Another idea
Are you sure that you don't have any call to CreateProcess?
During the execution of the "original" proggy, some funny guys create a .exe in \TEMP (for example) that does the job, so....
Maybe use FileMon to verify?
To be sure of the win32 API used to check the registry, do you use RegMon?
No, I do not work for SysInternals :-)
Maybe it will be a good idea to NOT BreakPoint at the beginning of the Reg* API but at 3 or 4 ASM instructions after, due to some stolen bytes by some proggy :-) YES, some proggy do not go at the beginning but step ahead. The beginning is always the same boring: push ebp; mov ebp, esp; ....
Have fun!
Last edited by LaDidi; 02-17-2005 at 15:27.
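The post's advice is to put the breakpoint a few instructions past the Reg* entry point, because the entry bytes are the stereotyped prologue and a program may jump over them. The following is an added example (not code from the thread) that shows, from the analyst's side, how to compute that "past the prologue" address from the bytes at a function entry, and how to notice when the entry byte has already been overwritten by an INT3 or a JMP. It matches two well-known x86 prologue shapes: the plain `push ebp; mov ebp, esp` (`55 8B EC`) and the hotpatchable `mov edi, edi; push ebp; mov ebp, esp` (`8B FF 55 8B EC`) used by many Windows system DLLs. The byte buffers and the entry address are constructed placeholders, not values taken from any real binary.

```c
#include <stddef.h>
#include <stdio.h>

/* Recognised prologue shapes (well-known x86 encodings):
 *   55 8B EC          push ebp; mov ebp, esp
 *   8B FF 55 8B EC    mov edi, edi; push ebp; mov ebp, esp  (hotpatchable)
 */
static const unsigned char PROLOGUE_PLAIN[]    = { 0x55, 0x8B, 0xEC };
static const unsigned char PROLOGUE_HOTPATCH[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

static int starts_with(const unsigned char *code, size_t len,
                       const unsigned char *pat, size_t patlen)
{
    if (len < patlen) return 0;
    for (size_t i = 0; i < patlen; i++)
        if (code[i] != pat[i]) return 0;
    return 1;
}

/* Length in bytes of the standard prologue at the start of `code`,
 * or 0 if the bytes are not a prologue we recognise. */
size_t prologue_length(const unsigned char *code, size_t len)
{
    if (starts_with(code, len, PROLOGUE_HOTPATCH, sizeof PROLOGUE_HOTPATCH))
        return sizeof PROLOGUE_HOTPATCH;
    if (starts_with(code, len, PROLOGUE_PLAIN, sizeof PROLOGUE_PLAIN))
        return sizeof PROLOGUE_PLAIN;
    return 0;
}

/* Non-zero if the entry byte has already been replaced by something a
 * debugger or hook plants there: INT3 (0xCC) or JMP rel32 (0xE9). */
int entry_is_patched(const unsigned char *code, size_t len)
{
    return len > 0 && (code[0] == 0xCC || code[0] == 0xE9);
}

/* Address for the "past the prologue" breakpoint: entry + prologue length.
 * Returns 0 if no prologue was recognised, so the caller inspects the
 * disassembly by hand instead of guessing an offset. */
unsigned long breakpoint_after_prologue(unsigned long entry,
                                        const unsigned char *code, size_t len)
{
    size_t n = prologue_length(code, len);
    return n ? entry + n : 0;
}

int main(void)
{
    /* Constructed sample: hotpatch prologue followed by "sub esp, 0x10". */
    const unsigned char api_bytes[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    /* Constructed sample: entry already overwritten by a jmp rel32. */
    const unsigned char hooked[]    = { 0xE9, 0x00, 0x10, 0x00, 0x00, 0x8B, 0xEC };
    unsigned long entry = 0x77E12340UL; /* placeholder address, not a real export */

    printf("prologue length: %zu\n", prologue_length(api_bytes, sizeof api_bytes));
    printf("breakpoint at: 0x%lX\n",
           breakpoint_after_prologue(entry, api_bytes, sizeof api_bytes));
    printf("hooked entry patched: %d\n", entry_is_patched(hooked, sizeof hooked));
    return 0;
}
```

In practice the bytes would be read from the loaded DLL's export address in the debugger; the point of checking for an INT3 or JMP first is that a patched entry means the prologue you expect is no longer there, and the offset the post suggests would land in the middle of whatever was written over it.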