syscheck_registry HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\VSS\\Diag FP Suppressed - VSS Diag registry keys modified during backup/snapshot operation syscheck_registry HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\VSS\\ BACKUPCOMPLETE|BACKUPSHUTDOWN|BACKUPSTART|PREPAREBACKUP|POSTBACKUP|BackupComplete FP Suppressed - VSS backup lifecycle registry value changed (normal backup operation) syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate FP Suppressed - Windows Update registry keys (normal update activity) syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Component Based Servicing FP Suppressed - CBS registry changes during Windows Update syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform FP Suppressed - Software Protection Platform registry (licensing checks, normal) syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Perflib FP Suppressed - Performance Library registry keys (updated continuously by OS) syscheck_registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PerfHost FP Suppressed - PerfHost service registry (performance counter host, normal activity) syscheck_registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces LeaseObtainedTime|LeaseTerminatesTime|T1|T2|DhcpIPAddress|DhcpNameServer|DhcpSubnetMask|DhcpDefaultGateway FP Suppressed - DHCP lease renewal registry update (normal network operation) syscheck_registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog MajorVersion|MinorVersion|CurrentSize|LastWriteTime|Flags FP Suppressed - EventLog metadata registry keys (updated on every log write) syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates FP Suppressed - Windows Defender signature update registry changes syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Scans FP Suppressed - Windows Defender scan state registry keys syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\AutoEnrollment FP Suppressed - Certificate auto-enrollment registry update (normal AD/PKI operation) syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates FP Suppressed - System certificate store registry changes (CRL updates, renewals) syscheck_registry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks LastRunTime|NextRunTime|LastSuccessfulRunTime FP Suppressed - Task Scheduler runtime timestamps (updated on every task execution) syscheck_registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time LastSyncTime|ClockAdjustment|PhaseOffset|ClockRate FP Suppressed - W32Time NTP synchronization registry update (normal time sync)