
Summary
This is an experimental Windows process_creation rule that detects Reg.exe being used to read the system language from the registry. It triggers when Reg.exe is the executed image (OriginalFileName reg.exe) and the command line contains a registry query against the language setting, i.e. both a registry path such as Control\Nls\Language and an operation such as query. The intent is to identify discovery activity in which an attacker determines the victim's locale or geography to tailor payloads, localize content, or evade locale-specific defenses. The rule maps to ATT&CK technique T1614.001 (System Language Discovery). It ships with regression tests and an Atomic Red Team simulation for validation. False positives are currently listed as Unknown. The rule is rated medium severity and is designed for Windows endpoints.
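The two selections described above (an image check on OriginalFileName plus a contains-all check on the command line) can be exercised against a few constructed process_creation events to see exactly which records would fire. The following is an added illustration written for this page, not the Sigma rule itself or any backend's compiled query; the `Image|endswith` fallback for logs that lack OriginalFileName is an assumption, as are the sample events.

```python
"""Toy re-implementation of the rule's matching logic over constructed
process_creation events (added example; not the rule's own code)."""

from dataclasses import dataclass

# Selection values as stated in the rule summary.
IMAGE_ORIGINAL_FILE_NAME = "reg.exe"
COMMANDLINE_CONTAINS_ALL = ("Control\\Nls\\Language", "query")


@dataclass
class ProcessCreationEvent:
    image: str               # full path of the started process
    original_file_name: str  # PE header OriginalFileName (Sysmon EID 1 field)
    command_line: str


def matches_image(event: ProcessCreationEvent) -> bool:
    """Image selection: OriginalFileName equals reg.exe.

    Sigma string matching is case-insensitive, so compare lower-cased.
    The Image|endswith fallback is an assumption for sources that do not
    populate OriginalFileName; it is not stated on the page.
    """
    if event.original_file_name and event.original_file_name.lower() == IMAGE_ORIGINAL_FILE_NAME:
        return True
    return event.image.lower().endswith("\\" + IMAGE_ORIGINAL_FILE_NAME)


def matches_command_line(event: ProcessCreationEvent) -> bool:
    """Command-line selection: every needle must appear (contains|all)."""
    cl = event.command_line.lower()
    return all(needle.lower() in cl for needle in COMMANDLINE_CONTAINS_ALL)


def rule_matches(event: ProcessCreationEvent) -> bool:
    """condition: selection_img and selection_cli"""
    return matches_image(event) and matches_command_line(event)


def evaluate(events: list[ProcessCreationEvent]) -> list[bool]:
    return [rule_matches(e) for e in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: the Atomic Red Team style language query -> should fire
    ProcessCreationEvent(
        image=r"C:\Windows\System32\reg.exe",
        original_file_name="reg.exe",
        command_line=r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language",
    ),
    # 2: reg.exe but a different operation -> no 'query' needle
    ProcessCreationEvent(
        image=r"C:\Windows\System32\reg.exe",
        original_file_name="reg.exe",
        command_line=r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language /v Default /d 0409",
    ),
    # 3: same text, but the image is cmd.exe -> image selection fails
    ProcessCreationEvent(
        image=r"C:\Windows\System32\cmd.exe",
        original_file_name="Cmd.Exe",
        command_line=r"cmd /c echo reg query Control\Nls\Language",
    ),
    # 4: mixed case and an extra /v switch -> still fires (case-insensitive)
    ProcessCreationEvent(
        image=r"C:\Windows\SysWOW64\REG.EXE",
        original_file_name="reg.exe",
        command_line=r"REG QUERY hklm\system\currentcontrolset\control\nls\language /v InstallLanguage",
    ),
    # 5: reg query against a sibling key -> path needle absent
    ProcessCreationEvent(
        image=r"C:\Windows\System32\reg.exe",
        original_file_name="reg.exe",
        command_line=r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage",
    ),
]


if __name__ == "__main__":
    for idx, (event, hit) in enumerate(zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)), start=1):
        print(f"event {idx}: {'MATCH' if hit else 'no match'}  {event.command_line}")
```

Events 1 and 4 fire; 2, 3 and 5 do not. Event 3 is the useful negative case: the language path appears in the command line, but because the rule requires Reg.exe as the executed image, a cmd.exe process that merely echoes the string is not flagged. Note also that the `query` needle is a plain substring, so any case or extra switches still match, while a sibling key such as Nls\CodePage (event 5) does not.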
Categories
- Windows
- Endpoint
Data Sources
- Image
- Command
- Windows Registry
- Process
ATT&CK Techniques
- T1614.001
Created: 2026-01-09