(((Image:\\reg.exe OR OriginalFileName:reg.exe) CommandLine:add*) OR (((Image:\\powershell.exe OR Image:\\pwsh.exe) OR (OriginalFileName:powershell.exe OR OriginalFileName:pwsh.dll)) (CommandLine:New\-ItemProperty* OR CommandLine:Set\-ItemProperty* OR CommandLine:ni\ * OR CommandLine:sp\ *))) CommandLine:\\ms\-settings\\shell\\open\\command*