions. It loads its own drivers to intercept system activity, and then prevents other processes from doing harm to itself. Its processes are not hidden, but cannot be terminated by standard methods (It can be terminated with Process Hacker).
- Anti-theft protection: Laptops may have BIOS-based rootkit software that will periodically report to a central authority, allowing the laptop to be monitored, disabled or wiped of information in the event that it is stolen.

- Bypassing Microsoft Product Activation.

Defences

System hardening represents one of the first layers of defence against a rootkit, to prevent it from being able to install. Applying security patches(Patch Tuesday), implementing the principle of least privilege, reducing the attack surface and installing antivirus software are some standard security best practices that are effective against all classes of malware. Once these measures are in place, routine monitoring is required. In most cases however, the only defense against a rootkit is to reformat your hard drive to completely delete all files.

New secure boot specifications like Unified Extensible Firmware Interface are currently being designed to address the threat of bootkits.