
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine

Summary
This detection rule identifies potential tampering with Hypervisor-protected Code Integrity (HVCI) settings through registry-modifying commands, such as reg.exe, issued from the command line. HVCI uses virtualization-based security to enforce kernel-mode code integrity: only signed, verified code is allowed to execute in kernel mode, which blocks unsigned or tampered drivers and other untrusted kernel code. Attackers therefore target HVCI before loading unauthorized or known-vulnerable drivers, which can yield kernel-level privilege, persistence, or the ability to disable other security controls. The rule's logic inspects process creation events and evaluates the command line for indications that the HVCI configuration (whose enablement state lives under the DeviceGuard key in the HKLM\SYSTEM hive) is being altered using reg.exe, PowerShell, or a similar tool. Because the criteria key on command-line content rather than on the image name alone, the same command wrapped in cmd.exe /c is still covered as long as the full command line is logged. Two caveats matter when triaging a hit: a registry change only takes effect after a reboot, and if HVCI was enabled with the UEFI lock, the registry change alone does not disable it. False positives may arise from legitimate administrative work in which HVCI is temporarily disabled to troubleshoot compatibility problems with specific software or drivers; correlate the event with change records, the initiating user, and the parent process before escalating.
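The following is an added example, not the rule's own YAML or any code from the Sigma project: a small Python approximation of the detection idea above, run over constructed Sysmon-style process creation events. The registry location it matches (the HypervisorEnforcedCodeIntegrity key under DeviceGuard, with its Enabled value) is the documented Windows location for the HVCI switch; the specific regexes, the reason strings, and the sample events are assumptions chosen for illustration and are not the rule's actual selection logic.

```python
import re

# Documented Windows registry location for the HVCI switch. The "Enabled"
# REG_DWORD turns HVCI on (1) or off (0); "Locked" controls the UEFI lock.
HVCI_KEY = r"DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"

# Assumed approximation of the rule's intent (not its YAML). All patterns are
# case-insensitive because reg.exe and PowerShell accept any casing.
_KEY_RE = re.compile(re.escape(HVCI_KEY), re.IGNORECASE)
# reg.exe writes that disable HVCI: "reg add <key> /v Enabled ... /d 0"
_REG_ADD_DISABLE_RE = re.compile(
    r'\breg(?:\.exe)?\s+add\b.*?/v\s+"?Enabled"?.*?/d\s+"?0"?(?!\d)',
    re.IGNORECASE | re.DOTALL)
# reg.exe removing the key or value outright
_REG_DELETE_RE = re.compile(r"\breg(?:\.exe)?\s+delete\b", re.IGNORECASE)
# PowerShell equivalents of the two cases above
_PS_SET_DISABLE_RE = re.compile(
    r'\b(?:Set|New)-ItemProperty\b.*?-Name\s+"?Enabled"?.*?-Value\s+"?0"?(?!\d)',
    re.IGNORECASE | re.DOTALL)
_PS_REMOVE_RE = re.compile(r"\bRemove-Item(?:Property)?\b", re.IGNORECASE)


def classify(cmdline):
    """Return a reason string if the command line looks like HVCI tampering,
    otherwise None. Read-only operations (reg query) are not flagged."""
    if not _KEY_RE.search(cmdline):
        return None
    if _REG_ADD_DISABLE_RE.search(cmdline):
        return "reg.exe sets HVCI Enabled=0"
    if _REG_DELETE_RE.search(cmdline):
        return "reg.exe deletes HVCI key/value"
    if _PS_SET_DISABLE_RE.search(cmdline):
        return "PowerShell sets HVCI Enabled=0"
    if _PS_REMOVE_RE.search(cmdline):
        return "PowerShell removes HVCI key/value"
    return None


def scan(events):
    """events: iterable of dicts with 'Image' and 'CommandLine' (Sysmon Event ID 1
    style). Returns a list of (event_index, image, reason) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev.get("CommandLine", ""))
        if reason:
            hits.append((i, ev.get("Image", ""), reason))
    return hits


# Constructed sample events (not real telemetry). The key path is the same in
# each; only the operation differs.
_KEY_PATH = r"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
_REG = r"C:\Windows\System32\reg.exe"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_CMD = r"C:\Windows\System32\cmd.exe"

SAMPLE_EVENTS = [
    # 0: direct disable via reg.exe -> hit
    {"Image": _REG, "CommandLine": f'reg add "{_KEY_PATH}" /v Enabled /t REG_DWORD /d 0 /f'},
    # 1: read-only query -> no hit
    {"Image": _REG, "CommandLine": f'reg query "{_KEY_PATH}" /v Enabled'},
    # 2: PowerShell disable -> hit
    {"Image": _PS, "CommandLine": f'powershell -c "Set-ItemProperty -Path HKLM:{_KEY_PATH[4:]} -Name Enabled -Value 0"'},
    # 3: enabling HVCI (value 1) -> no hit; not tampering in the rule's sense
    {"Image": _REG, "CommandLine": f'reg add "{_KEY_PATH}" /v Enabled /t REG_DWORD /d 1 /f'},
    # 4: deleting the key -> hit
    {"Image": _REG, "CommandLine": f'reg delete "{_KEY_PATH}" /f'},
    # 5: same disable wrapped in cmd.exe, upper-cased -> still a hit, since
    #    the logic keys on the command line rather than the image name
    {"Image": _CMD, "CommandLine": f"cmd.exe /c REG ADD {_KEY_PATH} /v Enabled /t REG_DWORD /d 0 /f"},
]

if __name__ == "__main__":
    for idx, image, reason in scan(SAMPLE_EVENTS):
        print(f"[{idx}] {image}: {reason}")
```

Running the block prints hits for events 0, 2, 4 and 5 and stays silent on the query and the re-enable. Two points of design: the key path check comes first so that the write-pattern regexes never fire on unrelated reg.exe usage, and Enabled=1 is deliberately not flagged, because re-enabling HVCI is a remediation rather than tampering. Any hit still needs the triage steps from the summary, since a successful registry write does not by itself mean HVCI is off on that host.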
Categories
  • Windows
  • Endpoint
Data Sources
  • Command
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1562.001
Created: 2026-01-26