Anti-Virus Annulment

Spear those dead, useless registry keys and values with Reg.exe after a Norton Antivirus failure.

Bill: Occasionally, Norton Antivirus will get corrupted and we have to uninstall it. It usually fails to uninstall, so we have to spend 30-40 minutes (per computer) running through the registry searching and deleting entries, per Symantec Doc ID 2002081213583048.

Can we script this procedure somehow? If so, how hard would it be?
—Mike

Mike: The Symantec document you refer to specifies the Registry keys that must be deleted to remove the Norton Antivirus entries. Armed with this detailed information, automating the changes is not too difficult.

In the Windows 2000 Support Tools is a command-line utility, Reg.exe, that simplifies adding, changing, or removing keys and values from the Registry of a local or remote machine as long as you have sufficient admin privileges. (Windows XP and Windows Server 2003 include Reg.exe in the standard OS installation.)

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:boswell@101com.com; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

The syntax for using Reg to remove one of the keys in the Symantec document is:

reg delete hklm\System\
CurrentControlSet\Services\
NAVENG /f

The /f switch forces the deletion to proceed without a yes/no prompt; all subkeys and values are deleted as well.

If you want to perform this operation across the network, all you need to do is preface the key name with the UNC name of the desktop:

reg delete \\xp-pro1\hklm\
System\CurrentControlSet\
Services\NAVENG /f

You can create a batch file with a series of Reg commands to clean out all the Registry entries in the Symantec document. Replace the computer name with a %1 placeholder in each Reg entry so you can specify the target machine on the command line of the batch file:

reg delete \\%1\hklm\System\CurrentControlSet\Services\
NAVENG /f

If you're not fortunate enough to have a document that lists the Registry entries, you can use a tool call Regmon from Sysinternal (http://www.sysinternals.com) to identify the Registry entries added during installation and initial configuration. Using Regmon effectively takes a little practice; it gives you more information than you need unless you set the filters correctly.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

comments powered by Disqus

Reader Comments:

Sun, May 21, 2006 Anonymous Anonymous

i just install pc-cillin on the machine and then uninstall it. it removes all the 'unremovable' symantec antivirus stuff. if you want you don't have to uninstall pc-cillin after it removes symantec. it prompts you during the install once it detects installation and or remnants of the norton/symantec. i've been removing both norton and mcaffee (not pronounced macaffey) for over 20 years. it's the first thing i do when i find them on troubled machines. to me they are both viruses in their own right.

Sun, Aug 7, 2005 JAPHspam hacker

I just like spam! I'm collocting junk email...

Wed, Jan 21, 2004 Anonymous Anonymous

Why not use a GPO? You can customize registry keys and define the permissions for each key. Your 1000 machines could be done at the next logon!!

Tue, Jan 13, 2004 Anonymous Anonymous

Very formal and precise

Wed, Jan 7, 2004 Lonnie Anonymous

I've used the RNAV2003.exe from Symantec to successfully remove the 2003 version. I think it prompted me for various versions that you could probably script but it removed it cleanly.

Wed, Jan 7, 2004 Kevin Anonymous

The real challenge with automating the NAV removal is to "search and destroy" all occurances of two different strings. Does reg.exe support wild cards or would this task be better suited to the regini.exe tool located on the 2000 server resource kit?

Wed, Jan 7, 2004 Henry Anonymous

Don't buy Norton Anti-Virus. They, like others in the computer business have gotten money hungry with Ghost and PC Anywhere and other programs and do not dedicate the needed resources to Anti-Virus. Buy from a company that only does Anti-Virus like Panda and you will not have that problem. The only problem I have had with Panda was with Tape Backups and their support told me how to solve that and it has been troublefree for 5 years. Even when NIMDA killed systems running Norton, I just smiled because Panda's research department is in Spain a few hours ahead of us and their automatic updates protected our systems while myself and the people at Norton were at home asleep.

Wed, Jan 7, 2004 Ken Anonymous

Don't uninstall next time, just do a PUSH install from the SAV server and it will solve your problem

Tue, Jan 6, 2004 mailpete405 Anonymous

While Bill's column was very accurate, I would suggest trying to discover why the Symantec software "gets corrupted" and why it "usually failes to uninstall". Symantec is a high quality product which I have run on hundreds of systems for years with almost no problems at all. My expectation is that if this is happening often enough to require scripting, there is some root cause which you can identify. I'd research this one in depth to make sure nothing nefarious is going on and contact Symantec if I was unable to determine what is going on. I've come to expect my buggy software from MS, not Symantec.

Tue, Jan 6, 2004 Bob Fuller Anonymous

REG.EXE is an invaluable tool for editing via batch files. The restriction to HKU and HKLM when running REG.EXE against a remote registry, even with Local Admin credentials, is annoying. Any ways around this?

Tue, Jan 6, 2004 Darrin Eaton San Diego, CA

Does anyone know of a way to set NTFS permissions to registry keys from the comnmand line? I have a few evil legacy apps that assume users have admin rights and will not run until you grant them permissions to their registry keys. With 1000 machines, that becomes a bit tedious.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.