in regedt32.exe,I delete a key ,then the deleted key recovery automatic,i
delete it repeat ,it revovery automatic ...
how can this happen ? how can i delete it ?

longying wrote:
> in regedt32.exe,I delete a key ,then the deleted key recovery automatic,i
> delete it repeat ,it revovery automatic ...
> how can this happen ? how can i delete it ?

What is the name of the key? How does it "automatically recover"?
Immediately when you delete it, while still in Regedt32? When you
restart Regedt32? When you reboot the computer? What, if any, message
do you get when you delete the key? My guess is that the key reappers
because of something in your run keys, or something that runs and
recreates the key when the pc reboots.

John

I export the key from regedit:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gqtilo67]
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,
00,\

52,00,49,00,56,00,45,00,52,00,53,00,5c,00,67,00,71,00,74,00,69,00,6c,00,6f,\
00,36,00,37,00,2e,00,73,00,79,00,73,00,00,00
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"DisplayName"="gqtilo67"
"Group"="System Bus Extender"
"Start"=dword:00000000

the "automatically recover " means when I delete it, it recover Immediately
it seems that the key can not be deleted.
is there any tip can set some key in registry can not be changed?

longying wrote:

> I export the key from regedit:
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gqtilo67]
> "ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,
> 00,\
>
> 52,00,49,00,56,00,45,00,52,00,53,00,5c,00,67,00,71,00,74,00,69,00,6c,00,6f,\
> 00,36,00,37,00,2e,00,73,00,79,00,73,00,00,00
> "Type"=dword:00000001
> "ErrorControl"=dword:00000001
> "DisplayName"="gqtilo67"
> "Group"="System Bus Extender"
> "Start"=dword:00000000
>
> the "automatically recover " means when I delete it, it recover Immediately
> it seems that the key can not be deleted.
> is there any tip can set some key in registry can not be changed?

Hmmmm...... Whatever gqtilo67 is it seems to be a well garded secret!
That it's in the "System Bus Extender" group makes me wonder if it
should be removed or disabled. Did you try removing the key in Safe
Mode? There is a driver associated with it that is started, try finding
it and see if it can be shut down before you try to delete the key.

Or you can set the "Start"=dword:00000000 value to 4 (disabled) and
reboot the computer and see if it can then be deleted. Be careful! Not
really knowing what this thing is, disabling the service may prevent the
computer from booting! As it is now it's started as a boot startup type
device/service. If the computer refuses to boot remember to try Last
Known Good Configuration and keep your Windows 2000 cd handy, you might
need to use the Recovery Console if it needs to be restarted again.

John

I can not set the "Start"=dword:00000000 value to 4 (disabled),
after i set the value, it recover Immediately

"There is a driver associated with it that is started,try finding it and
see if it can be shut down "
I can not find the driver,how can i find it ?

This tool may help.

http://www.microsoft.com/technet/sys...yActivity.mspx

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"longying" wrote:
>I can not set the "Start"=dword:00000000 value to 4 (disabled),
> after i set the value, it recover Immediately
>
> "There is a driver associated with it that is started,try finding it and
> see if it can be shut down "
> I can not find the driver,how can i find it ?
>
>
>

In addition to Dave's suggestion you can also try using the Recovery
Console's DISABLE command.

Description of the Windows 2000 Recovery Console
http://support.microsoft.com/kb/229716/

Did you run a complete virus and spyware/malware scan on the computer?
Services with names that yeild no results on internet searches are often
associated with virus or malware.

John

longying wrote:
> I can not set the "Start"=dword:00000000 value to 4 (disabled),
> after i set the value, it recover Immediately
>
> "There is a driver associated with it that is started,try finding it and
> see if it can be shut down "
> I can not find the driver,how can i find it ?
>
>
>

I have run into spyware that causes this problem. I usually change the
permission on the key so that no-one has access to the data in the key.

I had a case where no program could get rid of this type of spyware and it
would always rewrite itself into the "Run" key and spawn 3 versions of
itself to continually monitor the registry and memory. I denied all access
to the Run key, rebooted, deleted the virus files, and then restored the Run
key security by taking ownership of the key.


"Dave Patrick" <(E-Mail Removed)> wrote in message
news:0EE62939-A73F-467F-9266-(E-Mail Removed)...
> This tool may help.
>
> http://www.microsoft.com/technet/sys...yActivity.mspx
>
> --
>
> Regards,
>
> Dave Patrick ....Please no email replies - reply in newsgroup.
> Microsoft Certified Professional
> Microsoft MVP [Windows]
> http://www.microsoft.com/protect
>
> "longying" wrote:
>>I can not set the "Start"=dword:00000000 value to 4 (disabled),
>> after i set the value, it recover Immediately
>>
>> "There is a driver associated with it that is started,try finding it and
>> see if it can be shut down "
>> I can not find the driver,how can i find it ?
>>
>>
>>
>