The Avenger

Command Reference

Registry keys to replace with dummy:

The "Registry keys to replace with dummy:" command directive replaces all values under the registry keys listed, recursively, with "dummy" values (null strings for string values and zeroes for numeric values), and backs up the originals.

How do I use it?

The Avenger can only replace keys under the HKEY_LOCAL_MACHINE hive, because the other hives are not constructed at the point in the boot process when The Avenger executes. To access other hives, use "Programs to launch on reboot:" as a workaround.

When do I use it?

When there are malicious registry keys under HKEY_LOCAL_MACHINE that you want to remove, but that you do not want to delete outright. Usually this is because the operating system is accessing the malware keys at boot, and outright deletion will cause a crash or an error in the boot process.

Anything else I should know?

Yes, the same caveats as for "Registry keys to delete:".

Any special notes on syntax?

  • Valid registry key paths must begin with either HKEY_LOCAL_MACHINE\ or HKLM\ for short. Either prefix is accepted. No other hives are recognized by The Avenger.
    Note that this is a change from Version 1.0!

Example Usage

Registry keys to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\BadKey
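The directive above runs inside The Avenger's boot-time script, but the same operation can be reproduced from an elevated PowerShell session for analysis or as a fallback. The script below is an added example, not The Avenger's own code: it backs the key up with reg.exe export, then walks the key and all subkeys and overwrites each value with a dummy of the same kind (an empty string for string values, zero for DWORD/QWORD values). The key path and backup file name are placeholders; binary and other value kinds are skipped with a warning, which is an assumption on my part since the page only describes string and numeric values.

```powershell
# Added example (not The Avenger's own code): emulate "Registry keys to
# replace with dummy:" from an elevated PowerShell session.
# Assumes an administrative session; $KeyPath and $BackupFile are placeholders.
param(
    [string]$KeyPath    = 'HKLM\Software\Example\BadKey',       # placeholder key
    [string]$BackupFile = "$env:TEMP\BadKey-backup.reg"          # placeholder backup
)

# Accept the same two prefixes the directive does and refuse any other hive.
if ($KeyPath -notmatch '^(HKLM|HKEY_LOCAL_MACHINE)\\') {
    throw "Only keys under HKEY_LOCAL_MACHINE are handled: $KeyPath"
}
$regPath = $KeyPath -replace '^(HKLM|HKEY_LOCAL_MACHINE)\\', 'HKLM:\'

if (-not (Test-Path -LiteralPath $regPath)) {
    throw "Key not found: $KeyPath"
}

# 1. Back up the originals first so the change can be reversed with 'reg import'.
& reg.exe export $KeyPath $BackupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $KeyPath failed; nothing was changed." }

# 2. Walk the key itself plus every subkey beneath it.
$keys = @(Get-Item -LiteralPath $regPath) +
        @(Get-ChildItem -LiteralPath $regPath -Recurse)

foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)

        # Pick a dummy of the same kind: null string for strings, zero for numbers.
        $dummy = $null
        switch ("$kind") {
            'String'       { $dummy = '' }
            'ExpandString' { $dummy = '' }
            'MultiString'  { $dummy = [string[]]@('') }
            'DWord'        { $dummy = 0 }
            'QWord'        { $dummy = 0 }
            default        { }
        }
        if ($null -eq $dummy) {
            # Assumption: the page describes only string and numeric values,
            # so other kinds (e.g. Binary) are left alone and reported.
            Write-Warning "Skipping $($key.Name)\$name (kind: $kind)"
            continue
        }

        # GetValueNames() reports the default value as '', the provider calls it '(default)'.
        $propName = if ($name -eq '') { '(default)' } else { $name }
        Set-ItemProperty -LiteralPath $key.PSPath -Name $propName -Value $dummy -Type $kind
        Write-Verbose "Replaced $($key.Name)\$propName with dummy ($kind)"
    }
}

Write-Output "Values under $KeyPath replaced with dummies; backup at $BackupFile"
# To undo:  reg.exe import $BackupFile
```

Because this runs after Windows has loaded the hives, it does not give the one advantage the boot-time directive has: a key that the operating system holds open or rewrites during boot may be reset before you can act on it. Use it to confirm what the directive will touch, or to recover from the backup, rather than as a replacement for the boot-time step.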
