Windows Modify Registry No Auto Reboot With Logon User

Splunk Security Content

Summary
This analytic detects modifications to the Windows registry that disable automatic reboot while a user is logged on. It monitors registry changes at the path `SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers`, where a value of `0x00000001` indicates that automatic reboot with logged-on users is disabled. This behavior is associated with malicious software such as RedLine Stealer, which uses it to evade detection and maintain persistence on compromised systems: by preventing automatic reboots, attackers can deploy additional malware or perform other activity without interruption. This analytic lets security teams identify potential abuse of this registry setting and respond accordingly, improving their ability to mitigate malware-driven attacks against Windows environments.
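As an added example (not part of Splunk's own detection content), the following Python emulates the path-and-value check the analytic performs, run over a few constructed registry events; the field names (registry_path, registry_value_data, dest, user, process_name) are assumed to mirror Splunk's Endpoint.Registry data model, and the hive prefix and DWORD formatting are normalized so that both `0x00000001` and Sysmon-style `DWORD (0x00000001)` payloads are caught.

```python
import re

# Registry value name the analytic watches; suffix match so any hive prefix
# (HKLM, HKEY_LOCAL_MACHINE, \REGISTRY\MACHINE) is accepted.
TARGET_SUFFIX = re.compile(
    r"\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU"
    r"\\NoAutoRebootWithLoggedOnUsers$",
    re.IGNORECASE,
)
HEX_VALUE = re.compile(r"0x[0-9a-f]+", re.IGNORECASE)

# Constructed sample events shaped like Endpoint.Registry fields (assumed names).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_name": "powershell.exe",
     "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate"
                      "\\AU\\NoAutoRebootWithLoggedOnUsers",
     "registry_value_data": "0x00000001"},                      # match
    {"dest": "ws02", "user": "CORP\\bob", "process_name": "gpupdate.exe",
     "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate"
                      "\\AU\\NoAutoRebootWithLoggedOnUsers",
     "registry_value_data": "DWORD (0x00000000)"},              # value 0: no match
    {"dest": "ws03", "user": "CORP\\carol", "process_name": "reg.exe",
     "registry_path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate"
                      "\\AU\\NoAutoUpdate",
     "registry_value_data": "0x00000001"},                      # other value name
    {"dest": "ws04", "user": "CORP\\dave", "process_name": "unknown.exe",
     "registry_path": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows"
                      "\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers",
     "registry_value_data": "DWORD (0x00000001)"},              # match
]


def disabled_value(data):
    """True when the DWORD payload equals 1, i.e. auto reboot is disabled."""
    m = HEX_VALUE.search(data or "")
    return m is not None and int(m.group(0), 16) == 1


def is_no_auto_reboot_disabled(event):
    """Apply the analytic's two conditions to a single registry event."""
    path_ok = TARGET_SUFFIX.search(event.get("registry_path", "")) is not None
    return path_ok and disabled_value(event.get("registry_value_data"))


def find_suspicious_events(events):
    """Return the events that would trigger the analytic."""
    return [e for e in events if is_no_auto_reboot_disabled(e)]


if __name__ == "__main__":
    for e in find_suspicious_events(SAMPLE_EVENTS):
        print(f"{e['dest']}: {e['process_name']} by {e['user']} set {e['registry_path']}")
```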
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Script
ATT&CK Techniques
  • T1112
Created: 2024-11-13