Posts: 540 | Thanked: 288 times | Joined on Sep 2009
#26
Originally Posted by Patroclo View Post
As far as I understood, there is no way at all to discover a rootkit on the N900, is there?
Doing a "clean boot" is kinda hard without reflashing the whole firmware. tripwire requires a known-good configuration to check against, and I'm fairly sure a proper rootkit can fool it pretty easily (it's been a while, but as far as I recall tripwire only checks against file hashes, and a proper rootkit can hide all modifications [see below]).

As for Windows not having a root user, it does have an admin user and privilege separation etc., so getting stuck on what the superuser happens to be called is kinda pointless.

Besides, "rootkit" these days refers to a program that hides its presence in the system (by patching itself in to filter things like the process list and disk access, and simply serving "clean" versions to any other process that asks). Thus a clean boot (from a known-good CD, for example) is needed so that the unpatched view of the system can be gained; this can then be compared to what the normally booted system looks like (explanation simplified, see "lies to children").

F-Secure (I used to work for them about 9 years ago) has a tool called Blacklight for detecting rootkits; read the white papers if you want to know more.
__________________
  • Live near Helsinki, Finland & interested in electronics ? Check this out.
  • Want anti-virus/firewall ? Read this (and follow the links, also: use the search, there are way too many threads asking the same questions over and over and over again).
  • I'm experimenting with BitCoins, if you want to tip me send some to: 1CAEy7PYptSasN67TiMYM74ELDVGZS6cCB
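The post above describes two ideas without showing them: a rootkit that filters the process list, and comparing a trusted view of the filesystem against the normally booted one. The following is an added example, not code from the post, from F-Secure or from tripwire, that does both in a simplified way on any Linux box with a /proc filesystem. The hidden-process check is a "cross-view" probe: it compares what `readdir(/proc)` lists with what `stat("/proc/<n>")` finds for every PID up to `max_pid` (an assumed, deliberately small default; a real run would use `/proc/sys/kernel/pid_max`). The file check hashes a directory tree so that a map taken from a clean boot can be diffed against one taken from the running system. The temp-directory usage at the bottom is constructed sample input.

```python
"""Added example: cross-view rootkit checks in the spirit of the post.
Not the post's, F-Secure's or tripwire's code; max_pid=65536 is an assumption."""
import hashlib
import os
import tempfile


def listed_pids():
    """PIDs the kernel reports via readdir(/proc): the view a rootkit filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_pids(max_pid=65536):
    """PIDs found by stat-ing /proc/<n> directly, bypassing readdir filtering."""
    return {pid for pid in range(1, max_pid + 1) if os.path.isdir(f"/proc/{pid}")}


def tgid_of(pid):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read.
    Threads are absent from readdir(/proc) but stat-able by TID, which is the
    classic false positive of this technique; Tgid != pid identifies them."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(max_pid=65536):
    """PIDs visible by probing but absent from readdir, after discarding races
    (processes that started or exited during the scan) and plain threads."""
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    confirmed = set()
    for pid in probed - before - after:
        tgid = tgid_of(pid)
        if tgid is None and not os.path.isdir(f"/proc/{pid}"):
            continue                      # exited between probe and confirmation
        if tgid is not None and tgid != pid:
            continue                      # a thread reached by its TID, not a process
        if pid in listed_pids():
            continue                      # appeared in readdir after all (new process)
        confirmed.add(pid)
    return confirmed


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root (symlinks skipped)."""
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            out[os.path.relpath(full, root)] = h.hexdigest()
    return out


def compare_views(trusted, untrusted):
    """Diff two hash maps, e.g. one taken from a clean boot and one from the
    running system. Anything in 'changed' or 'added' is a candidate modification."""
    return {
        "added": sorted(set(untrusted) - set(trusted)),
        "missing": sorted(set(trusted) - set(untrusted)),
        "changed": sorted(p for p in trusted if p in untrusted and trusted[p] != untrusted[p]),
    }


def demo_file_compare():
    """Constructed sample: a tiny tree, a baseline, then one modified and one added file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls")
        with open(os.path.join(root, "etc"), "wb") as f:
            f.write(b"config")
        baseline = hash_tree(root)                # the "clean boot" view
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls")               # rootkit replaces a binary
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"payload")                   # and drops a new file
        return compare_views(baseline, hash_tree(root))


if __name__ == "__main__":
    print("hidden pids:", hidden_pids())
    print("file diff:", demo_file_compare())
```

Both checks are themselves "lies to children": a kernel rootkit that hooks `stat`/`open` on /proc as well as `readdir`, or that serves clean file contents to the hasher, passes them. That is exactly why the post insists on a second view taken from a boot the rootkit did not control; the hash map from that boot is what you feed to `compare_views` as `trusted`.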