%WINDIR%\System32\drivers\etc
%WINDIR%\System32\WindowsPowerShell
%PROGRAMFILES%
%PROGRAMFILES(X86)%

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

%WINDIR%\System32\LogFiles
%WINDIR%\iis6logfiles
%WINDIR%\Temp
%APPDATA%\Local\Temp

eventchannel Security Event/System[EventID != 5156 and EventID != 5157 and EventID != 5158]
eventchannel System
eventchannel Application
eventchannel Microsoft-Windows-PowerShell/Operational
eventchannel Microsoft-Windows-Windows Defender/Operational
eventchannel Microsoft-Windows-TaskScheduler/Operational

yes yes 12h
etc/shared/sca/cis_win11_enterprise.yml