Boswell's Q&A
Anti-Virus Annulment
Spear those dead, useless registry keys and values with Reg.exe after a Norton Antivirus failure.
- By Bill Boswell
- 01/06/2003
Bill: Occasionally, Norton Antivirus will get
corrupted and we have to uninstall it. It usually fails to uninstall,
so we have to spend 30-40 minutes (per computer) running through the registry
searching and deleting entries, per Symantec Doc ID 2002081213583048.
Can we script this procedure somehow? If so, how hard would it be?
—Mike
Mike: The Symantec document you refer to specifies the
Registry keys that must be deleted to remove the Norton Antivirus entries.
Armed with this detailed information, automating the changes is not too
difficult.
In the Windows 2000 Support Tools is a command-line utility, Reg.exe,
that simplifies adding, changing, or removing keys and values from the
Registry of a local or remote machine as long as you have sufficient admin
privileges. (Windows XP and Windows Server 2003 include Reg.exe in the
standard OS installation.)
The syntax for using Reg to remove one of the keys in the Symantec document
is:
reg delete hklm\System\CurrentControlSet\Services\NAVENG /f
The /f switch forces the deletion to proceed without a yes/no prompt;
all subkeys and values are deleted as well.
If you want to perform this operation across the network, all you need
to do is preface the key name with the UNC name of the desktop:
reg delete \\xp-pro1\hklm\System\CurrentControlSet\Services\NAVENG /f
You can create a batch file with a series of Reg commands to clean out
all the Registry entries in the Symantec document. Replace the computer
name with a %1 placeholder in each Reg entry so you can specify the target
machine on the command line of the batch file:
reg delete \\%1\hklm\System\CurrentControlSet\Services\NAVENG /f
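A fuller version of such a batch file, as an added example that is not from the original column or from Symantec. The script name, the /commit switch and the log file are assumptions; only the NAVENG key named in this column is filled in, and the remaining keys must be copied from the Symantec document.

```batch
@echo off
rem navclean.cmd (hypothetical name)
rem Usage: navclean.cmd COMPUTERNAME [/commit]
rem Without /commit the script only logs which keys exist (dry run).
setlocal enableextensions enabledelayedexpansion

if "%~1"=="" (
    echo Usage: %~nx0 COMPUTERNAME [/commit]
    exit /b 1
)
set "TARGET=%~1"
set "MODE=dryrun"
if /i "%~2"=="/commit" set "MODE=commit"
set "LOG=%~dp0navclean-%TARGET%.log"

rem Only NAVENG appears in the column. Add one "call :clean" line per
rem key listed in the Symantec document. Remote targets accept only
rem the HKLM and HKU root keys.
call :clean "hklm\System\CurrentControlSet\Services\NAVENG"

echo Finished in %MODE% mode. Results are in "%LOG%"
exit /b 0

:clean
rem KEY is read with delayed expansion so odd characters in a key
rem name cannot break the parenthesized blocks below.
set "KEY=%~1"
rem reg query returns non-zero if the key is absent or the machine
rem cannot be reached, so nothing is deleted blindly.
reg query "\\%TARGET%\!KEY!" >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% SKIPPED !KEY!
    goto :eof
)
if "%MODE%"=="dryrun" (
    >>"%LOG%" echo %DATE% %TIME% FOUND   !KEY!
    goto :eof
)
rem /f suppresses the yes/no prompt; subkeys and values go as well.
reg delete "\\%TARGET%\!KEY!" /f >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% FAILED  !KEY!
) else (
    >>"%LOG%" echo %DATE% %TIME% DELETED !KEY!
)
goto :eof
```

Run it once without /commit and review the log before repeating the command with /commit, since Reg.exe deletions cannot be undone.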
If you're not fortunate enough to have a document that lists the Registry
entries, you can use a tool called Regmon from Sysinternals (http://www.sysinternals.com)
to identify the Registry entries added during installation and initial
configuration. Using Regmon effectively takes a little practice; it gives
you more information than you need unless you set the filters correctly.
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.