• bcovertigo@lemmy.world
    2 days ago

    Well that’s gross. Copy the text export of the registry, build a man file and place it appropriately, watch the system inhale fully with no logging and use your man file as registry hive next login, all without privilege.

    Maybe a login script to check for specific important registry values and have it create a custom Windows event log? This sucks for detection; I feel like jank might be the only option.
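
The logon-script check suggested in the comment above, as an added example that is not part of the original post. The log name, event source, event IDs and baseline entries are placeholder assumptions, as is reading "man file" as `NTUSER.MAN` in the user's profile folder; it targets Windows PowerShell 5.1, where `Write-EventLog` is available, and assumes the logged-on user may write to the custom log.

```powershell
# Added example: compare selected HKCU values to a baseline at logon and
# record the result in a custom event log.
# One-time setup from an elevated Windows PowerShell 5.1 session:
#   New-EventLog -LogName 'RegBaseline' -Source 'LogonRegCheck'
$LogName = 'RegBaseline'     # hypothetical custom log name
$Source  = 'LogonRegCheck'   # hypothetical event source name

# Constructed sample baseline; replace with the values you need to watch.
$Baseline = @(
    @{ Path = 'HKCU:\Software\ExampleVendor\Policy'; Name = 'ExampleSetting'; Expected = 1 }
    @{ Path = 'HKCU:\Software\ExampleVendor\Policy'; Name = 'ExampleServer';  Expected = 'srv.example.test' }
)

function Test-RegistryBaseline {
    param([hashtable[]]$Entries)
    foreach ($e in $Entries) {
        # A missing key or value yields $null here and is reported as drift.
        $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($e.Name) } else { $null }
        [pscustomobject]@{
            Path     = $e.Path
            Name     = $e.Name
            Expected = $e.Expected
            Actual   = $actual
            Match    = ($null -ne $item -and "$actual" -eq "$($e.Expected)")
        }
    }
}

$drift = @(Test-RegistryBaseline -Entries $Baseline | Where-Object { -not $_.Match })

# Assumption: the "man file" is NTUSER.MAN in the profile root. Environments
# that deploy mandatory profiles on purpose should drop or invert this check.
$manPresent = Test-Path -LiteralPath (Join-Path $env:USERPROFILE 'NTUSER.MAN')

if ($drift.Count -gt 0 -or $manPresent) {
    $lines = $drift | ForEach-Object {
        "$($_.Path)\$($_.Name) expected='$($_.Expected)' actual='$($_.Actual)'"
    }
    $msg = "User=$env:USERDOMAIN\$env:USERNAME`nNTUSER.MAN present=$manPresent`n" + ($lines -join "`n")
    # Event IDs 4100/4101 are arbitrary placeholders for this example.
    Write-EventLog -LogName $LogName -Source $Source -EventId 4101 -EntryType Warning -Message $msg
} else {
    Write-EventLog -LogName $LogName -Source $Source -EventId 4100 -EntryType Information `
        -Message "Registry baseline matched for $env:USERDOMAIN\$env:USERNAME"
}
```

Logging the "matched" event as well as the drift event lets a collector alert on logons where neither appears, which is the case when the script itself did not run.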