
Windows Disable Lock Workstation Feature Through Registry

Splunk Security Content

Summary
The detection rule identifies suspicious modifications to the Windows registry that disable the Lock Workstation feature, which can signify malicious intent. Specifically, it monitors changes to the registry value "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableLockWorkstation" being set to "0x00000001". This alteration prevents users from locking their screens, creating opportunities for attackers, especially in scenarios involving malware such as ransomware. Such modifications are often associated with attempts by malware to maintain control over a compromised system without the user's awareness, thereby facilitating further exploitation or malicious actions. Using the Endpoint.Registry data model, the rule analyzes registry events recorded by Sysmon, giving a comprehensive view of potentially harmful activity that undermines Windows security controls by blocking user-initiated session locks.
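The following is an added example, not code from the Splunk Security Content project, that reproduces the rule's matching logic in Python over a handful of constructed Sysmon-style registry events. It assumes Sysmon Event ID 13 (RegistryEvent, value set) with its usual TargetObject and Details fields, where a DWORD is rendered as "DWORD (0x00000001)"; the sample events, image paths and user names are constructed for illustration. Like the SPL rule, it matches any hive (the leading wildcard), so both machine-wide HKLM and per-user HKU policy paths are caught, and a value of 0 (re-enabling the lock) is deliberately not flagged.

```python
import re
from typing import Iterable, List, Optional

# Registry value path from the detection summary; the leading wildcard in the
# rule means we only compare the suffix, so any hive (HKLM, HKU\<SID>) matches.
TARGET_SUFFIX = (
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation"
)
TARGET_VALUE = 0x00000001  # 1 = lock workstation disabled

_HEX_RE = re.compile(r"0x([0-9a-fA-F]+)")


def normalize_registry_value(details: str) -> Optional[int]:
    """Turn Sysmon's Details text ("DWORD (0x00000001)") or a bare number into an int.

    Returns None when the value is not numeric (e.g. a REG_SZ), so the caller
    never accidentally matches on a string that happens to contain "1".
    """
    match = _HEX_RE.search(details)
    if match:
        return int(match.group(1), 16)
    stripped = details.strip()
    return int(stripped) if stripped.isdigit() else None


def is_disable_lock_workstation(event: dict) -> bool:
    """True when a Sysmon registry-set event writes DisableLockWorkstation = 1."""
    if event.get("EventID") != 13:  # Sysmon EID 13: registry value set (assumption)
        return False
    path = event.get("TargetObject", "")
    if not path.lower().endswith(TARGET_SUFFIX.lower()):
        return False
    return normalize_registry_value(event.get("Details", "")) == TARGET_VALUE


def find_matches(events: Iterable[dict]) -> List[dict]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if is_disable_lock_workstation(e)]


def triage_summary(events: Iterable[dict]) -> List[dict]:
    """Fields an analyst needs first: which process, as whom, wrote which path."""
    return [
        {"Image": e.get("Image"), "User": e.get("User"), "TargetObject": e.get("TargetObject")}
        for e in find_matches(events)
    ]


# Constructed sample events (not real telemetry): two hits, three non-hits.
SAMPLE_EVENTS = [
    {  # machine-wide policy set to 1 by an unsigned binary in a temp dir -> match
        "EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
        "User": r"CORP\alice",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation",
        "Details": "DWORD (0x00000001)",
    },
    {  # per-user policy under HKU, written via reg.exe -> match (wildcard hive)
        "EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\bob",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation",
        "Details": "DWORD (0x00000001)",
    },
    {  # same value reset to 0 (lock re-enabled) -> no match
        "EventID": 13, "Image": r"C:\Windows\System32\gpupdate.exe", "User": "NT AUTHORITY\\SYSTEM",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation",
        "Details": "DWORD (0x00000000)",
    },
    {  # key creation event (EID 12), no value written -> no match
        "EventID": 12, "Image": r"C:\Windows\regedit.exe", "User": r"CORP\alice",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
        "Details": "",
    },
    {  # unrelated policy value under the same key -> no match
        "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
        "Details": "DWORD (0x00000001)",
    },
]

if __name__ == "__main__":
    for row in triage_summary(SAMPLE_EVENTS):
        print(row)
```

In production the equivalent filtering happens in the Endpoint.Registry data model search; the point of the standalone version is to make the two edge cases explicit: a write of 0 is a benign reset and must not alert, and the process image and user on the matching event are what decide whether the write came from Group Policy tooling or from something that warrants a ransomware-style response.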
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1112
Created: 2024-12-08