The Avenger

Command Reference

Registry keys to delete:

The "Registry keys to delete:" directive backs up each registry key listed under it and then deletes it.

How do I use it?

The Avenger can only delete keys under the HKEY_LOCAL_MACHINE hive, because the other hives have not yet been loaded at the point in the boot process when The Avenger executes. To reach keys in other hives, use the "Programs to launch on reboot:" directive as a workaround.

When do I use it?

Use it when there are malicious registry keys under HKEY_LOCAL_MACHINE that you want removed. This is one of the most common uses of The Avenger.

Anything else I should know?

  • Be careful which registry keys you delete! The Avenger will happily delete keys that are critical to Windows, and without which Windows will not boot. Although these keys are backed up, if Windows won't boot, it's a little hard to restore the backups.

  • Do NOT use this command to delete driver keys (subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services)! If a malicious driver is active, deleting its key this way can deadlock the system. Use "Drivers to delete:" or "Drivers to disable:" instead.

Any special notes on syntax?

  • Valid registry key paths must begin with either HKEY_LOCAL_MACHINE\ or HKLM\ for short. Either prefix is accepted. No other hives are recognized by The Avenger.
    Note that this is a change from Version 1.0!

Example Usage

Registry keys to delete:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BadKey
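The checks above (HKLM-only paths, either prefix spelling, no driver keys under Services) are easy to get wrong when hand-writing a script, so here is a small linter for the "Registry keys to delete:" section. It is an added example written for this page, not code from The Avenger, and it only inspects the script text: it never touches the registry. The directive name, the two accepted prefixes and the Services rule come from the page; the function names, the "top-level key" heuristic and the sample script (with its constructed Dropper and badsvc keys) are assumptions made here.

```python
"""Lint the "Registry keys to delete:" section of an Avenger script.

Added example for this page, not part of The Avenger. Text-only: it
validates key paths against the rules documented above and does not
read or modify the registry.
"""
from __future__ import annotations

import re

DIRECTIVE = "Registry keys to delete:"
# Both spellings are accepted by The Avenger; keys are normalised to the long form.
ACCEPTED_PREFIXES = ("HKEY_LOCAL_MACHINE\\", "HKLM\\")
# Subkeys of this path are driver/service keys and must go through
# "Drivers to delete:" or "Drivers to disable:" instead.
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"
# A line like "Files to delete:" starts a new directive section.
DIRECTIVE_RE = re.compile(r"^[A-Za-z ]+:$")


def extract_section(script: str, directive: str = DIRECTIVE) -> list[str]:
    """Return the non-empty lines listed under `directive`, stopping at the
    next directive header or the end of the script."""
    keys, active = [], False
    for line in script.splitlines():
        stripped = line.strip()
        if DIRECTIVE_RE.match(stripped):
            active = stripped.lower() == directive.lower()
            continue
        if active and stripped:
            keys.append(stripped)
    return keys


def normalise_key(key: str) -> str | None:
    """Rewrite an accepted prefix (case-insensitive) to HKEY_LOCAL_MACHINE\\
    and drop a trailing backslash; return None for any other hive."""
    upper = key.upper()
    for prefix in ACCEPTED_PREFIXES:
        if upper.startswith(prefix):
            return "HKEY_LOCAL_MACHINE\\" + key[len(prefix):].rstrip("\\")
    return None


def lint_keys(keys: list[str]) -> tuple[list[str], list[tuple[str, str]]]:
    """Return (ok, problems): `ok` is the list of normalised keys that pass
    every check, `problems` is a list of (original key, reason) pairs."""
    ok, problems = [], []
    for key in keys:
        norm = normalise_key(key)
        if norm is None:
            problems.append((key, 'not under HKEY_LOCAL_MACHINE; The Avenger cannot '
                                  'reach other hives at boot. Use "Programs to '
                                  'launch on reboot:" as a workaround.'))
            continue
        if norm.upper().startswith(SERVICES_PREFIX):
            problems.append((key, 'driver/service key; use "Drivers to delete:" '
                                  'or "Drivers to disable:" instead.'))
            continue
        # Heuristic added here, not an Avenger rule: a key directly under the
        # hive (e.g. HKLM\SOFTWARE) is almost certainly critical to Windows.
        if norm.count("\\") < 2:
            problems.append((key, "top-level key; deleting it would almost "
                                  "certainly break Windows (heuristic)."))
            continue
        ok.append(norm)
    return ok, problems


def lint_script(script: str) -> tuple[list[str], list[tuple[str, str]]]:
    """Convenience wrapper: extract the section, then lint it."""
    return lint_keys(extract_section(script))


# Constructed sample script: the first key is the page's own example; the
# Dropper and badsvc keys are placeholders invented for this example.
SAMPLE_SCRIPT = """\
Registry keys to delete:
HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\BadKey
hkey_local_machine\\SOFTWARE\\Example\\Dropper\\
HKLM\\SYSTEM\\CurrentControlSet\\Services\\badsvc
HKCU\\Software\\Example\\Dropper

Programs to launch on reboot:
notepad.exe
"""

if __name__ == "__main__":
    good, bad = lint_script(SAMPLE_SCRIPT)
    for k in good:
        print("OK      ", k)
    for k, why in bad:
        print("PROBLEM ", k, "->", why)
```

Run it over a script before handing the script to The Avenger; anything reported as a PROBLEM should be moved to the directive named in the message or dropped. Because the tool deletes whatever it is given, the linter is deliberately strict: it refuses rather than guesses.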
