
Summary
This detection rule targets execution of the Windows Support Diagnostic Tool (msdt.exe) when it is invoked with an answer file, simulating the legitimate invocation through pcwrun.exe that is typically reached via the compatibility settings tab. The rule looks for process creation events where the command line contains the answer file option (-af or /af) and where msdt.exe is called with pcwrun.exe as the parent image. This behavior is noteworthy because adversaries may employ similar techniques to exploit msdt for malicious purposes, evading detection by mimicking legitimate operational behavior. The detection logic combines multiple selection criteria, enforcing the expected command line patterns while excluding events generated by other potential parents of msdt.exe that could produce false positives. The detection is categorized as high severity because of the potential for abuse in attack scenarios involving process execution and defense evasion techniques.
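An added example (not part of the original rule or its project) that applies the selection criteria as this summary states them to a few constructed process-creation events; the field names Image, CommandLine and ParentImage and the sample paths are assumptions:

```python
import shlex
from pathlib import PureWindowsPath

# Both spellings of the answer-file switch named in the summary.
ANSWER_FILE_SWITCHES = {"-af", "/af"}

def image_name(path: str) -> str:
    """Case-insensitive file name of an image path (the 'ends with' check)."""
    return PureWindowsPath(path).name.lower()

def has_answer_file_switch(command_line: str) -> bool:
    """True if -af or /af appears as a whole argument. Tokenising (posix=False keeps
    Windows backslashes and quotes intact) avoids substring hits such as '-afoo'
    that a naive 'contains' check would produce."""
    tokens = shlex.split(command_line, posix=False)
    return any(tok.lower() in ANSWER_FILE_SWITCHES for tok in tokens)

def matches_rule(event: dict) -> bool:
    """Combine the selections as the summary states them (assumed field names)."""
    return (
        image_name(event["Image"]) == "msdt.exe"
        and has_answer_file_switch(event["CommandLine"])
        # Parent condition as stated in the summary: msdt.exe launched by pcwrun.exe.
        and image_name(event["ParentImage"]) == "pcwrun.exe"
    )

def scan(events) -> list:
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]

MSDT = r"C:\Windows\System32\msdt.exe"
PCWRUN = r"C:\Windows\System32\pcwrun.exe"

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": MSDT, "ParentImage": PCWRUN,
     "CommandLine": rf'"{MSDT}" -af C:\Temp\PCW.xml /skip TRUE'},  # triggers
    {"Image": MSDT, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"msdt.exe /af C:\Temp\answers.xml"},          # other parent
    {"Image": MSDT, "ParentImage": PCWRUN,
     "CommandLine": r"msdt.exe -id PCWDiagnostic"},                # no answer file
    {"Image": MSDT, "ParentImage": PCWRUN,
     "CommandLine": r"msdt.exe -afoo C:\Temp\x.xml"},              # not the switch
]

if __name__ == "__main__":
    print("matching event indices:", scan(SAMPLE_EVENTS))  # → [0]
```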
Categories
- Windows
- Endpoint
Data Sources
- Process
Created: 2022-06-13