Hi, people

I have some trouble: I wanna create auto-deletion of my native-mode application. I need to force saving registry keys onto disk.
The program does the following (1st stage):
1. Open registry key with NtOpenKey \Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager ... success!
2. Read autorun member in registry with NtQueryValueKey. Here I can get the full path to my executable (saved previously by installer); ... success, I got the wanted string!!!
3. Clear autorun member in registry with NtSetValueKey. It works, the member clears (I saw it when decomment NtInitiatePowerAction function). But after the system has restarted my application starts again!!! It mustn't be. ... But the member really clears, so success.
4. I found the NtFlushKey function, it forcibly saves registry data onto disk. Here I use it. But it doesn't work. Why??? I wanna know ... but the function also returns success.
5. Create PendingFileRenameOperations member in registry with NtSetValueKey function. It works, this member is also created. ... success!
6. Using NtFlushKey function again. All the same as at 4th.
7. Close the registry handle with NtClose ... success!
8. Get Se_Shutdown_Name privilege with RtlAdjustPrivilege. It's all right. ... success!
9. Get the system restarted with NtInitiatePowerAction. It works too. ... success!
Everything looks all right, but...
Second stage:
1. By the idea, the system after restart must delete my application following the PendingFileRenameOperations member. This member is written correctly, I tested it created by hand. But as I see, it doesn't work because my application starts!!! WTH? As I suppose, the registry doesn't save its files onto disk and all my previous changes are undone. My question is: how can I force saving the registry?? As I see, NtFlushKey doesn't help.... Can you help me to resolve it?
2. Windows must show the user logon screen... Here, my program must be deleted. But, no.
This part of the code:
invoke RtlInitUnicodeString, string, RegSessionManager
xor ebx, ebx
push ebx
push ebx
push OBJ_CASE_INSENSITIVE
push string
push ObjectAttributes
call InitializeObjectAttributes
invoke NtOpenKey, tmp, KEY_ALL_ACCESS, ObjectAttributes
invoke RtlInitUnicodeString, string, BootExecute
; Get module file name
mov dword [BufferA], 512
invoke NtQueryValueKey, [tmp], string, KeyValuePartialInformation, BufferA + 512 - (4 * 3), 512 - (4 * 3), BufferA
; Delete autorun member in registry
invoke NtSetValueKey, [tmp], string, 0, REG_MULTI_SZ, dwZero, 1
invoke NtFlushKey, [tmp] ; Force the registry write to disk
; Delete itself (name found in the registry boot key)
invoke RtlDosPathNameToNtPathName_U, BufferA + 512, BufferA, 0, 0
invoke RtlInitUnicodeString, tmpstring, PendingFileRenameOperations
mov ecx, dword [BufferA + 4]
.GettingStrSize:
inc ecx
inc ecx
cmp word [ecx], 0
jne .GettingStrSize
mov edx, dword [BufferA + 4]
sub ecx, edx
add ecx, 6
mov word [edx + ecx - 6], 00h
mov word [edx + ecx - 4], 00h
mov word [edx + ecx - 2], 00h
invoke NtSetValueKey, [tmp], tmpstring, 0, REG_MULTI_SZ, edx, ecx
invoke NtFlushKey, [tmp] ; Force the registry write to disk
invoke NtClose, [tmp]
; Restart the computer
invoke RtlAdjustPrivilege, 19, 1, 0, tmp
invoke NtInitiatePowerAction, 5, 1, 0, 0
Data sections:
OBJ_CASE_INSENSITIVE = 64
KeyValuePartialInformation = 00000002h
RegSessionManager du '\Registry\Machine\SYSTEM\CurrentControlSet\Control\Session Manager', 0
BootExecute du 'BootExecute', 0
PendingFileRenameOperations du 'PendingFileRenameOperations', 0
section '.data' data readable writeable
struct OBJECT_ATTRIBUTES
Length dd ? ;ULONG Length;
RootDirectory dd ? ;HANDLE RootDirectory;
ObjectName dd ? ;PUNICODE_STRING ObjectName;
Attributes dd ? ;ULONG Attributes;
SecurityDescriptor dd ? ;PVOID SecurityDescriptor;
SecurityQualityOfService dd ? ;PVOID SecurityQualityOfService;
ends
ObjectAttributes OBJECT_ATTRIBUTES
BufferA db 1024 dup (?)
tmp dd ?
string dd 4 dup (?)
tmpstring dd 4 dup (?)
dwZero dd 6 dup (?)
I tested the code shown above: I exchanged the native FASM directive for GUI and debugged it with OllyDbg. There I made sure that the code is working. The trouble is in the registry. As I say above, the registry doesn't save itself onto disk, I restart the system, and I get that trouble... Can u help me?
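
For anyone reviewing a machine for this kind of boot-time registration, the two Session Manager values named in this thread (BootExecute and PendingFileRenameOperations) can be audited offline from their raw REG_MULTI_SZ bytes. This is an added example, not part of the original post; the sample byte strings and the name sample_native are constructed, and treating `autocheck autochk *` as the expected BootExecute content is an assumption about a stock install.

```python
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"  # assumed stock BootExecute entry

def _decode(raw):
    # Value data may have an odd byte count (the post writes 1 byte); drop the stray byte.
    return raw[: len(raw) // 2 * 2].decode("utf-16-le", errors="replace")

def parse_multi_sz(raw):
    """Ordinary REG_MULTI_SZ: NUL-separated strings; empty strings carry no meaning."""
    return [s for s in _decode(raw).split("\x00") if s]

def parse_pending_renames(raw):
    """PendingFileRenameOperations holds (source, destination) pairs. An empty
    destination means 'delete source at next boot', so empties must be kept."""
    parts = _decode(raw).split("\x00")
    for _ in range(2):  # drop the split artifact, then the list terminator
        if parts and parts[-1] == "":
            parts.pop()
    if len(parts) % 2:  # tolerate a writer that left out the empty destination
        parts.append("")
    return [(parts[i], parts[i + 1]) for i in range(0, len(parts), 2)]

def audit(boot_raw, pending_raw):
    """Return (finding, detail) tuples for review; these are leads, not verdicts."""
    findings = []
    entries = parse_multi_sz(boot_raw)
    if DEFAULT_BOOT_EXECUTE not in (e.lower() for e in entries):
        findings.append(("boot_execute_default_missing", ""))
    findings += [("boot_execute_extra_entry", e) for e in entries
                 if e.lower() != DEFAULT_BOOT_EXECUTE]
    for src, dst in parse_pending_renames(pending_raw):
        if src.lower().endswith((".exe", ".dll", ".sys")):
            findings.append(("pending_replace" if dst else "pending_delete", src))
    return findings

def multi_sz(*strings):
    """Build constructed sample data in REG_MULTI_SZ layout."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")

# Constructed samples: a registered native image, the cleared value, a queued delete.
SAMPLE_PATH = "\\??\\C:\\Windows\\System32\\sample_native.exe"
BOOT_INSTALLED = multi_sz(DEFAULT_BOOT_EXECUTE, "sample_native")
BOOT_CLEARED = b"\x00"
PENDING_DELETE = multi_sz(SAMPLE_PATH, "")

if __name__ == "__main__":
    for name, boot, pending in [("installed", BOOT_INSTALLED, b""),
                                ("after self-removal", BOOT_CLEARED, PENDING_DELETE)]:
        print(name, audit(boot, pending))
```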