Windows Disable Shutdown Button Through Registry

Splunk Security Content

Summary
This analytic rule detects registry modifications that disable the shutdown button on the Windows logon screen, a tactic used by malware, including ransomware such as KillDisk. It monitors the specific registry values that control shutdown behavior, which makes the detection useful for identifying and mitigating threats that try to keep a compromised host running. The rule uses the Endpoint.Registry data model in Splunk and tracks changes to the registry values `shutdownwithoutlogon` and `NoClose`, which can prevent users from shutting down their systems and impede recovery from a malware infection. The search relies on Sysmon Event IDs 12 and 13 to capture the relevant registry modifications and groups the results by user and destination. Flagging these changes helps preserve the ability to shut down or recover affected endpoints.
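The following is an added example, not the Splunk rule itself or any code from the Splunk Security Content project. It shows the detection logic in Python over a handful of constructed Sysmon registry events normalised to Endpoint.Registry-style field names (`user`, `dest`, `process_name`, `registry_path`, `registry_value_data`). Two assumptions are made beyond what the page states: the values are looked for under their standard Windows policy locations (`...\Policies\System\shutdownwithoutlogon` and `...\Policies\Explorer\NoClose`), and only the data that actually disables shutdown is flagged (`shutdownwithoutlogon` set to 0, `NoClose` set to 1), so a write that re-enables the button is not reported.

```python
"""Flag Sysmon registry events (IDs 12/13) that disable the Windows shutdown button.

Added example: mirrors the logic of the "Windows Disable Shutdown Button Through
Registry" analytic in plain Python. Event records and field names are constructed
to resemble Endpoint.Registry fields; they are not real log data.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Watched value names (lower-case) -> (key suffix, DWORD data that disables shutdown).
# Key suffixes are the standard Windows policy locations for these values
# (assumption: the page lists only the value names, not the full key paths).
# shutdownwithoutlogon = 0 hides the button on the logon screen;
# NoClose = 1 removes Shut Down from the Start menu.
WATCHED_VALUES = {
    "shutdownwithoutlogon": ("\\policies\\system", 0),
    "noclose": ("\\policies\\explorer", 1),
}

# Sysmon registry events: 12 = key create/delete, 13 = value set.
SYSMON_REGISTRY_EVENT_IDS = {12, 13}


@dataclass(frozen=True)
class RegistryEvent:
    """One Sysmon registry event with Endpoint.Registry-style field names."""
    event_id: int
    user: str
    dest: str
    process_name: str
    registry_path: str        # Sysmon TargetObject: key path plus value name
    registry_value_data: str  # Sysmon Details, e.g. "DWORD (0x00000000)"


def parse_dword(details: str) -> Optional[int]:
    """Return the integer from Sysmon Details such as 'DWORD (0x00000001)', else None."""
    m = re.search(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None


def matches_disable_shutdown(ev: RegistryEvent) -> bool:
    """True when the event writes a shutdown-disabling value under the expected key."""
    if ev.event_id not in SYSMON_REGISTRY_EVENT_IDS:
        return False
    key, _, value_name = ev.registry_path.lower().rpartition("\\")
    spec = WATCHED_VALUES.get(value_name)
    if spec is None:
        return False
    key_suffix, disabling_data = spec
    if not key.endswith(key_suffix):
        return False
    return parse_dword(ev.registry_value_data) == disabling_data


def find_disable_shutdown(events: Iterable[RegistryEvent]) -> List[RegistryEvent]:
    """Filter an event stream down to the shutdown-disabling registry writes."""
    return [ev for ev in events if matches_disable_shutdown(ev)]


def count_by_user_dest(findings: Iterable[RegistryEvent]) -> Counter:
    """Aggregate findings by (user, dest), as the analytic groups its results."""
    return Counter((ev.user, ev.dest) for ev in findings)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    RegistryEvent(13, "LAB\\alice", "ws01", "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon",
                  "DWORD (0x00000000)"),                      # disables: flagged
    RegistryEvent(13, "LAB\\alice", "ws01", "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe",
                  "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoClose",
                  "DWORD (0x00000001)"),                      # disables: flagged
    RegistryEvent(13, "LAB\\bob", "ws02", "C:\\Windows\\System32\\gpupdate.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\shutdownwithoutlogon",
                  "DWORD (0x00000001)"),                      # re-enables: not flagged
    RegistryEvent(13, "LAB\\bob", "ws02", "C:\\Windows\\System32\\svchost.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
                  "C:\\Program Files\\Updater\\updater.exe"),  # unrelated value: not flagged
    RegistryEvent(12, "LAB\\bob", "ws02", "C:\\Windows\\System32\\svchost.exe",
                  "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                  ""),                                        # key create, no value: not flagged
]


if __name__ == "__main__":
    hits = find_disable_shutdown(SAMPLE_EVENTS)
    for ev in hits:
        print(f"{ev.dest} {ev.user} {ev.process_name} -> {ev.registry_path} = {ev.registry_value_data}")
    print(dict(count_by_user_dest(hits)))
```

Matching on the value name plus the policy-key suffix, rather than on the bare name alone, avoids false positives from unrelated values that happen to share the name, and gating on the disabling data keeps legitimate policy refreshes that set `shutdownwithoutlogon` back to 1 out of the results.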
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1112
Created: 2024-12-08