The Avenger

Command Reference

Registry values to replace with dummy:

The "Registry values to replace with dummy:" command directive replaces the registry values listed with "dummy" values (null strings for string values and zeroes for numeric values) and backs up the originals.

How do I use it?

List one target per line: the parent key name, then a pipe (|) symbol, then the registry value name.

Just as with all other registry commands, The Avenger can only replace values under the HKEY_LOCAL_MACHINE hive, because the other hives are not constructed at the point in the boot process when The Avenger executes. To access other hives, use "Programs to launch on reboot:" as a workaround.

When do I use it?

When there are registry values under a subkey of HKEY_LOCAL_MACHINE that you want to clear, but not delete outright. Usually this is because malware has co-opted legitimate values that Windows accesses at boot, and outright deletion will cause a crash or an error in the boot process.

In general "Registry values to replace with dummy:" tends to be more useful than "Registry keys to replace with dummy:".

Anything else I should know?

Please see the caveats for "Registry keys to delete:" or any of the other registry commands.

Any special notes on syntax?

  • Valid registry key paths must begin with either HKEY_LOCAL_MACHINE\ or HKLM\ for short. Either prefix is accepted. No other hives are recognized by The Avenger.
    Note that this is a change from Version 1.0!

Example Usage

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\Software\SomeKey | BadValue
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | System
HKLM\System\CurrentControlSet\Control\Session Manager | BadValue
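
As an added example (not part of The Avenger or its documentation), the following Python script lints a "Registry values to replace with dummy:" block against the syntax rules above (header line, one "key | value" per line, only the HKEY_LOCAL_MACHINE\ or HKLM\ prefix) and dry-runs it against a constructed snapshot of HKLM, so you can see the backup and the resulting dummy values before committing to a reboot. The snapshot contents, the hijacked.dll path and the helper names are constructed for illustration; the script never touches the live registry, and for targets that do not exist in the snapshot it only reports them, since the page does not say how The Avenger itself handles that case.

```python
"""Lint and dry-run an Avenger "Registry values to replace with dummy:" block.

Added example, not part of The Avenger. It enforces the syntax rules stated on
the page (header line, one "key | value" per line, HKLM\\ or
HKEY_LOCAL_MACHINE\\ prefix only) and simulates the directive against a small
constructed registry snapshot so the backup and the dummy values can be
inspected before rebooting.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass

HEADER = "Registry values to replace with dummy:"
HIVE_PREFIXES = ("HKEY_LOCAL_MACHINE\\", "HKLM\\")

# Dummy value per registry type, as the page describes: a null string for
# string values, zero for numeric values.
DUMMY_BY_TYPE = {
    "REG_SZ": "",
    "REG_EXPAND_SZ": "",
    "REG_DWORD": 0,
    "REG_QWORD": 0,
}


@dataclass(frozen=True)
class Target:
    key: str    # parent key, normalised to the HKLM\ form
    value: str  # value name


def normalise_key(key: str) -> str:
    """Accept either HKLM prefix; reject every other hive with the page's workaround."""
    for prefix in HIVE_PREFIXES:
        if key[: len(prefix)].upper() == prefix:
            return "HKLM\\" + key[len(prefix):]
    raise ValueError(
        f"{key!r}: only HKEY_LOCAL_MACHINE is available when The Avenger runs; "
        "use 'Programs to launch on reboot:' for other hives"
    )


def parse_block(text: str) -> list[Target]:
    """Parse the directive block into (key, value) targets, one per line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != HEADER:
        raise ValueError(f"block must begin with {HEADER!r}")
    targets = []
    for ln in lines[1:]:
        if ln.count("|") != 1:
            raise ValueError(f"{ln!r}: expected exactly one '|' between key and value name")
        key, value = (part.strip() for part in ln.split("|"))
        targets.append(Target(normalise_key(key), value))
    return targets


def _lookup(mapping: dict, name: str):
    """Registry names are case-insensitive; return the stored spelling or None."""
    wanted = name.casefold()
    return next((k for k in mapping if k.casefold() == wanted), None)


def dry_run(targets: list[Target], registry: dict):
    """Simulate the directive on a {key: {value: (type, data)}} snapshot.

    Returns (patched_snapshot, backup, missing). The input snapshot is untouched.
    """
    patched = copy.deepcopy(registry)
    backup: dict = {}
    missing: list[Target] = []
    for t in targets:
        key = _lookup(patched, t.key)
        val = _lookup(patched[key], t.value) if key else None
        if key is None or val is None:
            missing.append(t)  # the page does not say what Avenger does here; just report it
            continue
        reg_type, data = patched[key][val]
        if reg_type not in DUMMY_BY_TYPE:
            raise ValueError(f"{t.key}|{val}: no dummy defined for {reg_type}")
        backup.setdefault(key, {})[val] = (reg_type, data)   # keep the original
        patched[key][val] = (reg_type, DUMMY_BY_TYPE[reg_type])
    return patched, backup, missing


# Constructed snapshot standing in for the offline HKLM hive (not real data).
SAMPLE_REGISTRY = {
    "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon": {
        "Shell": ("REG_SZ", "Explorer.exe"),
        "System": ("REG_SZ", "C:\\WINDOWS\\system32\\hijacked.dll"),  # hypothetical co-opted value
    },
    "HKLM\\System\\CurrentControlSet\\Control\\Session Manager": {
        "BadValue": ("REG_DWORD", 1),
    },
}

# The example block from the page.
EXAMPLE_BLOCK = """\
Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\\Software\\SomeKey | BadValue
HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon | System
HKLM\\System\\CurrentControlSet\\Control\\Session Manager | BadValue
"""

if __name__ == "__main__":
    patched, backup, missing = dry_run(parse_block(EXAMPLE_BLOCK), SAMPLE_REGISTRY)
    for key, values in backup.items():
        for name, (reg_type, data) in values.items():
            print(f"backup  {key}|{name} = {reg_type} {data!r} -> {patched[key][name][1]!r}")
    for t in missing:
        print(f"missing {t.key}|{t.value}")
```

Running it on the page's example reports the Winlogon System string going to a null string, the Session Manager DWORD going to 0, and SomeKey\BadValue as missing from the snapshot; a line using HKCU\ is rejected at parse time with the "Programs to launch on reboot:" hint rather than silently being ignored at boot.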

