shadowbrokers-exploits/windows/Resources/Ep/Scripts/malfind/sig1user.eps
2017-04-14 11:45:07 +02:00


# Signature check: returns true if any subkey listed under the "U" hive
# contains the key software\microsoft\windows\currentversion\StrtdCfg,
# and false otherwise.
# NOTE(review): "-hive U" presumably selects HKEY_USERS, so each subkey would
# be one loaded user profile (SID) - confirm against the regquery command help.
# NOTE(review): the page does not say what "sig1" refers to; the comments here
# treat the key name only as an indicator string.

# Run the top-level hive query with recording enabled, so that its output can
# be read back through GetCmdData below. The result of this first query is not
# checked; if it fails, the loop presumably has nothing to iterate and the
# script falls through to "return false", which a caller cannot tell apart
# from a clean "indicator not present".
@record on;
`regquery -hive U`;
@record off;
# Pull the 'subkey' field(s) out of the recorded command output.
string $subkeys = GetCmdData('subkey');
string $subkey;
foreach $subkey ($subkeys)
{
# Existence test only: the result of the query is used as the condition and no
# value under the key is read or compared. The query is not wrapped in
# @record, so its output is not captured here.
# Defender caveat: if the "U" hive is HKEY_USERS, only hives loaded at query
# time are covered; profiles of logged-off users (offline NTUSER.DAT files)
# would need a separate check when hunting for the same key.
if (`regquery -hive U -subkey "$subkey\\software\\microsoft\\windows\\currentversion\\StrtdCfg" -recursive`)
{
# First hit is enough; stop scanning the remaining subkeys.
return true;
}
}
# No enumerated subkey contained the key.
return false;