
Windows EventLog Autologger Session Registry Modification Via CommandLine

Sigma Rules

Summary
Detects attempts to disable Windows EventLog AutoLogger sessions by modifying the registry with command-line tools. AutoLogger is an ETW-based tracing session that starts early in boot to capture events before logon. Attackers may tamper with the AutoLogger configuration (registry path: \Control\WMI\Autologger\) to disable or alter its Start and Enabled settings, evading security monitoring of early boot and system events. The rule flags registry write operations targeting the AutoLogger keys that use command-line actions such as add, Set-ItemProperty, New-ItemProperty, or the short form (si), typically invoked via reg.exe or PowerShell (PowerShell.exe, pwsh.exe). It matches commands that reference the Autologger path, set the Start/Enabled values, and perform the modification from the command line. The detection draws on process creation events together with registry modification context to raise a high-severity alert. Regression tests and Atomic Red Team simulations validate the cmd and PowerShell variants for disabling the AutoLogger session.
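As an added illustration (not the rule's own logic or test data), the matching conditions the summary describes, applied to a few constructed process-creation events; the image paths, the session name ExampleSession and the command lines are assumptions made for the example:

```python
import re

# Constructed sample process-creation events (image + command line); not taken from the page.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ExampleSession" /v Start /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ExampleSession' -Name Enabled -Value 0"},
    # Read-only query of the same hive: no write action, should not alert.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger" /s'},
    # Write of a Start value outside the Autologger path: should not alert.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\ExampleVendor\App" /v Start /t REG_DWORD /d 0 /f'},
]

# Selection criteria from the summary: tool image, Autologger key path, a write action, Start/Enabled value.
IMAGES = ("reg.exe", "powershell.exe", "pwsh.exe")
PATH_RE = re.compile(r"\\Control\\WMI\\Autologger\\", re.IGNORECASE)
ACTION_RE = re.compile(r"(?:^|\s)(?:add|si|Set-ItemProperty|New-ItemProperty)(?:\s|$)", re.IGNORECASE)
VALUE_RE = re.compile(r"\b(?:Start|Enabled)\b", re.IGNORECASE)


def is_autologger_tamper(image: str, cmdline: str) -> bool:
    """Return True when an event satisfies all four conditions at once."""
    image_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name not in IMAGES:
        return False
    return bool(PATH_RE.search(cmdline) and ACTION_RE.search(cmdline) and VALUE_RE.search(cmdline))


def scan(events):
    """Return the command lines of all events that would raise the alert."""
    return [e["CommandLine"] for e in events if is_autologger_tamper(e["Image"], e["CommandLine"])]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```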
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Command
ATT&CK Techniques
  • T1562.001
Created: 2025-12-25