drop system evtx csv and registry export · detect virtualization-based security disabled · identify credential guard removal enabling credential theft · surface vbs configuration changes · runs locally
VBS · LsaCfgFlags · HVCI · Event 4657 · 1074/6005/6006 · bcdedit hypervisorlaunchtype · lsass access
drop system evtx csv · security evtx csv · registry export