drop security evtx csv or registry export · detect run and runonce key value deletion · identify persistence mechanism removal · surface autorun entries that existed and were then deleted during the investigation window · runs locally
security event ids 4657/4660 on Run · RunOnce · RunOnceEx · Winlogon · before/after .reg or paired autoruns csv · RunOnce expected vs manual deletion
drop security evtx csv, registry diff, or autoruns csv snapshots