
drop registry export with security descriptors · detect registry keys owned by unexpected accounts · identify attacker-owned registry keys that survived cleanup · surface ownership anomalies indicating unauthorized key creation · runs locally

drop registry security / ownership export (multi-file)

Registry Explorer security CSV · Get-Acl PowerShell output · SDDL with O: owner component · HKLM user-owned & orphaned SID flags

drop registry export with owner / SDDL columns (.csv, .reg, or Get-Acl text)