System Restore Registry Modification via CommandLine

Sigma Rules

Summary
Detects registry-based modification to disable System Restore via the command line on Windows. The rule flags attempts to modify the registry keys that control System Restore (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore) by altering values such as DisableConfig or DisableSR. It matches command-line actions that add or set registry values (Set-ItemProperty, New-ItemProperty, or reg.exe) and that target one of the SystemRestore keys. Detection is based on a combination of three selections: (Image|OriginalFileName) in {powershell.exe, pwsh.exe, reg.exe}; CommandLine|contains one of the actions (" add ", "Set-ItemProperty", "New-ItemProperty"); and CommandLine|contains one of the relevant registry roots and keys. The condition requires all three to be true. The technique corresponds to MITRE ATT&CK T1490 (Inhibit System Recovery), and the rule is classified as high severity because of its potential to blunt recovery options. False positives are marked as Unknown. The rule is accompanied by an Atomic Red Team simulation: Disable System Restore Through Registry (T1490).
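As an added example, not the Sigma rule file itself nor code from the rule's authors, the following Python evaluator mirrors the three selections described above and runs them over a few constructed process-creation events. Field names follow the Sysmon-style schema Sigma uses, and key matching is done on the subkey path so that both the reg.exe `HKLM\` and the PowerShell `HKLM:\` spellings are caught.

```python
# Added example mirroring the rule's three selections (constructed; not the Sigma YAML).
IMAGES = {"powershell.exe", "pwsh.exe", "reg.exe"}
ACTIONS = (" add ", "Set-ItemProperty", "New-ItemProperty")
# Subkey paths only, so "HKLM\..." (reg.exe) and "HKLM:\..." (PowerShell drive
# syntax) both match. Sigma 'contains' is case-insensitive by default.
SYSTEM_RESTORE_KEYS = (
    r"SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore",
)


def _basename(path: str) -> str:
    """File name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_rule(event: dict) -> bool:
    """True when all three selections hold, i.e. the rule's condition fires."""
    image_ok = (_basename(event.get("Image", "")) in IMAGES
                or event.get("OriginalFileName", "").lower() in IMAGES)
    cmd = event.get("CommandLine", "").lower()
    action_ok = any(a.lower() in cmd for a in ACTIONS)
    key_ok = any(k.lower() in cmd for k in SYSTEM_RESTORE_KEYS)
    return image_ok and action_ok and key_ok


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' -Name DisableConfig -Value 1"},
    # Read-only query of the same key: no add/set action, so it must not fire.
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"'},
    # Right keywords, but the image is outside the rule's set and no key is named.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c echo Set-ItemProperty SystemRestore"},
]


def evaluate(events):
    """One verdict per event, in input order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for verdict, event in zip(evaluate(SAMPLE_EVENTS), SAMPLE_EVENTS):
        print("ALERT" if verdict else "ok   ", event["CommandLine"][:70])
```

Because OriginalFileName is checked alongside Image, a renamed copy of reg.exe still trips the rule as long as the PE's original file name survives.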
Categories
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Command
ATT&CK Techniques
  • T1490
Created: 2026-03-11