A computing system configured to detect and/or remove a rootkit. For detection, a snapshot component takes a snapshot of a storage unit. A rootkit detection component accesses an enumeration of individual files stored on the storage unit using an alternative file system I/O to detect the presence of a rootkit. For removal, the location of a rootkit is identified and a computing system shutdown is initiated. A snapshot component pauses the shutdown operation prior to the completion of the shut down and takes a snapshot of a file storage unit. A rootkit repair component accesses the identified location of the portion of the file storage unit containing the rootkit and modifies the portion of the snapshot of the file storage unit so as remove the rootkit.