LoFP / administrative scripts that change the desktop background to a company logo or other image.

condition: all of selection_reg_* and selection_keys and 1 of selection_cli_reg_*
selection_cli_reg_1:
  CommandLine|contains|all:
  - /v NoChangingWallpaper
  - /d 1
selection_cli_reg_2:
  CommandLine|contains|all:
  - /v Wallpaper
  - /t REG_SZ
selection_cli_reg_3:
  CommandLine|contains|all:
  - /v WallpaperStyle
  - /d 2
selection_keys:
  CommandLine|contains:
  - Control Panel\Desktop
  - CurrentVersion\Policies\ActiveDesktop
  - CurrentVersion\Policies\System
selection_reg_flag:
  CommandLine|contains: add
selection_reg_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe

condition: selection_keys and 1 of selection_values_* and not 1 of filter_main_* and
  not 1 of filter_optional_*
filter_main_empty:
  Details: (Empty)
  TargetObject|endswith: \Control Panel\Desktop\Wallpaper
filter_main_explorer:
  Image|endswith: C:\Windows\Explorer.EXE
filter_main_svchost:
  Image|endswith: \svchost.exe
filter_optional_ec2launch:
  Image:
  - C:\Program Files\Amazon\EC2Launch\EC2Launch.exe
  - C:\Program Files (x86)\Amazon\EC2Launch\EC2Launch.exe
  TargetObject|endswith: \Control Panel\Desktop\Wallpaper
selection_keys:
  TargetObject|contains:
  - Control Panel\Desktop
  - CurrentVersion\Policies\ActiveDesktop
  - CurrentVersion\Policies\System
selection_values_1:
  Details: DWORD (0x00000001)
  TargetObject|endswith: NoChangingWallpaper
selection_values_2:
  TargetObject|endswith: \Wallpaper
selection_values_3:
  Details: '2'
  TargetObject|endswith: \WallpaperStyle