• Mystery registry entry in win 8.1


    #2576701

    Hi,

    I discovered a service running in Windows 8.1.  It’s ninerealityfyp.exe and called PostWorks.  It’s in the registry and I can’t stop it as a service, nor can I delete it from the registry even when running as administrator.  I can find no reference to it at all through search engines.  Does anyone know what it is or how to get rid of it?

    Thanks

    • #2576721
    • #2576731

      First I suggest you check Control Panel > Programs and Features for a PostWorks entry to see if it exists and can be uninstalled. The reason for this is that Windows will use the highest privileged TrustedInstaller account to manage the removal, including the service.

      If not, whilst you may not be able to stop the service from within the Services console (services.msc), you may still be able to change its Status (i.e. to stop it) and its StartupType (i.e. to disable it) using an elevated PowerShell console.

      1. Right-click on Start and choose Windows PowerShell (Admin).

      2. When the PowerShell console opens, check the service’s Status and DisplayName using this command:

      Get-Service

      3. When you’re sure of the service’s Name, use this command:

      Set-Service -Name "SERVICE-NAME" -Status stopped -StartupType disabled

      … substituting SERVICE-NAME for the service’s Name.

      For example:

      Set-Service -Name "PostWorks" -Status stopped -StartupType disabled

      This should both stop the service and set its DWORD Start value to 4, i.e. disabled.

      4. Reboot your device and use Get-Service again to check whether the service is now stopped.

      Note that Microsoft has for a while been adding additional protection within the registry by adding a Security sub-key to an increasing number of services (Windows Update – wuauserv – for example) to prevent amendment and/or deletion. There’s a way around this, but try the PowerShell method above first and post the results back.

      Hope this helps…

    • #2576825

      Does anyone know what it is

      One hit I found using the search term “PostWorks” (without the quotes) revealed a game developers’ program by Nvidia that deals with anti-aliasing techniques to make game play look better on the screen.

      Here’s a link directly to that page:

      https://developer.nvidia.com/postworks

      This begs the question: Was the computer ever used for game development back in the 2014-2017 time frame?

      Along those lines, if the computer was used for gaming (instead of developing games) during the same time frame, perhaps the code for Nvidia’s PostWorks was included with one of the games played on the machine to help the game run better, but was unable to be successfully uninstalled with the rest of the game for the reasons you’ve found recently.

      However, this entire theory is bunk if the machine in question doesn’t have a graphics solution that involves Nvidia in one way or another!  😉

      One thing you could try with the executable file in question is to copy it to a location on the computer where you have full privileges and then submit it to virustotal.com from that location for analysis by up to 60 or 70 different anti-crapware engines to see if one (or more) of them shows it to be a piece of crapware. If so, then promptly proceed with the suggestions put forth by @Rick-Corbett and/or @Alex5723 above.
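      The two replies above describe the same inspection by hand: reading the service's registry definition (its ImagePath, Start DWORD and any Security sub-key) before disabling it, and getting the binary to VirusTotal. The script below is an added example, not code from either poster; it assumes the service Name is PostWorks (substitute whatever Get-Service reports) and hashes the binary in place so the hash can be looked up on VirusTotal without copying the file.

```powershell
# Added example (not from the thread): inspect a service's registry definition
# and image before stopping/disabling it. Run from an elevated PowerShell console.
param([string]$ServiceName = 'PostWorks')   # assumed name; take the real one from Get-Service

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) { Write-Warning "No service key at $key"; return }

$props = Get-ItemProperty -Path $key
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Summarise what the registry says about the service, including the Security
# sub-key that blocks edits/deletion and who owns the key.
[PSCustomObject]@{
    Service        = $ServiceName
    DisplayName    = $props.DisplayName
    ImagePath      = $props.ImagePath
    Start          = "$($props.Start) ($($startNames[[int]$props.Start]))"
    HasSecurityKey = Test-Path "$key\Security"
    KeyOwner       = (Get-Acl -Path $key).Owner
} | Format-List

# Resolve the executable from ImagePath. Simple heuristic: a quoted path is taken
# whole, otherwise everything up to the first space (arguments such as -k are dropped).
$image = [Environment]::ExpandEnvironmentVariables([string]$props.ImagePath)
if ($image -match '^"([^"]+)"') { $image = $Matches[1] } else { $image = ($image -split ' ')[0] }

if (Test-Path -LiteralPath $image) {
    # SHA-256 is what VirusTotal indexes; the signature tells you whether a real vendor signed it.
    Get-FileHash -Algorithm SHA256 -LiteralPath $image | Select-Object Hash, Path
    $sig = Get-AuthenticodeSignature -FilePath $image
    "Signature: $($sig.Status) $($sig.SignerCertificate.Subject)"
} else {
    # A service whose binary is not visible on disk is a classic sign of a hidden/rootkit file.
    Write-Warning "Image not found on disk: $image"
}

# Once you have decided it is unwanted, this is the step from the earlier reply:
# Set-Service -Name $ServiceName -Status Stopped -StartupType Disabled
```

      Search the printed SHA-256 on virustotal.com; if the file is already known, that avoids uploading it at all.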

    • #2576851

      Hi everyone,

      Thanks for your replies. I’m sure they all work and I really appreciate the excellent help. I finally discovered this was a rootkit and I did get rid of it using the Kaspersky TDSSKiller.

      But I’m amazed that there is no hint of its existence on the internet (until now). Once again thank you all, and I look forward to engaging with all of you again.

    • #2576852

      Now you need to run a full scan using a bootable AV provider (https://www.lifewire.com/free-bootable-antivirus-tools-2625785) and then MalwareBytes. Rootkits are powerful voodoo and you may still be infected.

      You also need to back up your data to a new backup location. Don’t use an existing backup location, because any malware can affect that data.

      cheers, Paul
