Showing results for 
Search instead for 
Did you mean: 
Level 10
Report Inappropriate Content
Message 1 of 1

svchost.exe trying to delete DisableRegistryTools

I have a detection where svchost.exe is trying to delete \REGISTRY\USER\S-1-5-21-2954251252-2009956459-2392978873-42980\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

all the research I have done shows that if this was under HKLM\Software then it would probably be a virus or malware.

I'm thinking this is a Group Policy trying to do what it does and McAfee is stopping it as it is supposed to do. I guess I'm wanting to see if anyone else has had a similar experience and what you did, or do you simply ignore this alert?

I'm tempted to setup Application Control and run full scans and then allow this behaviour.

Thoughts? Comments?