Potential Register_App.Vbs LOLScript Abuse

Summary
This detection rule targets potential misuse of the 'register_app.vbs' script, a component of the Windows SDK used to register new Volume Shadow Copy Service (VSS) and Virtual Disk Service (VDS) providers as COM+ applications. Attackers can abuse this script to install malicious Dynamic Link Libraries (DLLs) for persistence and execution on a compromised system.

The detection logic identifies the script hosts that launch the script, specifically process creations of 'cscript.exe' or 'wscript.exe', combined with command line arguments that trigger the script's registration path, i.e. '.vbs -register'.

Because the rule keys on a generic command line flag, there is a moderate risk of false positives, particularly in environments that run other legitimate Visual Basic scripts with similar flags. Identifying these processes gives administrators early warning of malware attempting to persist on Windows systems by manipulating VSS/VDS providers, allowing timely remediation.
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2021-11-05