Windows Defender Context Menu Removed

Sigma Rules

Summary
This rule detects removal of the Windows Defender context menu entry via `reg.exe` or PowerShell. It looks for the deletion of the registry keys that register the "Scan with Microsoft Defender" context menu handler, which supplies the right-click entry for files, folders and drives on Windows. Removing the handler is a defense evasion step: it does not turn off real-time protection or scheduled scans, but it takes away the manual, on-demand scan that a user or analyst would otherwise trigger from Explorer, reducing the chance that a suspicious file is checked by hand. The detection uses process creation logs and fires when `powershell.exe`, `pwsh.exe` or `reg.exe` is started with a command line that deletes the registry paths of Defender's context menu handler. The rule is experimental: deployment, debloating or hardening scripts that deliberately strip the context menu entry will trigger it, so baseline those sources before alerting on it.
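The following Python is an added example of the detection logic the summary describes; it is not the rule's Sigma source and not code from the page. The summary does not name the registry keys, so the example assumes the "Scan with Microsoft Defender" handler's keys, the `EPP` shell extension under `HKCR\*`, `HKCR\Directory` and `HKCR\Drive`. The process-creation events are constructed for the example and include a `reg query` and a `Get-ItemProperty` read so that the query-versus-delete distinction is visible.

```python
import re
from dataclasses import dataclass

# Process images the rule scopes to (per the summary). Matched as suffixes so any
# install path works.
SUSPECT_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\reg.exe")

# Assumed registry locations of the "Scan with Microsoft Defender" handler (shell
# extension "EPP"). The hive prefix is left off so HKCR\..., HKEY_CLASSES_ROOT\...
# and PowerShell's Registry::HKEY_CLASSES_ROOT\... all match as substrings.
CONTEXT_MENU_KEYS = (
    r"\*\shellex\ContextMenuHandlers\EPP",
    r"\Directory\shellex\ContextMenuHandlers\EPP",
    r"\Drive\shellex\ContextMenuHandlers\EPP",
)

# Deletion verbs: "reg delete" for reg.exe, Remove-Item and its aliases for PowerShell.
REG_DELETE = re.compile(r"\bdelete\b", re.IGNORECASE)
PS_DELETE = re.compile(r"\b(?:Remove-Item|ri|rm|rmdir|rd|del|erase)\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    event_id: int
    image: str
    command_line: str


def is_context_menu_removal(ev: ProcessEvent) -> bool:
    """True when a scoped image deletes one of Defender's context menu handler keys."""
    image = ev.image.lower()
    if not image.endswith(SUSPECT_IMAGES):
        return False
    cmd_lower = ev.command_line.lower()
    if not any(key.lower() in cmd_lower for key in CONTEXT_MENU_KEYS):
        return False
    # A read (reg query, Get-ItemProperty) of the same key is not a removal.
    verb = REG_DELETE if image.endswith("\\reg.exe") else PS_DELETE
    return verb.search(ev.command_line) is not None


def scan(events):
    """Return the ids of events the detection would alert on, in log order."""
    return [ev.event_id for ev in events if is_context_menu_removal(ev)]


# Constructed sample events for the example (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Windows\System32\reg.exe",
                 r'reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f'),
    ProcessEvent(2, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''powershell.exe -NoProfile -Command "Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP' -Recurse -Force"'''),
    ProcessEvent(3, r"C:\Windows\System32\reg.exe",
                 r'reg query "HKCR\*\shellex\ContextMenuHandlers\EPP"'),
    ProcessEvent(4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'''powershell.exe -Command "Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP'"'''),
    ProcessEvent(5, r"C:\Program Files\PowerShell\7\pwsh.exe",
                 r'''pwsh -c "ri 'Registry::HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP' -Force"'''),
    ProcessEvent(6, r"C:\Windows\System32\reg.exe",
                 r'reg delete "HKCU\Software\Contoso\Updater" /f'),
]

if __name__ == "__main__":
    print("alerting event ids:", scan(SAMPLE_EVENTS))
```

Events 1, 2 and 5 alert (a `reg delete`, a `Remove-Item` and the `ri` alias against the three handler keys); the two reads of the same keys and the unrelated `reg delete` do not. A `cmd /c reg delete ...` wrapper is still caught because the child `reg.exe` process creation is logged separately. The alias list is the place to tune: a hardening script that removes the entry on purpose matches exactly like an attacker does, which is the false-positive source the summary warns about.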
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2025-07-09