
Summary
This detection rule identifies unauthorized modifications to the Windows registry that disable event logging for specific Windows event channels. It monitors changes to the registry keys associated with Windows event channels, specifically the 'Enabled' value under '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'. When that value is set to 'DWORD (0x00000000)', logging for the channel is turned off, a tactic attackers use to evade detection. The rule includes filters to separate legitimate administrative actions from potentially malicious changes to logging settings, excluding writes made by known Windows processes such as 'wevtutil.exe', 'TiWorker.exe', 'svchost.exe', and 'TrustedInstaller.exe'. These filters reduce false positives while keeping genuine evasion attempts visible. The rule aims to keep event logging intact in Windows environments, preserving the audit trail and system visibility needed to investigate potential threats.
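The selection and filter logic described above, as an added example that is not part of the rule itself: it evaluates constructed records shaped like Sysmon Event ID 13 (registry value set) events. The field names TargetObject, Details and Image mirror Sysmon's, the sample events and the 'updater.exe' path are constructed, and the filter process list is the one given in the summary.

```python
# Added example: the rule's selection and filter logic applied to constructed
# Sysmon Event ID 13 (RegistryEvent, value set) style records.

# Key fragment and value from the rule summary (a raw string cannot end in '\').
CHANNEL_KEY_FRAGMENT = "\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\"
DISABLED_VALUE = "DWORD (0x00000000)"
# Processes the rule filters out as legitimate writers (from the summary).
FILTERED_IMAGES = {"wevtutil.exe", "tiworker.exe", "svchost.exe", "trustedinstaller.exe"}


def is_channel_disable(event):
    """True when a value-set event (flat dict of Sysmon-like fields, assumed
    for this example) turns a WINEVT channel off and is not filtered."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "")
    image = event.get("Image", "")
    # Selection: the 'Enabled' value of a channel key, written as 0.
    if CHANNEL_KEY_FRAGMENT.lower() not in target or not target.endswith("\\enabled"):
        return False
    if details != DISABLED_VALUE:
        return False
    # Filter on the executable name, as the summary describes. A binary renamed
    # to one of these names would slip through, so pinning the full System32
    # path is the stricter variant.
    exe = image.rsplit("\\", 1)[-1].lower()
    return exe not in FILTERED_IMAGES


def matching_events(events):
    """Events the rule would alert on."""
    return [e for e in events if is_channel_disable(e)]


_CH = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\"
# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    # Legitimate: wevtutil disabling a channel, filtered out.
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "Details": DISABLED_VALUE,
     "TargetObject": _CH + "Microsoft-Windows-PowerShell/Operational\\Enabled"},
    # Suspicious: unknown binary turning off the Sysmon channel -> alert.
    {"Image": "C:\\Users\\Public\\updater.exe", "Details": DISABLED_VALUE,
     "TargetObject": _CH + "Microsoft-Windows-Sysmon/Operational\\Enabled"},
    # Same value set to 1 (re-enabling), not a disable.
    {"Image": "C:\\Users\\Public\\updater.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": _CH + "Microsoft-Windows-Sysmon/Operational\\Enabled"},
    # A different value under the channel key (MaxSize), not Enabled.
    {"Image": "C:\\Users\\Public\\updater.exe", "Details": DISABLED_VALUE,
     "TargetObject": _CH + "Microsoft-Windows-Sysmon/Operational\\MaxSize"},
]

if __name__ == "__main__":
    for e in matching_events(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "->", e["TargetObject"])
```

Only the second sample record survives both the selection and the filter; the first is dropped by the process filter, the third and fourth never match the selection.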
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
Created: 2022-07-04