
Summary
This detection rule identifies unauthorized modifications to the Windows registry that disable the System Restore functionality. By targeting specific registry keys associated with System Restore, the rule detects changes that may indicate malicious intent, such as preventing rollback to previous system states after an attack. The key components of this rule are the registry paths `\Policies\Microsoft\Windows NT\SystemRestore` and `\Microsoft\Windows NT\CurrentVersion\SystemRestore`, together with the values `DisableConfig` or `DisableSR` being set to `DWORD (0x00000001)`. Given the role of System Restore in recovering from malware incidents, monitoring these registry changes is crucial for maintaining endpoint security and integrity. The rule is essential for threat detection and response teams, particularly in Windows environments, because malicious actors may disable system recovery features before executing their attacks so that the damage cannot be easily undone.
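As an added illustration (not part of the original rule or its vendor's code), the detection logic described above evaluated in Python over constructed records shaped like Sysmon Event ID 13 (registry value set) fields; the `HKLM\SOFTWARE` hive prefix, the field names and the sample process images are assumptions.

```python
# Registry key paths named by the rule. Logged paths carry a hive and root prefix
# such as HKLM\SOFTWARE (assumed), so the paths are matched as suffixes of the key.
KEY_PATHS = (
    r"\policies\microsoft\windows nt\systemrestore",
    r"\microsoft\windows nt\currentversion\systemrestore",
)
VALUE_NAMES = ("disableconfig", "disablesr")
DISABLED_VALUE = "dword (0x00000001)"   # Sysmon renders the Details field this way


def matches_rule(event: dict) -> bool:
    """True when a Sysmon Event ID 13 record sets DisableConfig/DisableSR to 1."""
    if event.get("EventID") != 13:          # 13 = RegistryEvent (Value Set)
        return False
    # Registry paths are case-insensitive, so compare in lower case.
    target = event.get("TargetObject", "").lower()
    key, _, value_name = target.rpartition("\\")
    return (
        key.endswith(KEY_PATHS)
        and value_name in VALUE_NAMES
        and event.get("Details", "").lower() == DISABLED_VALUE
    )


def run_detection(events) -> list:
    """Return the (Image, TargetObject) pairs of every matching event."""
    return [(e["Image"], e["TargetObject"]) for e in events if matches_rule(e)]


# Constructed sample records, shaped like Sysmon Event ID 13 fields.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",
     "Details": "DWORD (0x00000001)"},              # rule path 1, DisableSR = 1: alert
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR",
     "Details": "DWORD (0x00000000)"},              # re-enabling restore: no alert
    {"EventID": 13, "Image": r"C:\Windows\System32\rstrui.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\RPSessionInterval",
     "Details": "DWORD (0x00000001)"},              # unrelated value under the same key
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableConfig",
     "Details": "DWORD (0x00000001)"},              # rule path 2, mixed-case hive: alert
]

if __name__ == "__main__":
    for image, target in run_detection(SAMPLE_EVENTS):
        print(f"ALERT T1490: {image} set {target}")
```

The second and third records show the two conditions that keep the rule quiet: a value of zero (restore being re-enabled) and an unrelated value under one of the monitored keys.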
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
ATT&CK Techniques
- T1490
Created: 2022-04-04