drop registry export · detect modified event log source registrations · identify providers removed or added to hide or inject events · surface manipulation of the event provider registry · runs locally
HKLM\EventLog\{Channel}\{Source} · EventMessageFile · WINEVT\Publishers\{GUID} · optional MFT for DLL exists check
drop registry export(s) from EventLog and WINEVT\Publishers
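An added example, not the tool's own code: a Python comparison of two constructed .reg exports of the EventLog key (a baseline and a current one) that reports sources added, removed or repointed and flags EventMessageFile DLLs outside %SystemRoot%\System32. The exports, the source names and the System32-only heuristic are assumptions for this example, and the WINEVT\Publishers side is left out.

```python
import re
from typing import Dict, List, Optional, Tuple

Source = Tuple[str, str]  # (channel, source name)

# Constructed .reg exports in regedit's format; source names and paths are
# sample values made up for this example, not observations from a real host.
BASELINE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\Microsoft-Windows-Security-Auditing]
"EventMessageFile"="%SystemRoot%\\System32\\adtschema.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Service Control Manager]
"EventMessageFile"="%SystemRoot%\\System32\\services.exe"
"""
CURRENT_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\Microsoft-Windows-Security-Auditing]
"EventMessageFile"="C:\\Users\\Public\\msgs.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\ScHelper]
"EventMessageFile"="%SystemRoot%\\System32\\services.exe"
"""
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\([^\\\]]+)\\([^\]]+)\]$")
VALUE_RE = re.compile(r'^"EventMessageFile"="(.*)"$')


def parse_event_sources(reg_text: str) -> Dict[Source, str]:
    """Map (channel, source) -> EventMessageFile path from a .reg export.
    regedit doubles backslashes inside string data, so they are collapsed here."""
    sources: Dict[Source, str] = {}
    current: Optional[Source] = None
    for line in reg_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = (key.group(1), key.group(2))
            continue
        value = VALUE_RE.match(line.strip())
        if value and current:
            sources[current] = value.group(1).replace("\\\\", "\\")
    return sources


def flag_tampering(baseline: str, current: str) -> Dict[str, List[Source]]:
    """Diff two exports: sources added, removed, or whose message DLL changed,
    plus any DLL outside %SystemRoot%\\System32 (a heuristic assumed for this
    example; some legitimate providers do register DLLs elsewhere)."""
    before, after = parse_event_sources(baseline), parse_event_sources(current)
    in_system32 = lambda p: p.lower().startswith("%systemroot%\\system32\\")
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
            "untrusted_path": sorted(k for k, p in after.items() if not in_system32(p))}
```

A "changed" hit whose new path also appears under "untrusted_path" is the repointed-DLL case; the page's optional MFT check would then confirm whether that DLL is actually present on disk.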