
Summary
This detection rule identifies modifications to the Windows registry that disable Windows Error Reporting (WER). Adversaries manipulate WER to suppress the error dialogs and crash reports that could reveal malicious activity. Using the Endpoint.Registry data model, the rule looks for registry changes that set the corresponding WER value to '0x00000001'. Monitoring such changes matters because, with WER disabled, an intruder's tooling can crash or misbehave without producing the reports that would otherwise draw attention, which can help malicious persistence go unnoticed. The detection is particularly relevant to sysadmins who need to ensure the integrity of error-reporting configuration. Effective implementation requires proper ingestion of the relevant system events, especially Sysmon registry events (Event ID 13, value set), which record registry changes. Administrators should expect some false positives from legitimate configuration changes made by users or management tooling. Overall, this detection serves as a useful point for identifying tampering with system stability settings by malicious actors.
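The matching logic described above, run over a few constructed Sysmon registry events, as an added example rather than the rule's own search. It assumes Endpoint.Registry-style field names (registry_path, registry_value_data, process_name), the Sysmon "DWORD (0x........)" details format, and that the WER switch lives at a "...\Windows Error Reporting\Disabled" path in the machine or policy hive.

```python
import re
from typing import Optional

# Constructed Sysmon Event ID 13 (RegistryEvent, value set) records, already mapped to
# Endpoint.Registry data-model field names. Sample data only, not telemetry from the page.
SAMPLE_EVENTS = [
    {"process_name": "reg.exe",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled",
     "registry_value_name": "Disabled", "registry_value_data": "DWORD (0x00000001)"},
    {"process_name": "powershell.exe",
     "registry_path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Disabled",
     "registry_value_name": "Disabled", "registry_value_data": "DWORD (0x00000001)"},
    {"process_name": "svchost.exe",  # re-enabling WER: value 0, must not alert
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled",
     "registry_value_name": "Disabled", "registry_value_data": "DWORD (0x00000000)"},
    {"process_name": "explorer.exe",  # unrelated key with the same data, must not alert
     "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "registry_value_name": "Hidden", "registry_value_data": "DWORD (0x00000001)"},
]

# Assumed location of the WER "Disabled" switch (matches both the machine and policy hive).
WER_DISABLED_RE = re.compile(r"\\Windows Error Reporting\\Disabled$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-f]+)\)", re.IGNORECASE)

def parse_dword(data: str) -> Optional[int]:
    """Return the integer behind a Sysmon 'DWORD (0x........)' details string, else None."""
    m = DWORD_RE.fullmatch(data.strip())
    return int(m.group(1), 16) if m else None

def is_wer_disable(event: dict) -> bool:
    """True when the event sets the WER Disabled value to 1 (the rule's 0x00000001)."""
    if not WER_DISABLED_RE.search(event.get("registry_path", "")):
        return False
    return parse_dword(event.get("registry_value_data", "")) == 1

def detect(events: list) -> list:
    """Apply the rule to a batch of registry events and return the alerts, keeping the
    writing process so an analyst can triage legitimate configuration changes."""
    return [{"process": e["process_name"], "path": e["registry_path"]}
            for e in events if is_wer_disable(e)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"WER disabled by {alert['process']}: {alert['path']}")
```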
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1112
Created: 2024-11-13