// Detection: Windows registry value writes under \SYSTEM\CurrentControlSet\Control
// that land on keys commonly monitored as autostart / persistence locations
// (ATT&CK T1547, Boot or Logon Autostart Execution): RDP start-up program,
// security, print and network providers, LSA packages, SafeBoot alternate shell
// and the boot verification program.
// All string comparisons are case-insensitive (config stage below).
config case_sensitive = false
| preset = xdr_registry
// Scope: registry "set value" events reported by Windows agents only.
| filter event_type = ENUM.REGISTRY
    and event_sub_type = ENUM.REGISTRY_SET_VALUE
    and agent_os_type = ENUM.AGENT_OS_WINDOWS
// The key must sit under the Control subtree of the current control set ...
| filter action_registry_key_name contains "\SYSTEM\CurrentControlSet\Control"
// ... and match one of the monitored key paths.
| filter action_registry_key_name in (
    "*\Terminal Server\WinStations\RDP-Tcp\InitialProgram*",
    "*\Terminal Server\Wds\rdpwd\StartupPrograms*",
    "*\SecurityProviders\SecurityProviders*",
    "*\SafeBoot\AlternateShell*",
    "*\Print\Providers*",
    "*\Print\Monitors*",
    "*\NetworkProvider\Order*",
    "*\Lsa\Notification Packages*",
    "*\Lsa\Authentication Packages*",
    "*\BootVerificationProgram\ImagePath*"
)
// Suppressions. Every branch below is a deliberate blind spot; re-validate each
// one against local telemetry before deploying and whenever the rule is tuned.
| filter not (
    // Writes whose value name or data is the text "(Empty)", on any monitored key.
    // NOTE(review): presumably the placeholder the source rule used for empty
    // values - confirm the agent really reports that text in these fields.
    action_registry_value_name = "(Empty)"
    or action_registry_data = "(Empty)"
    // Print spooler registering the CutePDF Writer port monitor.
    or (
        actor_process_image_path = "C:\Windows\System32\spoolsv.exe"
        and action_registry_key_name contains "\Print\Monitors\CutePDF Writer Monitor"
        and (
            action_registry_value_name in ("cpwmon64_v40.dll", "CutePDF Writer")
            or action_registry_data in ("cpwmon64_v40.dll", "CutePDF Writer")
        )
    )
    // Print spooler writing OneNote Appmon ports; the user-name patterns
    // presumably cover localized spellings of the NT AUTHORITY accounts - confirm.
    or (
        actor_process_image_path = "C:\Windows\System32\spoolsv.exe"
        and action_registry_key_name contains "Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_"
        and actor_effective_username in ("*AUTHORI*", "*AUTORI*")
    )
    // poqexec.exe updating the network provider order.
    // NOTE(review): no constraint on value name or data here, so every
    // ProviderOrder write by this binary is suppressed - confirm that is intended.
    or (
        actor_process_image_path = "C:\Windows\System32\poqexec.exe"
        and action_registry_key_name contains "\NetworkProvider\Order\ProviderOrder"
    )
    // Print spooler registering the MONVNC print monitor driver.
    or (
        actor_process_image_path = "C:\Windows\System32\spoolsv.exe"
        and action_registry_key_name contains "\Print\Monitors\MONVNC\Driver"
        and (
            action_registry_value_name = "VNCpm.dll"
            or action_registry_data = "VNCpm.dll"
        )
    )
)
// The suppressions hard-code C:\Windows\System32 for the actor image path; on a
// host whose system root differs they will not match and the event is reported.