
Summary
Detects PowerShell being used to enumerate installed software by reading the Windows Registry Uninstall key (Get-ItemProperty against Windows\CurrentVersion\Uninstall), using PowerShell Script Block Logging. The rule inspects the ScriptBlockText field of Event ID 4104 (Microsoft-Windows-PowerShell/Operational) for that combination of cmdlet and key path, which adversaries use to inventory installed products and pick out vulnerable or otherwise targetable software. Matching events are grouped by computer, event code and the exact script block; the Computer field is renamed to dest and the first- and last-seen timestamps are converted to human-readable form (ctime), so one row summarises how often, and over what window, a given host ran a given block. This is an anomaly-type detection meant to surface software-inventory activity that can precede exploitation, not a high-confidence indicator on its own. Software inventory, patching and deployment scripts query the Uninstall key in exactly this way, so hits on legitimate administrative tooling should be expected: filter known inventory scripts, scheduled tasks and management-agent hosts, and weight a hit higher when it comes from an interactive session, an unusual user, or a host that does not normally run such scripts. The rule requires Script Block Logging to be enabled and the PowerShell Operational log forwarded from endpoints (via Windows Event Forwarding or an EDR agent), with fields normalised to the CIM so that results can be correlated across hosts, fed into risk scoring and drilled into during investigation.
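The filter-and-aggregate logic described above, run over a handful of constructed Event ID 4104 records, as an added example that is not part of the original rule or its search. The field names (_time, Computer, EventCode, ScriptBlockText), the host names and the script blocks are all assumed sample data; the match pattern requires both the Get-ItemProperty cmdlet and the CurrentVersion\Uninstall path, which is the combination the summary names, so it deliberately does not match other ways of reading the same key.

```python
"""Mirror of the detection's match and aggregation steps over constructed
4104 events. Sample data and field names are assumed, not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Case-insensitive: the script block must call Get-ItemProperty AND reference
# the Uninstall key under CurrentVersion. Blocks that read the same key another
# way (Get-ChildItem, the 'gp' alias, .NET Registry APIs) are NOT matched.
PATTERN = re.compile(r"Get-ItemProperty.*CurrentVersion\\Uninstall",
                     re.IGNORECASE | re.DOTALL)

# Constructed events shaped like Splunk's PowerShell Operational log fields.
SAMPLE_EVENTS = [
    {"_time": 1712998800, "Computer": "WS01.corp.local", "EventCode": 4104,
     "ScriptBlockText": r"Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion"},
    # Same host, same block, 30 seconds later: collapses into one row, count 2.
    {"_time": 1712998830, "Computer": "WS01.corp.local", "EventCode": 4104,
     "ScriptBlockText": r"Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion"},
    # Lower-case cmdlet and the 32-bit WOW6432Node path still match.
    {"_time": 1712998900, "Computer": "SRV02.corp.local", "EventCode": 4104,
     "ScriptBlockText": r"get-itemproperty 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | ? { $_.DisplayName -like '*VPN*' }"},
    # Benign block on the same host: not matched.
    {"_time": 1712998910, "Computer": "WS01.corp.local", "EventCode": 4104,
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    # Reads the Uninstall key with Get-ChildItem: outside the rule's pattern.
    {"_time": 1712998920, "Computer": "WS03.corp.local", "EventCode": 4104,
     "ScriptBlockText": r"Get-ChildItem HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall | ForEach-Object { $_.GetValue('DisplayName') }"},
    # Matching text but wrong event code (4103 module logging): excluded.
    {"_time": 1712998930, "Computer": "WS01.corp.local", "EventCode": 4103,
     "ScriptBlockText": r"Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*"},
]


def ctime(epoch):
    """Epoch seconds -> readable UTC timestamp, like Splunk's ctime()."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect(events):
    """Filter 4104 events on PATTERN, group by (Computer, EventCode,
    ScriptBlockText), then rename Computer to dest and format the
    first/last seen times. Returns rows sorted by first-seen time."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ev in events:
        if ev["EventCode"] != 4104:
            continue
        if not PATTERN.search(ev["ScriptBlockText"]):
            continue
        g = groups[(ev["Computer"], ev["EventCode"], ev["ScriptBlockText"])]
        g["count"] += 1
        g["first"] = ev["_time"] if g["first"] is None else min(g["first"], ev["_time"])
        g["last"] = ev["_time"] if g["last"] is None else max(g["last"], ev["_time"])

    rows = []
    for (computer, code, block), g in groups.items():
        rows.append({
            "dest": computer,            # rename Computer as dest
            "EventCode": code,
            "ScriptBlockText": block,
            "count": g["count"],
            "firstTime": ctime(g["first"]),
            "lastTime": ctime(g["last"]),
        })
    return sorted(rows, key=lambda r: r["firstTime"])


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(f'{row["dest"]:16} {row["firstTime"]} -> {row["lastTime"]} '
              f'x{row["count"]}  {row["ScriptBlockText"][:60]}')
```

Two of the six constructed events are dropped before grouping (the Get-Process block and the 4103 record) and one is dropped because it reads the key with Get-ChildItem; that last case is the coverage gap to keep in mind when tuning, since the pattern is keyed on one cmdlet, not on the registry path alone.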
Categories
- Endpoint
- Windows
Data Sources
- Script
- Windows Registry
- Process
ATT&CK Techniques
- T1518
- T1059.001
- T1012
Created: 2026-04-13