• Mystery registry entry in win 8.1

    Home » Forums » AskWoody support » Windows » Windows 8.1 » Questions: Win 8.1 (and Win 8) » Mystery registry entry in win 8.1



    I discovered a service running in Windows 8.1.  It’s ninerealityfyp.exe and called PostWorks.  It’s in the registry and I can’t stop it as a service nor can I delete in from the registry even when running as administrator.  I can find no reference to it at all through search engines.  Does anyone know what it is or how to get rid of it?


    Viewing 4 reply threads
    • #2576721
    • #2576731

      First I suggest you check Control Panel > Programs and Features for a PostWorks entry to see if it exists and can be uninstalled. The reason for this is that Windows will use the highest privileged TrustedInstaller account to manage the removal, including the service.

      If not, whilst you may not be able to stop the service from within the Services console (services.msc), you may still be able to change its Status (i.e. to stop it) and its StartupType (i.e. to disable it) using an elevated PowerShell console.

      1. Right-click on Start and choose Windows PowerShell (Admin).

      2. When the PowerShell console opens, check the service’s Status and DisplayName using this command:


      3. When you’re sure of the service’s Name, use this command:

      Set-Service -Name "SERVICE-NAME" -Status stopped -StartupType disabled

      … substituting SERVICE-NAME for the service’s Name.

      For example:

      Set-Service -Name "PostWorks" -Status stopped -StartupType disabled

      This should both stop the service and set its DWORD Start value to 4, i.e. disabled.

      4. Reboot your device and use Get-Service again to check whether the service is now stopped.

      Note that Microsoft has for a while been adding additional protection within the registry by adding a Security sub-key to an increasing number of services (Windows Update – wuaserve – for example) to prevent amendment and/or deletion. There’s a way around this but try the PowerShell method above first and post the results back.

      Hope this helps…

    • #2576825

      Does anyone know what it is

      One hit I found using the search term “PostWorks” (without the quotes) revealed a game developers’ program by Nvidia that deals with anti-aliasing techniques to make game play look better on the screen.

      Here’s a link directly to that page:


      This begs the question: Was the computer ever used for game development back in the 2014-2017 time frame?

      Along those lines, if the computer was used for gaming (instead of developing games) during the same time frame, perhaps the code for Nvidia’s PostWorks was included with one of the games played on the machine to help the game run better, but was unable to be successfully uninstalled with the rest of the game for the reasons you’ve found recently.

      However, this entire theory is bunk if the machine in question doesn’t have a graphics solution that involves Nvidia in one way or another!  😉

      One thing you could try with the executable file in question is to copy it to a location on the computer where you have full privileges and then submit it to virustotal.com from that location for analysis by up to 60 or 70 different anti-crapware engines to see if one (or more) of them shows it to be a piece of crapware. If so, then promptly proceed with the suggestions put forth by @Rick-Corbett and/or @Alex5723 above.

    • #2576851

      Hi everyone,

      Thanks for your replies. I’m sure they all work and I really appreciate the excellent help. I finally discovered this was a root kit and I did get rid of it using the Kaspersky tsskiller.

      But I’m amased that there is no hint of its existence on the internet (until now). Once again thank you all and look forward to engaging with all of you again.

    • #2576852

      Now you need to run a full scan using a bootable AV provider (https://www.lifewire.com/free-bootable-antivirus-tools-2625785) and then MalwareBytes. Rootkits are powerful voodoo and you may still be infected.

      You also need to backup your data to a new backup location. Don’t use an existing backup location because any malware can affect that data.

      cheers, Paul

    Viewing 4 reply threads
    Reply To: Mystery registry entry in win 8.1

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: