Extremely important: Please read this part
Please note that overwriting every single service key and its values based on iterative parsing and recreation is almost CERTAIN to lead to stability issues. This is likely due to the criticality of services to the driver loading and startup process during boot. DO NOT run the linked proof of concept on a system that you are not prepared to re-image or restore from a stable snapshot. I am releasing this tool in a “broken”, but still demonstrative, state on purpose. If you want to use this in a non-POC context, you will need to make the modifications yourself.

This WILL happen to your system if you overwrite the entirety of the HKLM\SYSTEM\CurrentControlSet\Services\ registry key. This is almost certainly the result of supplying the REG_FORCE_RESTORE flag to RegRestoreKey. It is likely possible to make this work, but I will leave that work up to you. In general, I would suggest simply choosing a different target registry key to overwrite.
Important
Three rules don't support Warn mode in Intune:
  • Block JavaScript or VBScript from launching downloaded executable content
  • Block persistence through WMI event subscription
  • Use advanced protection against ransomware
Important
Conflicting per-rule exclusions across multiple ASR policies can cause policy conflicts. When possible, consolidate per-rule exclusions into a single device-targeted policy.
Important
Target your pilot device groups carefully. Intune merges nonconflicting settings across policies, but conflicting settings are withheld (appearing as "not applied").