drop wevtutil · logman · json etw exports · detect deleted or disabled edr providers · runs locally
crowdstrike · sentinelone · defender · sysmon · threat intelligence providers · disabled/stopped/deleted status
heuristic screener · parses wevtutil/logman/json exports locally · provider inventory may be incomplete · not definitive proof