
Summary
Detects when a process attempts to access the Windows Registry path used for Windows product key recovery. The analytic targets the Windows Security Event Log (Event ID 4663: Object Access) and monitors access to SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform. The query groups results by object_file_name, object_file_path, process_name, process_path, process_id and EventCode to produce first and last access times per group, enabling correlation with other suspicious activity. The search applies the existing windows_product_key_registry_query_filter; matching events flag likely attempts to retrieve or exfiltrate product keys and may indicate malware behavior or attempts to bypass security controls. A known false positive is legitimate administrator or product key recovery activity. The rule maps to MITRE ATT&CK T1012 (Query Registry) and requires Windows endpoints with Audit Object Access enabled (Success and Failure) via Group Policy; note that Event ID 4663 is only logged for a registry key that also carries a matching SACL (audit ACE), so enabling the audit subcategory alone does not produce access events for this key.
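The grouping logic described above, as an added Python example that is not part of the detection rule or the Splunk content it summarizes. The event records are constructed, and product_key_query_filter stands in for the page's windows_product_key_registry_query_filter macro, whose contents are not on the page.

```python
from datetime import datetime

# Registry path watched by the detection, as given on the page.
SPP_PATH = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"
# Fields the page says the query groups by.
GROUP_KEYS = ("object_file_name", "object_file_path", "process_name",
              "process_path", "process_id", "EventCode")

def _ev(time, code, obj_path, proc_name, proc_path, pid):
    """Build one Event 4663-style record normalised to the page's field names."""
    return {"_time": time, "EventCode": code, "object_file_path": obj_path,
            "object_file_name": obj_path.rsplit("\\", 1)[-1], "process_name": proc_name,
            "process_path": proc_path, "process_id": pid}

# Constructed sample events (hypothetical values, not real telemetry).
SPP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform"
RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    _ev("2026-03-03T10:00:00", "4663", SPP_KEY, "powershell.exe", PS, "0x1a2c"),
    _ev("2026-03-03T10:05:30", "4663", SPP_KEY, "powershell.exe", PS, "0x1a2c"),
    _ev("2026-03-03T10:01:00", "4663", SPP_KEY, "svchost.exe", r"C:\Windows\System32\svchost.exe", "0x3e8"),
    _ev("2026-03-03T10:02:00", "4663", RUN_KEY, "explorer.exe", r"C:\Windows\explorer.exe", "0x10"),
    _ev("2026-03-03T10:03:00", "4656", SPP_KEY, "powershell.exe", PS, "0x1a2c"),  # handle request, not access
]

def product_key_query_filter(event):
    """Stand-in for windows_product_key_registry_query_filter (assumption: its real
    contents are not on the page). Returns True for events to drop, here a
    placeholder allowlist of one process path."""
    allowlisted = {r"c:\windows\system32\svchost.exe"}
    return event.get("process_path", "").lower() in allowlisted

def summarize_spp_access(events):
    """Keep Event 4663 records touching the SPP key, apply the filter, and emit one
    row per grouping tuple with firstTime, lastTime and count (like Splunk stats)."""
    groups = {}
    for ev in events:
        if ev.get("EventCode") != "4663":
            continue
        if SPP_PATH.lower() not in ev.get("object_file_path", "").lower():
            continue
        if product_key_query_filter(ev):
            continue
        key = tuple(ev.get(k, "") for k in GROUP_KEYS)
        ts = datetime.fromisoformat(ev["_time"])
        row = groups.setdefault(key, {"firstTime": ts, "lastTime": ts, "count": 0})
        row["firstTime"] = min(row["firstTime"], ts)
        row["lastTime"] = max(row["lastTime"], ts)
        row["count"] += 1
    return [dict(zip(GROUP_KEYS, k), **v) for k, v in groups.items()]

if __name__ == "__main__":
    for row in summarize_spp_access(SAMPLE_EVENTS):
        print(row)
```

Only the two powershell.exe accesses survive: the svchost.exe event is dropped by the filter stand-in, the Run key does not match the path, and the 4656 handle request is not an access event.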
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1012
Created: 2026-03-03