
Summary
This detection rule monitors for attempts to modify the Windows registry setting that disables write protection on storage devices. Write protection prevents unauthorized changes to storage media and is often used to guard against data loss and malicious activity such as ransomware. The rule looks for command-line executions that reference the registry path \System\CurrentControlSet\Control together with an indication that write protection is being disabled, namely 'Write Protection' being set to '0' for storage devices. Disabling write protection has been used frequently by malicious actors to bypass security measures, particularly in ransomware attacks, where unrestricted write access to storage is needed to encrypt data. Detecting these modifications lets system administrators investigate a potential compromise before widespread damage occurs. The rule is scoped to process events on Windows operating systems. Its output can also support audits of compliance with security policies covering external storage devices.
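The matching conditions described above, as an added illustration that is not the rule's own logic: it assumes a simplified process-creation event with an image name and a command line, and the sample command lines are constructed. It generalises slightly beyond the summary by matching case-insensitively and ignoring spaces, so the registry value name WriteProtect and the wording 'Write Protection' both hit, and by only counting a zero that is actually assigned as a value.

```python
import re
from dataclasses import dataclass

# Substrings the summary names: the registry path fragment and the
# write-protection indicator. Comparison is case-insensitive and ignores
# spaces, so "WriteProtect" and "Write Protection" are treated alike.
REG_PATH_FRAGMENT = r"\system\currentcontrolset\control"
WRITE_PROTECT_TOKEN = "writeprotect"
# A zero assigned on the command line (reg.exe "/d 0", PowerShell
# "-Value 0", or "=0", hex "0x0" included); a bare '0' inside a path or
# PID elsewhere in the command line is deliberately not counted.
ZERO_VALUE = re.compile(r"(?:/d\s+|-value\s+|=\s*)(?:0x)?0+\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # hypothetical field: executable name
    command_line: str   # hypothetical field: full command line


def is_write_protect_disable(cmd: str) -> bool:
    """True when the command line appears to set storage write protection to 0."""
    norm = cmd.lower()
    if REG_PATH_FRAGMENT not in norm:
        return False
    if WRITE_PROTECT_TOKEN not in norm.replace(" ", ""):
        return False
    return ZERO_VALUE.search(norm) is not None


def triage(events):
    """Return only the events that match the detection conditions."""
    return [e for e in events if is_write_protect_disable(e.command_line)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("reg.exe", r"reg add HKLM\System\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 0 /f"),
    ProcessEvent("powershell.exe", r"powershell Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\StorageDevicePolicies -Name WriteProtect -Value 0"),
    # Sets the value to 1 (protection enabled): must not alert.
    ProcessEvent("reg.exe", r"reg add HKLM\System\CurrentControlSet\Control\StorageDevicePolicies /v WriteProtect /t REG_DWORD /d 1 /f"),
    # Same path prefix, unrelated key: must not alert.
    ProcessEvent("reg.exe", r"reg query HKLM\System\CurrentControlSet\Control\Session Manager"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT {hit.image}: {hit.command_line}")
```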
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
Created: 2021-06-11